@etiennetremel
Last active May 14, 2024 23:48
Simple Wireguard setup as VPN server and multiple clients

Simple WireGuard configuration

1 server, 2 clients

Getting started

Install WireGuard (the wg and wg-quick tools) on all machines.

Generate all keys

$ wg genkey > server_privatekey
$ wg pubkey < server_privatekey > server_publickey
$ wg genkey | tee client1_privatekey | wg pubkey > client1_publickey
$ wg genkey | tee client2_privatekey | wg pubkey > client2_publickey

The server has a single key pair: its one public key goes into the [Peer] section of every client, and each client's public key goes into that client's own [Peer] section on the server. Private keys never leave the machine they were generated for.

Start

$ wg-quick up wg0

Stop

$ wg-quick down wg0

Check status

$ wg show
interface: wg0
  public key: <SERVER PUBLIC KEY>
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: <CLIENT 1 PUBLIC KEY>
  endpoint: ...
  allowed ips: 10.100.0.2/32
  latest handshake: 4 seconds ago
  transfer: 21.11 KiB received, 38.92 KiB sent

peer: <CLIENT 2 PUBLIC KEY>
  endpoint: ...
  allowed ips: 10.100.0.3/32
  latest handshake: 9 seconds ago
  transfer: 911.10 KiB received, 2.57 MiB sent
Client 1 configuration (/etc/wireguard/wg0.conf on client 1)

[Interface]
Address = 10.100.0.2/32
PrivateKey = <CLIENT 1 PRIVATE KEY>
# The server must run a resolver listening on 10.100.0.1 for this to work
DNS = 10.100.0.1
[Peer]
PublicKey = <SERVER PUBLIC KEY>
# 0.0.0.0/0, ::/0 sends all of the client's traffic through the tunnel
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <SERVER PUBLIC IP>:51820

Client 2 configuration (/etc/wireguard/wg0.conf on client 2)

[Interface]
Address = 10.100.0.3/32
PrivateKey = <CLIENT 2 PRIVATE KEY>
# The server must run a resolver listening on 10.100.0.1 for this to work
DNS = 10.100.0.1
[Peer]
PublicKey = <SERVER PUBLIC KEY>
# 0.0.0.0/0, ::/0 sends all of the client's traffic through the tunnel
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <SERVER PUBLIC IP>:51820

/etc/wireguard/postdown.sh (removes the rules that postup.sh added)

#!/usr/bin/env bash
set -ex
# wg-quick only substitutes %i inside the PostUp/PostDown command line, not
# inside a script file, so the interface name is passed as the first argument
# (PostDown = /etc/wireguard/postdown.sh %i) and defaults to wg0.
IFACE="${1:-wg0}"
# Traffic forwarding
iptables -D FORWARD -i "$IFACE" -j ACCEPT
iptables -D FORWARD -o "$IFACE" -j ACCEPT
# NAT: stop masquerading tunnel traffic that leaves via eth0
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# DNS: stop accepting new DNS connections from the tunnel subnet
# (10.100.0.0/24 is the canonical form of the 10.100.0.1/24 that iptables normalises to)
iptables -D INPUT -s 10.100.0.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -D INPUT -s 10.100.0.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

/etc/wireguard/postup.sh

#!/usr/bin/env bash
set -ex
# Interface name is passed by wg-quick (PostUp = /etc/wireguard/postup.sh %i);
# %i is not substituted inside a script file, so it must come in as an argument.
IFACE="${1:-wg0}"
# Traffic forwarding (the kernel must also have net.ipv4.ip_forward=1 set)
iptables -A FORWARD -i "$IFACE" -j ACCEPT
iptables -A FORWARD -o "$IFACE" -j ACCEPT
# NAT: masquerade tunnel traffic leaving via eth0 so replies come back to the server
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# DNS: accept new DNS connections from the tunnel subnet only
iptables -A INPUT -s 10.100.0.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 10.100.0.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

Server configuration (/etc/wireguard/wg0.conf on the server)

[Interface]
# /24 here: the server's address carries the whole tunnel subnet
Address = 10.100.0.1/24
# SaveConfig rewrites this file from the running state on "wg-quick down",
# which drops comments and hand edits; remove it if you manage the file by hand
SaveConfig = true
PostUp = /etc/wireguard/postup.sh %i
PostDown = /etc/wireguard/postdown.sh %i
ListenPort = 51820
FwMark = 0xca6c
PrivateKey = <SERVER PRIVATE KEY>
[Peer]
PublicKey = <CLIENT 1 PUBLIC KEY>
# One /32 per client: this is the only source address the server accepts from this key
AllowedIPs = 10.100.0.2/32
[Peer]
PublicKey = <CLIENT 2 PUBLIC KEY>
AllowedIPs = 10.100.0.3/32
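The server's [Peer] entries are WireGuard's cryptokey routing table: each AllowedIPs must be a single /32 inside the tunnel subnet, and when two peers claim the same address the kernel keeps it only for the last peer configured. The linter below is an added example, not part of the gist, that checks those invariants on a wg-quick server config; the sample config is constructed with placeholder keys.

```python
import ipaddress
# Constructed sample mirroring the server config above (placeholder keys, hook lines omitted).
SERVER_CONF = """
[Interface]
Address = 10.100.0.1/24
[Peer]
PublicKey = <CLIENT 1 PUBLIC KEY>
AllowedIPs = 10.100.0.2/32
[Peer]
PublicKey = <CLIENT 2 PUBLIC KEY>
AllowedIPs = 10.100.0.3/32
"""

def parse_wg_conf(text):
    """Parse wg-quick INI text into [{'_section': name, key: value}, ...] (configparser would merge the repeated [Peer] sections)."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_section": line[1:-1]}
            sections.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def lint_server_conf(text):
    """Return the problems found in the server's peer routing table; [] means it is sound."""
    problems, claimed = [], []  # claimed: (peer label, network) already handed out
    sections = parse_wg_conf(text)
    iface = next(s for s in sections if s["_section"] == "Interface")
    server = ipaddress.ip_interface(iface["Address"])
    if server.network.prefixlen == server.max_prefixlen:
        problems.append("Interface Address must carry the tunnel subnet prefix (/24 here), not /32")
    for peer in (s for s in sections if s["_section"] == "Peer"):
        label = peer.get("PublicKey", "?")[:16]
        for cidr in [c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()]:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != server.version or not net.subnet_of(server.network):
                problems.append(f"peer {label}: {cidr} lies outside the tunnel subnet {server.network}")
                continue
            if net.prefixlen != net.max_prefixlen:
                problems.append(f"peer {label}: {cidr} is not a single /32; give each client one address")
            for other_label, other in claimed:  # the kernel keeps only the last peer for an address
                if net.overlaps(other):
                    problems.append(f"peer {label}: {cidr} overlaps {other} already given to peer {other_label}")
            claimed.append((label, net))
    return problems
```

Run it against the real /etc/wireguard/wg0.conf on the server before bringing the interface up; an empty list means every client has its own address inside the subnet.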
@Anime4000

Can client 1 and client 2 communicate directly without going through the server? Like Hamachi P2P VPN?

@4NetStudios

Talk about not being clear enough instructions.....

@Anime4000

Let's say I have 4 devices: server, peer1, peer2, peer3

I want to make peer1 able to communicate with peer2 and peer3 without going through the server

Like this: [image]

The main reason to avoid the server is to save bandwidth

@buha

buha commented Aug 26, 2022

$ wg pubkey < server_privatekey > server_publickey_client1
$ wg pubkey < server_privatekey > server_publickey_client2

This can be simplified: the public key will be the same for all clients, since it's generated from the same private key.

@HowRUY

HowRUY commented Jun 25, 2023

Simple and nice. Thanks

@iiasceri

How to use this if I have multiple IPv4 public IP addresses? I tried mapping them, nothing worked, wasted 6 hours of my life.
