Wireguard setup server/client
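# ---- Server side ----
# WireGuard point-to-point setup: one server, one client. Run the commands in
# order on the server, then the "Client side" part on the client. Replace every
# <placeholder> before running. The wg0.conf / client_wg.conf contents are
# written with heredocs so the listing can be pasted as-is instead of being
# typed into an editor; both files follow WireGuard's INI-style
# [Interface]/[Peer] syntax (see wg-quick(8)).

# Update the server and install WireGuard.
sudo apt update && sudo apt upgrade -y
sudo apt install -y wireguard

# Name of the interface that carries Internet traffic (eth0, ens3, ...).
# Check with `ip a` and set it here; it is used by the MASQUERADE rules below
# instead of a hard-coded "ens3".
ip a
WAN_IF=ens3

# Generate the server key pair. `umask 077` makes tee create the key files as
# 0600 from the start, so the private key is never world-readable; only the
# public key reaches the terminal because the private key is piped straight
# into `wg pubkey`.
(umask 077 && wg genkey | sudo tee /etc/wireguard/wg_privatekey | wg pubkey | sudo tee /etc/wireguard/wg_publickey)
# Belt and braces: the original listing chmod'ed "/etc/wireguard/privatekey",
# which is not the file written above, so the real key kept default permissions.
sudo chmod 600 /etc/wireguard/wg_privatekey

# Write the server config. The private key is read from the file generated
# above; wg0.conf must be 0600 because it now contains that key.
sudo tee /etc/wireguard/wg0.conf >/dev/null <<EOF
[Interface]
PrivateKey = $(sudo cat /etc/wireguard/wg_privatekey)
Address = 10.10.10.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${WAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${WAN_IF} -j MASQUERADE
EOF
sudo chmod 600 /etc/wireguard/wg0.conf

# Enable IPv4 forwarding by uncommenting net.ipv4.ip_forward=1, then reload
# (sysctl -p needs root to apply the change, not just to read the file).
sudo sed -i 's/^#net\.ipv4\.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sudo sysctl -p

# Generate the client key pair. This follows the original flow and creates the
# client's private key on the server; generating it on the client and sending
# only the public key to the server avoids ever moving a private key between
# machines. Same 0600 handling as for the server key.
(umask 077 && wg genkey | sudo tee /etc/wireguard/client_privatekey | wg pubkey | sudo tee /etc/wireguard/client_publickey)
sudo chmod 600 /etc/wireguard/client_privatekey

# Register the client as a peer. AllowedIPs is the single address the client
# is allowed to use inside the tunnel.
sudo tee -a /etc/wireguard/wg0.conf >/dev/null <<EOF

[Peer]
PublicKey = $(sudo cat /etc/wireguard/client_publickey)
AllowedIPs = 10.10.10.2/32
EOF

# Firewall: the server must accept the WireGuard UDP port, and forwarded peer
# traffic must not be rejected. Some distributions ship catch-all REJECT rules
# (shown by `iptables -S` as lines ending in icmp-host-prohibited); list them
# first. Accepting the listen port explicitly is preferable to deleting the
# INPUT reject rule, which would open the host more widely; the FORWARD reject
# rule is the one that blocks tunnel traffic and can be removed if present.
sudo iptables -S | grep prohibited
sudo iptables -I INPUT -p udp --dport 51820 -j ACCEPT
# Run only if the matching rule was listed above (same arguments as -S printed):
# sudo iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
# sudo iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited

# Start the wg-quick unit now and at boot, then verify.
sudo systemctl enable --now wg-quick@wg0.service
sudo systemctl status wg-quick@wg0.service

# ---- Client side ----
# Create the client config. It contains the client's private key (copy it from
# /etc/wireguard/client_privatekey on the server) and the server's public key
# (/etc/wireguard/wg_publickey on the server), so it is created 0600.
# AllowedIPs = 0.0.0.0/0, ::/0 routes all client traffic through the tunnel;
# PersistentKeepalive keeps NAT mappings alive (seconds).
(umask 077 && cat > ~/client_wg.conf <<'EOF'
[Interface]
PrivateKey = <paste here contents of /etc/wireguard/client_privatekey from the server>
Address = 10.10.10.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = <paste here contents of /etc/wireguard/wg_publickey from the server>
Endpoint = <server-public-ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 20
EOF
)

# Import ~/client_wg.conf into the WireGuard client app (or
# `sudo wg-quick up ~/client_wg.conf` on Linux).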