[Wireguard Server Setup] #wireguard #vpn #linux

Server setup

Installation

sudo apt install wireguard

Generate the wireguard key pair (run `umask 077` in the shell first so the private key file is not created world-readable)

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

Set up the wireguard interface

sudo vim /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.9.10/24, fd42:42:42::10/64
ListenPort = {wireguardPort}
PrivateKey = {hostPrivateKey}

PostUp = /etc/wireguard/helper/add-nat-routing.sh
PostDown = /etc/wireguard/helper/remove-nat-routing.sh

[Peer]
PublicKey = {peerPublicKey}
AllowedIPs = 192.168.9.2/32, fd42:42:42::2/128

NAT routing scripts

sudo mkdir -v /etc/wireguard/helper/
sudo vim /etc/wireguard/helper/add-nat-routing.sh
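#!/bin/bash
# wg-quick PostUp hook for wg0: add the NAT and filter rules that let
# WireGuard peers reach the internet through this host's uplink NIC.
# Runs as root from wg-quick. Every rule is inserted at position 1, so it
# takes precedence over any existing rule in the same chain (e.g. ufw's).
#
# Abort on the first rule that cannot be added, and on an unset variable, so
# wg-quick reports the failure instead of bringing the tunnel up with only
# part of the routing in place.
set -eu

IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"

IN_FACE="eth0"                   # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC
SUB_NET="192.168.9.0/24"         # WG IPv4 sub/net aka CIDR (must match the wg0 Address)
WG_PORT="{wireguardPort}"        # WG udp port (must match ListenPort in wg0.conf)
SUB_NET_6="fd42:42:42::/64"      # WG IPv6 sub/net; must match the wg0 Address prefix
                                 # (the previous value used a different prefix, so
                                 # IPv6 traffic from peers was never masqueraded)

# IPv4 #
"$IPT" -t nat -I POSTROUTING 1 -s "$SUB_NET" -o "$IN_FACE" -j MASQUERADE
# Accepts everything peers send to this host itself, not only forwarded traffic.
"$IPT" -I INPUT 1 -i "$WG_FACE" -j ACCEPT
"$IPT" -I FORWARD 1 -i "$IN_FACE" -o "$WG_FACE" -j ACCEPT
"$IPT" -I FORWARD 1 -i "$WG_FACE" -o "$IN_FACE" -j ACCEPT
"$IPT" -I INPUT 1 -i "$IN_FACE" -p udp --dport "$WG_PORT" -j ACCEPT

# IPv6 #
"$IPT6" -t nat -I POSTROUTING 1 -s "$SUB_NET_6" -o "$IN_FACE" -j MASQUERADE
"$IPT6" -I INPUT 1 -i "$WG_FACE" -j ACCEPT
"$IPT6" -I FORWARD 1 -i "$IN_FACE" -o "$WG_FACE" -j ACCEPT
"$IPT6" -I FORWARD 1 -i "$WG_FACE" -o "$IN_FACE" -j ACCEPT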
sudo vim /etc/wireguard/helper/remove-nat-routing.sh
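#!/bin/bash
# wg-quick PostDown hook for wg0: delete the rules that add-nat-routing.sh
# inserted. Runs as root from wg-quick.
#
# Each -D rule spec must match the corresponding -I spec exactly (minus the
# position number) or iptables will not find the rule, so the variables
# below must hold the same values as in add-nat-routing.sh.
#
# Deliberately no `set -e`: removal is best-effort, and a rule that is
# already gone must not prevent the remaining rules from being cleaned up.
set -u

IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"

IN_FACE="eth0"                   # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC
SUB_NET="192.168.9.0/24"         # WG IPv4 sub/net aka CIDR (must match the wg0 Address)
WG_PORT="{wireguardPort}"        # WG udp port (must match ListenPort in wg0.conf)
SUB_NET_6="fd42:42:42::/64"      # WG IPv6 sub/net; must match the wg0 Address prefix
                                 # (the previous value used a different prefix)

# IPv4 rules #
"$IPT" -t nat -D POSTROUTING -s "$SUB_NET" -o "$IN_FACE" -j MASQUERADE
"$IPT" -D INPUT -i "$WG_FACE" -j ACCEPT
"$IPT" -D FORWARD -i "$IN_FACE" -o "$WG_FACE" -j ACCEPT
"$IPT" -D FORWARD -i "$WG_FACE" -o "$IN_FACE" -j ACCEPT
"$IPT" -D INPUT -i "$IN_FACE" -p udp --dport "$WG_PORT" -j ACCEPT

# IPv6 rules #
"$IPT6" -t nat -D POSTROUTING -s "$SUB_NET_6" -o "$IN_FACE" -j MASQUERADE
"$IPT6" -D INPUT -i "$WG_FACE" -j ACCEPT
"$IPT6" -D FORWARD -i "$IN_FACE" -o "$WG_FACE" -j ACCEPT
"$IPT6" -D FORWARD -i "$WG_FACE" -o "$IN_FACE" -j ACCEPT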

Enable IP forwarding

sudo vim /etc/sysctl.d/10-wireguard.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Allow port in firewall

sudo ufw allow {wireguardPort}/udp

Initialize

sudo sysctl -p /etc/sysctl.d/10-wireguard.conf
sudo chmod -v +x /etc/wireguard/helper/*.sh
sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service

Client setup

Installation

sudo apt install wireguard

Generate the wireguard key pair (run `umask 077` in the shell first so the private key file is not created world-readable)

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

Set up the wireguard interface

sudo vim /etc/wireguard/wg0.conf
[Interface]
PrivateKey = {clientPrivateKey}
Address = 192.168.9.2/24, fd42:42:42::2/64

[Peer]
PublicKey = {serverPublicKey}
Endpoint = {wireguardServerIp}:{wireguardServerPort}
AllowedIPs = 0.0.0.0/0, ::/0

Wireguard connection commands

Start interface

sudo wg-quick up wg0

Stop interface

sudo wg-quick down wg0

Interface status

sudo wg

Enable wireguard auto-start at boot

sudo systemctl enable wg-quick@wg0.service