sudo apt install wireguard
Generate wireguard key pair
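# Generate the key pair under a restrictive umask: tee would otherwise create
# /etc/wireguard/privatekey with the default (usually world-readable) mode.
# The private key travels only through the pipe; only the public key is
# echoed to the terminal by the last tee.
(umask 077 && wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey)
# Also covers a privatekey file that already existed with looser permissions,
# or a sudo policy that overrides the caller's umask.
sudo chmod 600 /etc/wireguard/privatekey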
Setup wireguard interface
sudo vim /etc/wireguard/wg0.conf
# Server-side wg0.conf. This file contains the private key in clear text:
# keep it owned by root and not readable by other users (mode 600).
[Interface]
# Tunnel addresses (IPv4, IPv6) assigned to this host's wg0 interface.
Address = 192.168.9.10/24, fd42:42:42::10/64
# UDP port WireGuard listens on; replace the placeholder with the real port.
ListenPort = {wireguardPort}
# Placeholder for this host's private key. Never publish or commit this value.
PrivateKey = {hostPrivateKey}
# Hook scripts wg-quick runs when the interface comes up / goes down.
# They run as root, so they must be writable by root only.
PostUp = /etc/wireguard/helper/add-nat-routing.sh
PostDown = /etc/wireguard/helper/remove-nat-routing.sh
[Peer]
# Placeholder for the peer's public key.
PublicKey = {peerPublicKey}
# Single-host prefixes (/32 and /128): packets from this peer are accepted
# only with these source addresses, and only these addresses are routed to it.
AllowedIPs = 192.168.9.2/32, fd42:42:42::2/128
sudo mkdir -v /etc/wireguard/helper/
sudo vim /etc/wireguard/helper/add-nat-routing.sh
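#!/bin/bash
# add-nat-routing.sh - wg-quick PostUp hook.
#
# Inserts the iptables/ip6tables rules that source-NAT traffic from the
# WireGuard subnet out of the internet-facing NIC, allow forwarding between
# the two interfaces, and admit the tunnel's UDP port (IPv4).
# Every rule inserted here has an identical -D counterpart in
# remove-nat-routing.sh; any change to a rule spec must be made in both files,
# otherwise the rule is left behind when the interface goes down.
#
# Rules are inserted at position 1, so they are evaluated before anything
# already in the chain, including rules installed by a front end such as ufw.
set -u

IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
IN_FACE="eth0"                # NIC connected to the internet
WG_FACE="wg0"                 # WG NIC
SUB_NET="192.168.9.0/24"      # WG IPv4 sub/net aka CIDR
WG_PORT="{wireguardPort}"     # WG udp port; replace with ListenPort from wg0.conf
# WG IPv6 sub/net. Must contain the IPv6 addresses used in wg0.conf
# (fd42:42:42::10/64 on the server, fd42:42:42::2 on the peer). The earlier
# value fd42:42:42:42::/112 did not contain them, so the IPv6 MASQUERADE rule
# never matched tunnel traffic.
SUB_NET_6="fd42:42:42::/64"

# IPv4 #
"$IPT" -t nat -I POSTROUTING 1 -s "$SUB_NET" -o "$IN_FACE" -j MASQUERADE
# Accepts everything arriving over the tunnel: peers can reach every service
# listening on this host. Narrow with -p/--dport if they need less.
"$IPT" -I INPUT 1 -i "$WG_FACE" -j ACCEPT
# Accepts all forwarded traffic from the internet-facing NIC towards the
# tunnel, new connections included. A reply-only variant adds
# "-m conntrack --ctstate RELATED,ESTABLISHED" (mirror it in the remove script).
"$IPT" -I FORWARD 1 -i "$IN_FACE" -o "$WG_FACE" -j ACCEPT
"$IPT" -I FORWARD 1 -i "$WG_FACE" -o "$IN_FACE" -j ACCEPT
"$IPT" -I INPUT 1 -i "$IN_FACE" -p udp --dport "$WG_PORT" -j ACCEPT
# IPv6 #
"$IPT6" -t nat -I POSTROUTING 1 -s "$SUB_NET_6" -o "$IN_FACE" -j MASQUERADE
"$IPT6" -I INPUT 1 -i "$WG_FACE" -j ACCEPT
"$IPT6" -I FORWARD 1 -i "$IN_FACE" -o "$WG_FACE" -j ACCEPT
"$IPT6" -I FORWARD 1 -i "$WG_FACE" -o "$IN_FACE" -j ACCEPT
sudo vim /etc/wireguard/helper/remove-nat-routing.sh
#!/bin/bash
# remove-nat-routing.sh - wg-quick PostDown hook.
#
# Deletes exactly the rules that add-nat-routing.sh inserted. iptables -D
# matches on the full rule spec, so the variables and rule bodies below must
# stay identical to the add script. Deletion is best-effort: a rule that is
# already gone makes that one command fail, and the script carries on with
# the remaining rules.
set -u

IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
IN_FACE="eth0"                # NIC connected to the internet
WG_FACE="wg0"                 # WG NIC
SUB_NET="192.168.9.0/24"      # WG IPv4 sub/net aka CIDR
WG_PORT="{wireguardPort}"     # WG udp port; replace with ListenPort from wg0.conf
# WG IPv6 sub/net; same value as in add-nat-routing.sh, covering the
# fd42:42:42::/64 addresses used in wg0.conf.
SUB_NET_6="fd42:42:42::/64"

# IPv4 rules #
"$IPT" -t nat -D POSTROUTING -s "$SUB_NET" -o "$IN_FACE" -j MASQUERADE
"$IPT" -D INPUT -i "$WG_FACE" -j ACCEPT
"$IPT" -D FORWARD -i "$IN_FACE" -o "$WG_FACE" -j ACCEPT
"$IPT" -D FORWARD -i "$WG_FACE" -o "$IN_FACE" -j ACCEPT
"$IPT" -D INPUT -i "$IN_FACE" -p udp --dport "$WG_PORT" -j ACCEPT
# IPv6 rules #
"$IPT6" -t nat -D POSTROUTING -s "$SUB_NET_6" -o "$IN_FACE" -j MASQUERADE
"$IPT6" -D INPUT -i "$WG_FACE" -j ACCEPT
"$IPT6" -D FORWARD -i "$IN_FACE" -o "$WG_FACE" -j ACCEPT
"$IPT6" -D FORWARD -i "$WG_FACE" -o "$IN_FACE" -j ACCEPT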
sudo vim /etc/sysctl.d/10-wireguard.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
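# Open the WireGuard UDP port in ufw; replace the placeholder with ListenPort.
sudo ufw allow {wireguardPort}/udp
# Load the forwarding settings now instead of waiting for a reboot.
sudo sysctl -p /etc/sysctl.d/10-wireguard.conf
# Name the hook scripts explicitly. A glob is expanded by the calling shell
# before sudo runs, so it fails when the unprivileged user cannot list
# /etc/wireguard, and "helper/* .sh" (with a space) would also target a stray
# ".sh" in the current directory.
sudo chmod -v +x /etc/wireguard/helper/add-nat-routing.sh /etc/wireguard/helper/remove-nat-routing.sh
# wg0.conf contains the private key; make it readable by root only before
# the service starts.
sudo chmod -v 600 /etc/wireguard/wg0.conf
sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service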
sudo apt install wireguard
Generate wireguard key pair
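# Generate the key pair under a restrictive umask: tee would otherwise create
# /etc/wireguard/privatekey with the default (usually world-readable) mode.
# The private key travels only through the pipe; only the public key is
# echoed to the terminal by the last tee.
(umask 077 && wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey)
# Also covers a privatekey file that already existed with looser permissions,
# or a sudo policy that overrides the caller's umask.
sudo chmod 600 /etc/wireguard/privatekey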
Setup wireguard interface
sudo vim /etc/wireguard/wg0.conf
# Client-side wg0.conf. This file contains the private key in clear text:
# keep it owned by root and not readable by other users (mode 600).
[Interface]
# Placeholder for this client's private key. Never publish or commit this value.
PrivateKey = {clientPrivateKey}
# Tunnel addresses (IPv4, IPv6) assigned to this client's wg0 interface.
Address = 192.168.9.2/24, fd42:42:42::2/64
[Peer]
# Placeholder for the server's public key.
PublicKey = {serverPublicKey}
# Placeholder for the server's address and UDP port.
Endpoint = {wireguardServerIp}:{wireguardServerPort}
# Full tunnel: all IPv4 and IPv6 traffic of this client is routed through the
# peer. List only the VPN subnets here instead if just those should use the
# tunnel.
AllowedIPs = 0.0.0.0/0, ::/0
Wireguard connection commands
Enable wireguard auto start
sudo systemctl enable wg-quick@wg0.service