Install WireGuard via whatever package manager you use. For me, I use apt.
$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard
MacOS
$ brew install wireguard-tools
Generate your key pairs. They are just that, key pairs: they can be generated on any device, as long as you keep the private key on the source and place the public key on the destination.
$ wg genkey | tee privatekey | wg pubkey > publickey
example privatekey - mNb7OIIXTdgW4khM7OFlzJ+UPs7lmcWHV7xjPgakMkQ=
example publickey - 0qRWfQ2ihXSgzUbmHXQ70xOxDd7sZlgjqGSPA9PFuHg=
One can also generate a preshared key to add an additional layer of symmetric-key cryptography, mixed into the existing public-key cryptography, for post-quantum resistance.
# wg genpsk > preshared
Take the above private key and place it on the server; conversely, put the public key on the peer. Generate a second key pair and do the opposite: put the public key on the server and the private key on the peer. Put the preshared key in the client config if you choose to use it.
On the server, create a conf file - /etc/wireguard/wg0.conf (these are examples, so use whatever IP ranges and CIDR blocks will work for your network).
################################
[Interface]
Address = 10.0.0.1/24
DNS = 1.1.1.1
PrivateKey = [ServerPrivateKey]
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp9s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp9s0 -j MASQUERADE
[Peer]
#Peer #1
PublicKey = [Peer#1PublicKey]
AllowedIPs = 10.0.0.3/32
[Peer]
#Peer #2
PublicKey = [Peer#2PublicKey]
AllowedIPs = 10.0.0.10/32
[Peer]
#Peer #3
PublicKey = [Peer#3PublicKey]
AllowedIPs = 10.0.0.2/32
[Peer]
#Peer #4
PublicKey = [Peer#4PublicKey]
AllowedIPs = 10.0.0.11/32
##################################
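As an added example (not part of the gist), a small Python linter for a server-side conf like the one above: it parses the repeated [Peer] sections and flags unfilled or malformed keys, AllowedIPs that are not a single host inside the tunnel subnet, and one address routed to two peers (the "IP conflict" case). The sample conf is constructed; its valid keys are the gist's example keys.

```python
import base64
import ipaddress

def parse_wg_conf(text):
    """Split a wg-quick conf into [(section, {key: value})]; [Peer] may repeat."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            sections.append((line.strip("[]"), {}))
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def valid_key(value):
    try:  # a WireGuard key is 32 bytes, base64-encoded as 44 characters
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def lint_server(text):
    """Lint a server conf: bad peer keys, routes that are not one host in the subnet, duplicate hosts."""
    sections = parse_wg_conf(text)
    iface = next(body for name, body in sections if name == "Interface")
    subnet = ipaddress.ip_interface(iface["Address"]).network
    findings, owner = [], {}
    for _, body in (s for s in sections if s[0] == "Peer"):
        peer = body.get("PublicKey", "?")[:8]
        if not valid_key(body.get("PublicKey", "")):
            findings.append(f"Peer {peer}: PublicKey is not a valid 32-byte key")
        for cidr in body.get("AllowedIPs", "").split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net.version != subnet.version or not net.subnet_of(subnet) or net.prefixlen != net.max_prefixlen:
                findings.append(f"Peer {peer}: {net} is not a single host in {subnet}")
            if net in owner:
                findings.append(f"Peer {peer}: {net} is already routed to {owner[net]}")
            owner[net] = peer
    return findings

# Constructed sample shaped like the wg0.conf above; Peer #2 keeps an unfilled placeholder key and repeats Peer #1's address.
SAMPLE_SERVER_CONF = """[Interface]
Address = 10.0.0.1/24
[Peer]
PublicKey = 0qRWfQ2ihXSgzUbmHXQ70xOxDd7sZlgjqGSPA9PFuHg=
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = [Peer#2PublicKey]
AllowedIPs = 10.0.0.3/32, 192.168.1.0/24
"""
```

Run `lint_server(open("/etc/wireguard/wg0.conf").read())` on the real file before `wg-quick up`; an empty list means none of the three checks fired.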
On each client, define a /etc/wireguard/mobile_user.conf -
###################################
[Interface]
Address = 10.0.0.3/24
PrivateKey = [PrivateKeyPeer#1]
[Peer]
PublicKey = [ServerPublicKey]
PresharedKey = [PresharedKey]
Endpoint = some.domain.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
# if you want to do split tunnel, add your allowed IPs
# for example if your home network is 192.168.1.0/24
# AllowedIPs = 192.168.1.0/24
# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25
########################################
$ sudo wg show
#########################################
peer: Peer #1
endpoint: 192.168.2.1:50074
allowed ips: 10.0.0.2/32
latest handshake: 4 minutes, 16 seconds ago
transfer: 57.58 KiB received, 113.32 KiB sent
peer: Peer #2
endpoint: 99.203.28.43:36770
allowed ips: 10.0.0.10/32
latest handshake: 5 minutes, 30 seconds ago
transfer: 92.98 KiB received, 495.89 KiB sent
##################################################
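Added example, not from the gist: parsing `wg show` output like the listing above to flag peers whose latest handshake is stale. With PersistentKeepalive set, WireGuard renegotiates roughly every two minutes while a peer is reachable, so a handshake older than three minutes, or none at all, means that peer is not currently connected. The sample output is constructed in the shape of the listing above, with peer keys shown as labels.

```python
import re

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def handshake_age(value):
    """'4 minutes, 16 seconds ago' -> 256 seconds."""
    return sum(int(n) * UNIT_SECONDS[unit] for n, unit in
               re.findall(r"(\d+) (second|minute|hour|day)s?", value))

def parse_wg_show(output):
    """Turn `wg show` text into one dict per peer; 'handshake' is the age in
    seconds of the latest handshake, or None if the peer never completed one."""
    peers = []
    for line in (raw.strip() for raw in output.splitlines()):
        if line.startswith("peer:"):
            peers.append({"peer": line.split(":", 1)[1].strip(), "handshake": None})
        elif peers and ":" in line:  # lines before the first peer describe the interface
            field, value = (part.strip() for part in line.split(":", 1))
            if field == "latest handshake":
                peers[-1]["handshake"] = handshake_age(value)
            else:
                peers[-1][field] = value
    return peers

def stale_peers(output, max_age=180):
    """Peers not seen within max_age seconds (default: WireGuard's roughly
    three-minute session expiry), plus peers that never handshook at all."""
    return [p["peer"] for p in parse_wg_show(output)
            if p["handshake"] is None or p["handshake"] > max_age]

# Constructed sample: one fresh peer, one stale peer, one that never connected.
SAMPLE_WG_SHOW = """interface: wg0

peer: Peer #1
  endpoint: 192.168.2.1:50074
  allowed ips: 10.0.0.2/32
  latest handshake: 1 minute, 12 seconds ago
  transfer: 57.58 KiB received, 113.32 KiB sent

peer: Peer #2
  endpoint: 99.203.28.43:36770
  allowed ips: 10.0.0.10/32
  latest handshake: 5 minutes, 30 seconds ago
  transfer: 92.98 KiB received, 495.89 KiB sent

peer: Peer #3
  allowed ips: 10.0.0.11/32
"""
```

Feed it the real output with `stale_peers(subprocess.check_output(["sudo", "wg", "show"], text=True))` from a cron job or monitoring check.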
Start/stop interface
wg-quick up wg0
wg-quick down wg0
Start/stop service
$ sudo systemctl stop wg-quick@wg0.service
$ sudo systemctl start wg-quick@wg0.service
Instead of modifying the file for every client you want to add to the server, you can also use the wg tool:
# add peer
wg set wg0 peer <client_pubkey> allowed-ips 10.0.0.x/32
# verify connection
wg
# save to config
wg-quick save wg0
######### EDIT ##############
I was setting up a relative with a WireGuard config, and figured I might as well use qrencode to do it since I have it installed on my local machine.
qrencode -t ansiutf8 < /etc/wireguard/mobile_user.conf
Great explanation, saved me hours of setup. Thanks so much!
Possible: one peer, multiple users?
Possible, but I don't think that they could be on at the same time, as that would cause an IP conflict.
Thanks for this! Probably one of the best guides I've seen when setting up Wireguard.
Well, thanks. Glad it helped you in some shape or fashion.
Awesome Cheatsheet, much appreciated!
I was having problems if my ISP gave me an IPv6 address, where the traffic is not forwarded. Using this for client configs: AllowedIPs = 0.0.0.0/0, ::/0 fixed the problem.
Might also note that you need to enable IPv4/IPv6 forwarding on your server.
I've yet to run into IPv6 issues, but appreciate the update in case I or anyone else needs to modify their config to do so.
I've updated the gist above and also included a comment if you wanted to have a split tunnel configuration too.
Glad this gist is helping people.
To make it possible for two peers connected to a peer acting as VPN server to communicate, the server must enable packet forwarding by changing the file:
/etc/sysctl.conf
Uncomment the line with
net.ipv4.ip_forward=1
Save and run the following to update the configuration:
$ sysctl -p
What do your peers' config files look like? The QR code does me no good.
Otherwise, thanks! This has helped me a lot already.
@charlescurley you're looking for the block between lines 60 and 77 for an example peer config.
@OvertCoffee is correct.
@charlescurley on your remote device, you would define a conf file and it would look like:
[Interface]
Address = 10.0.0.3/24
PrivateKey = [PrivateKeyPeer#1]
[Peer]
PublicKey = [ServerPublicKey]
PresharedKey = [PresharedKey]
Endpoint = some.domain.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
I'm just amazed people find this gist useful. :)
Is there a way I can allow multiple people to connect to just one config?
Are you saying, allow multiple people using their own individual configs to connect to one server? Absolutely.
These are examples:
On the server:
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = wBfQNbT+SbkCl1Hsgv+sPV0kwpKdqC4Q3I94isUtQHQ=
[Peer]
PublicKey = NSPdMgTuLHnlg2PRio3x6GnVWicrUE+iaClEcPTfInc=
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = qW7suzm8Jw+0/Qu9g/lS5403PYzMk/HGgtG9Av3U0TI=
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = 8AgfQ408s9dmyAfVDccytqHBn5zEoIn6HWQ/OTH1Tyg=
AllowedIPs = 10.0.0.4/32
Client 1
[Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKey = 6PEGUwl7UMRj2veHOAkTryAu+Nm0tqjZlHBtVQH10GY=
[Peer]
PublicKey = 4UfqmvsT2uFz17wUScJxBGmmZ0LWRealFecgO2UheW4=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myserver.dyndns.org:51820
Client 2
[Interface]
Address = 10.0.0.3/24
ListenPort = 51820
PrivateKey = sG6LRsykciC46TGprzQvQZpjDOo9ekqijRCATQe4Zk8=
[Peer]
PublicKey = 4UfqmvsT2uFz17wUScJxBGmmZ0LWRealFecgO2UheW4=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myserver.dyndns.org:51820
Client 3
[Interface]
Address = 10.0.0.4/24
ListenPort = 51820
PrivateKey = qPD27SKbSp3dTdFIQ3KakwRgpXJdHBcrEUralEMATEs=
[Peer]
PublicKey = 4UfqmvsT2uFz17wUScJxBGmmZ0LWRealFecgO2UheW4=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myserver.dyndns.org:51820
No, I meant allow multiple people to use a shared config. Basically 1 config for like 5 people or something.
Why would you do that? If one person goes rogue and you need to prohibit them from connecting, you have to delete the config and reissue a new config to share with the remaining 4.
You could probably do it, it is just bad practice.
In case I would ever want to use it for a VPN app, so it would allow people to use WireGuard and it just makes things easier. Also, if one of them goes rogue I could just use iptables and ban their IP address from the server to stop them from connecting.
If I go rogue and you ban my IP, I'll just come in from somewhere else with a different IP. Plus, IP addresses may be dynamic, so that isn't a good strategy.
Seriously, if that is your route, issue credentials for each user. If you think that is too complex, just use something like https://www.wireguardconfig.com
That's a good point. Anyways thanks for your help. :)
Hi Chris, great post, thank you. If I want to connect a peer to another peer, what would the configuration file look like?
I have my server sitting on Ubuntu, but the server my users need to access is a Windows server that I've set up as a peer to Ubuntu.
I added the public key for each peer to the others config file but that didn't work.
Hi Chris! Posting that wireguardconfig site is so helpful! Great write up.
@kaylamc2 Heh, it makes it a little easier. While I still use WireGuard for things, tailscale.com is awesome, especially for an enterprise.
I'm new to WireGuard and this is just a fantastic help. Thanks.
Hi Chris....
Fellow Rube Goldberg machine builder here....
Say, it would be really helpful if you describe what hardware you are using for each device...
I could guess Debian and MacOS, but it would help a lot if you were more explicit!
Thanks!