| Install WireGuard via whatever package manager you use. For me, I use apt. | |
| $ sudo add-apt-repository ppa:wireguard/wireguard | |
| $ sudo apt-get update | |
| $ sudo apt-get install wireguard | |
| MacOS | |
| $ brew install wireguard-tools | |
| Generate key your key pairs. The key pairs are just that, key pairs. They can be | |
| generated on any device, as long as you keep the private key on the source and | |
| place the public on the destination. | |
| $ wg genkey | tee privatekey | wg pubkey > publickey | |
| example privatekey - mNb7OIIXTdgW4khM7OFlzJ+UPs7lmcWHV7xjPgakMkQ= | |
| example publickey - 0qRWfQ2ihXSgzUbmHXQ70xOxDd7sZlgjqGSPA9PFuHg= | |
| One can also generate a preshared key to add an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance. | |
| # wg genpsk > preshared | |
| Take the above private key, and place it in the server. And conversely, put the | |
| public key on the peer. Generate a second key pair, and do the opposite, put the | |
| public on the server and the private on the peer. Put the preshared key in the client config if you choose to use it. | |
| On the server, create a conf file - /etc/wireguard/wg0.conf (These are examples, | |
| so use whatever IP ranges and CIDR blocks that will work for your network. | |
| ################################ | |
| [Interface] | |
| Address = 10.0.0.1/24 | |
| DNS = 1.1.1.1 | |
| PrivateKey = [ServerPrivateKey] | |
| ListenPort = 51820 | |
| PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp9s0 -j MASQUERADE | |
| PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp9s0 -j MASQUERADE | |
| [Peer] | |
| #Peer #1 | |
| PublicKey = [Peer#1PublicKey] | |
| AllowedIPs = 10.0.0.3/32 | |
| [Peer] | |
| #Peer #2 | |
| PublicKey = [Peer#2PublicKey] | |
| AllowedIPs = 10.0.0.10/32 | |
| [Peer] | |
| #Peer #3 | |
| PublicKey = [Peer#3PublicKey] | |
| AllowedIPs = 10.0.0.2/32 | |
| [Peer] | |
| #Peer #4 | |
| PublicKey = [Peer#4PublicKey] | |
| AllowedIPs = 10.0.0.11/32 | |
| ################################## | |
| On each client, define a /etc/wireguard/mobile_user.conf - | |
| ################################### | |
| [Interface] | |
| Address = 10.0.0.3/24 | |
| PrivateKey = [PrivateKeyPeer#1] | |
| [Peer] | |
| PublicKey = [ServerPublicKey] | |
| PresharedKey = [PresharedKey] | |
| Endpoint = some.domain.com:51820 | |
| AllowedIPs = 0.0.0.0/0, ::/0 | |
| # if you want to do split tunnel, add your allowed IPs | |
| # for example if your home network is 192.168.1.0/24 | |
| # AllowedIPs = 192.168.1.0/24 | |
| # This is for if you're behind a NAT and | |
| # want the connection to be kept alive. | |
| PersistentKeepalive = 25 | |
| ######################################## | |
| sudo wg show | |
| ######################################### | |
| peer: Peer #1 | |
| endpoint: 192.168.2.1:50074 | |
| allowed ips: 10.0.0.2/32 | |
| latest handshake: 4 minutes, 16 seconds ago | |
| transfer: 57.58 KiB received, 113.32 KiB sent | |
| peer: Peer #2 | |
| endpoint: 99.203.28.43:36770 | |
| allowed ips: 10.0.0.10/32 | |
| latest handshake: 5 minutes, 30 seconds ago | |
| transfer: 92.98 KiB received, 495.89 KiB sent | |
| ################################################## | |
| Start/stop interface | |
| wg-quick up wg0 | |
| wg-quick down wg0 | |
| Start/stop service | |
| $ sudo systemctl stop wg-quick@wg0.service | |
| $ sudo systemctl start wg-quick@wg0.service | |
| Instead of having to modify the file for every client you want to add to the | |
| server you could also use the wg tool instead: | |
| # add peer | |
| wg set wg0 peer <client_pubkey> allowed-ips 10.0.0.x/32 | |
| # verify connection | |
| wg | |
| # save to config | |
| wg-quick save wg0 | |
| ######### EDIT ############## | |
| I was setting up a relative with a Wireguard config, and figured I might as well use qrencode to do it since I have it installed on my local machine. | |
| qrencode -t ansiutf8 < /etc/wireguard/mobile_user.conf | |
| █████████████████████████████████████████████████████████████████████████████ | |
| █████████████████████████████████████████████████████████████████████████████ | |
| ████ ▄▄▄▄▄ █▄▀████▀▀█ ▄▀▀▀▄▄ ▄▄▄▄▄▀ █ ██▀█ ▄▀▀██▄ ▄ ▀█▀▄█ ▄▄ ▀▄▄▄█ ▄▄▄▄▄ ████ | |
| ████ █ █ █ ▀▀█▀█▄▄▄ █▀██▄ ▄▀ ▀ ▄▀▄█▄▄ ▄█▀▀█▄▄ ▄█ ▄ █ ▄█▄█▀█ █ █ ████ | |
| ████ █▄▄▄█ █▄▄█▄ ▀█ ▀▄█████ ▀ ▄▄▀▄ █ ▄▄▄ █▄▄▀▀▀▀▀▀██▄ █▄ ▀ ▀ █▄█ █▄▄▄█ ████ | |
| ████▄▄▄▄▄▄▄█▄█ █▄▀▄▀ █▄█▄█ ▀ ▀▄▀ ▀ ▀ █▄█ █▄█ █▄█▄█▄▀ █▄▀ █▄▀ █▄▀▄█▄▄▄▄▄▄▄████ | |
| ████▄▄ ▀▀▄▀ ▄ ██▄ █▀▄▄▀█▄▀ ▄▀▄▀██ ▄ ▄ ▀ █ ██▀ █▀▄▀▄▄ ▀ ▄ █ █▀▄▄ ▀ ████ | |
| ████▀▄ ▀█▀▄▀█ █ ▀██▄█ █▀▄█▀ ▄▄█▄▀ ▀▄█ ▀▀ ▀▄▀▄▀██▄ ▀██▀▄▀█▀█ █ ▄█ ▄██▀████ | |
| █████ ▄▄▀ ▄ ██▀█▀▄ ▄▄█ ▀ ▄ █ ▀██ ▀▄█ █ ▄▄█▄█ ▀▀ ███ █▀▄▀▄ █ ▄█ ▄█▀ █ ▀█ ████ | |
| ████▀█ ▄ ▄▀▄▀ ▄████▄▄█▄█ █▀█▀ ▀▀█▄█ ▄▀ ▄█▀█▄▀ █▀▄ █▀▄▀ ▄█▄█ ██ █▄▀▀ ▀ ████ | |
| ████ ▀█ ▄▀▄█▄▄▀ ▀█ ▄█▄█ █▄ █ ▄ ▄ ▀▀█▄▀ ▀▄█ █ ▀ ▀▀ █▀██▄█▄▀ ▄█▄█ ▀▄▄▀▄████ | |
| ████▄ ▄█ ▀▄▀▄▄▄ █▀ ▄▀█▀▀▄▀█ █▀▄▄▀ ▄█▀ ██ █▀ ▄ ▄▀███▀██▀▀ █▀▄▄ ▄█ █▄█ █████ | |
| ████▀ ▄ ▄▀▄▄▀▀ ▄ ███▀▀▀█ ▀▄▄█▄▀█▀█▀█ ▄█ ▄█▄█▄█▄█▀▀█▄▀▄█ █ ▀▀▄██ █ ▀▀▄▄ ▄████ | |
| ████▀▄ ▄█▀▄▀██ █▀ ▄ ▀█▄ ▀▄ █▀ ▄▀▀█ ▄ ▄ ▀▀▀▄▀▀ ▄▄▄▄▀▀▄▀▄████▄█▄ ▄▀▀█▄█ ████ | |
| █████ ▀▄▄▀▄ ▄█▄▀█▀ ▀ ██ ▄█ ▄█ ▀▄█▀▄▄ ▀███▄█▀ ██ ▄█ ▄ ▀▀▄▄█▀▀ ██▄▀ █▀▀█████ | |
| ████ ▀▄█ ▄▀▄ ▀▄ ▀ █▀▄▀█ █ █▀ ██ █ ▄ █▄▄██▀▄▀▀ ▄▀█▄ █▄▄▀ ▀▀▄▀▀██▀ ██▀▀████ | |
| █████▄▄█▄█▄▀█▀▀▄▄ ▀▄▀ ▄▀▄▄██▀▀▀▀██▄█▄▄▀ ▄█▄▄█▄▄ █ ▀█▄▀█▀▀▄███▄ ▄ ▀ ▀ ████ | |
| █████ ▄ ▀▄▄ ▄▀█▄▄▄█▀█▄▄▄ ▀▀█▄▀█▄█▄█ ▄█▀▄█▀▄█ ██▀▄ ▄ ▄▄▄▀▀███▀█▄█ ▄▀██▀█████ | |
| ████▄███ ▄▄▄ ▀▄▄▄▄▀▀▄▀▀██▀ █▄ ▀█▀█ ▄▄▄ ▀▀▄▀ █ ▄▀▄ █▀▄▄▀ ▀▄▄▄ ▄▄▄ ▄▄ █████ | |
| ████▄ █▀ █▄█ █▀▄ ▀▄ ▄ ▄ ▀█▄█▀█ ▀▀█ █▄█ ▀█▀ ▄████▀▄█ ▄▀▄ ██▄▄▄ █▄█ ▀▄▄▄████ | |
| ████ ▄▄ ▄▄▄▄█ █ ▀▀█▄▄▄ █▄ ▄ █▀▀▀ ██▀▄▄▄▀██▀ ▄▄ ▄▀██▄▄▄ ▄▀ █████ | |
| ████▀█▀▀▄ ▄▀▀▄ ▄▀ ▀▀ ▀▄ █▀▄█ ▀ █▀▄▀▄▀▀█▄▀ ▄▄▀▀ ▀▀██ ▀▄▄▀▄▀▀▄ ▄▀███▄ ▄▄████ | |
| █████▀ ▀ ▄ █▀▀ ██ ▄▀▀▀▀▄█▀█▀ █ ▀█▄ ▀█▄ █▀███ █▄ ▄▀▀▄██▄▄ ▄▄█▀▄ ▄ ████ | |
| ███████▄ ▄▄▄ ▀▄▄ ▀ ████▄ ▀█▀▀▀█▄▀ ▀ ▄█ ▀ ▄█▀▄ █▀▀▀▄▄▀▀ ▄█▄ ██▀ ▀ █████ | |
| ██████ ▄▄▄▀ █▀ ▀▀ ▄ ▀ █ ▀ ███ ▄▄ ▄▀ ███▄▀ ▄ ▄▀ ▄███▄█▄▀▀▄█ ▄▀ ▀████ | |
| ████ ▄█▀▀▀▄▀▀ ▀█ ▀▄ █ █▀▄▄▄█▀▄ ▀ █▄▄█▄ ▄▄▀█ ▀ █▀▄▀ ██▀▄█▀▀█ ▄▀▄█▄ █▄ ████ | |
| ████▀███▀▀▄▀ ▀ █ ▄▀▄█ █▀██▀▀▄▀██ ▀▀▄▀█ ▀ ▀ ▄ ▀ ▀▄█▀█▄█ ▄▀ █▀▄ ██▄█▀▀▀ ████ | |
| ████▄ ▄▄▄▀▄▀▄ █▄ █▀ ▄▀▄ █▄▄▀ ▄▀█▄▀█▀▀ █▀ █ █▄▄ ▀▀ █▄▄▀█ █▀ ▀ ▀▀▄ ▄ ▄█████ | |
| ████ ▄▀█ █▄▀▄▀▄ ▄▄▄▀▄▄▀ █▀ ▄█▀▄█▄▄█ ▄▀▄ █▀█▀▀█▀█▀█ ▀ ▀▀▄█▀▄▄ ▄▄█▀ █▄█ ████ | |
| ████▀ █ ▀█▄▄█▄▀▄ █▄▄ █▀█▄█ ▀█▄▄▀▀█ ▄▀▀▄▄▄▄▀█▄▄▀█ ▀█▄ ▄ ▀█▄▀█▄█▀▄▄ ▄█▀████ | |
| ████ ▄ ▄ ▄█▀▀▀▄ ███ █▄▄█ █▄▀██▀▄████▄█▄██▄█▀▀▄ █▄▀ █▀▄█▀█ ▄█▄█▀ ▀██▄▀████ | |
| ████ █▄█▄▄▄▄ ▄▄███▀▄▄█ ▄▀▄▄█ ▄█ ▀▄▄▀▄█▀▀█▀▄▄▄█▀█▀ ▀ █▀ ▄▀▀ ▀ █▀ ▄ ▄ ▄ ████ | |
| ████▄██▄▄█▄▄ ▄▄ █▀▄█▄█ ██ ▄▀█████▀▀ ▄▄▄ ▄▀▄█▀▀ ▀█▀▀▄█▄ ▄▄ █ █▄▀ ▄▄▄ ▄▄█▄████ | |
| ████ ▄▄▄▄▄ ██ █▄▄▀▄ █▀▀▄▄█▄ ▄▄▀ ▀▀██ █▄█ ▀██ ▄▀▄█▀ ████▀▄██▄█▀█▄ █▄█ ▀▄▀████ | |
| ████ █ █ █▀▀▄█ ▄▄█ █ ▄▄█▄ ██▄▄▀▀█▄▄▄ █▄▄▀█▄█▄▄▄ ▀ ▀ ▀▀▄█▀▄ ▀ ▄▄ █▄▀▄████ | |
| ████ █▄▄▄█ █ ▄█ ▄▀ █ █▀▄▀▄█ ▀▀▀▀██ █▄ █▀▀ █ ▀▄▀▄▀█▀ ▄█▀▀ █▀▄▄ ▀▄▄ █▀ ▀█▀████ | |
| ████▄▄▄▄▄▄▄█▄███▄▄██▄▄▄▄▄█▄█▄█▄▄█▄▄▄▄█▄█▄▄█▄▄▄█▄▄█▄███▄█▄████▄█▄██▄█▄█▄██████ | |
| █████████████████████████████████████████████████████████████████████████████ | |
| ████████████████████████████████████████████████████████████████████████████ | |
I've yet to run into IPv6 issues, but appreciate the update in case I or anyone else needs to modify their config to do so.
I've updated the gist above and also included a comment if you wanted to have a split tunnel configuration too.
Glad this gist is helping people.
To make possible communicate two peers connected to a peer acting as vpn server, the server must enable packet forward changing the file:
/etc/sysctl.conf
Uncomment the line with
net.ipv4.ip_forward=1
save and run to update configuration
$ sysctl -p
What do your peers' config files look like? The QR code does me no good.
Otherwise, thanks! This has helped me a lot already.
@charlescurley you're looking for the block between lines 60 and 77 for an example peer config.
@OvertCoffee is correct.
@charlescurley on your remote device, you would define a conf file and it would look like:
[Interface]
Address = 10.0.0.3/24
PrivateKey = [PrivateKeyPeer#1]
[Peer]
PublicKey = [ServerPublicKey]
PresharedKey = [PresharedKey]
Endpoint = some.domain.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
I'm just amazed people find this gist useful. :)
is there a way I can allow multiple people to connect to just one config?
Are you saying, allow multiple people using their own individual configs to connect to one server? Absolutely.
These are examples:
On the server:
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = wBfQNbT+SbkCl1Hsgv+sPV0kwpKdqC4Q3I94isUtQHQ=
[Peer]
PublicKey = NSPdMgTuLHnlg2PRio3x6GnVWicrUE+iaClEcPTfInc=
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = qW7suzm8Jw+0/Qu9g/lS5403PYzMk/HGgtG9Av3U0TI=
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = 8AgfQ408s9dmyAfVDccytqHBn5zEoIn6HWQ/OTH1Tyg=
AllowedIPs = 10.0.0.4/32
Client 1
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKey = 6PEGUwl7UMRj2veHOAkTryAu+Nm0tqjZlHBtVQH10GY=
[Peer]
PublicKey = 4UfqmvsT2uFz17wUScJxBGmmZ0LWRealFecgO2UheW4=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myserver.dyndns.org:51820
Client 2
Address = 10.0.0.3/24
ListenPort = 51820
PrivateKey = sG6LRsykciC46TGprzQvQZpjDOo9ekqijRCATQe4Zk8=
[Peer]
PublicKey = 4UfqmvsT2uFz17wUScJxBGmmZ0LWRealFecgO2UheW4=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myserver.dyndns.org:51820
Client 3
Address = 10.0.0.4/24
ListenPort = 51820
PrivateKey = qPD27SKbSp3dTdFIQ3KakwRgpXJdHBcrEUralEMATEs=
[Peer]
PublicKey = 4UfqmvsT2uFz17wUScJxBGmmZ0LWRealFecgO2UheW4=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myserver.dyndns.org:51820
no i meant allow multiple people to use a shared config. basically 1 config for like 5 people or something.
Why would you do that? If one person goes rogue and you need to prohibit them from connecting, you have to delete the config and reissue a new config to share with the remaining 4.
You could probably do it, it is just bad practice.
In case I would ever want to use it for a vpn app so it would allow people to use wireguard and it just makes things easier. Also if one of them goes rouge I could just use iptables and ban their ip address from the server to stop them from connecting.
If I go rogue and you ban my IP, I'll just come in from somewhere else with a different IP. Plus IP address may be dynamic, so that isn't a good strategy.
Seriously, if that is your route, issue credentials for each user. If you think that is too complex, just use something like https://www.wireguardconfig.com
That's a good point. Anyways thanks for your help. :)
Hi Chris, great post, thank you. If I want to connect a peer to another peer, what would the configuration file look like?
I have my server sitting on Ubuntu but the server my users need to access is a windows server that I've setup as a peer to Ubuntu.
I added the public key for each peer to the others config file but that didn't work.
I was having problems if my ISP gave me an ipv6; where the traffic is not forwarded. Using this for client configs
AllowedIPs = 0.0.0.0/0, ::/0fixed the problem.Might also note that you need to enable ipv4/ipv6 forwarding in your server.