Skip to content

Instantly share code, notes, and snippets.

@chrisswanda
Last active January 11, 2025 10:56
Show Gist options
  • Save chrisswanda/88ade75fc463dcf964c6411d1e9b20f4 to your computer and use it in GitHub Desktop.
Save chrisswanda/88ade75fc463dcf964c6411d1e9b20f4 to your computer and use it in GitHub Desktop.
Stupid simple setting up WireGuard - Server and multiple peers
Install WireGuard via whatever package manager you use. For me, I use apt.
$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard
MacOS
$ brew install wireguard-tools
Generate key your key pairs. The key pairs are just that, key pairs. They can be
generated on any device, as long as you keep the private key on the source and
place the public on the destination.
$ wg genkey | tee privatekey | wg pubkey > publickey
example privatekey - mNb7OIIXTdgW4khM7OFlzJ+UPs7lmcWHV7xjPgakMkQ=
example publickey - 0qRWfQ2ihXSgzUbmHXQ70xOxDd7sZlgjqGSPA9PFuHg=
One can also generate a preshared key to add an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.
# wg genpsk > preshared
Take the above private key, and place it in the server. And conversely, put the
public key on the peer. Generate a second key pair, and do the opposite, put the
public on the server and the private on the peer. Put the preshared key in the client config if you choose to use it.
On the server, create a conf file - /etc/wireguard/wg0.conf (These are examples,
so use whatever IP ranges and CIDR blocks that will work for your network.
################################
[Interface]
Address = 10.0.0.1/24
DNS = 1.1.1.1
PrivateKey = [ServerPrivateKey]
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp9s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp9s0 -j MASQUERADE
[Peer]
#Peer #1
PublicKey = [Peer#1PublicKey]
AllowedIPs = 10.0.0.3/32
[Peer]
#Peer #2
PublicKey = [Peer#2PublicKey]
AllowedIPs = 10.0.0.10/32
[Peer]
#Peer #3
PublicKey = [Peer#3PublicKey]
AllowedIPs = 10.0.0.2/32
[Peer]
#Peer #4
PublicKey = [Peer#4PublicKey]
AllowedIPs = 10.0.0.11/32
##################################
On each client, define a /etc/wireguard/mobile_user.conf -
###################################
[Interface]
Address = 10.0.0.3/24
PrivateKey = [PrivateKeyPeer#1]
[Peer]
PublicKey = [ServerPublicKey]
PresharedKey = [PresharedKey]
Endpoint = some.domain.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
# if you want to do split tunnel, add your allowed IPs
# for example if your home network is 192.168.1.0/24
# AllowedIPs = 192.168.1.0/24
# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25
########################################
sudo wg show
#########################################
peer: Peer #1
endpoint: 192.168.2.1:50074
allowed ips: 10.0.0.2/32
latest handshake: 4 minutes, 16 seconds ago
transfer: 57.58 KiB received, 113.32 KiB sent
peer: Peer #2
endpoint: 99.203.28.43:36770
allowed ips: 10.0.0.10/32
latest handshake: 5 minutes, 30 seconds ago
transfer: 92.98 KiB received, 495.89 KiB sent
##################################################
Start/stop interface
wg-quick up wg0
wg-quick down wg0
Start/stop service
$ sudo systemctl stop wg-quick@wg0.service
$ sudo systemctl start wg-quick@wg0.service
Instead of having to modify the file for every client you want to add to the
server you could also use the wg tool instead:
# add peer
wg set wg0 peer <client_pubkey> allowed-ips 10.0.0.x/32
# verify connection
wg
# save to config
wg-quick save wg0
######### EDIT ##############
I was setting up a relative with a Wireguard config, and figured I might as well use qrencode to do it since I have it installed on my local machine.
qrencode -t ansiutf8 < /etc/wireguard/mobile_user.conf
█████████████████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████████████████
████ ▄▄▄▄▄ █▄▀████▀▀█ ▄▀▀▀▄▄ ▄▄▄▄▄▀ █ ██▀█ ▄▀▀██▄ ▄ ▀█▀▄█ ▄▄ ▀▄▄▄█ ▄▄▄▄▄ ████
████ █ █ █ ▀▀█▀█▄▄▄ █▀██▄ ▄▀ ▀ ▄▀▄█▄▄ ▄█▀▀█▄▄ ▄█ ▄ █ ▄█▄█▀█ █ █ ████
████ █▄▄▄█ █▄▄█▄ ▀█ ▀▄█████ ▀ ▄▄▀▄ █ ▄▄▄ █▄▄▀▀▀▀▀▀██▄ █▄ ▀ ▀ █▄█ █▄▄▄█ ████
████▄▄▄▄▄▄▄█▄█ █▄▀▄▀ █▄█▄█ ▀ ▀▄▀ ▀ ▀ █▄█ █▄█ █▄█▄█▄▀ █▄▀ █▄▀ █▄▀▄█▄▄▄▄▄▄▄████
████▄▄ ▀▀▄▀ ▄ ██▄ █▀▄▄▀█▄▀ ▄▀▄▀██ ▄ ▄ ▀ █ ██▀ █▀▄▀▄▄ ▀ ▄ █ █▀▄▄ ▀ ████
████▀▄ ▀█▀▄▀█ █ ▀██▄█ █▀▄█▀ ▄▄█▄▀ ▀▄█ ▀▀ ▀▄▀▄▀██▄ ▀██▀▄▀█▀█ █ ▄█ ▄██▀████
█████ ▄▄▀ ▄ ██▀█▀▄ ▄▄█ ▀ ▄ █ ▀██ ▀▄█ █ ▄▄█▄█ ▀▀ ███ █▀▄▀▄ █ ▄█ ▄█▀ █ ▀█ ████
████▀█ ▄ ▄▀▄▀ ▄████▄▄█▄█ █▀█▀ ▀▀█▄█ ▄▀ ▄█▀█▄▀ █▀▄ █▀▄▀ ▄█▄█ ██ █▄▀▀ ▀ ████
████ ▀█ ▄▀▄█▄▄▀ ▀█ ▄█▄█ █▄ █ ▄ ▄ ▀▀█▄▀ ▀▄█ █ ▀ ▀▀ █▀██▄█▄▀ ▄█▄█ ▀▄▄▀▄████
████▄ ▄█ ▀▄▀▄▄▄ █▀ ▄▀█▀▀▄▀█ █▀▄▄▀ ▄█▀ ██ █▀ ▄ ▄▀███▀██▀▀ █▀▄▄ ▄█ █▄█ █████
████▀ ▄ ▄▀▄▄▀▀ ▄ ███▀▀▀█ ▀▄▄█▄▀█▀█▀█ ▄█ ▄█▄█▄█▄█▀▀█▄▀▄█ █ ▀▀▄██ █ ▀▀▄▄ ▄████
████▀▄ ▄█▀▄▀██ █▀ ▄ ▀█▄ ▀▄ █▀ ▄▀▀█ ▄ ▄ ▀▀▀▄▀▀ ▄▄▄▄▀▀▄▀▄████▄█▄ ▄▀▀█▄█ ████
█████ ▀▄▄▀▄ ▄█▄▀█▀ ▀ ██ ▄█ ▄█ ▀▄█▀▄▄ ▀███▄█▀ ██ ▄█ ▄ ▀▀▄▄█▀▀ ██▄▀ █▀▀█████
████ ▀▄█ ▄▀▄ ▀▄ ▀ █▀▄▀█ █ █▀ ██ █ ▄ █▄▄██▀▄▀▀ ▄▀█▄ █▄▄▀ ▀▀▄▀▀██▀ ██▀▀████
█████▄▄█▄█▄▀█▀▀▄▄ ▀▄▀ ▄▀▄▄██▀▀▀▀██▄█▄▄▀ ▄█▄▄█▄▄ █ ▀█▄▀█▀▀▄███▄ ▄ ▀ ▀ ████
█████ ▄ ▀▄▄ ▄▀█▄▄▄█▀█▄▄▄ ▀▀█▄▀█▄█▄█ ▄█▀▄█▀▄█ ██▀▄ ▄ ▄▄▄▀▀███▀█▄█ ▄▀██▀█████
████▄███ ▄▄▄ ▀▄▄▄▄▀▀▄▀▀██▀ █▄ ▀█▀█ ▄▄▄ ▀▀▄▀ █ ▄▀▄ █▀▄▄▀ ▀▄▄▄ ▄▄▄ ▄▄ █████
████▄ █▀ █▄█ █▀▄ ▀▄ ▄ ▄ ▀█▄█▀█ ▀▀█ █▄█ ▀█▀ ▄████▀▄█ ▄▀▄ ██▄▄▄ █▄█ ▀▄▄▄████
████ ▄▄ ▄▄▄▄█ █ ▀▀█▄▄▄ █▄ ▄ █▀▀▀ ██▀▄▄▄▀██▀ ▄▄ ▄▀██▄▄▄ ▄▀ █████
████▀█▀▀▄ ▄▀▀▄ ▄▀ ▀▀ ▀▄ █▀▄█ ▀ █▀▄▀▄▀▀█▄▀ ▄▄▀▀ ▀▀██ ▀▄▄▀▄▀▀▄ ▄▀███▄ ▄▄████
█████▀ ▀ ▄ █▀▀ ██ ▄▀▀▀▀▄█▀█▀ █ ▀█▄ ▀█▄ █▀███ █▄ ▄▀▀▄██▄▄ ▄▄█▀▄ ▄ ████
███████▄ ▄▄▄ ▀▄▄ ▀ ████▄ ▀█▀▀▀█▄▀ ▀ ▄█ ▀ ▄█▀▄ █▀▀▀▄▄▀▀ ▄█▄ ██▀ ▀ █████
██████ ▄▄▄▀ █▀ ▀▀ ▄ ▀ █ ▀ ███ ▄▄ ▄▀ ███▄▀ ▄ ▄▀ ▄███▄█▄▀▀▄█ ▄▀ ▀████
████ ▄█▀▀▀▄▀▀ ▀█ ▀▄ █ █▀▄▄▄█▀▄ ▀ █▄▄█▄ ▄▄▀█ ▀ █▀▄▀ ██▀▄█▀▀█ ▄▀▄█▄ █▄ ████
████▀███▀▀▄▀ ▀ █ ▄▀▄█ █▀██▀▀▄▀██ ▀▀▄▀█ ▀ ▀ ▄ ▀ ▀▄█▀█▄█ ▄▀ █▀▄ ██▄█▀▀▀ ████
████▄ ▄▄▄▀▄▀▄ █▄ █▀ ▄▀▄ █▄▄▀ ▄▀█▄▀█▀▀ █▀ █ █▄▄ ▀▀ █▄▄▀█ █▀ ▀ ▀▀▄ ▄ ▄█████
████ ▄▀█ █▄▀▄▀▄ ▄▄▄▀▄▄▀ █▀ ▄█▀▄█▄▄█ ▄▀▄ █▀█▀▀█▀█▀█ ▀ ▀▀▄█▀▄▄ ▄▄█▀ █▄█ ████
████▀ █ ▀█▄▄█▄▀▄ █▄▄ █▀█▄█ ▀█▄▄▀▀█ ▄▀▀▄▄▄▄▀█▄▄▀█ ▀█▄ ▄ ▀█▄▀█▄█▀▄▄ ▄█▀████
████ ▄ ▄ ▄█▀▀▀▄ ███ █▄▄█ █▄▀██▀▄████▄█▄██▄█▀▀▄ █▄▀ █▀▄█▀█ ▄█▄█▀ ▀██▄▀████
████ █▄█▄▄▄▄ ▄▄███▀▄▄█ ▄▀▄▄█ ▄█ ▀▄▄▀▄█▀▀█▀▄▄▄█▀█▀ ▀ █▀ ▄▀▀ ▀ █▀ ▄ ▄ ▄ ████
████▄██▄▄█▄▄ ▄▄ █▀▄█▄█ ██ ▄▀█████▀▀ ▄▄▄ ▄▀▄█▀▀ ▀█▀▀▄█▄ ▄▄ █ █▄▀ ▄▄▄ ▄▄█▄████
████ ▄▄▄▄▄ ██ █▄▄▀▄ █▀▀▄▄█▄ ▄▄▀ ▀▀██ █▄█ ▀██ ▄▀▄█▀ ████▀▄██▄█▀█▄ █▄█ ▀▄▀████
████ █ █ █▀▀▄█ ▄▄█ █ ▄▄█▄ ██▄▄▀▀█▄▄▄ █▄▄▀█▄█▄▄▄ ▀ ▀ ▀▀▄█▀▄ ▀ ▄▄ █▄▀▄████
████ █▄▄▄█ █ ▄█ ▄▀ █ █▀▄▀▄█ ▀▀▀▀██ █▄ █▀▀ █ ▀▄▀▄▀█▀ ▄█▀▀ █▀▄▄ ▀▄▄ █▀ ▀█▀████
████▄▄▄▄▄▄▄█▄███▄▄██▄▄▄▄▄█▄█▄█▄▄█▄▄▄▄█▄█▄▄█▄▄▄█▄▄█▄███▄█▄████▄█▄██▄█▄█▄██████
█████████████████████████████████████████████████████████████████████████████
████████████████████████████████████████████████████████████████████████████
@chrisswanda
Copy link
Author

@kaylamc2 Heh, it makes it a little easier. While I still use Wireguard for things, tailscale.com awesome, especially for an enterprise.

@jamacoe
Copy link

jamacoe commented Mar 11, 2023

I'm new to WireGuard and this is just a fantastic help. Thanks.

@genieai-vikas
Copy link

@chrisswanda Can a single configuration file be used by multiple users, say, five users sharing the same configuration file? The use case is as follows: I am using the GitHub Action matrix, where the GitHub Action machine may have any IP address, making it difficult to whitelist those IPs in my database. Therefore, I am using a VPN, but providing a separate configuration file for each machine is challenging. Instead, can I create a single configuration file for all GitHub machines to use?

@chrisswanda
Copy link
Author

I would never reuse credentials; it is not a good operational practice. How is providing a separate configuration file challenging, versus if one of your credentials get compromised, and now you have to rotate out your single config on multiple machines versus changing a compromised credential on one machine? Merely curious. If you have to chop down a tree in 6 hours, spend 5 hours sharpening your axe.

But yes, you could use the same config on multiple machines. You are only using public/private key pairs.

@genieai-vikas
Copy link

@chrisswanda It's challenging and very complicated. Here is how
I have used the sharding technique in my BE and UI Tests and run my test parallelly. So GitHub action on the fly create job(machine).

On the contrary, it would be easy for me to rotate the GitHub config file if I am using one config. Instead of 20 config files for GitHub action

@chrisswanda
Copy link
Author

If you are running that many machines, you might want to look into something else, but that is another conversation.

But, if merely changing out a config file works and you are comfortable with using one credential, then it should work. It is merely a public/private keypair.

@thirupathicys
Copy link

Hi Chriss,
How to configure the wireguard VPN server in the load balancing scenario with multiple vpn servers in active-active mode ?. Wireguard peers should communicate between each other through multiple vpn server placed behind the udp load balancer?

@tabatinga0xffff
Copy link

In 10.0.0.x/32 is the x literally x? Or should I substitute it with a number?

@Dave9111
Copy link

Dave9111 commented Oct 18, 2023 via email

@chrisswanda
Copy link
Author

In 10.0.0.x/32 is the x literally x? Or should I substitute it with a number?

@tabatinga0x00 x would be whatever number you wish between 2 and 254.

@Dave9111
Copy link

Dave9111 commented Oct 18, 2023 via email

@Roy-Orbison
Copy link

From the Arch Wiki, use

wg genkey | (umask 077 && tee privatekey) | wg pubkey > publickey

So the private key is created not readable to others.

@dhackney
Copy link

dhackney commented Jan 3, 2025

This is a great concise setup guide. Thanks for posting and maintaining it.

For those new to WireGuard and/or networking, some additional comments in the config files may be helpful:

#*******************************************
#
# server config

[Interface]
# This is the server config file, so the [Interface] is on the server

# PrivateKey is the server private key generated during setup
PrivateKey = copy-and-paste-the-server-private-key-here 

# Address is the server's VPN IP address and subnet range; /24 is 254 available addresses
Address = 172.16.2.1/24

#ListenPort is the server UDP port; for cloud implementations, open this port in the server's security group
ListenPort = 51820

#DNS is the server's DNS resolvers; the 1.1.1.1 and 1.0.0.1 DNS resolvers are hosted by Cloudflare
DNS = 1.1.1.1, 1.0.0.1

# PostUp and PostDown commands for iptables
# The next two commands open and close the required iptables routing rules on the server
# When the server's WireGuard network interface is up, the PostUp command is executed
# When the server's WireGuard network interface is down, the PostDown command is executed
# >>> Important <<< ensure that your server's network interface name is correct in the next two commands
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o copy-and-paste-the-server-network-interface-name-here -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o copy-and-paste-the-server-network-interface-name-here -j MASQUERADE




# >>> Important <<< each client needs a [Peer] section with a unique AllowedIP VPN IP address

[Peer]
# Peer/client #1
# This is the server config file, so the [peer] is the client, e.g., your laptop

# PublicKey is the public key of the client; on some clients, this is automatically generated by the client WireGuard app
PublicKey = copy-and-paste-the-client-public-key-here

# AllowedIPs is the client VPN IP address; /32 is one specific IP address
# >>> Important <<< each client needs a unique AllowedIP VPN IP address, e.g., 172.16.2.2/32, 172.16.2.3/32, 172.16.2.4/32, etc.
AllowedIPs = 172.16.2.2/32



[Peer]
# Peer/client #2
# This is the server config file, so the [peer] is the client, e.g., your laptop

# PublicKey is the public key of the client; on some clients, this is automatically generated by the client WireGuard app
PublicKey = copy-and-paste-the-client-public-key-here

# AllowedIPs is the client VPN IP address; /32 is one specific IP address
# >>> Important <<< each client needs a unique AllowedIP VPN IP address, e.g., 172.16.2.2/32, 172.16.2.3/32, 172.16.2.4/32, etc.
AllowedIPs = 172.16.2.3/32




#*******************************************
#
# client config

[Interface]
# This is the client config file, so the [Interface] is on the client, e.g., your laptop

#Address is the client VPN IP address; /32 is one specific IP address
# >>> Important <<< each client needs a unique VPN IP address, e.g., 172.16.2.2/32, 172.16.2.3/32, 172.16.2.4/32, etc.
Address = 172.16.2.2/32

# PrivateKey is the client private key; on some clients, this is automatically generated by the client WireGuard app
PrivateKey = '>>>DO NOT<<<' overwrite the client app automatically generated client private key here; if there is no automatically generated client private key, copy-and-paste-the-client-private-key-here



[Peer]
# This is the client config file, so the [Peer] is the server

# PublicKey is the server's public key generated during the server WireGuard setup process
PublicKey = copy-and-paste-the-server-public-key-here

# Endpoint is the server's public IP address
Endpoint = copy-and-paste-the-server-public-IP-address-here:51820

# AllowedIPs: controls which network traffic enters and leaves the client 
# AllowedIPs: acts as a routing table when sending and an Access Control List (ACL) when receiving
# AllowedIPs: for client-to-Internet-VPN scenario, use: 0.0.0.0/0, ::/0
# AllowedIPs: 0.0.0.0/0, ::/0 allows traffic from any source to any target
# AllowedIPs: 0.0.0.0/0, ::/0 allows traffic to and from the entire internet
# AllowedIPs: for client-to-server(s)-VPN scenario, use: server.IP.address, server(s).subnet.CIDR 
# AllowedIPs: client-to-server(s)-VPN scenario example: 172.16.2.1/32, 10.2.1.0/16
# AllowedIPs: 172.16.2.1/32, 10.2.1.0/16 allows traffic to and from a WireGuard server at 172.16.2.1 and any server/device in the 10.2.1.0/16 subnet
# AllowedIPs: /16 is 65,534 available IP addresses
AllowedIPs = 0.0.0.0/0, ::/0

# PersistentKeepalive is for a Network Address Translation (NAT) scenario; it keeps the client connection to the server alive
PersistentKeepalive = 25


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment