-
Star
(362)
You must be signed in to star a gist -
Fork
(79)
You must be signed in to fork a gist
-
-
Save chrisswanda/88ade75fc463dcf964c6411d1e9b20f4 to your computer and use it in GitHub Desktop.
Install WireGuard via whatever package manager you use. For me, I use apt. | |
$ sudo add-apt-repository ppa:wireguard/wireguard | |
$ sudo apt-get update | |
$ sudo apt-get install wireguard | |
MacOS | |
$ brew install wireguard-tools | |
Generate key your key pairs. The key pairs are just that, key pairs. They can be | |
generated on any device, as long as you keep the private key on the source and | |
place the public on the destination. | |
$ wg genkey | tee privatekey | wg pubkey > publickey | |
example privatekey - mNb7OIIXTdgW4khM7OFlzJ+UPs7lmcWHV7xjPgakMkQ= | |
example publickey - 0qRWfQ2ihXSgzUbmHXQ70xOxDd7sZlgjqGSPA9PFuHg= | |
One can also generate a preshared key to add an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance. | |
# wg genpsk > preshared | |
Take the above private key, and place it in the server. And conversely, put the | |
public key on the peer. Generate a second key pair, and do the opposite, put the | |
public on the server and the private on the peer. Put the preshared key in the client config if you choose to use it. | |
On the server, create a conf file - /etc/wireguard/wg0.conf (These are examples, | |
so use whatever IP ranges and CIDR blocks that will work for your network. | |
################################ | |
[Interface] | |
Address = 10.0.0.1/24 | |
DNS = 1.1.1.1 | |
PrivateKey = [ServerPrivateKey] | |
ListenPort = 51820 | |
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp9s0 -j MASQUERADE | |
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp9s0 -j MASQUERADE | |
[Peer] | |
#Peer #1 | |
PublicKey = [Peer#1PublicKey] | |
AllowedIPs = 10.0.0.3/32 | |
[Peer] | |
#Peer #2 | |
PublicKey = [Peer#2PublicKey] | |
AllowedIPs = 10.0.0.10/32 | |
[Peer] | |
#Peer #3 | |
PublicKey = [Peer#3PublicKey] | |
AllowedIPs = 10.0.0.2/32 | |
[Peer] | |
#Peer #4 | |
PublicKey = [Peer#4PublicKey] | |
AllowedIPs = 10.0.0.11/32 | |
################################## | |
On each client, define a /etc/wireguard/mobile_user.conf - | |
################################### | |
[Interface] | |
Address = 10.0.0.3/24 | |
PrivateKey = [PrivateKeyPeer#1] | |
[Peer] | |
PublicKey = [ServerPublicKey] | |
PresharedKey = [PresharedKey] | |
Endpoint = some.domain.com:51820 | |
AllowedIPs = 0.0.0.0/0, ::/0 | |
# if you want to do split tunnel, add your allowed IPs | |
# for example if your home network is 192.168.1.0/24 | |
# AllowedIPs = 192.168.1.0/24 | |
# This is for if you're behind a NAT and | |
# want the connection to be kept alive. | |
PersistentKeepalive = 25 | |
######################################## | |
sudo wg show | |
######################################### | |
peer: Peer #1 | |
endpoint: 192.168.2.1:50074 | |
allowed ips: 10.0.0.2/32 | |
latest handshake: 4 minutes, 16 seconds ago | |
transfer: 57.58 KiB received, 113.32 KiB sent | |
peer: Peer #2 | |
endpoint: 99.203.28.43:36770 | |
allowed ips: 10.0.0.10/32 | |
latest handshake: 5 minutes, 30 seconds ago | |
transfer: 92.98 KiB received, 495.89 KiB sent | |
################################################## | |
Start/stop interface | |
wg-quick up wg0 | |
wg-quick down wg0 | |
Start/stop service | |
$ sudo systemctl stop wg-quick@wg0.service | |
$ sudo systemctl start wg-quick@wg0.service | |
Instead of having to modify the file for every client you want to add to the | |
server you could also use the wg tool instead: | |
# add peer | |
wg set wg0 peer <client_pubkey> allowed-ips 10.0.0.x/32 | |
# verify connection | |
wg | |
# save to config | |
wg-quick save wg0 | |
######### EDIT ############## | |
I was setting up a relative with a Wireguard config, and figured I might as well use qrencode to do it since I have it installed on my local machine. | |
qrencode -t ansiutf8 < /etc/wireguard/mobile_user.conf | |
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ | |
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ | |
ββββ βββββ ββββββββββ ββββββ ββββββ β ββββ ββββββ β βββββ ββ βββββ βββββ ββββ | |
ββββ β β β ββββββββ βββββ ββ β ββββββ βββββββ ββ β β ββββββ β β ββββ | |
ββββ βββββ βββββ ββ βββββββ β ββββ β βββ ββββββββββββ ββ β β βββ βββββ ββββ | |
ββββββββββββββ βββββ βββββ β βββ β β βββ βββ βββββββ βββ βββ ββββββββββββββββ | |
ββββββ ββββ β βββ ββββββββ ββββββ β β β β βββ ββββββ β β β ββββ β ββββ | |
ββββββ ββββββ β βββββ βββββ βββββ βββ ββ ββββββββ βββββββββ β ββ ββββββββ | |
βββββ βββ β ββββββ βββ β β β βββ βββ β βββββ ββ βββ βββββ β ββ βββ β ββ ββββ | |
ββββββ β ββββ ββββββββββ ββββ βββββ ββ ββββββ βββ ββββ ββββ ββ ββββ β ββββ | |
ββββ ββ βββββββ ββ ββββ ββ β β β βββββ βββ β β ββ ββββββββ ββββ βββββββββ | |
βββββ ββ ββββββ ββ ββββββββ βββββ βββ ββ ββ β ββββββββββ ββββ ββ βββ βββββ | |
βββββ β ββββββ β βββββββ βββββββββββ ββ βββββββββββββββ β βββββ β ββββ βββββ | |
ββββββ βββββββ ββ β βββ ββ ββ ββββ β β ββββββ ββββββββββββββββ ββββββ ββββ | |
βββββ βββββ ββββββ β ββ ββ ββ ββββββ βββββββ ββ ββ β βββββββ ββββ ββββββββ | |
ββββ βββ βββ ββ β βββββ β ββ ββ β β βββββββββ ββββ ββββ ββββββββ ββββββββ | |
βββββββββββββββββ βββ βββββββββββββββββ βββββββ β ββββββββββββ β β β ββββ | |
βββββ β βββ ββββββββββββ ββββββββββ ββββββββ ββββ β ββββββββββββ ββββββββββ | |
ββββββββ βββ βββββββββββββ ββ ββββ βββ ββββ β βββ βββββ ββββ βββ ββ βββββ | |
βββββ ββ βββ βββ ββ β β ββββββ βββ βββ βββ ββββββββ βββ βββββ βββ ββββββββ | |
ββββ ββ βββββ β ββββββ ββ β ββββ ββββββββββ ββ βββββββ ββ βββββ | |
βββββββββ ββββ ββ ββ ββ ββββ β ββββββββββ ββββ ββββ ββββββββ ββββββ ββββββ | |
ββββββ β β βββ ββ ββββββββββ β βββ βββ βββββ ββ ββββββββ βββββ β ββββ | |
ββββββββ βββ βββ β βββββ ββββββββ β ββ β ββββ ββββββββ βββ βββ β βββββ | |
ββββββ ββββ ββ ββ β β β β βββ ββ ββ βββββ β ββ βββββββββββ ββ βββββ | |
ββββ ββββββββ ββ ββ β ββββββββ β βββββ ββββ β ββββ ββββββββ βββββ ββ ββββ | |
ββββββββββββ β β ββββ ββββββββββ βββββ β β β β βββββββ ββ βββ βββββββ ββββ | |
βββββ βββββββ ββ ββ βββ ββββ ββββββββ ββ β βββ ββ βββββ ββ β βββ β ββββββ | |
ββββ βββ ββββββ βββββββ ββ ββββββββ βββ ββββββββββ β βββββββ ββββ βββ ββββ | |
βββββ β ββββββββ βββ βββββ βββββββ βββββββββββββ βββ β ββββββββββ βββββββ | |
ββββ β β ββββββ βββ ββββ βββββββββββββββββββββ βββ ββββββ βββββ βββββββββ | |
ββββ βββββββ βββββββββ βββββ ββ βββββββββββββββββ β ββ βββ β ββ β β β ββββ | |
ββββββββββββ ββ ββββββ ββ βββββββββ βββ ββββββ βββββββ ββ β βββ βββ ββββββββ | |
ββββ βββββ ββ βββββ βββββββ βββ ββββ βββ βββ βββββ βββββββββββββ βββ βββββββ | |
ββββ β β βββββ βββ β ββββ ββββββββββ ββββββββββ β β ββββββ β ββ ββββββββ | |
ββββ βββββ β ββ ββ β ββββββ ββββββ ββ βββ β βββββββ ββββ ββββ βββ ββ βββββββ | |
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ | |
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ | |
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ | |
This is a great concise setup guide. Thanks for posting and maintaining it.
For those new to WireGuard and/or networking, some additional comments in the config files may be helpful:
#*******************************************
#
# server config
[Interface]
# This is the server config file, so the [Interface] is on the server
# PrivateKey is the server private key generated during setup
PrivateKey = copy-and-paste-the-server-private-key-here
# Address is the server's VPN IP address and subnet range; /24 is 254 available addresses
Address = 172.16.2.1/24
#ListenPort is the server UDP port; for cloud implementations, open this port in the server's security group
ListenPort = 51820
#DNS is the server's DNS resolvers; the 1.1.1.1 and 1.0.0.1 DNS resolvers are hosted by Cloudflare
DNS = 1.1.1.1, 1.0.0.1
# PostUp and PostDown commands for iptables
# The next two commands open and close the required iptables routing rules on the server
# When the server's WireGuard network interface is up, the PostUp command is executed
# When the server's WireGuard network interface is down, the PostDown command is executed
# >>> Important <<< ensure that your server's network interface name is correct in the next two commands
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o copy-and-paste-the-server-network-interface-name-here -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o copy-and-paste-the-server-network-interface-name-here -j MASQUERADE
# >>> Important <<< each client needs a [Peer] section with a unique AllowedIP VPN IP address
[Peer]
# Peer/client #1
# This is the server config file, so the [peer] is the client, e.g., your laptop
# PublicKey is the public key of the client; on some clients, this is automatically generated by the client WireGuard app
PublicKey = copy-and-paste-the-client-public-key-here
# AllowedIPs is the client VPN IP address; /32 is one specific IP address
# >>> Important <<< each client needs a unique AllowedIP VPN IP address, e.g., 172.16.2.2/32, 172.16.2.3/32, 172.16.2.4/32, etc.
AllowedIPs = 172.16.2.2/32
[Peer]
# Peer/client #2
# This is the server config file, so the [peer] is the client, e.g., your laptop
# PublicKey is the public key of the client; on some clients, this is automatically generated by the client WireGuard app
PublicKey = copy-and-paste-the-client-public-key-here
# AllowedIPs is the client VPN IP address; /32 is one specific IP address
# >>> Important <<< each client needs a unique AllowedIP VPN IP address, e.g., 172.16.2.2/32, 172.16.2.3/32, 172.16.2.4/32, etc.
AllowedIPs = 172.16.2.3/32
#*******************************************
#
# client config
[Interface]
# This is the client config file, so the [Interface] is on the client, e.g., your laptop
#Address is the client VPN IP address; /32 is one specific IP address
# >>> Important <<< each client needs a unique VPN IP address, e.g., 172.16.2.2/32, 172.16.2.3/32, 172.16.2.4/32, etc.
Address = 172.16.2.2/32
# PrivateKey is the client private key; on some clients, this is automatically generated by the client WireGuard app
PrivateKey = '>>>DO NOT<<<' overwrite the client app automatically generated client private key here; if there is no automatically generated client private key, copy-and-paste-the-client-private-key-here
[Peer]
# This is the client config file, so the [Peer] is the server
# PublicKey is the server's public key generated during the server WireGuard setup process
PublicKey = copy-and-paste-the-server-public-key-here
# Endpoint is the server's public IP address
Endpoint = copy-and-paste-the-server-public-IP-address-here:51820
# AllowedIPs: controls which network traffic enters and leaves the client
# AllowedIPs: acts as a routing table when sending and an Access Control List (ACL) when receiving
# AllowedIPs: for client-to-Internet-VPN scenario, use: 0.0.0.0/0, ::/0
# AllowedIPs: 0.0.0.0/0, ::/0 allows traffic from any source to any target
# AllowedIPs: 0.0.0.0/0, ::/0 allows traffic to and from the entire internet
# AllowedIPs: for client-to-server(s)-VPN scenario, use: server.IP.address, server(s).subnet.CIDR
# AllowedIPs: client-to-server(s)-VPN scenario example: 172.16.2.1/32, 10.2.1.0/16
# AllowedIPs: 172.16.2.1/32, 10.2.1.0/16 allows traffic to and from a WireGuard server at 172.16.2.1 and any server/device in the 10.2.1.0/16 subnet
# AllowedIPs: /16 is 65,534 available IP addresses
AllowedIPs = 0.0.0.0/0, ::/0
# PersistentKeepalive is for a Network Address Translation (NAT) scenario; it keeps the client connection to the server alive
PersistentKeepalive = 25
Thank you very much for this git! I used it for my git. If you don't allow I will remove it. https://github.com/spaskol/dobarbobar/blob/master/06-wireguard-setup.md
This is a great concise setup guide. Thanks for posting and maintaining it.
For those new to WireGuard and/or networking, some additional comments in the config files may be helpful:
Can I include some of your config in my git? https://github.com/spaskol/dobarbobar/blob/master/06-wireguard-setup.md I will quote you
Can I include some of your config in my git? https://github.com/spaskol/dobarbobar/blob/master/06-wireguard-setup.md I will quote you
You are welcome to use it
From the Arch Wiki, use
So the private key is created not readable to others.