@hriday
Last active May 12, 2020 02:50
Wireguard Installation and Configuration

Wireguard is a new VPN-like protocol that supports peer-to-peer encrypted tunnels. It's fairly easy to set up once you understand the logic behind it.

To try it out, I set up a quick cloud-based server with an IP address that I could access from my laptop at home. Once I had the server spun up, I ran all the updates

apt-get update && apt-get upgrade

And added the wireguard repo to the apt repository

add-apt-repository ppa:wireguard/wireguard

Then, add the packages for wireguard

apt-get install wireguard-dkms wireguard-tools linux-headers-$(uname -r) openresolv qrencode

And reboot.

Once everything comes back up, create a new directory and traverse into it.

umask 077; mkdir wg ; cd wg

Now we need to make some keys. A private one and a public one. The command is

wg genkey | tee server.privatekey | wg pubkey > server.publickey

This command generates the private key and stores it in the file server.privatekey; tee also passes the same key on to wg pubkey, which derives the matching public key and stores it in server.publickey.

Now, to set up the firewall

ufw disable ; ufw allow 22/tcp ; ufw allow 51820/udp ; ufw enable

This allows both port 22 and 51820, the wireguard default port. You can change it if you want, but remember to allow access via the firewall.

You can check status as well

ufw status

Once this is out of the way, time to configure the interface. My interface is wg0 (unless you have tried to set this up earlier and got halfway through, wg0 should work for you; if you can't go with wg0, try wg1, etc.).

vi /etc/wireguard/wg0.conf

Open the file for editing. I use vi. You can use the editor you are familiar with.

The file is typically in the format

[Interface]
Address = 
SaveConfig = 
PostUp = 
PostDown = 
ListenPort = 
PrivateKey = 

[Peer]
PublicKey =  
AllowedIPs = 
Endpoint = 

[Peer]
PublicKey = 
AllowedIPs = 
Endpoint = 

The Interface section refers to the machine this file is on. [Interface]

Address is the private IP range that the server and its peers will use inside the tunnel once it has been established. Address = 10.10.10.1/24

SaveConfig is set to true so that this section is written back to the file as peers connect. Note that wg-quick then overwrites the file when the interface goes down, so any edits made by hand while the interface is up will be lost. SaveConfig = true

PostUp and PostDown refer to what needs to happen when a connection is established and torn down.

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

In this command, a rule is (A)ppended to the FORWARD chain: packets arriving on the incoming interface (-i), which is the WireGuard interface %i, jump (-j) to the ACCEPT target. iptables -A FORWARD -i %i -j ACCEPT

In this command, a rule is (A)ppended to the FORWARD chain: packets leaving on the outgoing interface (-o), again the WireGuard interface %i, jump (-j) to the ACCEPT target. iptables -A FORWARD -o %i -j ACCEPT

In this command, a rule is (A)ppended to the POSTROUTING chain of the nat table (-t nat): traffic leaving via the output interface (-o) eth0 (this might be different for you) jumps (-j) to the MASQUERADE target, so it is source-NATed to the server's own address on its way out. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The PostDown section is identical, except that the (A)ppend is replaced with (D)elete.

ListenPort is 51820, because we set the firewall to allow it. ListenPort = 51820

And finally the PrivateKey. This will be the contents of the file server.privatekey that was generated earlier. PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXX=

As for the Peer sections, every peer that this WireGuard instance connects to will have an entry here.

PublicKey will be the public key of the peer device. Remember, the keys need to be generated for both sides. Sometimes, the peer device is an iPhone etc. and can't generate keys. In that case, run the genkey command again and save the keys under a different file name. Then put that public key in here. PublicKey = XXXXXXXXXXXX

For AllowedIPs, stay within the range defined above; this is the tunnel address the peer is allowed to send from and that the server will route to it. AllowedIPs = 10.10.10.2/32

For the Endpoint, put the IP that your remote device is connecting from, and the port. Endpoint = 31.77.12.109:22 - Actually this is a fake IP. Use your own. For a peer that roams, such as a phone, the server-side Endpoint can be left out; WireGuard learns it from the peer's first authenticated packet.
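Before bringing the interface up, it is worth checking the server config for the mistakes that bite most often: a key that is not a real 32-byte base64 key, a peer AllowedIPs outside the Address subnet, two peers given the same AllowedIPs (WireGuard's cryptokey routing then silently gives the address to the later peer), and a PostDown that does not undo exactly what PostUp added. The script below is an added example, not part of the gist; the sample config it writes is constructed and its keys are made-up strings of the right shape, not real keys.

```shell
#!/bin/sh
# Added example: sanity-check a server-side wg0.conf before wg-quick up.

# dotted quad -> 32-bit integer
ip_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# prefix length -> netmask as an integer
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# in_subnet CIDR SUBNET: succeeds if CIDR lies entirely inside SUBNET
in_subnet() {
    ip=${1%/*};  plen=${1#*/}
    net=${2%/*}; nlen=${2#*/}
    [ "$plen" -ge "$nlen" ] || return 1
    mask=$(prefix_mask "$nlen")
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# A WireGuard key is 32 bytes base64-encoded: 43 base64 characters plus one '='.
valid_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# validate_conf FILE: prints each problem found, succeeds only if there are none.
validate_conf() {
    file=$1; errors=0; section=""; subnet=""; seen=" "; post_up=""; post_down=""; port=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '['*']') section=$line; continue ;;
            ''|'#'*) continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' ')
        val=$(printf '%s' "${line#*=}" | sed 's/^ *//; s/ *$//')
        case "$section:$key" in
            '[Interface]:Address')    subnet=$val ;;
            '[Interface]:ListenPort') port=$val ;;
            '[Interface]:PostUp')     post_up=$val ;;
            '[Interface]:PostDown')   post_down=$val ;;
            '[Interface]:PrivateKey'|'[Peer]:PublicKey')
                valid_key "$val" || { echo "$key is not a 32-byte base64 key"; errors=$((errors + 1)); } ;;
            '[Peer]:AllowedIPs')
                for cidr in $(printf '%s' "$val" | tr ',' ' '); do
                    if [ -n "$subnet" ] && ! in_subnet "$cidr" "$subnet"; then
                        echo "AllowedIPs $cidr is outside $subnet"; errors=$((errors + 1))
                    fi
                    case $seen in *" $cidr "*) echo "AllowedIPs $cidr given to more than one peer"; errors=$((errors + 1)) ;; esac
                    seen="$seen$cidr "
                done ;;
        esac
    done < "$file"
    [ -n "$subnet" ] || { echo "missing Address"; errors=$((errors + 1)); }
    case $port in ''|*[!0-9]*) echo "ListenPort missing or not numeric"; errors=$((errors + 1)) ;; esac
    # PostDown must be PostUp with every append (-A) turned into a delete (-D)
    expected_down=$(printf '%s\n' "$post_up" | sed 's/ -A / -D /g')
    [ "$post_down" = "$expected_down" ] || { echo "PostDown does not mirror PostUp"; errors=$((errors + 1)); }
    [ "$errors" -eq 0 ]
}

# Constructed sample in the shape used above; the keys are placeholders of the right length.
write_sample() {
    cat > "$1" <<'EOF'
[Interface]
Address = 10.10.10.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = 0123456789012345678901234567890123456789abc=

[Peer]
PublicKey = abcdefghijabcdefghijabcdefghijabcdefghij012=
AllowedIPs = 10.10.10.2/32

[Peer]
PublicKey = ABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJ345=
AllowedIPs = 10.10.10.3/32
EOF
}

sample=$(mktemp)
write_sample "$sample"
validate_conf "$sample" && echo "$sample passes all checks"
```

Run it against your real /etc/wireguard/wg0.conf with validate_conf /etc/wireguard/wg0.conf; the key check is only a format check and says nothing about whether the peer's key actually matches, which you find out from the handshake.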

Now, save the file. Before starting up though, you need to enable IP forwarding in sysctl and make it persist across a reboot. echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/wg.conf

To see if this stuck, run sysctl --system

The entry will be near the bottom.

Now, before you start wireguard, there's one more thing. We need to create a config file for a peer. On the iPhone, download the WireGuard app. Then we set up a config file for the iPhone.

Create a similar file in the local directory on the server, calling it iphone-wg0.conf. Use the PrivateKey from the private key generated for the iPhone.

[Interface]
PrivateKey = XXXXX 
Address = 10.10.10.2/24
DNS = 8.8.8.8, 1.1.1.1

[Peer]
PublicKey = XXXXXXXX
AllowedIPs = 0.0.0.0/0
Endpoint = 31.77.12.100:51820

Add the DNS to 'help' the iPhone (this is why we added the openresolv package earlier), and the Endpoint will be the server IP and listening port.
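The whole key and config preparation above, from wg genkey through the two files, can be scripted so that the server's wg0.conf and the phone's iphone-wg0.conf are built from the same key pair files and cannot drift apart. This is an added example, not part of the gist: it assumes the tunnel range 10.10.10.0/24, port 51820 and WAN interface eth0 used above, and leaves the server's public address as a placeholder to be filled in. PostDown is derived from PostUp rather than typed twice, and the server-side Endpoint for the phone is left out because a phone's address changes.

```shell
#!/bin/sh
# Added example: generate key pairs and render both WireGuard configs.

# gen_keypair NAME: writes NAME.privatekey and NAME.publickey, same pipeline as above.
# Without the wg tool installed, a random 32-byte key stands in for the private key
# (WireGuard would accept it, but the public key cannot be derived without wg, so a
# clearly marked placeholder is written instead).
gen_keypair() {
    umask 077
    if command -v wg >/dev/null 2>&1; then
        wg genkey | tee "$1.privatekey" | wg pubkey > "$1.publickey"
    else
        head -c 32 /dev/urandom | base64 > "$1.privatekey"
        printf 'PLACEHOLDER_PUBLIC_KEY_FOR_%s\n' "$(basename "$1")" > "$1.publickey"
    fi
}

# post_down_from POSTUP: the same rules with every append (-A) turned into a delete (-D)
post_down_from() {
    printf '%s\n' "$1" | sed 's/ -A / -D /g'
}

# render_server_conf SERVER_PRIVKEY PHONE_PUBKEY WAN_IFACE
render_server_conf() {
    post_up="iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $3 -j MASQUERADE"
    printf '[Interface]\nAddress = 10.10.10.1/24\nSaveConfig = true\nPostUp = %s\nPostDown = %s\nListenPort = 51820\nPrivateKey = %s\n\n[Peer]\nPublicKey = %s\nAllowedIPs = 10.10.10.2/32\n' \
        "$post_up" "$(post_down_from "$post_up")" "$1" "$2"
}

# render_peer_conf PHONE_PRIVKEY SERVER_PUBKEY SERVER_ENDPOINT
render_peer_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = 10.10.10.2/24\nDNS = 8.8.8.8, 1.1.1.1\n\n[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s\n' \
        "$1" "$2" "$3"
}

# make_configs DIR: keys and both config files end up in DIR
make_configs() {
    gen_keypair "$1/server"
    gen_keypair "$1/iphone"
    render_server_conf "$(cat "$1/server.privatekey")" "$(cat "$1/iphone.publickey")" eth0 > "$1/wg0.conf"
    # SERVER_PUBLIC_IP is a placeholder for the server's real public address
    render_peer_conf "$(cat "$1/iphone.privatekey")" "$(cat "$1/server.publickey")" "SERVER_PUBLIC_IP:51820" > "$1/iphone-wg0.conf"
}

out=$(mktemp -d)
make_configs "$out"
echo "Configs written to $out:"
cat "$out/wg0.conf" "$out/iphone-wg0.conf"
```

Copy wg0.conf to /etc/wireguard/ and feed iphone-wg0.conf to qrencode as described next; the private key files are created with umask 077 so only root can read them, which matters because whoever can read the server's private key can impersonate the server.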

Now, we create a qrcode for this conf.

qrencode -t ansiutf8 < iphone-wg0.conf

A QR code will pop up on the screen. Open the app on the iPhone, choose to set up a tunnel via QR code, and scan it.

Start up wireguard on the server

wg-quick up wg0

And start the tunnel on the iPhone.

And that's it! You have established a wireguard tunnel between the server and the iPhone.
