@joshskidmore
Last active February 20, 2019 21:32
Wireguard OpenVPN Replacement

server setup

[ON SERVER] install wireguard (ubuntu)

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard-dkms wireguard-tools

[ON SERVER] create wireguard conf

  • __PRIVATE_IP_OF_SERVER__ is a private ipv4 address that wireguard listens on (like 10.90.0.1)
  • __PRIVATE_KEY_OF_SERVER__ is generated using the instructions in addendum 1
  • my main network interface is ens3; just swap ens3 in those iptables statements for your primary network interface

/etc/wireguard/wg0.conf:

[Interface]
Address = __PRIVATE_IP_OF_SERVER__/24
PrivateKey = __PRIVATE_KEY_OF_SERVER__
ListenPort = 51820
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[ON SERVER] enable and start systemd service

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

adding clients

[ON CLIENT] install wireguard (arch)

yay -S wireguard-arch wireguard-tools

[ON CLIENT] create wireguard conf

  • __PRIVATE_IP_OF_CLIENT__ is a private ipv4 address that you make up within the same subnet as __PRIVATE_IP_OF_SERVER__ (like 10.90.0.15)
  • __PRIVATE_KEY_OF_CLIENT__ and __PUBLIC_KEY_OF_CLIENT__ are generated using the instructions in addendum 1
  • the [Peer] section refers to the server in this case

/etc/wireguard/wg0.conf:

[Interface]
PrivateKey = __PRIVATE_KEY_OF_CLIENT__
Address = __PRIVATE_IP_OF_CLIENT__/24

[Peer]
PublicKey = __PUBLIC_KEY_OF_SERVER__
Endpoint = __PUBLIC_IP_OF_SERVER__:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 10

[ON SERVER] add client to wg

On the server, each client is added as a Peer in the server config (/etc/wireguard/wg0.conf). To avoid restarting the wg-quick systemd service, you can use the wg cli utility to add the client ("peer"). This only adds the peer to the running interface; you then have to run the second command to sync the in-memory changes back to the config file.

# add to the running wg instance: the CLIENT's public key, with a /32 so only that one host is routed to it
sudo wg set wg0 peer __PUBLIC_KEY_OF_CLIENT__ allowed-ips __PRIVATE_IP_OF_CLIENT__/32

# have wg sync the new peer to the config file
sudo wg-quick save wg0
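Picking a client address "within the same subnet" by hand is where duplicate AllowedIPs and out-of-subnet clients creep in, so here is an added helper (my own example, not part of the gist) that reads a server wg0.conf, checks a proposed client address against the server's /24 and the peers already saved, and finds the next free one. The config text is a constructed sample with placeholder keys; the functions take the file contents as their first argument so you could feed them `$(sudo cat /etc/wireguard/wg0.conf)`.

```shell
#!/bin/sh
# Constructed sample of a server wg0.conf after two clients were added
# (not the gist's own file; keys are placeholders).
SAMPLE_CONF='[Interface]
Address = 10.90.0.1/24
PrivateKey = __PRIVATE_KEY_OF_SERVER__
ListenPort = 51820
[Peer]
PublicKey = __PUBLIC_KEY_OF_CLIENT_A__
AllowedIPs = 10.90.0.15/32
[Peer]
PublicKey = __PUBLIC_KEY_OF_CLIENT_B__
AllowedIPs = 10.90.0.16/32, fd00::16/128'
# First three octets of the [Interface] Address, e.g. "10.90.0" for 10.90.0.1/24
server_prefix() {
  printf '%s\n' "$1" | awk -F'[ =/.]+' '/^Address/ { print $2 "." $3 "." $4; exit }'
}

# IPv4 host addresses already handed out in peers' AllowedIPs, one per line
allocated_ips() {
  printf '%s\n' "$1" | awk '/^AllowedIPs/ {
    sub(/^AllowedIPs *= */, ""); n = split($0, a, /, */)
    for (i = 1; i <= n; i++) { split(a[i], p, "/")
      if (p[1] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print p[1] } }'
}

# Exit 0 only if $2 is a usable client address for the server config in $1: inside the
# server's /24, a real host number, not the server itself, and not already a peer's
check_client_ip() {
  prefix=$(server_prefix "$1"); host=${2##*.}
  case $2 in "$prefix".*) ;; *) echo "$2 is outside $prefix.0/24" >&2; return 1 ;; esac
  case $host in ''|*[!0-9]*) echo "$2 is not a valid address" >&2; return 1 ;; esac
  if [ "$host" -lt 2 ] || [ "$host" -gt 254 ]; then
    echo "$2 is reserved (network, server or broadcast)" >&2; return 1
  fi
  if allocated_ips "$1" | grep -qx "$2"; then
    echo "$2 is already assigned to a peer" >&2; return 1
  fi
}

# Lowest free host address in the server's /24, starting at .2 (the server is .1)
next_free_ip() {
  prefix=$(server_prefix "$1"); n=2
  while [ "$n" -le 254 ]; do
    check_client_ip "$1" "$prefix.$n" 2>/dev/null && { echo "$prefix.$n"; return 0; }
    n=$((n + 1))
  done
  return 1
}
next_free_ip "$SAMPLE_CONF"
```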

[ON SERVER] enable ipv4 + ipv6 forwarding

# /etc/sysctl.d/ip_forward.conf (apply without a reboot with: sudo sysctl --system)
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

[ON CLIENT] enable and start systemd service

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

addendum 1: generate wireguard private and public keys

# generate a private key; umask 077 first so any file you write it to is not world-readable
umask 077
PRIVATE_KEY=$(wg genkey)

# derive the matching public key from $PRIVATE_KEY (this is what goes in the other side's [Peer] section)
PUBLIC_KEY=$(echo "$PRIVATE_KEY" | wg pubkey)

addendum 2: show all peers (can be run on server or client)

sudo wg show