Install Wireguard
sudo apt install wireguard
Enable IP forwarding, uncomment net.ipv4.ip_forward = 1
and net.ipv6.conf.all.forwarding = 1
in /etc/sysctl.conf
and reload config sudo sysctl --system
.
Create public and private keys
mkdir -p wireguard/keys
cd wireguard/keys
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
Create /etc/wireguard/wg0.conf
[Interface]
Address = 10.4.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o br-1a114ce33d30 -d 192.168.100.1/30 -j MASQUERADE; iptables -t nat -A POSTROUTING -o enp0s25 ! -d 192.168.100.1/30 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o br-1a114ce33d30 -d 192.168.100.1/30 -j MASQUERADE; iptables -t nat -D POSTROUTING -o enp0s25 ! -d 192.168.100.1/30 -j MASQUERADE
enp0s25 -j MASQUERADE
ListenPort = 51820
PrivateKey = <server-private-key>
Maybe update the firewall rule
sudo ufw allow 51820/udp
sudo ufw enable
Start the Wireguard server
sudo wg-quick up wg0
Start the system service to auto-start the server at bootup
sudo systemctl enable wg-quick@wg0.service
Install Wireguard
sudo apt install wireguard
Create public and private keys
mkdir -p wireguard/keys
cd wireguard/keys
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
Create /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <client-private-key>
Address = 10.4.0.2/32 # use different IP for each client
DNS = <dns-server-comma-separated>
[Peer]
PublicKey = <server-public-key>
Endpoint = <public-server-ip/domain>:51820
AllowedIPs = 10.4.0.0/24 # or just 0.0.0.0/0 to run everything over the server
PersistentKeepalive = 25
On the server execute
sudo wg set wg0 peer <client-public-key> persistent-keepalive 25 allowed-ips <client-ip-address>/32
sudo systemctl restart wg-quick@wg0.service