@samuelba
Last active December 29, 2022 00:53
Wireguard with local server network access

Wireguard

Server

Install Wireguard

sudo apt install wireguard

Enable IP forwarding: uncomment net.ipv4.ip_forward = 1 and net.ipv6.conf.all.forwarding = 1 in /etc/sysctl.conf, then reload the configuration with sudo sysctl --system.

Create public and private keys

mkdir -p wireguard/keys
cd wireguard/keys
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Create /etc/wireguard/wg0.conf (replace br-1a114ce33d30 and enp0s25 with the server's own interface names; the first MASQUERADE rule covers traffic for the local 192.168.100.1/30 network behind the bridge, the second everything else leaving via the LAN interface)

[Interface]
Address = 10.4.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o br-1a114ce33d30 -d 192.168.100.1/30 -j MASQUERADE; iptables -t nat -A POSTROUTING -o enp0s25 ! -d 192.168.100.1/30 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o br-1a114ce33d30 -d 192.168.100.1/30 -j MASQUERADE; iptables -t nat -D POSTROUTING -o enp0s25 ! -d 192.168.100.1/30 -j MASQUERADE
ListenPort = 51820
PrivateKey = <server-private-key>

If ufw is in use, allow the WireGuard listen port

sudo ufw allow 51820/udp
sudo ufw enable

Start the Wireguard server

sudo wg-quick up wg0

Start the system service to auto-start the server at bootup

sudo systemctl enable wg-quick@wg0.service

Client

Install Wireguard

sudo apt install wireguard

Create public and private keys

mkdir -p wireguard/keys
cd wireguard/keys
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Create /etc/wireguard/wg0.conf

[Interface]
PrivateKey = <client-private-key>
Address = 10.4.0.2/32 # use different IP for each client
DNS = <dns-server-comma-separated>

[Peer]
PublicKey = <server-public-key>
Endpoint = <public-server-ip/domain>:51820
AllowedIPs = 10.4.0.0/24 # or just 0.0.0.0/0 to run everything over the server
PersistentKeepalive = 25

Register Client

On the server execute (because SaveConfig = true, the running configuration, including the new peer, is written back to wg0.conf when the interface goes down, so the restart persists the registration; note that this also overwrites any manual edits made to wg0.conf while the interface was up)

sudo wg set wg0 peer <client-public-key> persistent-keepalive 25 allowed-ips <client-ip-address>/32
sudo systemctl restart wg-quick@wg0.service
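Before bringing an interface up with wg-quick, it is worth checking the config file for the mistakes this procedure makes easy: a template placeholder left in place, a file still readable by other users (the umask 077 above is meant to prevent this), a [Peer] without PublicKey or AllowedIPs, or two clients registered with the same AllowedIPs. The following POSIX sh linter is an added example written for this page, not part of the gist; it assumes the wg-quick file format shown above and needs only ls, cut, grep and awk, so it runs even where wg is not installed. The function name wg_conf_check is an assumption of this example.

```shell
#!/bin/sh
# wg_conf_check FILE: lint a wg-quick config before `wg-quick up`.
# Added example for this page (not the gist's own code). Checks:
#   1. file mode is 0600 (no group/other bits, as produced by umask 077)
#   2. no "<...>" template placeholders remain
#   3. [Interface] has PrivateKey and Address
#   4. every [Peer] has PublicKey and AllowedIPs
#   5. no AllowedIPs prefix is claimed by more than one peer
# Prints one line per finding; the return value is the number of findings.
wg_conf_check() {
    f=$1
    n=0

    if [ ! -r "$f" ]; then
        echo "ERROR: $f is not readable"
        return 1
    fi

    # 1. permissions: columns 5-10 of `ls -l` are the group/other bits
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $f is readable by group/other; fix with: chmod 600 $f"
        n=$((n + 1))
    fi

    # 2. leftover placeholders such as <server-private-key>
    if grep -q '<[^>]*>' "$f"; then
        echo "FAIL: template placeholder(s) still present in $f:"
        grep -n '<[^>]*>' "$f" | sed 's/^/    /'
        n=$((n + 1))
    fi

    # 3./4./5. section-level checks; awk prints one finding per line
    findings=$(awk '
        function flush() {
            if (sect == "Interface") {
                if (!("PrivateKey" in has)) print "FAIL: [Interface] lacks PrivateKey"
                if (!("Address" in has))    print "FAIL: [Interface] lacks Address"
            } else if (sect == "Peer") {
                if (!("PublicKey" in has))  print "FAIL: [Peer] #" np " lacks PublicKey"
                if (!("AllowedIPs" in has)) print "FAIL: [Peer] #" np " lacks AllowedIPs"
            }
            split("", has)   # clear per-section key table
        }
        /^[[:space:]]*\[/ {
            flush()
            sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/\].*/, "", sect)
            if (sect == "Peer") np++
            next
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); sub(/#.*/, "", val)   # drop inline comment
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            has[key] = 1
            if (sect == "Peer" && key == "AllowedIPs") {
                m = split(val, parts, ",")
                for (i = 1; i <= m; i++) {
                    p = parts[i]; gsub(/[[:space:]]/, "", p)
                    if (p in seen) print "FAIL: AllowedIPs " p " is claimed by more than one peer"
                    else seen[p] = 1
                }
            }
        }
        END { flush() }
    ' "$f")

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        n=$((n + $(printf '%s\n' "$findings" | wc -l | tr -d ' ')))
    fi

    return "$n"
}

# Usage: wg_conf_check /etc/wireguard/wg0.conf && sudo wg-quick up wg0
```

Run it as root (or any user who can read the file) on both the server and each client config; a zero return means no findings. Because the peer registration above is done with wg set and only persisted on the next restart, running the check after the restart is a cheap way to confirm the new peer landed in wg0.conf with a unique AllowedIPs.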