WireGuard is a wonderful new kind of VPN technology that has been widely praised for its code quality and speed. I decided to try it out recently, and I now vastly prefer it to the SSHProxy approach I used to use to log into my home network. The following are some notes on how to set it up. They should by no means be considered authoritative; I am 100% sure that there are people out there who know more about this than me, but I figured it would be nice to share my experience in setting it up.
Install it on Ubuntu from the WireGuard PPA (on Ubuntu 20.04 and later WireGuard is in the standard repositories, so sudo apt-get install wireguard is enough and the PPA is not needed):

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update && sudo apt-get install wireguard-dkms wireguard-tools
Generate the keys:
(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
This will put the public key in /etc/wireguard/publickey and start a configuration file, wg0.conf, in the /etc/wireguard/ directory. The umask 077 matters: wg0.conf holds the private key, so it must be readable by root only (check with ls -l /etc/wireguard/wg0.conf). Configure the server's /etc/wireguard/wg0.conf like so:
[Interface]
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o <<<INTERFACE>>> -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o <<<INTERFACE>>> -j MASQUERADE
ListenPort = 51820
PrivateKey = <<<SERVER'S PRIVATE KEY (should've been generated by above command)>>>

# Add one of these for each client (note the IP address is assigned)
[Peer]
PublicKey = <<<CLIENT 1 PUBLIC KEY>>> # Laptop or whatever
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <<<CLIENT 2 PUBLIC KEY>>> # Cell phone or whatever
AllowedIPs = 10.0.0.3/32

# etc
Note the following:

- The <<<INTERFACE>>> placeholder in the PostUp and PostDown directives is the server's outward-facing network interface (eth0, enp3s0, or similar); you will need to adjust this to the appropriate interface on your machine. The %i is expanded by wg-quick to the WireGuard interface name (wg0).
- You need a [Peer] section with an IP address (the AllowedIPs line, as a /32) and a PublicKey for each client that you want to be able to use this VPN. The server only accepts packets from a peer whose source address is inside that peer's AllowedIPs, so each client must be given the same address in its own configuration.
- WireGuard runs over UDP, so you will also need to forward UDP port 51820 on your router to the WireGuard server.
You will also need to set the system configuration to route IPv4 traffic, like so:

sudo sysctl -w net.ipv4.ip_forward=1

and in order to make the change permanent, you will need to edit the /etc/sysctl.d/99-sysctl.conf file to add the following line:

net.ipv4.ip_forward = 1
Starting the VPN
To start the WireGuard VPN on the server or on the client manually:
wg-quick up wg0
Stopping the VPN
Similarly, to stop it:
wg-quick down wg0
Starting on Boot
To start the VPN on boot (you probably only want this on the server, but I guess it works on the client too), execute the following:
systemctl enable wg-quick@wg0
To see the status:
wg show
ifconfig wg0

(Use ip addr show wg0 on systems without ifconfig.)
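The "latest handshake" column of wg show is the quickest way to tell whether a peer is actually talking to the server. The script below is an added example, not part of the original post: it parses the machine-readable form, wg show wg0 dump, and lists peers that have never completed a handshake or whose last handshake is older than a threshold. The dump layout it assumes is the one documented in wg(8): the first line describes the interface (private-key, public-key, listen-port, fwmark) and each following line is one peer (public-key, preshared-key, endpoint, allowed-ips, latest-handshake as Unix epoch seconds, transfer-rx, transfer-tx, persistent-keepalive), with "(none)" for unset fields and 0 for a peer that has never handshaken. The sample dump in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report stale WireGuard peers from
# the output of `wg show wg0 dump`.
#
# Assumed dump format (per wg(8)); the keys and addresses below are constructed:
#   SERVERPRIV SERVERPUB 51820 off
#   CLIENT1PUB (none) 203.0.113.7:41641 10.0.0.2/32 1700000000 1234 5678 25
#   CLIENT2PUB (none) (none)            10.0.0.3/32 0          0    0    off
set -eu

# $1 = dump text, $2 = current time (epoch seconds), $3 = max handshake age in seconds.
# Prints "allowed-ips endpoint age" for every peer that is stale or has never connected.
stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="$3" '
        NR == 1 { next }                       # interface line, not a peer
        NF < 8  { next }                       # not a peer line
        {
            ep = ($3 == "(none)") ? "-" : $3   # endpoint is unknown until the peer first connects
            if ($5 == 0) {
                printf "%s %s never\n", $4, ep
            } else if (now - $5 > max) {
                printf "%s %s %ds\n", $4, ep, now - $5
            }
        }'
}

# Live check against the running interface (needs root to read wg0).
# A tunnel that is carrying traffic, including PersistentKeepalive packets,
# re-handshakes roughly every two minutes, so 180 s is a reasonable default;
# an idle client without keepalive will legitimately show an old handshake.
check_wg0() {
    stale_peers "$(wg show wg0 dump)" "$(date +%s)" "${1:-180}"
}
```

Run check_wg0 on the server (optionally with a threshold in seconds); a peer listed as "never" with endpoint "-" has a public key the server knows but has not yet been reached, which usually means the client has the wrong Endpoint, the router is not forwarding UDP 51820, or the client's key does not match the one in the [Peer] block.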
To configure a client, you will first need to execute the same installation/key-generation steps as for the server (assuming you're running on Ubuntu). If you're running on Android, simply install this app: https://play.google.com/store/apps/details?id=com.wireguard.android It's fairly self-explanatory and has a button to generate keys. If you use the Android app, the settings shown below map directly to the configuration fields available in the app.
The client configuration /etc/wireguard/wg0.conf (assuming you're connecting to a server configured as above) should look something like this:

[Interface]
Address = 10.0.0.2/24
PrivateKey = <<<CLIENT PRIVATE KEY>>>
DNS = 192.168.86.20

[Peer]
PublicKey = <<<SERVER PUBLIC KEY>>>
AllowedIPs = 0.0.0.0/0, ::0/0
Endpoint = <<<SERVER PUBLIC IP>>>:51820
PersistentKeepalive = 25

You will need to set the IP address (it must be the address given to this client's [Peer] section on the server) and a DNS server. In the above configuration I am using the PiHole DNS server on my network. Note that AllowedIPs = 0.0.0.0/0, ::0/0 on the client routes all of the client's traffic through the tunnel; if you only want to reach the home network, list its subnets instead (for example 10.0.0.0/24 plus the LAN subnet the DNS server lives on). PersistentKeepalive = 25 keeps the NAT mapping open so the server can still reach a client behind a home router or mobile carrier NAT.
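Adding a device by hand means generating a key pair, picking an unused tunnel address, appending a [Peer] block to the server's wg0.conf, and writing a client config that mirrors it. The script below is an added example, not part of the original post, that automates this for a server laid out as above. It assumes the server's public key is in /etc/wireguard/publickey (the file written by the key-generation step), reuses the DNS server and AllowedIPs values from the client config above, and the endpoint vpn.example.org:51820 in the usage line is a placeholder. Key generation shells out to wg(8); the functions that build the config text take keys as arguments, so they can be exercised on a machine without WireGuard.

```shell
#!/bin/sh
# Added example (not from the original post): provision a new WireGuard client
# for a server configured like the wg0.conf above. Run as root on the server:
#   ./add-peer.sh add laptop vpn.example.org:51820     (endpoint is a placeholder)
set -eu

SERVER_CONF=/etc/wireguard/wg0.conf
SERVER_PUBKEY_FILE=/etc/wireguard/publickey   # written by the key-generation step above
SUBNET_PREFIX=10.0.0                          # the server is 10.0.0.1/24
DNS_SERVER=192.168.86.20                      # the PiHole used in the client config above
ALLOWED_IPS='0.0.0.0/0, ::0/0'                # full tunnel; e.g. 10.0.0.0/24, 192.168.86.0/24 for split tunnel

# Print the next unused 10.0.0.N (N = 2..254) given the text of the server config.
# .1 is the server; any address already present in an AllowedIPs line is taken, so
# gaps left by removed peers are reused.
next_free_ip() {
    conf=$1
    n=2
    while [ "$n" -le 254 ]; do
        if ! printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*${SUBNET_PREFIX}\.${n}/32"; then
            printf '%s.%s\n' "$SUBNET_PREFIX" "$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "no free address left in ${SUBNET_PREFIX}.0/24" >&2
    return 1
}

# [Peer] block for the server config. $1 = client public key, $2 = tunnel IP, $3 = device name.
server_peer_block() {
    printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$3" "$1" "$2"
}

# Client wg0.conf. $1 = client private key, $2 = tunnel IP, $3 = server public key,
# $4 = server endpoint host:port, $5 = DNS server, $6 = AllowedIPs for the client side.
client_conf() {
    printf '[Interface]\nAddress = %s/24\nPrivateKey = %s\nDNS = %s\n\n' "$2" "$1" "$5"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\nEndpoint = %s\nPersistentKeepalive = 25\n' "$3" "$6" "$4"
}

# Generate keys, pick an address, register the peer on the server and write <name>.conf.
add_peer() {
    name=$1; endpoint=$2
    umask 077                                  # the client config contains a private key
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    ip=$(next_free_ip "$(cat "$SERVER_CONF")")
    server_pub=$(cat "$SERVER_PUBKEY_FILE")
    server_peer_block "$pub" "$ip" "$name" >>"$SERVER_CONF"
    client_conf "$priv" "$ip" "$server_pub" "$endpoint" "$DNS_SERVER" "$ALLOWED_IPS" >"$name.conf"
    # Hot-add the peer to the running interface; wg-quick reads it from the file on the next restart.
    wg set wg0 peer "$pub" allowed-ips "$ip/32"
    echo "added $name as $ip; client config written to $name.conf"
}

case "${1:-}" in
    add) add_peer "$2" "$3" ;;
    "")  ;;                                    # no arguments: only define the functions
    *)   echo "usage: $0 add <name> <server-host:port>" >&2; exit 2 ;;
esac
```

The generated <name>.conf is the only copy of the client's private key, so move it to the device over a trusted channel (for the Android app it can be imported directly) and delete it from the server afterwards; the server never needs the client's private key, only the public key that was appended to wg0.conf.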
Note that if you want to connect to many different WireGuard servers, you can just keep making copies of the wg0.conf file in the /etc/wireguard/ directory, naming them something like wg1.conf, editing them as needed, and connecting using something like:

wg-quick up wg1