Wireguard Setup Notes

Wireguard is a wonderful new kind of VPN technology that has been widely praised for its code quality and speed. I decided to try it out recently and I now vastly prefer it to the SSHProxy approach that I used to use to log into my home network. The following are some notes regarding how to set it up, they should by no means be considered authoritative, I am 100% sure that there are people out there who know more about this than me, but I figured that it would be nice to share my experience in setting it up.

Useful References

Installation & Key Creation

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update && sudo apt-get install wireguard-dkms wireguard-tools

Generate the keys:

(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey

This will put the public key and a configuration wg0.conf into the /etc/wireguard/ directory.

Server Setup

Configure the server's /etc/wireguard/wg0.conf like so:

[Interface]
Address = 10.0.0.1/24
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o <<<INTERFACE>>> -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o <<<INTERFACE>>> -j MASQUERADE

ListenPort = 51820
PrivateKey = <<<SERVER'S PRIVATE KEY (should've been generated by above command)>>>

# Add one of these for each client (note the IP address is assigned)
[Peer]
PublicKey = <<<CLIENT 1 PUBLIC KEY>>> # Laptop or whatever
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <<<CLIENT 2 PUBLIC KEY>>> # Cell phone or whatever
AllowedIPs = 10.0.0.3/32 # etc

Note the following:

  • The PostUp and PostDown directives of the configuration need the correct interface, you would need to adjust this to the appropriate interface on your machine.
  • You will need to add a [Peer] section with an IP address and a PublicKey for each client that you want to be able to use this VPN.
  • You will need to configure your router to forward port 51820 to the WireGuard server.

You will also need to set the system configuration to route IPv4 traffic, like so:

sysctl net.ipv4.ip_forward=1

and in order to make the change permanent, you will need to edit the /etc/sysctl.d/99-sysctl.conf file to add the following line: net.ipv4.ip_forward = 1.

Useful Server Commands

Starting the VPN

To start the WireGuard VPN on the server or on the client manually:

wg-quick up wg0

Stopping the VPN

Similarly, to stop it:

wg-quick down wg0

Starting on Boot

To start the VPN on boot (you probably only want this on the server, but I guess it works on the client too), execute the following:

systemctl enable wg-quick@wg0

Status

To see the status:

wg show
ifconfig wg0

Client Setup

To configure a client, you will first need to execute the same installation/key-generation steps as for the server (assuming you're running on Ubuntu). If you're running on Android, simply install this app: https://play.google.com/store/apps/details?id=com.wireguard.android It's fairly self-explanatory and has a button to generate keys. If you use the android app, the settings shown below map directly to the configuration fields available in the app.

The client configuration /etc/wireguard/wg0.conf (assuming you're connecting to a server configured as above) should look something like this.

[Interface]
Address = 10.0.0.2/24
PrivateKey = <<<CLIENT PRIVATE KEY>>>
DNS = 192.168.86.20

[Peer]
PublicKey = <<<SERVER PUBLIC KEY>>>
AllowedIPs = 0.0.0.0/0, ::0/0
Endpoint = <<<SERVER PUBLIC IP>>>:51820
PersistentKeepalive = 25

You will need to set the IP address and a DNS server. In the above configuration I am using the PiHole DNS server on my network.

Note that if you wanna connect to many different wireguard servers, you can just keep making copies of the wg0.conf file in the /etc/wireguard/ directory, naming them something like wg1.conf, editing them as needed, and connecting using something like: wg-quick up wg1.