@ssdean
Last active May 4, 2023 23:47

Wireguard setup

Installation

A comprehensive list of installation methods can be found here https://www.wireguard.com/install/

Server

Generate Keys

Create a private and public key.

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Allow IP forwarding

For the server to work it will need to be able to forward packets. If using UFW, uncomment the line below in /etc/ufw/sysctl.conf. Otherwise the option may be found in /etc/sysctl.conf. If neither of the previous options exists, add the line to a file called /etc/sysctl.d/99-sysctl.conf.

net.ipv4.ip_forward = 1

Config file

The name of the conf file specifies the WireGuard interface name. To create an interface called wg0, place the config below in /etc/wireguard/wg0.conf. The PostUp option adds an iptables rule to allow forwarding on this interface. eth0 specifies the internet-facing interface (adjust it to match the server).

# /etc/wireguard/wg0.conf

# Server

[Interface]
PrivateKey = (Server private key)
Address    = (IP of the wireguard interface for this device E.g. 10.0.0.1/24)
SaveConfig = true (Write changes made while the interface is up, e.g. added peers, back to this file on shutdown)
ListenPort = (Port to listen for connections. 51820 is the default but may be anything)

# If using iptables directly, use these.
PostUp     = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown   = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# If using UFW use these. Use the port specified by "ListenPort".
PostUp     = ufw allow 51820/udp; ufw route allow in on wg0; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown   = ufw delete allow 51820/udp;  ufw route delete allow in on wg0; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey  = (Client public key)
AllowedIPs = (IP addresses allowed from this peer E.g. 10.0.0.2/32)
Endpoint   = (WAN address of the peer [Not required. Initial client connection will autofill this])

Firewalld

If using firewalld, create a firewalld service. Add the following to /etc/firewalld/services/wireguard.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>wireguard</short>
  <description>Allow WireGuard connections</description>
  <port protocol="udp" port="(ListenPort goes here)"/>
</service>

Then enable the service and masquerading:

sudo firewall-cmd --permanent --add-service=wireguard --zone=public
sudo firewall-cmd --permanent --zone=public --add-masquerade
sudo firewall-cmd --reload

Client

Create the config file.

# /etc/wireguard/wg0.conf

# Client

[Interface]
PrivateKey = (Client private key)
Address    = (IP of the wireguard interface for this device E.g. 10.0.0.2/24)

[Peer]
PublicKey           = (Server public key)
AllowedIPs          = 0.0.0.0/0 (Accept any source address from the server and route all IPv4 traffic through the tunnel)
Endpoint            = (WAN address of the server)
PersistentKeepalive = 21 (Send a keepalive every 21 seconds so the server keeps a usable endpoint for this client behind NAT)
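Both the server and the client config above are templates with notes in parentheses, and the server one lists an iptables PostUp pair and a ufw PostUp pair of which only one may stay. The script below is an added example, not part of this gist or of WireGuard: a hypothetical check_wg_conf shell function that lints a wg-quick config before it is brought up. It flags notes left in values, malformed keys, non-CIDR AllowedIPs/Address entries, an out-of-range ListenPort, duplicate PostUp lines, and a config file readable by group or other (wg-quick warns about the last one itself, but catching it earlier is cheap). The sample configs it writes are constructed for the demo; the key in them is 43 'A's plus '=', which has the right shape but is obviously not a usable key.

```shell
#!/bin/sh
# check_wg_conf: lint a wg-quick configuration before "wg-quick up".
# Hypothetical helper written for this page; it only reads the file,
# so it runs on any host whether or not wg is installed.

# Constructed stand-in key: 43 'A's plus '=' is the base64 of 32 zero bytes.
ZERO_KEY=$(i=0; while [ "$i" -lt 43 ]; do printf 'A'; i=$((i + 1)); done; printf '=')

# Usage: check_wg_conf /etc/wireguard/wg0.conf
# Prints one line per problem and returns 0 only when nothing was found.
check_wg_conf() {
    conf=$1
    problems=0

    # The file holds a private key; ls columns 5-10 are the group/other bits.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$conf: readable by group/other (bits '$perms'); run chmod 600"
        problems=$((problems + 1))
    fi

    postup=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '' | '#'* | '['*) continue ;;   # blank, comment or section header
        esac
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        val=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//')

        # A "(" in a value means a template note like "(Server private key)" survived.
        case $val in
            *'('*) echo "$key: template note still present: $val"
                   problems=$((problems + 1)); continue ;;
        esac

        case $key in
            PrivateKey | PublicKey)
                # Keys are 32 bytes: 43 base64 characters plus one "=".
                printf '%s\n' "$val" | grep -Eq '^[A-Za-z0-9+/]{43}=$' \
                    || { echo "$key: not a base64 32-byte key: $val"; problems=$((problems + 1)); } ;;
            ListenPort)
                case $val in
                    '' | *[!0-9]*) echo "ListenPort: not a number: $val"; problems=$((problems + 1)) ;;
                    *) if [ "$val" -lt 1 ] || [ "$val" -gt 65535 ]; then
                           echo "ListenPort: out of range: $val"; problems=$((problems + 1))
                       fi ;;
                esac ;;
            Address | AllowedIPs)
                # Every comma-separated entry must be CIDR (IPv4 strict, IPv6 loose).
                old_ifs=$IFS; IFS=,
                for cidr in $val; do
                    cidr=$(printf '%s' "$cidr" | tr -d ' ')
                    printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9A-Fa-f:]+/[0-9]{1,3}$' \
                        || { echo "$key: not a CIDR prefix: $cidr"; problems=$((problems + 1)); }
                done
                IFS=$old_ifs ;;
            PostUp) postup=$((postup + 1)) ;;
        esac
    done < "$conf"

    # The template lists an iptables pair and a ufw pair; only one pair may stay.
    if [ "$postup" -gt 1 ]; then
        echo "PostUp appears $postup times; keep only the iptables or the ufw pair"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Writes two constructed configs into $1: good.conf (filled in) and bad.conf
# (the template copied with its notes, both PostUp lines and a bare IP left in).
write_sample_confs() {
    dir=$1
    cat > "$dir/good.conf" <<EOF
[Interface]
PrivateKey = $ZERO_KEY
Address    = 10.0.0.1/24
ListenPort = 51820
SaveConfig = true
PostUp     = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey  = $ZERO_KEY
AllowedIPs = 10.0.0.2/32
EOF
    chmod 600 "$dir/good.conf"
    cat > "$dir/bad.conf" <<EOF
[Interface]
PrivateKey = (Server private key)
Address    = (IP of the wireguard interface for this device E.g. 10.0.0.1/24)
SaveConfig = true (Save any changes to peer connections)
ListenPort = 51820
PostUp     = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp     = ufw allow 51820/udp; ufw route allow in on wg0; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey  = $ZERO_KEY
AllowedIPs = 10.0.0.2
EOF
    chmod 644 "$dir/bad.conf"
}

# Demo on the constructed samples.
demo=$(mktemp -d)
write_sample_confs "$demo"
for f in good bad; do
    echo "== $f.conf"
    check_wg_conf "$demo/$f.conf" && echo "clean" || echo "fix the lines above before wg-quick up"
done
rm -rf "$demo"
```

On the bad sample the check reports six problems: the file mode, three leftover notes, the bare 10.0.0.2 in AllowedIPs, and the doubled PostUp. The "(" test is deliberately crude; it relies on the fact that no real key, address, port or iptables/ufw command in these configs contains a parenthesis.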

Activate interfaces

Bring the interface up on each device:

wg-quick up wg0

Devices will now be able to ping any peer for which an endpoint is known, either configured or learned from that peer's first handshake.

Autostart

To bring the interface up automatically at startup, run the following:

sudo systemctl enable wg-quick@wg0.service