Setting up a WireGuard-based VPN is quite easy. Depending on your distribution, you install the kernel headers (as WireGuard is loaded as a kernel module), install WireGuard, configure it, and you’re off to the races.
With Linux kernel 5.6, WireGuard will be built in, so this process will be even simpler.
Installation
Currently on my Ubuntu (18.04) based server, I had to do the following:
apt-get update
apt-get install linux-headers-$(uname -r)
add-apt-repository ppa:wireguard/wireguard
apt-get install wireguard
Since that automatically builds the kernel module, loading it with:
modprobe wireguard
should be enough. As I also had some kernel version discrepancies on this VPS, I had to reboot the server to boot into the newer kernel.
Configuration
To configure the server, I basically did the following.
Enable IPv4 address forwarding
sysctl -w net.ipv4.ip_forward=1
Generate private/public key
cd /etc/wireguard/
umask 077  # keep the private key from being created world-readable
wg genkey > private-key
wg pubkey > public-key < private-key
While configuring WireGuard, I also added a peer immediately, since I had already generated a key on the client and sent its public key to this server.
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = REDACTED_SERVER_PRIVATE_KEY
[Peer]
PublicKey = REDACTED_CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32
Of course you need to replace:
- REDACTED_SERVER_PRIVATE_KEY with the contents of the private-key file we generated previously
- REDACTED_CLIENT_PUBLIC_KEY with the contents of the public key on the client side
- You also need to configure the client with the contents of the public-key file
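A check worth running on the finished file before bringing the interface up, as an added example that is not part of the original post: the shell function below flags a config that group/other can access (it embeds the private key) and any peer whose AllowedIPs is wider than a single host. The function names, the sample config and its placeholder keys are constructed for illustration, and `stat -c` assumes GNU coreutils.

```shell
# Added example: audit a wg-quick config such as /etc/wireguard/wg0.conf.
# Prints one finding per line; status 0 = clean, 1 = findings, 2 = unreadable.
audit_wg_conf() {
    conf=$1
    mode=$(stat -c '%a' "$conf") || return 2   # GNU stat, as on Ubuntu
    {
        # The file embeds PrivateKey, so only its owner may have access.
        case $mode in
            *00|0) ;;
            *) echo "MODE $mode: file holds PrivateKey but group/other can access it" ;;
        esac
        # On the server, AllowedIPs is also the source filter for that peer:
        # anything wider than one host lets the peer use every address in it.
        awk '
            { sub(/#.*/, "") }
            /^[ \t]*\[/ { sec = tolower($0); gsub(/[^a-z]/, "", sec); next }
            {
                eq = index($0, "="); if (!eq) next
                key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
                val = substr($0, eq + 1);             gsub(/[ \t]/, "", val)
                if (sec != "peer" || key != "allowedips") next
                n = split(val, ip, ",")
                for (i = 1; i <= n; i++) {
                    host = (ip[i] ~ /:/) ? "/128$" : "/32$"
                    if (ip[i] ~ /\// && ip[i] !~ host)
                        print "PEER AllowedIPs " ip[i] ": wider than a single host"
                }
            }' "$conf"
    } | awk '{ print; n++ } END { exit (n > 0) }'
}
# Constructed sample (placeholder keys): the layout above plus one wide peer.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
Address = 10.0.0.1/24
PrivateKey = SAMPLE_PRIVATE_KEY_PLACEHOLDER
[Peer]
PublicKey = SAMPLE_PEER_A_PLACEHOLDER
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = SAMPLE_PEER_B_PLACEHOLDER
AllowedIPs = 10.0.0.4/32, 10.0.0.0/24
EOF
}
demo=$(mktemp) && write_sample_conf "$demo" && chmod 644 "$demo"
audit_wg_conf "$demo" || true   # reports the 644 mode and the /24 peer
rm -f "$demo"
```

On a real server, call it as `audit_wg_conf /etc/wireguard/wg0.conf` and fix anything it prints (for example with `chmod 600`) before starting the interface.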
Once everything is in place, start up the service on the server:
wg-quick up wg0
Then on the client you can also toggle the connection.