Skip to content

Instantly share code, notes, and snippets.

@amanjuman

amanjuman/WireGuard Complete Installation

Last active April 6, 2024 22:51
Show Gist options
  • Save amanjuman/8c01cc37f1008715a4586fd160134cad to your computer and use it in GitHub Desktop.
Save amanjuman/8c01cc37f1008715a4586fd160134cad to your computer and use it in GitHub Desktop.
Download ZIP
WireGuard Complete Installation
Raw
WireGuard Complete Installation
sudo apt-get update && sudo apt-get -y upgrade && sudo apt-get autoremove -y
## For Regular Linux Server/PC
sudo apt install software-properties-common && sudo apt install linux-headers-$(uname -r)
## Raspberry Pi
sudo apt install raspberrypi-kernel-headers libelf-dev libmnl-dev build-essential git -y
## Install WireGuard and WireGuard Tools
sudo apt install wireguard wireguard-tools resolvconf -y
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
ifconfig
sudo nano /etc/wireguard/wg0.conf
## WireGuard VPN Server Config File
#Server:
[Interface]
Address = 10.26.26.1/24, fd26:26:26::1/64
ListenPort = 51820
PrivateKey = SERVER-PRIVATE-KEY
SaveConfig = true
## Firewall Rules
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o YOUR-IPv4-INTERFACE-NAME -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o YOUR-IPv6-INTERFACE-NAME -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o YOUR-IPv4-INTERFACE-NAME -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o YOUR-IPv6-INTERFACE-NAME -j MASQUERADE
#Client Profile
#Laptop:
[Peer]
Public Key = CLIENT-1-PUBLIC-KEY
AllowedIPs = 10.26.26.2/32, fd26:26:26::2/128
#Android:
[Peer]
Public Key = CLIENT-2-PUBLIC-KEY
AllowedIPs = 10.26.26.3/32, fd26:26:26::3/128
## Start WireGuard Interface
sudo wg-quick up wg0
## Check WireGuard Interface
sudo wg show wg0
## Auto Start WireGuard Interface after boot
sudo systemctl enable wg-quick@wg0
## Enable System IP forwarding
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
## Allow Firewall to Accept SSH and WireGuard Traffic
ufw alliow 22/tcp
sudo ufw allow 51820/udp
## Edit WireGuard Configuration
sudo nano /etc/wireguard/wg0.conf
## WireGuard VPN Client Config File
[Interface]
PrivateKey = CLIENT-PRIVATE-KEY
Address = 10.26.26.2/24, fd26:26:26::2/64
ListenPort = 51820
DNS = 1.1.1.1, 2606:4700:4700::1111
MTU = 1370
## VPN Server Public Key
[Peer]
PublicKey = SERVER-PUBLIC-KEY
Endpoint = SERVER-IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
## To add a new Peer, here is an example.
sudo wg set wg0 peer NEW-CLIENT-PUBLIC-KEY allowed-ips 10.26.26.15
## To remove a existing peer, here is an example.
sudo wg set wg0 peer NEW-CLIENT-PUBLIC-KEY allowed-ips 10.26.26.15 remove
## WireGuard with Port Forwarding
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 45678,56789 -j DNAT --to-destination 10.26.26.2; iptables -t nat -A POSTROUTING -d 10.26.26.2 -j MASQUERADE;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 45678,56789 -j DNAT --to-destination 10.26.26.2; iptables -t nat -D POSTROUTING -d 10.26.26.2 -j MASQUERADE;
@amanjuman
Copy link
Author

Thank you. But brother I am trying this on an azure vm which i can not normally ping even though it has a real ip. The service does not work although I have followed all the steps. Will it work and can you please tell me what type of aws server of vm you are using?. It would be really helpful. Thanks

On Sat, Aug 19, 2023 at 9:15 PM Aman Juman @.> wrote: @.* commented on this gist. ------------------------------ @amanjuman https://github.com/amanjuman sudo wg set wg0 peer NEW-CLIENT-PUBLIC-KEY allowed-ips 10.26.26.15 why are we allowing this ip this was not used any where? AllowedIPs = 10.26.26.3/32, fd26:26:26::3/128 why are we using /32 it was given /24? Comments added, hope it would be easier to understand now. You can use /32 or /24, Up to you. This is just an example, feel free to customize. — Reply to this email directly, view it on GitHub https://gist.github.com/amanjuman/8c01cc37f1008715a4586fd160134cad#gistcomment-4665679 or unsubscribe https://github.com/notifications/unsubscribe-auth/AMR6AIKU6DGBKRYKZBFGHNTXWDKCTBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTANJSHE4TAOJUU52HE2LHM5SXFJTDOJSWC5DF . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub .

You need to allow ICMP traffic in order to perform Ping from outside.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment