@dhsathiya
Last active February 21, 2024 10:20
WireGuard Setup

Set up WireGuard

Definitions

Server

Remote server (e.g. a DigitalOcean or AWS instance) where the WireGuard server will be running.

Peer

Client device (e.g. your local machine) where the WireGuard client will be running.

The WireGuard client doesn't require any other software to be installed on the peer/client device.

Installation

apt update
apt install wireguard -y

Other operating systems: https://www.wireguard.com/install/

Server Configuration

Enable IP forwarding so the server can relay traffic for peers: add net.ipv4.ip_forward=1 to /etc/sysctl.conf and run sysctl -p

Generate private key and update permissions.

wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key

Generate public key

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

Create the config file - vim /etc/wireguard/wg0.conf

[Interface]
PrivateKey = 8Fgt9gTcBFUjUkozIbVJf6eBg= # Server private key generated by the command above
Address = 172.72.0.1/24 # Server address inside the VPN range
ListenPort = 51820
# eth0 is the server's public (internet-facing) interface; adjust if yours differs
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
# Optional, only needed if peers also use IPv6
# PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# Optional, only needed if peers also use IPv6
# PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Turn on the WireGuard server temporarily

wg-quick up wg0

Peer Configuration

Install WireGuard (same commands as in Installation above)

Generate private key and update permissions.

wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key

Generate public key

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

Create the config file - vim /etc/wireguard/wg0.conf

[Interface]
PrivateKey = cF0Wno4jGLS64+w= # Peer private key generated by the command above
Address = 172.72.0.2/24 # Peer address inside the VPN range
DNS = 8.8.8.8
ListenPort = 51820 # Optional on the peer; any free port works

[Peer]
PublicKey = o9MoRAffUtRDqP7VbyYJG= # Server public key
Endpoint = 123.123.123.123:51820 # Server public IP address and ListenPort
AllowedIPs = 0.0.0.0/0 # Route all IPv4 traffic through the server (full tunnel)

Update Server Configuration for new peer

Add the following at the end of the /etc/wireguard/wg0.conf file on the server

[Peer]
PublicKey = Q4AkeBUE1eXVJvCGi= # Peer public key
AllowedIPs = 172.72.0.2/32 # Single address allocated to this peer (/32, not the whole /24)

Connect peer to the server

wg-quick up wg0

Configure WireGuard on the server to start at boot

systemctl enable wg-quick@wg0.service

Using a reserved IP as the outbound IP

DigitalOcean

https://docs.digitalocean.com/products/networking/reserved-ips/how-to/outbound-traffic/

Logging

# 10.0 is the IP range to match (use 172.72.0 for the addresses configured above).
# For every peer whose last handshake was less than 180 seconds ago, append a line
# (timestamp, allowed IPs, endpoint, seconds since handshake) to the log file;
# peers idle for longer are ignored. systime() and strftime() require gawk.
wg show all dump | grep 10.0 | awk '{ if (systime()-$6 < 180) print strftime("%m-%d-%Y %H:%M:%S", systime()), $5, $4, (systime()-$6) "sec" }' >> /var/log/wg.log
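An added example, not part of the gist, covering two of the manual steps above: wg_peer_stanza builds the [Peer] block that "Update Server Configuration for new peer" appends to the server's wg0.conf (checking the key format and forcing a /32), and wg_active_peers does what the logging one-liner does, but over a constructed wg show all dump sample with the current time passed in, so it runs on POSIX awk rather than only gawk. Function names, the sample dump and the placeholder keys are my own.

```shell
#!/bin/sh
# Added example (not from the gist): helpers for adding a peer to the server
# config and for logging peers that completed a recent handshake.

# wg_peer_stanza PUBKEY IPV4
# Emits the [Peer] block to append to the server's wg0.conf. AllowedIPs is
# forced to /32 so the server routes exactly one address to this peer, and
# the key must be 44 base64 chars ending in '=' (a 32-byte Curve25519 key).
wg_peer_stanza() {
    key=$1 ip=$2
    [ "${#key}" -eq 44 ] || return 1
    case $key in *[!A-Za-z0-9+/=]*) return 1 ;; *=) ;; *) return 1 ;; esac
    case $ip in */*) return 1 ;; esac   # pass a bare address, not a prefix
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$key" "$ip"
}

# wg_active_peers PREFIX THRESHOLD NOW   (reads `wg show all dump` on stdin)
# Peer lines of the dump have 9 tab-separated fields:
#   iface pubkey psk endpoint allowed-ips latest-handshake rx tx keepalive
# Prints "allowed-ips endpoint age" for peers whose allowed-ips start with
# PREFIX and whose last handshake is less than THRESHOLD seconds before NOW.
# Peers that never completed a handshake (latest-handshake = 0) are skipped.
# Real use: wg show all dump | wg_active_peers 172.72.0 180 "$(date +%s)" >> /var/log/wg.log
wg_active_peers() {
    awk -v prefix="$1" -v threshold="$2" -v now="$3" '
        NF == 9 && index($5, prefix) == 1 && $6 > 0 && now - $6 < threshold {
            print $5, $4, (now - $6) "sec"
        }'
}

# Constructed sample dump; the key columns are placeholders, not key material.
SAMPLE_DUMP=$(
    printf 'wg0\t(none)\tSERVER_PUBKEY\t51820\toff\n'
    printf 'wg0\tPEER1_PUBKEY\t(none)\t203.0.113.10:41641\t172.72.0.2/32\t1700000000\t1024\t2048\toff\n'
    printf 'wg0\tPEER2_PUBKEY\t(none)\t(none)\t172.72.0.3/32\t0\t0\t0\toff\n'
    printf 'wg0\tPEER3_PUBKEY\t(none)\t198.51.100.7:5000\t172.72.0.4/32\t1699999000\t10\t20\t25\n'
)
# A 32-byte all-zero key, base64-encoded, used only to exercise the format check.
SAMPLE_KEY=$(head -c 32 /dev/zero | base64)

# With NOW = 1700000100 and a 180 s window only PEER1 (handshake 100 s ago) is listed.
printf '%s\n' "$SAMPLE_DUMP" | wg_active_peers 172.72.0 180 1700000100
wg_peer_stanza "$SAMPLE_KEY" 172.72.0.5
```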

Reference articles

https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04#step-1-installing-wireguard-and-generating-a-key-pair

https://forums.lawrencesystems.com/t/getting-started-building-your-own-wireguard-vpn-server/7425

https://docs.digitalocean.com/products/networking/reserved-ips/how-to/outbound-traffic/
