-
-
Save dryqin/d71b82454f14550477aa0243004c48fc to your computer and use it in GitHub Desktop.
Stupid simple setting up WireGuard - Server and multiple peers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Install WireGuard via whatever package manager you use. For me, I use apt. | |
| $ sudo add-apt-repository ppa:wireguard/wireguard | |
| $ sudo apt-get update | |
| $ sudo apt-get install wireguard | |
| MacOS | |
| $ brew install wireguard-tools | |
| Generate key your key pairs. The key pairs are just that, key pairs. They can be | |
| generated on any device, as long as you keep the private key on the source and | |
| place the public on the destination. | |
| $ wg genkey | tee privatekey | wg pubkey > publickey | |
| example privatekey - mNb7OIIXTdgW4khM7OFlzJ+UPs7lmcWHV7xjPgakMkQ= | |
| example publickey - 0qRWfQ2ihXSgzUbmHXQ70xOxDd7sZlgjqGSPA9PFuHg= | |
| Take the above private key, and place it in the server. And conversely, put the | |
| public key on the peer. Generate a second key pair, and do the opposite, put the | |
| public on the server and the private on the peer. | |
| On the server, create a conf file - /etc/wireguard/wg0.conf (These are examples, | |
| so use whatever IP ranges and CIDR blocks that will work for your network. | |
| ################################ | |
| [Interface] | |
| Address = 10.0.0.1/24 | |
| DNS = 1.1.1.1 | |
| PrivateKey = [ServerPrivateKey] | |
| ListenPort = 51820 | |
| PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp9s0 -j MASQUERADE | |
| PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp9s0 -j MASQUERADE | |
| [Peer] | |
| #Peer #1 | |
| PublicKey = [Peer#1PublicKey] | |
| AllowedIPs = 10.0.0.3/32 | |
| [Peer] | |
| #Peer #2 | |
| PublicKey = [Peer#2PublicKey] | |
| AllowedIPs = 10.0.0.10/32 | |
| [Peer] | |
| #Peer #3 | |
| PublicKey = [Peer#3PublicKey] | |
| AllowedIPs = 10.0.0.2/32 | |
| [Peer] | |
| #Peer #4 | |
| PublicKey = [Peer#4PublicKey] | |
| AllowedIPs = 10.0.0.11/32 | |
| ################################## | |
| On each client, define a /etc/wireguard/wg0.conf - | |
| ################################### | |
| [Interface] | |
| Address = 10.0.0.3/24 | |
| PrivateKey = [PrivateKeyPeer#1] | |
| [Peer] | |
| PublicKey = [ServerPublicKey] | |
| Endpoint = some.domain.com:51820 | |
| AllowedIPs = 0.0.0.0/0 | |
| # This is for if you're behind a NAT and | |
| # want the connection to be kept alive. | |
| PersistentKeepalive = 25 | |
| ######################################## | |
| sudo wg show | |
| ######################################### | |
| peer: Peer #1 | |
| endpoint: 192.168.2.1:50074 | |
| allowed ips: 10.0.0.2/32 | |
| latest handshake: 4 minutes, 16 seconds ago | |
| transfer: 57.58 KiB received, 113.32 KiB sent | |
| peer: Peer #2 | |
| endpoint: 99.203.28.43:36770 | |
| allowed ips: 10.0.0.10/32 | |
| latest handshake: 5 minutes, 30 seconds ago | |
| transfer: 92.98 KiB received, 495.89 KiB sent | |
| ################################################## | |
| Start/stop interface | |
| wg-quick up wg0 | |
| wg-quick down wg0 | |
| Start/stop service | |
| $ sudo systemctl stop [email protected] | |
| $ sudo systemctl start [email protected] | |
| Instead of having to modify the file for every client you want to add to the | |
| server you could also use the wg tool instead: | |
| # add peer | |
| wg set wg0 peer <client_pubkey> allowed-ips 10.0.0.x/32 | |
| # verify connection | |
| wg | |
| # save to config | |
| wg-quick save wg0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment