# Register the buster-backports repository so the wireguard package installed
# below can be found.
# NOTE(review): buster is an old Debian release; confirm this repository is
# still served and still receives security updates before relying on it.
printf '%s\n' 'deb http://ftp.debian.org/debian buster-backports main' \
  | sudo tee /etc/apt/sources.list.d/buster-backports.list
sudo apt update
sudo apt install wireguard

# Create the private key inside a subshell with a restrictive umask, so the
# file is never readable by group or others and the umask of the calling
# shell is left unchanged.
(
  umask 077 && wg genkey > wg-private.key
)

# Derive the public key that is handed to the other side of the tunnel.
wg pubkey < wg-private.key > wg-public.key
On the server side, add a WireGuard configuration file /etc/wireguard/wg0.conf:
# define the WireGuard service
[Interface]
# contents of the server's wg-private.key created above; this file holds the
# private key, so keep it readable by root only (e.g. chmod 600)
PrivateKey = SERVER_PRIVATE_KEY
# UDP service port; 51820 is a common choice for WireGuard
ListenPort = 51820
# one [Peer] section per client that may connect
[Peer]
# contents of the client's wg-public.key
PublicKey = CLIENT_PUBLIC_KEY
# source addresses accepted from this peer inside the tunnel; /32 restricts
# the client to the single address 10.0.2.2
AllowedIPs = 10.0.2.2/32
Next up we configure the interface for the network in /etc/network/interfaces.d/wg0
# indicate that wg0 should be created when the system boots, and on ifup -a
auto wg0
# describe wg0 as an IPv4 interface with static address
iface wg0 inet static
# static IP address
address 10.0.2.1/24
# before ifup, create the device with this ip link command
pre-up ip link add $IFACE type wireguard
# before ifup, set the WireGuard config from earlier
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
# after ifdown, destroy the wg0 interface
post-down ip link del $IFACE
When this is done we can easily enable the network by running
sudo ifup wg0
If we need to remove the network again we can run
# Removes the device directly. ifupdown is bypassed, so ifupdown may still
# consider wg0 configured; `sudo ifdown wg0` takes the interface down through
# ifupdown instead and runs the post-down hook from the stanza above.
sudo ip link delete wg0
You can also allow clients to connect dynamically: add an allowed peer with a specific client key
# Changes the running interface only; nothing is written to
# /etc/wireguard/wg0.conf. The pre-up `wg setconf` loads that file whenever
# wg0 is brought up, so add a matching [Peer] section there to keep the peer.
# Without a mask, allowed-ips 10.0.2.2 covers that single address (/32).
sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.0.2.2
On the client side, add a WireGuard configuration file /etc/wireguard/wg0.conf:
[Interface]
# the client's own private key (generate a key pair on the client with
# wg genkey / wg pubkey); keep this file readable by root only (e.g. chmod 600)
PrivateKey = CLIENT_PRIVATE_KEY
[Peer]
# contents of the server's wg-public.key
PublicKey = SERVER_PUBLIC_KEY
# address and UDP port where the server is reached; the port matches
# ListenPort in the server configuration
Endpoint = 192.168.6.6:51820
# source addresses accepted from the server inside the tunnel; 0.0.0.0/0
# accepts any IPv4 address. `wg setconf` adds no routes, so this alone does
# not send all traffic through the tunnel. If only the tunnel subnet is
# needed, a narrower value such as 10.0.2.0/24 limits what the client accepts.
AllowedIPs = 0.0.0.0/0
Next up we configure the interface for the network in /etc/network/interfaces.d/wg0
# indicate that wg0 should be created when the system boots, and on ifup -a
auto wg0
# describe wg0 as an IPv4 interface with static address
iface wg0 inet static
# static IP address
address 10.0.2.2/24
# before ifup, create the device with this ip link command
pre-up ip link add $IFACE type wireguard
# before ifup, set the WireGuard config from earlier
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
# after ifdown, destroy the wg0 interface
post-down ip link del $IFACE
When this is done we can easily enable the network by running
sudo ifup wg0
If we need to remove the network again we can run
# Removes the device directly. ifupdown is bypassed, so ifupdown may still
# consider wg0 configured; `sudo ifdown wg0` takes the interface down through
# ifupdown instead and runs the post-down hook from the stanza above.
sudo ip link delete wg0