@ssdean
Last active May 4, 2023 23:47

WireGuard setup

Installation

A comprehensive list of installation methods can be found at https://www.wireguard.com/install/

Server

Generate Keys

Create a private and public key. The umask makes the key files readable by the owner only, so the private key is never world-readable.

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Allow IP forwarding

For the server to work it needs to be able to forward IP packets between the tunnel and the internet-facing interface. If using UFW, uncomment the line below in /etc/ufw/sysctl.conf. Otherwise the option may be found in /etc/sysctl.conf. If neither of those files exists, add the line to a file called /etc/sysctl.d/99-sysctl.conf.

net.ipv4.ip_forward = 1

Config file

The name of the conf file specifies the WireGuard interface name. To create an interface called wg0, place the config below in /etc/wireguard/wg0.conf. The PostUp option adds an iptables rule that allows forwarding on this interface and a NAT masquerade rule on the internet-facing interface; eth0 is the internet-facing interface and should be replaced with the name of yours. Use either the plain iptables PostUp/PostDown pair or the UFW pair, not both.

# /etc/wireguard/wg0.conf

# Server

[Interface]
PrivateKey = (Server private key)
Address    = (IP of the wireguard interface for this device E.g. 10.0.0.1/24)
SaveConfig = true (Write runtime changes, e.g. peers added with wg set, back to this file when the interface goes down)
ListenPort = (Port to listen for connections. 51820 is the default but may be anything)

# Plain iptables only (use this pair or the UFW pair below, not both).
PostUp     = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown   = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# If using UFW use these. Use the port specified by "ListenPort".
PostUp     = ufw allow 51820/udp; ufw route allow in on wg0; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown   = ufw delete allow 51820/udp;  ufw route delete allow in on wg0; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey  = (Client public key)
AllowedIPs = (IP addresses allowed from this peer E.g. 10.0.0.2/32)
Endpoint   = (WAN address of the peer [Not required. Initial client connection will autofill this])
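The following shell script is an added example, not part of the gist: it renders the server-side wg0.conf shown above from real values rather than the parenthesised placeholders, validates that each key is a 32-byte base64 string before writing, and writes the file under umask 077 so the private key is owner-readable only. The `wg` tool is assumed to be optional on the machine running it (key generation is skipped without it), and the all-A key used in the comments is a constructed dummy value, not a real key.

```shell
#!/bin/sh
# Added example (not from the gist). Renders a server wg0.conf for one peer and
# writes it with the same umask 077 discipline used for the key files.
# Assumption: `wg` may be absent; gen_keypair then returns 1 instead of failing.

# A WireGuard key is 32 bytes base64-encoded: 43 base64 characters plus one '='.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Generate a keypair into directory $1 (files: privatekey, publickey).
# Returns 1 when `wg` is not installed.
gen_keypair() {
    command -v wg >/dev/null 2>&1 || return 1
    ( umask 077 && cd "$1" && wg genkey | tee privatekey | wg pubkey > publickey )
}

# Print a server config for one peer.
#   $1 server private key    $2 server tunnel address (e.g. 10.0.0.1/24)
#   $3 listen port           $4 internet-facing interface (e.g. eth0)
#   $5 client public key     $6 client tunnel address with /32 mask
render_server_conf() {
    is_wg_key "$1" || { echo "bad server private key" >&2; return 1; }
    is_wg_key "$5" || { echo "bad client public key" >&2; return 1; }
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nListenPort = %s\n' "$1" "$2" "$3"
    printf 'PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$4"
    printf 'PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$4"
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$5" "$6"
}

# Write the rendered config to path $1 (remaining args as for render_server_conf)
# so that only the owner can read the private key; removes the file on failure.
write_conf() {
    path=$1; shift
    ( umask 077; render_server_conf "$@" > "$path" ) || { rm -f "$path"; return 1; }
}

# Permission string of a file as shown by ls, e.g. "-rw-------".
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage (dummy all-A key, constructed for illustration only):
#   K=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
#   write_conf /etc/wireguard/wg0.conf "$K" 10.0.0.1/24 51820 eth0 "$K" 10.0.0.2/32
#   file_mode /etc/wireguard/wg0.conf   # -rw-------
```

Rendering the file from a script rather than editing the template by hand avoids the two mistakes the parenthesised placeholders invite: leaving an annotation in place of a value, and creating the file with the default umask so the private key is readable by every local user.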

Firewalld

If using firewalld, create a firewalld service. Add the following to /etc/firewalld/services/wireguard.xml, using the port specified by "ListenPort":

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>wireguard</short>
  <description>Allow WireGuard connections</description>
  <port protocol="udp" port="(ListenPort goes here)"/>
</service>

Then enable the service and masquerading in the public zone and reload:

sudo firewall-cmd --permanent --add-service=wireguard --zone=public
sudo firewall-cmd --permanent --zone=public --add-masquerade
sudo firewall-cmd --reload

Client

Create the config file.

# /etc/wireguard/wg0.conf

# Client

[Interface]
PrivateKey = (Client private key)
Address    = (IP of the wireguard interface for this device E.g. 10.0.0.2/24)

[Peer]
PublicKey           = (Server public key)
AllowedIPs          = 0.0.0.0/0 (Route all traffic through the tunnel and accept packets from any source via the server; narrow this to the tunnel subnet if only VPN traffic should use it)
Endpoint            = (WAN address of the server)
PersistentKeepalive = 21 (Send a keepalive every 21 seconds so NAT/firewall mappings stay open and the server can reach this client)

Activate interfaces

Bring the interface up on each device:

wg-quick up wg0

Each device should now be able to ping the peers it has an endpoint for; for example, the client can ping the server's tunnel address, 10.0.0.1.
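Before running wg-quick up, it is worth checking the config file for the mistakes that most often stop a first connection or expose the private key. The script below is an added example, not part of the gist: it lints a wg-quick config for unfilled (...) placeholders left over from the templates above, keys that are not 32-byte base64 strings, a file readable by group or other, and a full-tunnel client (AllowedIPs = 0.0.0.0/0) with no Endpoint. The sample config it builds uses a constructed dummy key and a TEST-NET address, not real values.

```shell
#!/bin/sh
# Added example (not from the gist): pre-flight lint for /etc/wireguard/*.conf.
# Assumption: the file follows the templates above, so a value still wrapped in
# parentheses, e.g. "PrivateKey = (Server private key)", is an unfilled placeholder.

# lint_wg_conf FILE -> prints one finding per line; return value is the number
# of findings (0 means the file passed).
lint_wg_conf() {
    f=$1; n=0
    if [ ! -f "$f" ]; then echo "missing file: $f"; return 1; fi

    # The private key lives in this file, so group/other must have no access.
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) ;;
        *) echo "permissions: $f is readable by group/other (expected 0600)"; n=$((n+1)) ;;
    esac

    # A value that still starts with "(" is an annotation copied from the template.
    if grep -Eq '^[A-Za-z]+ *= *\(' "$f"; then
        echo "placeholder: a value is still an unfilled (...) annotation"; n=$((n+1))
    fi

    # Every PrivateKey/PublicKey must be 43 base64 characters plus '='.
    bad=$(grep -E '^(PrivateKey|PublicKey) *=' "$f" | sed 's/^[^=]*= *//' \
          | grep -Evc '^[A-Za-z0-9+/]{43}=$' || true)
    if [ "$bad" -gt 0 ]; then
        echo "key: $bad key value(s) are not 32-byte base64 strings"; n=$((n+1))
    fi

    # A full-tunnel peer can only be reached if its Endpoint is known.
    if grep -q '^AllowedIPs *= *0\.0\.0\.0/0' "$f" && ! grep -q '^Endpoint *=' "$f"; then
        echo "routing: AllowedIPs 0.0.0.0/0 but no Endpoint is set"; n=$((n+1))
    fi

    # Informational only: with SaveConfig the file is rewritten on wg-quick down,
    # so edits made while the interface is up are lost.
    if grep -Eq '^SaveConfig *= *true' "$f"; then
        echo "note: SaveConfig = true; edit this file only while wg0 is down"
    fi
    return "$n"
}

# Constructed client config matching the template above.
#   $1 client private key   $2 server public key
sample_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = 10.0.0.2/24\n\n' "$1"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\n' "$2"
    printf 'Endpoint = 203.0.113.10:51820\nPersistentKeepalive = 21\n'
}

# Usage:
#   lint_wg_conf /etc/wireguard/wg0.conf && wg-quick up wg0
```

The return value doubles as the finding count, so `lint_wg_conf wg0.conf && wg-quick up wg0` only brings the interface up on a clean file.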

Autostart

To start the interface automatically at boot, run the following:

sudo systemctl enable wg-quick@wg0.service