
WireGuard

The following steps describe how to set up a WireGuard tunnel between a server and a client.

Inside the tunnel the server uses the address 192.168.200.1 and the client uses 192.168.200.2.

Prerequisites

Install WireGuard on both the server and the client (Debian or Ubuntu):

sudo apt install wireguard

Server

Enable IPv4 forwarding on the server by uncommenting this line in /etc/sysctl.conf:

net.ipv4.ip_forward=1

Then apply the new kernel setting with:

sysctl -p

Create a private/public key pair for the server and one for the client:

cd /etc/wireguard
wg genkey | tee server_private.key | wg pubkey > server_public.key
wg genkey | tee client1_private.key | wg pubkey > client1_public.key
chmod 600 *.key

Note: the client needs its own key pair; the server only requires the client's public key.

Create the server interface configuration in /etc/wireguard/wg0.conf with the following content (eth0 is the server's outbound interface used for NAT; adjust it if yours is named differently):

[Interface]
Address = 192.168.200.1/24
ListenPort = 51820

PrivateKey = <Server Private-Key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Client1
[Peer]
PublicKey = <Client Public-Key>
AllowedIPs = 192.168.200.2/32
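On the server, each peer's AllowedIPs is both the route into the tunnel and the set of source addresses WireGuard will accept from that peer, so every client should get exactly its own /32 and no two peers may overlap. The following linter for a server-side wg0.conf is an added example and not part of this guide or of WireGuard itself; the sample configs and the all-"A" keys it embeds are constructed, not real keys.

```python
import ipaddress

def parse_wg_conf(text):
    """Split a wg-quick config into the [Interface] dict and a list of [Peer] dicts (configparser rejects repeated [Peer])."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # strip comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:                 # split on the first '=' only: base64 keys end in '='
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    iface = next((body for name, body in sections if name == "Interface"), {})
    return iface, [body for name, body in sections if name == "Peer"]

def lint_server_conf(text):
    """Return findings for a server-side wg0.conf such as the one above; an empty list means clean."""
    iface, peers = parse_wg_conf(text)
    findings = [f"{k}: placeholder {v} still present" for sec in [iface, *peers]
                for k, v in sec.items() if v.startswith("<") and v.endswith(">")]
    tunnel = ipaddress.ip_interface(iface["Address"]).network   # e.g. 192.168.200.0/24
    seen = []                                                   # (peer number, network) already claimed
    for n, peer in enumerate(peers, 1):
        for cidr in peer.get("AllowedIPs", "").split(","):
            net = ipaddress.ip_network(cidr.strip())
            if not net.subnet_of(tunnel):
                findings.append(f"Peer {n}: {net} lies outside the tunnel subnet {tunnel}")
            if net.num_addresses != 1:
                findings.append(f"Peer {n}: {net} is wider than one host; a client should get a /32")
            findings += [f"Peer {n}: {net} overlaps peer {m}'s {o}" for m, o in seen if net.overlaps(o)]
            seen.append((n, net))
    return findings

# Constructed samples: the guide's server config with constructed keys, and a broken variant with an
# unfilled placeholder plus a second peer that claims the whole subnet.
KEY = "A" * 43 + "="   # 44 base64 chars = 32 bytes, the WireGuard key length (constructed, not a real key)
GOOD_CONF = f"""[Interface]
Address = 192.168.200.1/24
ListenPort = 51820
PrivateKey = {KEY}
# Client1
[Peer]
PublicKey = {KEY}
AllowedIPs = 192.168.200.2/32
"""
BAD_CONF = GOOD_CONF.replace(f"PrivateKey = {KEY}", "PrivateKey = <Server Private-Key>") + f"""[Peer]
PublicKey = {KEY}
AllowedIPs = 192.168.200.0/24
"""
```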

Client

Create the client interface configuration in /etc/wireguard/client1.conf with the following content:

[Interface]
PrivateKey = <Client Private-Key>
Address = 192.168.200.2/24

[Peer]
PublicKey = <Server Public-Key>
AllowedIPs = 192.168.200.0/24
Endpoint = <Server-FQDN>:51820
PersistentKeepalive = 25

Enable the wg-quick systemd unit so the connection is brought up at boot:

systemctl enable wg-quick@client1