💾 Archived View for finn.smol.pub › 1700743208 captured on 2024-05-10 at 10:43:50. Gemini links have been rewritten to link to archived content
(Originally written Friday, 27 August 2021)
First, install WireGuard. For Ubuntu:
```
sudo apt install wireguard
```
If you want to forward all traffic from clients, enable IP forwarding in the kernel.
Next, create a config file at /etc/wireguard/wg0.conf containing the following (you can also choose to allocate v6 addresses to clients):
```
[Interface]
PrivateKey = <server_private_key_goes_here>
Address = 172.16.1.1/32
ListenPort = 51820
# Use the following for forwarding all traffic from clients:
# Change eth0 to your network interface if it differs
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Let clients reach a DNS resolver running on the server itself
PostUp = iptables -A INPUT -s 172.16.1.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT; iptables -A INPUT -s 172.16.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# Remove the DNS rules as well, so they do not linger after the interface goes down
PostDown = iptables -D INPUT -s 172.16.1.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT; iptables -D INPUT -s 172.16.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

[Peer]
PublicKey = <client_public_key_goes_here>
AllowedIPs = 172.16.1.2/32
```
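Because PostUp and PostDown are maintained by hand, it is easy for an added rule to end up without its matching delete, and the leftover rule survives `wg-quick down`. The script below is an added example, not part of the original post: it lists the PostUp rules that PostDown fails to undo. It assumes rules are added with -A and removed with -D, on one or more PostUp/PostDown lines with ';'-separated commands as in the config above; the constructed sample config inside it reproduces an omitted delete for the DNS INPUT rule.

```sh
#!/bin/sh
# Added example (not from the original post): list the PostUp firewall rules
# that PostDown does not undo, so nothing lingers after `wg-quick down wg0`.
# Assumes rules are added with -A and removed with -D, one or more
# PostUp/PostDown lines, with ';'-separated commands as in the configs above.

# Print each command from every "$1 =" line of config "$2" ($1 is PostUp or PostDown).
hook_cmds() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
    | tr ';' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | awk 'NF'
}

# Rewrite every PostUp rule into its -D form and print those that PostDown lacks.
unmatched_rules() {
  down=$(hook_cmds PostDown "$1")
  hook_cmds PostUp "$1" | sed 's/ -A / -D /' | while IFS= read -r want; do
    printf '%s\n' "$down" | grep -Fqx -- "$want" || printf '%s\n' "$want"
  done
}

# Constructed sample: the server config above with keys omitted and the
# DNS INPUT rule left out of PostDown. Writes it to a temp file and prints the path.
sample_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
[Interface]
Address = 172.16.1.1/32
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A INPUT -s 172.16.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF
  printf '%s\n' "$f"
}

conf=$(sample_conf)
unmatched_rules "$conf"   # prints the INPUT --dport 53 rule in its -D form
rm -f "$conf"
```

Run it against /etc/wireguard/wg0.conf after editing; an empty result means every PostUp rule has a PostDown counterpart.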
Next, on the client, create a config file containing this:
```
[Interface]
PrivateKey = <client_private_key_goes_here>
Address = 172.16.1.2/32
# A DNS server can be specified for the client to use when the tunnel is active, optional
DNS = 172.16.1.1

[Peer]
PublicKey = <server_public_key_goes_here>
# AllowedIPs = 0.0.0.0/0, ::/0 for forwarding all traffic
AllowedIPs = 172.16.1.1/32
Endpoint = <server_ip>:51820
PersistentKeepalive = 25
```
For each client, add a new [Peer] block to the server config with their public key and their IP as the allowed IP.
To start the interface on the server and make it persistent on reboots, run:
```
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
```
To generate a new keypair, use the following commands (the restrictive umask keeps the private key file from being readable by other users):
```
umask 077
wg genkey | tee x_private_key | wg pubkey > x_public_key
```