--- title: "wireguard" tags: [ "Documentation", "Networking", "VPN" ] --- ## On Server Install `wireguard-tools` on the server. ```bash sudo -i ``` ```bash cd /etc/wireguard ``` umask 077 ```bash wg genkey | tee server_private_key | wg pubkey > server_public_key ``` ```bash wg genkey | tee client_private_key | wg pubkey > client_public_key ``` ```bash echo " [Interface] Address = 10.0.0.1/24 SaveConfig = true PrivateKey = $(cat server_private_key) ListenPort = 51900 PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] PublicKey = $(cat client_public_key) AllowedIPs = 10.0.0.2/32 " > /etc/wireguard/wg0.conf ``` ```bash echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/wg.conf ``` ```bash systemctl enable --now wg-quiqck@wg0 ``` ```bash chown -R root:root /etc/wireguard/ ``` ```bash chmod -R og-rwx /etc/wireguard/\* ``` Forward traffic from port 51900 to the server. ## Client Be root. Install `wireguard-tools` on the client. Copy the client private key and server public key to the server (or just fill in the variables). > server_ip=*your server's public ip* echo " [Interface] Address = 10.0.0.2/32 PrivateKey = $(cat client_private_key) DNS = 9.9.9.9 [Peer] PublicKey = $(cat server_public_key) Endpoint = $(echo $server_ip:51900) AllowedIPs = 0.0.0.0/0, ::/0 " > /etc/wireguard/wg0-client.conf > wg-quick up wg0-client ## Extras ### Multiple Peers Add multiple peers by copying the `[peer]` section (they each get called `peer`). ### Make a QR Code for Mobile Users Make a standard client configuration, then: ```bash qrencode -t ansiutf8 < /etc/wireguard/mobile_user.conf ```