Wireguard Setup Example

March 2019 · 2 minute read

Wireguard aims to misbehave, wanting to outperform both IPsec and OpenVPN as well as being simpler and leaner. So what's not to like about that? The folks behind Mullvad, my VPN provider of choice, are huge fans of WG, so I decided to give it a run for its money since I already have an account there.

And it's good. In fact, it's so good that I've replaced my private OpenVPN server with Wireguard. This does of course require some research on how to set things up correctly. I've compiled my notes into a (sparse) step-by-step guide (not really) on how to get it up and running on an Ubuntu 18 server below.

Server

Install the required packages.

sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt update
sudo apt install wireguard wireguard-dkms wireguard-tools linux-headers-$(uname -r)

Activate IPv4 forwarding in /etc/sysctl.conf and then reboot:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Generate keys:

mkdir $HOME/wg-keys
cd $HOME/wg-keys
wg genkey | tee server.privatekey | wg pubkey > server.publickey
wg genkey | tee peer1.privatekey | wg pubkey > peer1.publickey

/etc/wireguard/wg0.conf (don't forget to change the outbound interface name, eth0 here, in the Post{Up,Down} lines):

# Server interface
[Interface]
Address = 192.168.10.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = SERVER PRIVATEKEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# First client
[Peer]
PublicKey = PEER PUBLICKEY
AllowedIPs = 192.168.10.2/32

The iptables rules above are for NAT. You can also allow routing with ufw instead. Note: do not enable this on a public interface.

ufw route allow in on wg0 out on eth0
ufw route allow in on eth0 out on enp1s0

Start and enable the service:

sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0

Open incoming UDP port 51820.

sudo ufw allow 51820/udp # Or whatever software you use

Client

You will need to install the wireguard packages. If you’re on an Ubuntu client you can use the same commands as on the server.

The following is the client configuration, /etc/wireguard/wg0.conf. AllowedIPs = 0.0.0.0/0 routes all traffic through wireguard.

[Interface]
Address = 192.168.10.2/24
PrivateKey = PEER PRIVATEKEY
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER PUBLICKEY
AllowedIPs = 0.0.0.0/0
Endpoint = FQDN:51820
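As an added example, not part of the original post, here is a small Python script that renders the server and client configs above from a set of key values and then lints the result for the mistakes that are easy to make when pasting keys by hand: a placeholder left in, a private key pasted into a [Peer] PublicKey field, a peer AllowedIPs that is not a single host inside the tunnel subnet, a server without ListenPort, a client without Endpoint, or PostUp/PostDown rules that name different uplink interfaces. The key strings, the endpoint vpn.example.com and all function names are constructed for this example; in real use the key values are the files written to $HOME/wg-keys.

```python
"""Render and lint wg-quick configs. Added example, not the blog's own code."""
import base64
import ipaddress
import re

KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")  # 32 raw bytes -> 44 base64 chars


def fake_key(seed: int) -> str:
    """Constructed stand-in with the shape of `wg genkey` output; NOT a real key."""
    return base64.b64encode(bytes([seed]) * 32).decode()


# Constructed keys; in practice read server.privatekey etc. from $HOME/wg-keys.
KEYS = {"server_priv": fake_key(1), "server_pub": fake_key(2),
        "peer1_priv": fake_key(3), "peer1_pub": fake_key(4)}


def render_server(keys, out_if="eth0", port=51820):
    """Server side: the peer's PUBLIC key goes into [Peer], never its private one."""
    return "\n".join([
        "[Interface]",
        "Address = 192.168.10.1/24",
        f"ListenPort = {port}",
        f"PrivateKey = {keys['server_priv']}",
        f"PostUp = iptables -A FORWARD -i %i -j ACCEPT; "
        f"iptables -t nat -A POSTROUTING -o {out_if} -j MASQUERADE",
        f"PostDown = iptables -D FORWARD -i %i -j ACCEPT; "
        f"iptables -t nat -D POSTROUTING -o {out_if} -j MASQUERADE",
        "",
        "[Peer]",
        f"PublicKey = {keys['peer1_pub']}",
        "AllowedIPs = 192.168.10.2/32",
    ]) + "\n"


def render_client(keys, endpoint="vpn.example.com:51820"):  # hostname is constructed
    return "\n".join([
        "[Interface]",
        "Address = 192.168.10.2/24",
        f"PrivateKey = {keys['peer1_priv']}",
        "DNS = 1.1.1.1",
        "",
        "[Peer]",
        f"PublicKey = {keys['server_pub']}",
        "AllowedIPs = 0.0.0.0/0",  # full tunnel, as in the post
        f"Endpoint = {endpoint}",
    ]) + "\n"


def parse_wg(text):
    """Parse the INI-like wg-quick format into a list of (section, {key: value});
    a list (not a dict) because [Peer] may legitimately repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))  # keys end in '='
            sections[-1][1][key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def lint(text, role, private_keys=()):
    """Return a list of problems; an empty list means the config passed."""
    problems = []
    secs = parse_wg(text)
    iface = next((d for n, d in secs if n == "Interface"), None)
    peers = [d for n, d in secs if n == "Peer"]
    if iface is None or not peers:
        return ["need one [Interface] and at least one [Peer]"]
    for name, d in secs:
        for field in ("PrivateKey", "PublicKey"):
            if field in d and not KEY_RE.match(d[field]):
                problems.append(f"[{name}] {field} is not a base64 key (placeholder left in?)")
    for p in peers:  # the mix-up the post originally had in its server config
        if p.get("PublicKey") in private_keys:
            problems.append("[Peer] PublicKey is a PRIVATE key: wrong key file pasted")
    if role == "server":
        if "ListenPort" not in iface:
            problems.append("[Interface] server needs ListenPort")
        net = ipaddress.ip_interface(iface["Address"]).network
        for p in peers:
            for cidr in p.get("AllowedIPs", "").split(","):
                a = ipaddress.ip_network(cidr.strip())
                if a.prefixlen != a.max_prefixlen or not a.subnet_of(net):
                    problems.append(f"[Peer] AllowedIPs {a} should be one host inside {net}")
        outs = []
        for hook in ("PostUp", "PostDown"):
            m = re.search(r"-o\s+(\S+)", iface.get(hook, ""))
            outs.append(m.group(1) if m else None)
        if None in outs or outs[0] != outs[1]:
            problems.append("PostUp/PostDown must MASQUERADE out of the same uplink interface")
    else:
        for p in peers:
            if not re.match(r"^\S+:\d+$", p.get("Endpoint", "")):
                problems.append("[Peer] client needs Endpoint = host:port")
    return problems


if __name__ == "__main__":
    privs = {KEYS["server_priv"], KEYS["peer1_priv"]}
    for role, conf in (("server", render_server(KEYS)), ("client", render_client(KEYS))):
        print(conf)
        print(role, "lint:", lint(conf, role, privs) or "ok")
```

The linter cannot derive a public key from a private one without a Curve25519 implementation, so it takes the set of private keys you generated and simply refuses any [Peer] whose PublicKey is one of them; that is enough to catch the copy-paste error, and it keeps the script dependency-free.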

QR:

qrencode -t ansiutf8 < $HOME/wg/client.conf