First, install WireGuard. For Ubuntu:
sudo apt install wireguard
If you want to forward all traffic from clients, enable IP forwarding in the kernel.
Next, create a config file at /etc/wireguard/wg0.conf containing the following (you can also choose to allocate v6 addresses to clients):
[Interface]
PrivateKey = <server_private_key_goes_here>
Address = 172.16.1.1/32
ListenPort = 51820
# The PostUp/PostDown hooks below are only needed when forwarding all traffic from clients.
# Change eth0 to your network interface if it differs.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow tunnel clients to reach a DNS resolver running on the server itself (matches DNS = 172.16.1.1 in the client config)
PostUp = iptables -A INPUT -s 172.16.1.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT; iptables -A INPUT -s 172.16.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# Remove the DNS rules as well, otherwise they stay in the INPUT chain after the tunnel is down
PostDown = iptables -D INPUT -s 172.16.1.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT; iptables -D INPUT -s 172.16.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
[Peer]
PublicKey = <client_public_key_goes_here>
AllowedIPs = 172.16.1.2/32
Next, on the client, create a config file containing this:
[Interface]
PrivateKey = <client_private_key_goes_here>
Address = 172.16.1.2/32
# Optional: a DNS server for the client to use while the tunnel is active
DNS = 172.16.1.1
[Peer]
PublicKey = <server_public_key_goes_here>
# Use AllowedIPs = 0.0.0.0/0, ::/0 instead to send all traffic through the tunnel
AllowedIPs = 172.16.1.1/32
Endpoint = <server_ip>:51820
PersistentKeepalive = 25
For each client, add a new [Peer] block to the server config with their public key and their IP as the allowed IP.
To start the interface on the server and make it persistent across reboots, run:
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
To generate a new keypair, run the following (the umask keeps the private key file readable only by you):
umask 077; wg genkey | tee x_private_key | wg pubkey > x_public_key
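As an added example (not part of the original post), the script below wraps the per-client procedure into shell functions: pick the next free address in the 172.16.1.0/24 pool, append the [Peer] block to the server config, and write the client's config. The SERVER_CONF path, the function names and the use of wg syncconf to load the new peer without restarting the interface are assumptions of this example, not something the post specifies.

```shell
#!/bin/sh
# Added helper script (not from the original post): automates the per-client
# steps above for the 172.16.1.0/24 pool. The config path, SERVER_CONF, and the
# function names are assumptions; wg and wg-quick are only needed by add_client.
set -u
SERVER_CONF="${SERVER_CONF:-/etc/wireguard/wg0.conf}"

# next_client_ip CONF: print the next unused 172.16.1.X/32, found by scanning the
# AllowedIPs of the existing [Peer] blocks (the server itself holds .1).
next_client_ip() {
    last=$(sed -n 's|^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*172\.16\.1\.\([0-9]*\)/32.*|\1|p' "$1" \
        | sort -n | tail -n 1)
    if [ -z "$last" ]; then last=1; fi
    next=$((last + 1))
    if [ "$next" -gt 254 ]; then
        echo "next_client_ip: pool 172.16.1.0/24 is exhausted" >&2
        return 1
    fi
    printf '172.16.1.%s/32\n' "$next"
}

# peer_block PUBKEY IP: the [Peer] block to append to the server config.
peer_block() {
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2"
}

# client_config PRIVKEY IP SERVER_PUBKEY ENDPOINT: the client's wg0.conf, routing
# only the server's tunnel address (use 0.0.0.0/0, ::/0 to send all traffic).
client_config() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = 172.16.1.1\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 172.16.1.1/32\nEndpoint = %s\nPersistentKeepalive = 25\n' "$3" "$4"
}

# add_client NAME SERVER_PUBKEY ENDPOINT: generate a keypair, register the peer on
# the running server without dropping other tunnels, and write NAME.conf for the client.
add_client() {
    umask 077                                  # private key and client config: owner-only
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    ip=$(next_client_ip "$SERVER_CONF") || return 1
    peer_block "$pub" "$ip" >> "$SERVER_CONF"
    client_config "$priv" "$ip" "$2" "$3" > "$1.conf"
    stripped=$(mktemp)
    wg-quick strip wg0 > "$stripped" && wg syncconf wg0 "$stripped"
    rm -f "$stripped"
}
```

Run it as root on the server, e.g. `add_client laptop <server_public_key> <server_ip>:51820`, then hand laptop.conf to the client over a secure channel.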