Client side on Ubuntu/Debian
On the client computer, install WireGuard
sudo apt-get install wireguard
Generate a new key pair
wg genkey | tee privatekey | wg pubkey > publickey
Restrict access to the private key so that only its owner can read it (chmod o-r alone would leave it readable by the group)
chmod 600 privatekey
Create a new configuration file in the /etc/wireguard directory
- Set the DNS server (one that resolves hostnames inside the VPN network)
- Replace the client IP placeholder XXX with a number from 2 to 254 that no other client uses
- Set your private key (cat privatekey)
- Send your public key (cat publickey) to the WireGuard server's admin
- Ask the WireGuard server's admin for the server's public key and set it
- Set the WireGuard server's hostname or public IP address
sudo tee /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 192.168.2.XXX/24
PrivateKey = <contents-of-client-privatekey>
DNS = 10.0.0.1
[Peer]
PublicKey = <contents-of-server-publickey>
Endpoint = <server-public-hostname-or-ip>:51820
AllowedIPs = 10.0.0.0/16, 192.168.2.0/24
EOF
Note that setting AllowedIPs to 0.0.0.0/0 routes all of the client's traffic over the WireGuard tunnel; listing specific networks, as above, restricts the tunnel to those networks only.
To load the same configuration on a phone, create a QR code of it. Install qrencode
sudo apt install qrencode
Generate the QR code (run this in the directory that holds the client's wg0.conf; the image embeds the private key, so treat it as a secret and delete it after scanning)
qrencode -t png -o foo-android.png -r wg0.conf
Display the image
xdg-open foo-android.png
Start WireGuard as a systemd service (wg-quick brings up wg0 from /etc/wireguard/wg0.conf)
sudo systemctl start wg-quick@wg0
To disconnect
sudo systemctl stop wg-quick@wg0
Check the status of the WireGuard service
systemctl status wg-quick@wg0
If the service fails with an error that resolvconf is not found (wg-quick needs it to apply the DNS setting), install openresolv
sudo apt install openresolv
Enable the VPN to start at boot
sudo systemctl enable wg-quick@wg0
Repeat these steps on each client you want to connect to the WireGuard server, using a distinct key pair and a distinct XXX for each.
Follow this guide https://www.makeuseof.com/how-to-install-wireguard-vpn-client/ to configure WireGuard clients on other systems, such as
- Windows
- MacOS
- Other Linux distros
- iOS
- Android
Server side
Install WireGuard
sudo apt-get install wireguard
If VPN clients should be able to reach the Internet through the server (each client can still opt out via its own AllowedIPs), enable IP forwarding
Open the sysctl configuration file for editing
sudo nano /etc/sysctl.conf
Uncomment the following line by removing the # at the beginning of the line
net.ipv4.ip_forward=1
Apply the new setting
sudo sysctl -p
Set up the WireGuard server
Generate a new key pair
wg genkey | tee privatekey | wg pubkey > publickey
Restrict access to the private key so that only its owner can read it
chmod 600 privatekey
Create a new configuration file in the /etc/wireguard directory
- Set your server's private key (cat privatekey)
- Ask each user for their public key and add one [Peer] section per client
- In each [Peer] section, replace the client IP placeholder XXX with that client's number (2-254); the /32 means the server accepts only that address from that peer
- Replace wan in the PostUp/PostDown lines with the name of the server's Internet-facing interface (ip route show default prints it)
- The server config carries no DNS line; the DNS server that clients configure (10.0.0.1 in the client example) must be reachable through the tunnel
sudo tee /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 192.168.2.1/24
ListenPort = 51820
PrivateKey = <contents-of-server-privatekey>
PostUp = ufw allow 51820/udp
# replace wan with the server's Internet-facing interface name
PostUp = iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o wan -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 192.168.2.0/255.255.255.0 -o wan -j MASQUERADE

[Peer]
# foo's android phone
PublicKey = <contents-of-client-publickey>
AllowedIPs = 192.168.2.XXX/32
PersistentKeepalive = 25
EOF
Note that the PostUp and PostDown lines are only necessary if clients should reach the Internet through the WireGuard server (together with the IP forwarding enabled above): the ufw line opens the listen port, and the iptables lines masquerade the VPN subnet behind the wan interface's address while the tunnel is up.
Start WireGuard as a systemd service (wg-quick brings up wg0 from /etc/wireguard/wg0.conf)
sudo systemctl start wg-quick@wg0
To stop the server
sudo systemctl stop wg-quick@wg0
Check the status of the WireGuard service
systemctl status wg-quick@wg0
Enable the VPN to start at boot
sudo systemctl enable wg-quick@wg0
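The client and server procedures above are typed by hand, and the two mistakes that are easy to make are a malformed or swapped key and two peers sharing one address (WireGuard lets an allowed IP belong to only one peer, so the second peer silently takes it from the first). The following helpers are an added example, not part of the original guide: they validate keys and host numbers, check the private-key file mode, render both wg0.conf files with the guide's own addresses, DNS server and port, and refuse a duplicate peer. The function names are hypothetical, and the values in the usage comments (vpn.example.com, eth0, the 42) are placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide: render and sanity-check the
# client and server wg0.conf described above. Network numbers are the guide's
# (192.168.2.0/24, 10.0.0.0/16, DNS 10.0.0.1, UDP 51820); hostnames and
# interface names in the usage comments are placeholders.

# A WireGuard key is 32 random bytes in base64: exactly 44 characters ending in '='.
wg_key_ok() {
  key=$1
  [ "${#key}" -eq 44 ] || return 1
  case $key in *=) ;; *) return 1 ;; esac
  n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" -eq 32 ]
}

# The client host part must be an integer from 2 to 254 (.1 is the server).
host_id_ok() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 2 ] && [ "$1" -le 254 ]
}

# A private key file must not be readable by group or others,
# which is what chmod 600 (or umask 077 before wg genkey) guarantees.
privkey_file_ok() {
  [ -f "$1" ] || return 1
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Client wg0.conf: $1 host id, $2 client private key, $3 server public key,
# $4 server hostname or public IP.
render_client_conf() {
  host_id_ok "$1" || { echo "host id must be 2-254: $1" >&2; return 1; }
  wg_key_ok "$2" && wg_key_ok "$3" || { echo "malformed key" >&2; return 1; }
  printf '%s\n' \
    '[Interface]' \
    "Address = 192.168.2.$1/24" \
    "PrivateKey = $2" \
    'DNS = 10.0.0.1' \
    '' \
    '[Peer]' \
    "PublicKey = $3" \
    "Endpoint = $4:51820" \
    'AllowedIPs = 10.0.0.0/16, 192.168.2.0/24'
}

# Server wg0.conf without peers: $1 Internet-facing interface, $2 server private key.
render_server_conf() {
  wg_key_ok "$2" || { echo "malformed key" >&2; return 1; }
  printf '%s\n' \
    '[Interface]' \
    'Address = 192.168.2.1/24' \
    'ListenPort = 51820' \
    "PrivateKey = $2" \
    'PostUp = ufw allow 51820/udp' \
    "PostUp = iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o $1 -j MASQUERADE" \
    "PostDown = iptables -t nat -D POSTROUTING -s 192.168.2.0/24 -o $1 -j MASQUERADE"
}

# Append one [Peer] to a server config: $1 config path, $2 comment, $3 client
# public key, $4 host id. Refuses a key or address that is already present:
# the same public key names the same peer (a second entry would just overwrite
# the first), and an allowed IP listed under two peers moves to the later one.
add_server_peer() {
  conf=$1; name=$2; pub=$3; id=$4
  wg_key_ok "$pub" || { echo "malformed key for $name" >&2; return 1; }
  host_id_ok "$id" || { echo "host id must be 2-254: $id" >&2; return 1; }
  if grep -Fqx "PublicKey = $pub" "$conf"; then
    echo "public key for $name is already configured" >&2; return 1
  fi
  if grep -Fqx "AllowedIPs = 192.168.2.$id/32" "$conf"; then
    echo "192.168.2.$id is already assigned" >&2; return 1
  fi
  printf '%s\n' '' '[Peer]' "# $name" "PublicKey = $pub" \
    "AllowedIPs = 192.168.2.$id/32" 'PersistentKeepalive = 25' >> "$conf"
}

# Usage on real hosts (wg comes with the wireguard package):
#   umask 077; wg genkey | tee privatekey | wg pubkey > publickey
#   render_client_conf 42 "$(cat privatekey)" "$SERVER_PUB" vpn.example.com \
#     | sudo tee /etc/wireguard/wg0.conf >/dev/null
#   render_server_conf eth0 "$(cat privatekey)" | sudo tee /etc/wireguard/wg0.conf >/dev/null
#   add_server_peer /etc/wireguard/wg0.conf "foo's android phone" "$CLIENT_PUB" 42   # as root
```

The key check only verifies shape (44 base64 characters decoding to 32 bytes); it cannot tell a private key from a public one, so pasting the wrong file still passes it. After writing a config, `sudo wg show wg0` once the interface is up is the definitive check that the peer and its allowed IPs are what you intended.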