added client and server side config

README.md

@@ -1,2 +1,128 @@
-# wireguard-with-systemd
+# Client side on Ubuntu/Debian
 
+On a client computer, install wireguard  
+`sudo apt-get install wireguard`
+
+Generate a new key pair  
+`wg genkey | tee privatekey | wg pubkey > publickey`
+
+Restrict the access for the privatekey  
+`chmod o-r privatekey`
+
+Create a new configuration file in the `/etc/wireguard` directory
+- Set DNS server (that resolves hostnames in the VPN network)
+- Set the client IP placeholder XXX (i.e. 2-254)
+- Set your private key `cat privatekey`
+- Sent your publickey to the WireGuard server's admin `cat publickey`
+- Ask the WireGuard server's admin for the server's public key and set it
+- Set the WireGuard server's hostname or public IP address
+
+```bash
+sudo tee /etc/wireguard/wg0.conf <<EOF
+[Interface]
+Address = 192.168.2.XXX/24
+PrivateKey = <contents-of-client-privatekey>
+DNS = 10.0.0.1
+
+[Peer]
+PublicKey = <contents-of-server-publickey>
+Endpoint = <server-public-hostname-or-ip>:51820
+AllowedIPs = 10.0.0.0/16, 192.168.2.0/24
+EOF
+```
+
+Note that setting AllowedIPs to `0.0.0.0/0` will forward all traffic over the WireGuard VPN connection. Traffic can be restricted to specific networks only
+
+Create QR code of the configuration install qrencode  
+`sudo apt install qrencode`
+
+Generate the QR code  
+`qrencode -t png -o foo-android.png -r wg0.conf`
+
+Display the image  
+`xdg-open foo-android.png`
+
+Use the system command to start WireGuard as a service  
+`sudo systemctl start wg-quick@wg0`
+
+To disconnect  
+`sudo systemctl stop wg-quick@wg0`
+
+See the status of the WireGuard  
+`systemctl status wg-quick@wg0`
+
+In case of an error `resolvconf not found`, install `openresolv`  
+`sudo apt install openresolv`
+
+Enable to start VPN after the boot  
+`sudo systemctl enable wg-quick@wg0`
+
+Repeat these steps on each client you want to connect to the WireGuard server
+
+Folow this guide https://www.makeuseof.com/how-to-install-wireguard-vpn-client/ to configure VPN clients on different systems such as
+- Windows
+- MacOS
+- Other Linux distros
+- iOS
+- Android
+
+# Server side
+
+Install wireguard  
+`sudo apt-get install wireguard`
+
+## If you want to allow VPN clients to be able to access the Internet (they can choose not to using AllowedIPs) allow IP forward
+Open the system variables file for editing  
+`sudo nano /etc/sysctl.conf`
+
+Then uncomment the following line by removing the # at the beginning of the line  
+`net.ipv4.ip_forward=1`
+
+Then apply the new option with the command below  
+`sudo sysctl -p`
+
+## Setup Wireguard server
+
+Generate a new key pair  
+`wg genkey | tee privatekey | wg pubkey > publickey`
+
+Restrict the access for the privatekey  
+`chmod o-r privatekey`
+
+Create a new configuration file in the `/etc/wireguard` directory
+- Set DNS server (that resolves hostnames in the VPN network)
+- Set your server's private key
+- Ask users for their public keys and add for each a `[peer]` section
+- Set the client IP placeholder XXX (i.e. 2-254)
+- Set the WireGuard server's hostname or public IP address
+
+```bash
+sudo tee /etc/wireguard/wg0.conf <<EOF
+[Interface] 
+Address = 192.168.2.1/24
+ListenPort = 51820 
+PrivateKey = <contents-of-server-privatekey>
+PostUp = ufw allow 51820/udp
+PostUp = iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o wan -j MASQUERADE
+PostDown = iptables -t nat -D POSTROUTING -s 192.168.2.0/255.255.255.0 -o wan -j MASQUERADE
+
+[Peer]
+# foo's android phone
+PublicKey = <contents-of-client-publickey>
+AllowedIPs = 192.168.2.XXX/32
+PersistentKeepalive = 25
+```
+
+Note that setting PostUp and PostDown is only neccessary to allow client to forward internet traffic over the WireGuard server
+
+Use the system command to start WireGuard as a service  
+`sudo systemctl start wg-quick@wg0`
+
+To disconnect  
+`sudo systemctl stop wg-quick@wg0`
+
+See the status of the WireGuard  
+`systemctl status wg-quick@wg0`
+
+Enable to start VPN after the boot  
+`sudo systemctl enable wg-quick@wg0`