# Client side on Ubuntu/Debian

On a client computer, install WireGuard

`sudo apt-get install wireguard`

Generate a new key pair

`wg genkey | tee privatekey | wg pubkey > publickey`

Restrict access to the private key

`chmod o-r privatekey`

Create a new configuration file in the `/etc/wireguard` directory

- Set the DNS server (that resolves hostnames in the VPN network)
- Set the client IP placeholder XXX (i.e. 2-254)
- Set your private key `cat privatekey`
- Send your public key to the WireGuard server's admin `cat publickey`
- Ask the WireGuard server's admin for the server's public key and set it
- Set the WireGuard server's hostname or public IP address

```bash
sudo tee /etc/wireguard/wg0.conf <<EOF
[Interface]
# Same address as the AllowedIPs entry for this peer on the server
Address = 192.168.2.XXX/32
PrivateKey = <client private key>
DNS = 10.0.0.1

[Peer]
PublicKey = <server public key>
Endpoint = <server hostname or public IP>:51820
AllowedIPs = 10.0.0.0/16, 192.168.2.0/24
EOF
```

Note that setting AllowedIPs to `0.0.0.0/0` will forward all traffic over the WireGuard VPN connection. Traffic can instead be restricted to specific networks only, as in the configuration above.

Create a QR code of the configuration

Install qrencode

`sudo apt install qrencode`

Generate the QR code

`qrencode -t png -o foo-android.png -r wg0.conf`

Display the image

`xdg-open foo-android.png`

Use the system command to start WireGuard as a service

`sudo systemctl start wg-quick@wg0`

To disconnect

`sudo systemctl stop wg-quick@wg0`

See the status of WireGuard

`systemctl status wg-quick@wg0`

In case of an error `resolvconf not found`, install `openresolv`

`sudo apt install openresolv`

Enable the VPN to start at boot

`sudo systemctl enable wg-quick@wg0`

Repeat these steps on each client you want to connect to the WireGuard server.

Follow this guide https://www.makeuseof.com/how-to-install-wireguard-vpn-client/ to configure VPN clients on different systems such as

- Windows
- MacOS
- Other Linux distros
- iOS
- Android

# Server side

Install WireGuard

`sudo apt-get install wireguard`

## If you want to allow VPN clients to access the Internet (they can choose not to, using AllowedIPs), allow IP forwarding

Open the system variables file for editing

`sudo nano /etc/sysctl.conf`

Then uncomment the following line by removing the # at the beginning of the line

`net.ipv4.ip_forward=1`

Then apply the new option with the command below

`sudo sysctl -p`

## Set up the WireGuard server

Generate a new key pair

`wg genkey | tee privatekey | wg pubkey > publickey`

Restrict access to the private key

`chmod o-r privatekey`

Create a new configuration file in the `/etc/wireguard` directory

- Set the DNS server (that resolves hostnames in the VPN network)
- Set your server's private key
- Ask users for their public keys and add a `[Peer]` section for each
- Set the client IP placeholder XXX (i.e. 2-254)
- Set the WireGuard server's hostname or public IP address

```bash
sudo tee /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = <server VPN address>
ListenPort = 51820
PrivateKey = <server private key>
PostUp = ufw allow 51820/udp
PostUp = iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o wan -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 192.168.2.0/255.255.255.0 -o wan -j MASQUERADE

[Peer]
# foo's android phone
PublicKey = <client public key>
AllowedIPs = 192.168.2.XXX/32
PersistentKeepalive = 25
EOF
```

Note that the iptables PostUp and PostDown rules are only necessary to allow clients to forward Internet traffic over the WireGuard server.

Use the system command to start WireGuard as a service

`sudo systemctl start wg-quick@wg0`

To disconnect

`sudo systemctl stop wg-quick@wg0`

See the status of WireGuard

`systemctl status wg-quick@wg0`

Enable the VPN to start at boot

`sudo systemctl enable wg-quick@wg0`
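
The `AllowedIPs` settings on both sides can be checked before a config is deployed. The following is an added example, not part of the original guide: a Python check that flags a client config routing everything through the tunnel (`0.0.0.0/0`) and a server config where two `[Peer]` sections claim overlapping addresses. WireGuard associates an allowed IP with a single peer, so a duplicated `192.168.2.XXX/32` leaves one of the two devices without traffic. The function names and sample configs are constructed for illustration.

```python
import ipaddress

def parse_wg_conf(text):
    """Parse wg-quick style text into a list of (section, {key: [values]})."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1].setdefault(key.lower(), []).append(value)
    return sections

def peer_networks(text):
    """Return one list of ip_network objects per [Peer] section."""
    peers = []
    for name, keys in parse_wg_conf(text):
        if name == "peer":
            cidrs = ",".join(keys.get("allowedips", [])).split(",")
            peers.append([ipaddress.ip_network(c.strip(), strict=False)
                          for c in cidrs if c.strip()])
    return peers

def audit(text):
    """Flag full-tunnel routes and AllowedIPs that overlap between peers."""
    findings, peers = [], peer_networks(text)
    for i, nets in enumerate(peers):
        for net in nets:
            if net.prefixlen == 0:
                findings.append(f"peer {i}: {net} routes all traffic into the tunnel")
            for j in range(i + 1, len(peers)):
                for other in peers[j]:
                    if net.version == other.version and net.overlaps(other):
                        findings.append(f"peer {i} {net} overlaps peer {j} {other}")
    return findings

# Constructed sample configs (keys omitted; only AllowedIPs matters here).
SERVER_CONF = """
[Peer]
AllowedIPs = 192.168.2.2/32
[Peer]
# second device, given the same address by mistake
AllowedIPs = 192.168.2.2/32
[Peer]
AllowedIPs = 192.168.2.3/32
"""
CLIENT_FULL = "[Peer]\nAllowedIPs = 0.0.0.0/0\n"
CLIENT_SPLIT = "[Peer]\nAllowedIPs = 10.0.0.0/16, 192.168.2.0/24\n"
```

Call `audit()` on the text of a real `wg0.conf`; an empty list means neither condition was found.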