WireGuard: Difference between revisions

Line 49:

You will find this directory is empty - we will work in this directory which is secure.

=== Generate public/private key pair ===

=== Generate a public/private key pair ===

* Create a private and public key for the server. You can use the following command:

Line 107:

* The public key should match the one generated earlier and can be viewed by typing <code>cat server-publickey</code>

* If you would like WireGuard to start on startup, type the following: <code>systemctl enable wg-quick@wg0</code>

== Setting up a client ==

Client software is available for many operating systems, including Windows, macOS, Linux (native support past Kernel 5.6) and Android. Here we will make a config file and add it to the server configuration, but due to the vast amount of different operating systems supported, we will not cover how to add the configuration to your respective operating system.

The client configuration file is similar to the server configuration file and remains very simple.

=== Generate a public/private key pair ===

* We will create a public/private key pair much the same way as we did for the server:

wg genkey | tee client-privatekey | wg pubkey > client-publickey

** The name <code>client</code> for the file name can be changed to anything you like for convenience.

* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 client-privatekey</code>

* We need the private key to put in the configuration file: <code>cat client-privatekey</code>. This will display the key on the screen which can then be copied.

=== Creating a configuration file ===

* Open a new configuration file: <code>sudo nano client.conf</code>

** Once again, the name <code>client</code> can be anything you like for convenience.

* Insert the following into the file:

[Interface]

PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=

ListenPort = 33333

Address = 10.20.10.2/24

DNS = 1.1.1.1, 1.0.0.1<br>

[Peer]

PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=

AllowedIPs = 0.0.0.0/0

Endpoint = example.com:33333

* Tweak the file to match your server configuration:

** <code>PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=</code> - the private key generated for the client ('''NOT''' the server private key).

** <code>ListenPort = 33333</code> - needs to match the <code>ListenPort</code> for the server.

** <code>Address = 10.20.10.2/24</code> - the address to use, within the subnet defined in the server configuration.

** <code>DNS = 1.1.1.1, 1.0.0.1</code> - the DNS server to use to resolve names. Something needs to be defined here as there is no DHCP to define a DNS server. This can be a server of your own on the network, your router or one of the many online services (CloudFlare DNS = 1.1.1.1, 1.0.0.1, Google DNS = 8.8.8.8, 8.8.4.4).

** <code>PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=</code> - the public key of the server, '''NOT''' the client public key.

** <code>AllowedIPs = 0.0.0.0/0</code> - range of addresses that will be passed over the tunnel. Comma-separated list, can include IPv6 addresses if being used. 0.0.0.0/0 forwards everything.

** <code>Endpoint = example.com:33333</code> - DNS address or IP address to connect to the server. An IP address will only be useful if you have a static address, otherwise a DNS address with DynDNS is a better solution.

* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.

* The file can then be transferred to the client and imported into the WireGuard client ready for use.

=== Adding peers to the server configuration ===

* Open the server configuration file - <code>sudo nano wg0.conf</code>

@@ Line 49: / Line 49: @@
 You will find this directory is empty - we will work in this directory which is secure.
-=== Generate public/private key pair ===
+=== Generate a public/private key pair ===
 * Create a private and public key for the server. You can use the following command:
@@ Line 107: / Line 107: @@
 * The public key should match the one generated earlier and can be viewed by typing <code>cat server-publickey</code>
 * If you would like WireGuard to start on startup, type the following: <code>systemctl enable wg-quick@wg0</code>
+== Setting up a client ==
+Client software is available for many operating systems, including Windows, macOS, Linux (native support past Kernel 5.6) and Android. Here we will make a config file and add it to the server configuration, but due to the vast amount of different operating systems supported, we will not cover how to add the configuration to your respective operating system.
+The client configuration file is similar to the server configuration file and remains very simple.
+=== Generate a public/private key pair ===
+* We will create a public/private key pair much the same way as we did for the server:
+ wg genkey | tee client-privatekey | wg pubkey > client-publickey
+** The name <code>client</code> for the file name can be changed to anything you like for convenience.
+* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 client-privatekey</code>
+* We need the private key to put in the configuration file: <code>cat client-privatekey</code>. This will display the key on the screen which can then be copied.
+=== Creating a configuration file ===
+* Open a new configuration file: <code>sudo nano client.conf</code>
+** Once again, the name <code>client</code> can be anything you like for convenience.
+* Insert the following into the file:
+ [Interface]
+ PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=
+ ListenPort = 33333
+ Address = 10.20.10.2/24
+ DNS = 1.1.1.1, 1.0.0.1<br>
+ [Peer]
+ PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
+ AllowedIPs = 0.0.0.0/0
+ Endpoint = example.com:33333
+* Tweak the file to match your server configuration:
+** <code>PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=</code> - the private key generated for the client ('''NOT''' the server private key).
+** <code>ListenPort = 33333</code> - needs to match the <code>ListenPort</code> for the server.
+** <code>Address = 10.20.10.2/24</code> - the address to use, within the subnet defined in the server configuration.
+** <code>DNS = 1.1.1.1, 1.0.0.1</code> - the DNS server to use to resolve names. Something needs to be defined here as there is no DHCP to define a DNS server. This can be a server of your own on the network, your router or one of the many online services (CloudFlare DNS = 1.1.1.1, 1.0.0.1, Google DNS = 8.8.8.8, 8.8.4.4).
+** <code>PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=</code> - the public key of the server, '''NOT''' the client public key.
+** <code>AllowedIPs = 0.0.0.0/0</code> - range of addresses that will be passed over the tunnel. Comma-separated list, can include IPv6 addresses if being used. 0.0.0.0/0 forwards everything.
+** <code>Endpoint = example.com:33333</code> - DNS address or IP address to connect to the server. An IP address will only be useful if you have a static address, otherwise a DNS address with DynDNS is a better solution.
+* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
+* The file can then be transferred to the client and imported into the WireGuard client ready for use.
+=== Adding peers to the server configuration ===
+* Open the server configuration file - <code>sudo nano wg0.conf</code>