WireGuard: Difference between revisions

Added more to article, saving progress
Completed article
Line 136: Line 136:
  AllowedIPs = 0.0.0.0/0
  AllowedIPs = 0.0.0.0/0
  Endpoint = example.com:33333
  Endpoint = example.com:33333
* Tweak the file to match your server configuration:
* Tweak the file to match your client configuration:
** <code>PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=</code> - the private key generated for the client ('''NOT''' the server private key).
** <code>PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=</code> - the private key generated for the client ('''NOT''' the server private key).
** <code>ListenPort = 33333</code> - needs to match the <code>ListenPort</code> for the server.
** <code>ListenPort = 33333</code> - needs to match the <code>ListenPort</code> for the server.
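Review bot: the `ListenPort` bullet in this hunk is misleading for a client configuration: the client's own `ListenPort` does not have to match the server's, and can be omitted entirely so the kernel picks an ephemeral port. What must match the server's `ListenPort` is the port in `Endpoint = example.com:33333`, so suggest rewording the bullet to say that (e.g. "the port in `Endpoint` must match the server's `ListenPort`"). Separately, the heading bullet was corrected from "server" to "client", but the `PrivateKey` bullet still shows a full base64 key; since this is a published article, replace it with a placeholder such as `<client-private-key>` so nobody copies a key that has already appeared on a public wiki.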
Line 149: Line 149:
=== Adding peers to the server configuration ===
=== Adding peers to the server configuration ===


* Open the server configuration file - <code>sudo nano wg0.conf</code>
* Open the server configuration file - <code>nano wg0.conf</code>
* Add the <code>[Peer]</code> section as follows:
[Interface]
## Local Address : A private IP address for wg0 interface.
Address = 10.20.10.1/24
ListenPort = 33333<br>
## local server privatekey
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=<br>
## The PostUp will run when the WireGuard Server starts the virtual VPN tunnel.
## The PostDown rules run when the WireGuard Server stops the virtual VPN tunnel.
## Specify the command that allows traffic to leave the server and give the VPN clients access to the Internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE<br>
[Peer]
[Peer]
# one client which will be setup to use 10.20.10.2 IP
PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=
AllowedIPs = 10.20.10.2/32
* Tweak the file to match your client configuration:
** <code>PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=</code> - the public key generated for the client.
** <code>AllowedIPs = 10.20.10.2/32</code> - the IP address used for the tunnel, should match the client configuration file.
* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
 
== Reloading the server ==
 
For our changes to take effect, the WireGuard daemon needs to be reloaded or restarted using:
systemctl reload wg-quick@wg0
or
systemctl restart wg-quick@wg0
 
At this point, the WireGuard VPN is ready to go!
 
== Adding further clients ==
 
* Generate a public/private key pair as explained under the client section.
* Create a configuration with the new public/private key pair generated.
* Copy the configuration to the respective client.
* Add another <code>[Peer]</code> section to the server configuration.
* Reload the WireGuard server.
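Review bot: dropping `sudo` from `nano wg0.conf` in this hunk will fail for a non-root user: wg-quick reads the server configuration from `/etc/wireguard/`, which is root-owned, and the command also uses a relative path, so it only works if the reader is already in that directory as root. Suggest `sudo nano /etc/wireguard/wg0.conf` (or a note that the section assumes a root shell), which would also be consistent with `systemctl reload wg-quick@wg0`, which needs root too. Three smaller points in the same hunk: the `[Interface]` block shows a literal `PrivateKey` value and should use a placeholder, with a note that `wg0.conf` must be readable only by root (`chmod 600`) because it holds that key; the `<br>` tags inside the configuration listing are not valid in a real `wg0.conf`, so the example should be rendered in a `<pre>` or `<syntaxhighlight>` block without them so readers can copy it verbatim; and the `iptables ... -o em1` rules only work if `em1` is the server's actual outbound interface, so the text should tell the reader to substitute the interface name shown by `ip route`.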