WireGuard: Difference between revisions

(4 intermediate revisions by the same user not shown)

Line 51:

=== Generate a public/private key pair ===

* ~~Create~~ a private and public key for the server. You can use the following command:

* Generate a private and public key for the server. You can use the following command:

wg genkey | tee server-privatekey | wg pubkey > server-publickey

**<code>server-privatekey</code> and <code>server-publickey</code> are filenames and can be anything you want and can be changed accordingly. These files are not directly used by WireGuard.

Line 116:

Line 117:

=== Generate a public/private key pair ===

* We will ~~create~~ a public/private key pair much the same way as we did for the server:

* We will generated a public/private key pair much the same way as we did for the server:

wg genkey | tee client-privatekey | wg pubkey > client-publickey

** The name <code>client</code> for the file name can be changed to anything you like for convenience.

Line 136:

Line 137:

AllowedIPs = 0.0.0.0/0

Endpoint = example.com:33333

* Tweak the file to match your ~~server~~ configuration:

* Tweak the file to match your client configuration:

** <code>PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=</code> - the private key generated for the client ('''NOT''' the server private key).

** <code>ListenPort = 33333</code> - needs to match the <code>ListenPort</code> for the server.

Line 149:

Line 150:

=== Adding peers to the server configuration ===

* Open the server configuration file - <code>~~sudo~~ nano wg0.conf</code>

* Open the server configuration file - <code>nano wg0.conf</code>

* Add the <code>[Peer]</code> section, marked in italics, as follows:

[Interface]

## Local Address : A private IP address for wg0 interface.

Address = 10.20.10.1/24

ListenPort = 33333<br>

## local server privatekey

PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=<br>

## The PostUp will run when the WireGuard Server starts the virtual VPN tunnel.

## The PostDown rules run when the WireGuard Server stops the virtual VPN tunnel.

## Specify the command that allows traffic to leave the server and give the VPN clients access to the Internet.

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT

PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE

PostDown = iptables -D FORWARD -i wg0 -j ACCEPT

PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE<br>

''[Peer]''

''# one client which will be setup to use 10.20.10.2 IP''

''PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=''

''AllowedIPs = 10.20.10.2/32''

* Tweak the file to match your client configuration:

** <code>PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=</code> - the public key generated for the client.

** <code>AllowedIPs = 10.20.10.2/32</code> - the IP address used for the tunnel, should match the client configuration file.

* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.

== Reloading the server ==

For our changes to take effect, the WireGuard daemon needs to be reloaded or restarted using:

systemctl reload wg-quick@wg0

or

systemctl restart wg-quick@wg0

At this point, the WireGuard VPN is ready to go!

== Adding further clients ==

* Generate a public/private key pair as explained under the client section.

* Create a configuration with the new public/private key pair generated.

* Copy the configuration to the respective client.

* Add another <code>[Peer]</code> section to the server configuration.

* Reload the WireGuard server.

== See also ==

Thank you to "Mark Liversedge" at [https://markliversedge.blogspot.com/2023/09/wireguard-setup-for-dummies.html Wireguard setup for dummeies] with his comprehensive guide that made this possible for me

@@ Line 51: / Line 51: @@
 === Generate a public/private key pair ===
-* Create a private and public key for the server. You can use the following command:
+* Generate a private and public key for the server. You can use the following command:
   wg genkey | tee server-privatekey | wg pubkey > server-publickey
 **<code>server-privatekey</code> and <code>server-publickey</code> are filenames and can be anything you want and can be changed accordingly. These files are not directly used by WireGuard.
@@ Line 116: / Line 117: @@
 === Generate a public/private key pair ===
-* We will create a public/private key pair much the same way as we did for the server:
+* We will generated a public/private key pair much the same way as we did for the server:
   wg genkey | tee client-privatekey | wg pubkey > client-publickey
 ** The name <code>client</code> for the file name can be changed to anything you like for convenience.
@@ Line 136: / Line 137: @@
   AllowedIPs = 0.0.0.0/0
   Endpoint = example.com:33333
-* Tweak the file to match your server configuration:
+* Tweak the file to match your client configuration:
 ** <code>PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=</code> - the private key generated for the client ('''NOT''' the server private key).
 ** <code>ListenPort = 33333</code> - needs to match the <code>ListenPort</code> for the server.
@@ Line 149: / Line 150: @@
 === Adding peers to the server configuration ===
-* Open the server configuration file - <code>sudo nano wg0.conf</code>
+* Open the server configuration file - <code>nano wg0.conf</code>
+* Add the <code>[Peer]</code> section, marked in italics, as follows:
+ [Interface]
+ ## Local Address : A private IP address for wg0 interface.
+ Address = 10.20.10.1/24
+ ListenPort = 33333<br>
+ ## local server privatekey
+ PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=<br>
+ ## The PostUp will run when the WireGuard Server starts the virtual VPN tunnel.
+ ## The PostDown rules run when the WireGuard Server stops the virtual VPN tunnel.
+ ## Specify the command that allows traffic to leave the server and give the VPN clients access to the Internet.
+ PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
+ PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
+ PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
+ PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE<br>
+ ''[Peer]''
+ ''# one client which will be setup to use 10.20.10.2 IP''
+ ''PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=''
+ ''AllowedIPs = 10.20.10.2/32''
+* Tweak the file to match your client configuration:
+** <code>PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=</code> - the public key generated for the client.
+** <code>AllowedIPs = 10.20.10.2/32</code> - the IP address used for the tunnel, should match the client configuration file.
+* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
+== Reloading the server ==
+For our changes to take effect, the WireGuard daemon needs to be reloaded or restarted using:
+ systemctl reload wg-quick@wg0
+or
+ systemctl restart wg-quick@wg0
+At this point, the WireGuard VPN is ready to go!
+== Adding further clients ==
+* Generate a public/private key pair as explained under the client section.
+* Create a configuration with the new public/private key pair generated.
+* Copy the configuration to the respective client.
+* Add another <code>[Peer]</code> section to the server configuration.
+* Reload the WireGuard server.
+== See also ==
+Thank you to "Mark Liversedge" at [https://markliversedge.blogspot.com/2023/09/wireguard-setup-for-dummies.html Wireguard setup for dummeies] with his comprehensive guide that made this possible for me