Quick notes on how to set up WireGuard on Ubuntu 20.04
Best guide I could find: https://www.linuxbabe.com/ubuntu/wireguard-vpn-server-ubuntu
It still leaves a few pieces missing, so I am writing this to get those pieces sorted out.
Base OS: Ubuntu 20.04
- Install software
sudo apt-get install wireguard wireguard-tools
- Configure WireGuard server side
2.1 Create the public/private key pair for the server
wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
This creates a public/private key pair that serves as the server's identity (the private key never leaves the server; the public key goes into every client config).
2.2 Create the config file /etc/wireguard/wg0.conf
[Interface]
Address = 10.10.10.1/24
SaveConfig = true
PrivateKey = <<INSERT_SERVER_PRIVATE_KEY_HERE>>
ListenPort = 51820
The listen port can be changed and the address range customised, but keep the first IP of the range as the server IP.
2.3 Safeguard the key files by tightening permissions (the private key must not be readable by other users)
sudo chmod 600 /etc/wireguard/ -R
2.4 Ensure IP forwarding is enabled on the server
Ensure /etc/sysctl.conf contains the following line
net.ipv4.ip_forward = 1
Apply the setting at runtime without a reboot
sudo sysctl -p
2.5 Configure MASQUERADE (NAT) on the server
If you are using ufw you can add this to /etc/ufw/before.rules as its own table block. Replace ens3 with the server's outbound (Internet-facing) interface, which you can read off the default route with: ip route show default
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ens3 -j MASQUERADE
# End each table with the 'COMMIT' line or these rules won't be processed
COMMIT
Otherwise run the iptables command directly and then save the rules so they survive a reboot. The POSTROUTING chain lives in the nat table, so -t nat is required:
sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
Double-check the nat table
sudo iptables -t nat -L POSTROUTING
2.6 Open the port on the firewall (UDP, matching ListenPort)
sudo ufw allow 51820/udp
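Added example, not part of the original notes: a small preflight script that checks the server prerequisites from 2.3 to 2.6 (key file permissions, IP forwarding, a MASQUERADE rule in the nat table for the outbound interface, and the ufw rule for the listen port). Each check_/has_ helper takes the relevant command output as text, so the logic can be exercised offline with constructed samples; run_checks feeds them the live system and has to run as root. The port, config path and interface name are taken from these notes and are assumptions for your setup.

```shell
#!/bin/bash
# Added example, not part of the original notes: preflight check for the
# server prerequisites in sections 2.3 to 2.6. Helpers take command output
# as text (testable offline); run_checks feeds them the live system (root).
set -eu

WG_PORT=51820                       # ListenPort from wg0.conf
WG_CONF=/etc/wireguard/wg0.conf

# $1: output of `ip route show default`; prints the outbound interface (ens3 in the notes).
default_iface() {
    printf '%s\n' "$1" | awk '/^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# $1: content of /proc/sys/net/ipv4/ip_forward; true when forwarding is on.
check_ip_forward() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# $1: output of `iptables-save -t nat`, $2: outbound interface.
# True when a MASQUERADE rule for that interface exists in the nat POSTROUTING
# chain (the chain exists only in the nat and mangle tables, hence -t nat).
has_masquerade() {
    printf '%s\n' "$1" | grep -Eq "^-A POSTROUTING .*-o $2 .*-j MASQUERADE"
}

# $1: output of `ufw status`, $2: UDP port; true when an ALLOW rule for the port is listed.
ufw_allows_port() {
    printf '%s\n' "$1" | grep -Eq "^$2/udp[[:space:]]+ALLOW"
}

# $1: output of `stat -c '%a %U' <file>`; true when the file is mode 600 and owned by root.
conf_is_private() {
    [ "$1" = "600 root" ]
}

run_checks() {
    iface=$(default_iface "$(ip route show default)")
    echo "outbound interface: ${iface:-unknown}"
    check_ip_forward "$(cat /proc/sys/net/ipv4/ip_forward)" \
        && echo "ip_forward: ok" || echo "ip_forward: OFF (see 2.4)"
    has_masquerade "$(iptables-save -t nat)" "$iface" \
        && echo "masquerade: ok" || echo "masquerade: no rule for $iface (see 2.5)"
    ufw_allows_port "$(ufw status)" "$WG_PORT" \
        && echo "ufw: ok" || echo "ufw: $WG_PORT/udp not allowed (see 2.6)"
    conf_is_private "$(stat -c '%a %U' "$WG_CONF")" \
        && echo "permissions: ok" || echo "permissions: $WG_CONF is not 600/root (see 2.3)"
}

# Usage: sudo ./wg-preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it after finishing section 2 and again after any firewall change; a missing MASQUERADE rule is the usual reason a client connects (handshake succeeds in wg show) but gets no Internet traffic through the tunnel.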
- Service commands
a. To start
sudo wg-quick up /etc/wireguard/wg0.conf
b. To stop
sudo wg-quick down /etc/wireguard/wg0.conf
c. Or manage it as a systemd service (use either wg-quick directly or the unit, not both at once, otherwise the second start fails because wg0 already exists)
sudo systemctl start wg-quick@wg0.service
d. Enable the service at boot
sudo systemctl enable wg-quick@wg0.service
e. Check the VPN status (interface, peers, last handshake, transfer counters)
sudo wg show
- Preparing the server for a client
Sample client config template
[Interface]
PrivateKey = <<CLIENT_PRIVATE_KEY>>
Address = 10.10.10.2/32
DNS = 8.8.8.8
[Peer]
PublicKey = <<SERVER_PUBLIC_KEY>>
Endpoint = <<SERVER_IP>>:<<SERVER_PORT>>
AllowedIPs = 0.0.0.0/0
We will generate this client profile on the server directly.
4.1 Create the client public/private key pair
wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key
4.2 Fill in the right details on the template config file.
4.3 Update /etc/wireguard/wg0.conf
Ensure the VPN is switched off first: with SaveConfig = true, wg-quick rewrites wg0.conf from the running state when the interface goes down, so edits made while it is up would be overwritten
sudo wg-quick down /etc/wireguard/wg0.conf
Edit the file and add the following section
[Peer]
PublicKey = <<Client Public Key>>
AllowedIPs = 10.10.10.2/32
Remember to replace the public key with the client's key and set AllowedIPs to the specific address you want to allocate to this client.
This address must match the Interface Address in the client's config file and fall within the range specified in the server config section. On the server side AllowedIPs also acts as the source filter: packets arriving from this peer with any other source address are dropped.
Switch the VPN back on
sudo wg-quick up /etc/wireguard/wg0.conf
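Added example, not part of the original notes: a script that carries out steps 4.1 to 4.3 in one go for a new client. It picks the lowest unused address in the 10.10.10.0/24 range by reading the AllowedIPs already present in wg0.conf, generates the client key pair with wg, renders the client config from the template above and appends the matching [Peer] block to the server config. Assumptions: the server [Interface] uses 10.10.10.1/24 as in these notes, clients get /32 addresses from .2 upwards, the config directory is /etc/wireguard, and the interface is down while the script runs (see 4.3). The script name, client name and endpoint in the usage line are placeholders.

```shell
#!/bin/bash
# Added example, not part of the original notes: provision one client (steps 4.1-4.3).
# Assumes the server [Interface] Address is 10.10.10.1/24, clients get /32 addresses
# from .2 upwards, and wg0 is DOWN while this runs (SaveConfig = true rewrites wg0.conf
# when the interface goes down).
set -eu

WG_DIR="${WG_DIR:-/etc/wireguard}"
SERVER_CONF="$WG_DIR/wg0.conf"
NET_PREFIX="10.10.10"               # the /24 from the server [Interface]
DNS_SERVER="8.8.8.8"                # as in the template above

# True when $1 looks like a WireGuard key: base64 text that decodes to exactly 32 bytes.
is_wg_key() {
    [ "${#1}" -eq 44 ] &&
        [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)" -eq 32 ]
}

# Print the lowest unused address in NET_PREFIX.0/24, skipping .1 (the server) and
# every /32 already listed under AllowedIPs in the server config $1.
next_free_ip() {
    used=$(awk -F'=' -v p="$NET_PREFIX" '
        /^[ \t]*AllowedIPs/ {
            n = split($2, a, ",")
            for (k = 1; k <= n; k++) {
                gsub(/[ \t]/, "", a[k])
                if (index(a[k], p ".") == 1) {          # same /24 as the server
                    sub(/^.*\./, "", a[k]); sub(/\/.*/, "", a[k]); print a[k]
                }
            }
        }' "$1")
    i=2
    while [ "$i" -le 254 ]; do
        if ! printf '%s\n' "$used" | grep -qx "$i"; then
            echo "$NET_PREFIX.$i"
            return 0
        fi
        i=$((i + 1))
    done
    echo "no free address left in $NET_PREFIX.0/24" >&2
    return 1
}

# $1: client private key, $2: client IP, $3: server public key, $4: endpoint host:port
render_client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2/32
DNS = $DNS_SERVER

[Peer]
PublicKey = $3
Endpoint = $4
AllowedIPs = 0.0.0.0/0
EOF
}

# $1: client public key, $2: client IP; the block appended to the server config
render_server_peer() {
    cat <<EOF

[Peer]
PublicKey = $1
AllowedIPs = $2/32
EOF
}

# $1: client name, $2: server public key, $3: endpoint host:port
add_client() {
    is_wg_key "$2" || { echo "not a valid server public key: $2" >&2; return 1; }
    ip=$(next_free_ip "$SERVER_CONF")
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
    umask 077                       # the client config holds a private key: root-only
    render_client_conf "$priv" "$ip" "$2" "$3" > "$WG_DIR/$1.conf"
    render_server_peer "$pub" "$ip" >> "$SERVER_CONF"
    echo "$1 -> $ip, client config written to $WG_DIR/$1.conf"
}

# Usage (placeholder names): sudo ./add-client.sh laptop <server public key> vpn.example.org:51820
if [ "$#" -eq 3 ]; then
    add_client "$@"
fi
```

Bring wg0 down before running it and up again afterwards, exactly as in 4.3; the generated client file is then ready for 5.1 or 5.2.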
- Distributing the config file
5.1 Desktop clients can use the config file directly.
a. Share the file with the client and let them use it. It contains the client's private key, so send it over a confidential channel and delete the server-side copy once delivered.
b. Alternatively, generate the key pair on the client side and have the client send you only its public key, as that is the only value the server needs.
5.2 For mobile clients a QR code based config is easier
We need to generate the QR code for the config
a. Install qrencode on the server
sudo apt-get install qrencode
b. This example command renders a scannable QR code for config.file in the terminal
qrencode -t ansiutf8 < config.file
I will add more tips as we go.
That's all