WireGuard Setup

Quick notes on how to set up WireGuard on Ubuntu 20.04.

Best guide I could find: https://www.linuxbabe.com/ubuntu/wireguard-vpn-server-ubuntu

But there were still pieces missing, so I am writing this to fill in those gaps.

Base OS: Ubuntu 20.04

  1. Install software
sudo apt-get install wireguard wireguard-tools

  2. Configure WireGuard server side

2.1. Generate the public/private key pair for the server

wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key

This creates a public/private key pair that serves as the server's identity. The private key stays in /etc/wireguard/server_private.key and never leaves the server; the public key (which the final tee also prints to the terminal) is what every client puts in its [Peer] section.

2.2 Create the config file /etc/wireguard/wg0.conf

[Interface]
Address = 10.10.10.1/24
SaveConfig = true
PrivateKey = <<INSERT_SERVER_PRIVATE_KEY_HERE>>
ListenPort = 51820

The listen port can be changed and the address range customized, but keep the first usable IP in the range as the server IP. ListenPort must match the UDP port opened in 2.6 and the port in the clients' Endpoint. SaveConfig = true makes wg-quick write the running configuration back to this file whenever the interface is brought down, so edits made by hand while the interface is up are silently overwritten (see 4.3).

2.3 Safeguard the files by restricting permissions

Files written through sudo tee get sudo's default umask (typically giving 644), so the private key created in 2.1 is world-readable until this step. Keep the directory itself traversable only by root and the files readable only by root:

sudo chmod 700 /etc/wireguard
sudo chmod 600 /etc/wireguard/*

2.4 Ensure IP Forwarding is in place on server

Ensure /etc/sysctl.conf contains the following line (without it the server receives tunnel packets but never forwards them):

net.ipv4.ip_forward = 1

Load the setting at runtime (it is also applied at every boot from now on):

sudo sysctl -p

2.5 Configure MASQUERADE (NAT) on the server

If you are using ufw, add the following to /etc/ufw/before.rules, either at the top (before the *filter block) or at the very end of the file; each table block is self-contained and ends with COMMIT. ens3 is the interface that carries the default route; check with ip route show default and substitute your own. Reload ufw after saving. Note that ufw's default forward policy is DROP, so packets coming out of the tunnel also need a ufw route rule that allows traffic in on wg0 and out on ens3; without it they are dropped before the NAT rule ever sees them.

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ens3 -j MASQUERADE

# End each table with the 'COMMIT' line or these rules won't be processed
COMMIT

Otherwise run the iptables command directly. Note the -t nat: the MASQUERADE rule belongs in the nat table, and without that flag iptables looks for a POSTROUTING chain in the filter table and fails. Rules added this way are lost at reboot, so either save them (for example with iptables-persistent) or, better, attach them to the interface with PostUp/PostDown lines in wg0.conf so they are added and removed together with wg0.

sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE

Double-check that the rule is in place:

sudo iptables -t nat -L POSTROUTING

2.6 Open the port on the firewall

sudo ufw allow 51820/udp
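The whole server [Interface] section with the NAT rules attached to it, as an added example that is not part of the original notes or of WireGuard itself. It assumes ens3 is the uplink (override with WAN_IFACE) and the 10.10.10.0/24 range from 2.2; the function names and the file name render-wg0.sh are my own. Instead of editing before.rules or saving iptables state separately, it uses the PostUp/PostDown hooks that wg-quick supports, so the MASQUERADE and FORWARD rules exist exactly while wg0 is up and nothing is left behind when the VPN is stopped. It also refuses a value that is not a WireGuard key, which catches pasting the public key file by mistake:

```shell
#!/bin/sh
# Added example, not code from the original notes or from the WireGuard project.
# Renders /etc/wireguard/wg0.conf with PostUp/PostDown hooks so the NAT and
# forwarding rules are created when wg0 comes up and removed when it goes down.
# Assumptions: uplink interface ens3 (override with WAN_IFACE) and the
# 10.10.10.0/24 tunnel from section 2.2; the function names are mine.
set -eu

# is_wg_key KEY: a WireGuard key is 32 bytes, which base64-encodes to exactly
# 43 characters plus one '=' of padding. Rejects the wrong file (or a key with
# a stray character) before it ends up in the config.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# render_server_conf PRIVATE_KEY WAN_IFACE [ADDRESS] [PORT]
# Prints the [Interface] section. wg-quick expands %i to the interface name
# (wg0), so the hooks keep working if the file is renamed.
render_server_conf() {
    key=$1
    wan=$2
    addr=${3:-10.10.10.1/24}
    port=${4:-51820}
    is_wg_key "$key" || { echo "render_server_conf: not a WireGuard key" >&2; return 1; }
    cat <<EOF
[Interface]
Address = $addr
ListenPort = $port
PrivateKey = $key
# wg-quick writes the running config back here when wg0 goes down, so edit this
# file only while the interface is down, or add peers with 'wg set'.
SaveConfig = true
# NAT tunnel traffic out of $wan and let it through the FORWARD chain; the
# matching -D lines undo exactly these rules when the interface stops.
PostUp = iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o $wan -j MASQUERADE; iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Usage on the server, as root (then apply the permissions from 2.3):
#   WG_PRIVATE_KEY=$(cat /etc/wireguard/server_private.key) WAN_IFACE=ens3 \
#       sh render-wg0.sh > /etc/wireguard/wg0.conf
# WAN_IFACE defaults to the interface that carries the default route.
if [ -n "${WG_PRIVATE_KEY:-}" ]; then
    render_server_conf "$WG_PRIVATE_KEY" \
        "${WAN_IFACE:-$(ip -o route show default | awk '{print $5; exit}')}"
fi
```

The FORWARD rules only matter when the FORWARD chain policy is DROP; on a plain iptables host with the default ACCEPT policy they are harmless. If ufw manages the firewall, leave the PostUp/PostDown lines out and keep the NAT rule in before.rules as above, because a ufw reload flushes rules added outside ufw; in that case allow forwarding with sudo ufw route allow in on wg0 out on ens3, since ufw's default forward policy is DROP. Because of SaveConfig = true, the comments inside the rendered file disappear the first time wg-quick saves it; the PostUp/PostDown lines themselves are preserved.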
  3. Service commands

a. To Start

sudo wg-quick up /etc/wireguard/wg0.conf

b. To Stop

sudo wg-quick down /etc/wireguard/wg0.conf

c. Or run it as a systemd service (use either wg-quick directly or the service, not both; the second attempt fails because wg0 already exists)

sudo systemctl start wg-quick@wg0.service

d. Enable the service at boot

sudo systemctl enable wg-quick@wg0.service

e. Check the status of the VPN

sudo wg show

For each peer this lists the latest handshake and the transfer counters. A peer with no latest handshake line has never completed a handshake: check the keys, the Endpoint, and that UDP 51820 is reachable through the firewall. A handshake with transfer counters that do not grow usually points at routing (AllowedIPs, ip_forward, or the NAT rule) rather than at WireGuard itself.
  4. Preparing the server for a client

Sample client config template

[Interface]
PrivateKey = <<CLIENT_PRIVATE_KEY>>
Address = 10.10.10.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = <<SERVER_PUBLIC_KEY>>
Endpoint = <<SERVER_IP>>:<<SERVER_PORT>>
AllowedIPs = 0.0.0.0/0

AllowedIPs = 0.0.0.0/0 on the client routes all of its traffic through the tunnel; for a split tunnel that only reaches the VPN network, use 10.10.10.0/24 instead. On Linux clients the DNS line is applied through resolvconf, which must be installed or wg-quick refuses to bring the interface up. For phones and laptops behind NAT, a PersistentKeepalive setting in the client's [Peer] section keeps the NAT mapping open so the server can still reach them.

We will generate this profile directly on the server.

4.1 Create the client public/private key pair (use a different file name per client, otherwise the second client overwrites the first)

wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key

4.2 Fill in the template: the client private key from 4.1, the server public key from /etc/wireguard/server_public.key, and the server's public IP and ListenPort.

4.3 Update /etc/wireguard/wg0.conf

Because SaveConfig = true, wg-quick overwrites the file with the running configuration when the interface goes down, so bring it down before editing or the new peer is lost (adding the peer at runtime with wg set is the alternative that avoids the interruption):

sudo wg-quick down /etc/wireguard/wg0.conf

Edit the file and add following section

[Peer]
PublicKey = <<Client Public Key>>
AllowedIPs = 10.10.10.2/32

Replace the public key with the client's public key and set AllowedIPs to the specific address allocated to that client.

This address must match the Address in the client's template config and lie within the range given in the server [Interface] section. AllowedIPs on the server side also works as a source filter: packets arriving from this peer with any other source address are dropped, so keep it at the single /32 rather than a wider range.

Switch on the vpn

sudo wg-quick up /etc/wireguard/wg0.conf
  5. Distribution of the config file

5.1. Desktop clients can use the config file directly.

a. Share the file with the client over a secure channel; it contains the client's private key.

b. Better still, generate the key pair on the client and send only the public key to the server, since that is the only value the server needs; the private key then never leaves the device.

5.2. For mobile clients a QR code is the easier way to import the config.

We need to generate the QR code for the config:

a. Install qrencode on the server

sudo apt-get install qrencode

b. This command renders the config file as a QR code in the terminal that the WireGuard app can scan:

qrencode -t ansiutf8 < config.file

The QR code encodes the whole profile, private key included, so show it only where nobody else can see the screen and delete the file once the phone has imported it.
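Sections 4 and 5 put together as one script, as an added example that is not from the original notes or from WireGuard: it generates the client key pair with a restrictive umask, picks the next free tunnel address from what the running interface already has assigned, renders the client profile (with the PersistentKeepalive line that devices behind NAT need), adds the peer to the live wg0 with wg set instead of bouncing the interface, persists it with wg-quick save, and can print the profile as a QR code. The /etc/wireguard/clients directory, the server_public.key path, the file name provision-client.sh and the function names are my own choices; the endpoint is passed in by the operator:

```shell
#!/bin/sh
# Added example, not code from the original notes or from the WireGuard project.
# Provisions one client on the server: generates its key pair with a
# restrictive umask, picks the next free tunnel address, renders the client
# profile, adds the peer to the running wg0 without restarting it, persists
# the peer, and optionally prints the profile as a QR code (section 5.2).
# Assumptions: the 10.10.10.0/24 tunnel from section 2.2, the server public
# key in /etc/wireguard/server_public.key, and a clients/ directory and
# function names that are my own choice, not from the original notes.
set -eu

# render_client_conf CLIENT_PRIV SERVER_PUB ENDPOINT CLIENT_IP [DNS] [ALLOWED_IPS]
# AllowedIPs = 0.0.0.0/0 sends all client traffic through the tunnel; pass
# 10.10.10.0/24 for a split tunnel. PersistentKeepalive keeps the NAT mapping
# open for phones and laptops behind NAT so the server can reach them.
render_client_conf() {
    cpriv=$1; spub=$2; endpoint=$3; cip=$4
    dns=${5:-8.8.8.8}; allowed=${6:-0.0.0.0/0}
    cat <<EOF
[Interface]
PrivateKey = $cpriv
Address = $cip/32
DNS = $dns

[Peer]
PublicKey = $spub
Endpoint = $endpoint
AllowedIPs = $allowed
PersistentKeepalive = 25
EOF
}

# render_peer_block CLIENT_PUB CLIENT_IP: the server-side [Peer] entry for
# wg0.conf. The /32 is both the route to the client and the only source
# address the server accepts from this key.
render_peer_block() {
    cat <<EOF

[Peer]
PublicKey = $1
AllowedIPs = $2/32
EOF
}

# next_client_ip USED: lowest free host in 10.10.10.0/24, given the
# whitespace-separated AllowedIPs already assigned (as printed by
# 'wg show wg0 allowed-ips'), so two clients never share an address.
next_client_ip() {
    used=" $(printf '%s ' $1) "
    i=2
    while [ "$i" -lt 255 ]; do
        case "$used" in
            *" 10.10.10.$i/32 "*) i=$((i + 1)) ;;
            *) echo "10.10.10.$i"; return 0 ;;
        esac
    done
    echo "next_client_ip: 10.10.10.0/24 is full" >&2
    return 1
}

# provision_client NAME ENDPOINT: run as root on the server while wg0 is up.
provision_client() {
    name=$1
    endpoint=$2
    dir=/etc/wireguard/clients
    umask 077                     # key and profile are never created world-readable
    mkdir -p "$dir"
    priv=$(wg genkey)
    pub=$(echo "$priv" | wg pubkey)
    spub=$(cat /etc/wireguard/server_public.key)
    # 'wg show wg0 allowed-ips' prints one line per peer: key, tab, allowed IPs.
    ip=$(next_client_ip "$(wg show wg0 allowed-ips | cut -f2-)")
    render_client_conf "$priv" "$spub" "$endpoint" "$ip" > "$dir/$name.conf"
    # Add the peer to the live interface (existing clients stay connected) and
    # write the running config back to wg0.conf. Without SaveConfig = true you
    # would append render_peer_block "$pub" "$ip" to wg0.conf and restart instead.
    wg set wg0 peer "$pub" allowed-ips "$ip/32"
    wg-quick save wg0
    echo "wrote $dir/$name.conf: $name = $ip, public key $pub" >&2
    # Phones: show the profile as a QR code. It carries the private key, so do
    # this only in a terminal nobody else can see.
    if [ -n "${WG_QR:-}" ]; then
        qrencode -t ansiutf8 < "$dir/$name.conf"
    fi
}

# Usage (as root):  WG_QR=1 sh provision-client.sh phone vpn.example.com:51820
if [ "$#" -eq 2 ]; then
    provision_client "$1" "$2"
fi
```

If you prefer the key pair to be generated on the client (5.1 b), drop the wg genkey step, take the client's public key as a third argument, and skip writing the profile: the wg set and wg-quick save lines are then all the server needs.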

I will add more tips as I go along.

That's all.
