WireGuard is a modern, lightweight, high-performance VPN protocol.
SERVER SIDE
On Ubuntu / Debian-based systems.
apt install wireguard -y
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
chmod 600 /etc/wireguard/server_private.key
nano /etc/wireguard/wg0.conf
Copy both the private and public keys, and insert the server private key in the configuration file /etc/wireguard/wg0.conf:
[Interface]
Address = 10.100.100.1/24
SaveConfig = true
PrivateKey = OFSQt8EsapBiIR8xdcX7qJrNxc+w5NsdrZE2AlT/ulM=
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey =
AllowedIPs = 10.100.100.2/32
Enable IPv4 forwarding in /etc/sysctl.conf, then restart:
...
net.ipv4.ip_forward=1
...
Then, apply:
sysctl -p
echo 1 > /proc/sys/net/ipv4/ip_forward
CLIENT SIDE
sudo apt-add-repository ppa:wireguard/wireguard && sudo apt update
sudo apt install wireguard-dkms wireguard-tools linux-headers-$(uname -r)
umask 077
wg genkey | tee client_private_key | wg pubkey > client_public_key
cat client_public_key
cat client_private_key
Copy both the private and public keys, and insert the client private key and the server public key in the configuration file /etc/wireguard/wg0-client.conf:
[Interface]
Address = 10.100.100.2/32
PrivateKey = oCd8EOqR1fezGQrKg2Z+6PgsrmNMGkmFJFLwt80raWU=

[Peer]
PublicKey = 2MC67m4cXW0Byn7oieWp6CTCUyF2UDXaIfzTxjaypx0=
Endpoint = 192.168.134.169:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
Bring the interface up with wg-quick and check its status:
wg-quick up wg0-client
wg
Optionally, enable it to start on boot:
systemctl enable --now wg-quick@wg0-client
SERVER SIDE AGAIN
Go back to the server configuration and add the client public key to the configuration file /etc/wireguard/wg0.conf:
[Interface]
Address = 10.100.100.1/24
SaveConfig = true
PrivateKey = OFSQt8EsapBiIR8xdcX7qJrNxc+w5NsdrZE2AlT/ulM=
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = YnHktthA5EibYaiKEyNTYPpsV40tnKEOrT1opdWiylA=
AllowedIPs = 10.100.100.2/32
Issue the commands:
chmod -v 600 /etc/wireguard/wg0.conf
wg-quick up wg0
systemctl enable wg-quick@wg0.service
CLIENT SIDE AGAIN
Start the service!
wg-quick up wg0-client
wg
BONUS IPv6-OVER-IPv4
Server Side
nano /etc/wireguard/wg6.conf
[Interface]
PrivateKey = OFSQt8EsapBiIR8xdcX7qJrNxc+w5NsdrZE2AlT/ulM=
Address = fd42:42:42::1/64
ListenPort = 51820
#PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -A POSTROUTING -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -j MASQUERADE

[Peer]
PublicKey = YnHktthA5EibYaiKEyNTYPpsV40tnKEOrT1opdWiylA=
AllowedIPs = fd42:42:42::2/128
chmod -v 600 /etc/wireguard/wg6.conf
systemctl enable wg-quick@wg6.service
Client Side
nano /etc/wireguard/wg6.conf
[Interface]
PrivateKey = oCd8EOqR1fezGQrKg2Z+6PgsrmNMGkmFJFLwt80raWU=
Address = fd42:42:42::2/128
DNS = 2606:4700:4700::1111
PostUp = ip -6 route add default via fd42:42:42::1 dev wg6
PostDown = ip -6 route del default via fd42:42:42::1 dev wg6

[Peer]
PublicKey = 2MC67m4cXW0Byn7oieWp6CTCUyF2UDXaIfzTxjaypx0=
Endpoint = 10.1.1.169:51820
AllowedIPs = ::/0
PersistentKeepalive = 25
chmod -v 600 /etc/wireguard/wg6.conf
systemctl enable wg-quick@wg6.service
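The steps above hinge on a few things being right in the config files: every PrivateKey/PublicKey is a real 32-byte Curve25519 key, the file holding the private key is mode 600, each [Peer] has AllowedIPs (that is WireGuard's cryptokey routing table, which decides both where outbound packets go and which source addresses a peer is allowed to send from), and no two interfaces on one host share a ListenPort. The following Python linter is an added example, not code from the original page or from the WireGuard project; its parser, cryptokey table and port check are simplified re-implementations of what wg-quick and the kernel module do. The sample configs are constructed to mirror the page's server wg0.conf and wg6.conf, reusing the page's keys; note that as written on the page both server interfaces use ListenPort 51820, which the clash check reports, since the second interface cannot bind a port the first already holds.

```python
import base64
import ipaddress
import os
import stat

# Constructed sample modelled on the page's server wg0.conf (page's keys reused).
SERVER_WG0 = """\
[Interface]
Address = 10.100.100.1/24
SaveConfig = true
PrivateKey = OFSQt8EsapBiIR8xdcX7qJrNxc+w5NsdrZE2AlT/ulM=
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = YnHktthA5EibYaiKEyNTYPpsV40tnKEOrT1opdWiylA=
AllowedIPs = 10.100.100.2/32
"""

# Constructed sample modelled on the page's server wg6.conf: same ListenPort as wg0.
SERVER_WG6 = """\
[Interface]
PrivateKey = OFSQt8EsapBiIR8xdcX7qJrNxc+w5NsdrZE2AlT/ulM=
Address = fd42:42:42::1/64
ListenPort = 51820

[Peer]
PublicKey = YnHktthA5EibYaiKEyNTYPpsV40tnKEOrT1opdWiylA=
AllowedIPs = fd42:42:42::2/128
"""


def parse_wg_conf(text):
    """Parse the INI-like wg-quick format into (interface_dict, [peer_dict, ...])."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            # Repeated keys (e.g. several AllowedIPs lines) are joined like wg-quick does.
            current[key] = f"{current[key]}, {value}" if key in current else value
    return interface, peers


def valid_key(key):
    """A WireGuard key is 32 raw bytes, base64-encoded: always 44 characters."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


def cryptokey_table(peers):
    """Map every AllowedIPs prefix to one peer; a later peer claiming a prefix takes it over."""
    table = {}
    for peer in peers:
        for cidr in peer.get("AllowedIPs", "").split(","):
            if cidr.strip():
                table[ipaddress.ip_network(cidr.strip(), strict=False)] = peer["PublicKey"]
    return table


def route_peer(table, address):
    """Longest-prefix match: the peer that receives packets for, or may send from, address."""
    addr = ipaddress.ip_address(address)
    matches = [net for net in table if addr in net]   # v4/v6 mismatch never matches
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None


def lint(text, path=None):
    """Return findings for one config text; pass path to also check the on-disk file mode."""
    findings = []
    interface, peers = parse_wg_conf(text)
    if not valid_key(interface.get("PrivateKey", "")):
        findings.append("Interface: missing or malformed PrivateKey")
    if path is not None:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path}: mode {oct(mode)} exposes the private key; chmod 600 it")
    for i, peer in enumerate(peers, 1):
        if not valid_key(peer.get("PublicKey", "")):
            findings.append(f"Peer {i}: missing or malformed PublicKey")
        if not peer.get("AllowedIPs"):
            findings.append(f"Peer {i}: no AllowedIPs, so no traffic is routed to or accepted from it")
    return findings


def listen_port_clash(*configs):
    """Two interfaces on one host cannot bind the same ListenPort; return the clashing ports."""
    ports = [parse_wg_conf(c)[0].get("ListenPort") for c in configs]
    return sorted(int(p) for p in set(ports) if p is not None and ports.count(p) > 1)


if __name__ == "__main__":
    for name, text in (("wg0.conf", SERVER_WG0), ("wg6.conf", SERVER_WG6)):
        print(name, lint(text) or "ok")
    table = cryptokey_table(parse_wg_conf(SERVER_WG0)[1])
    print("10.100.100.2 ->", route_peer(table, "10.100.100.2"))
    print("10.100.100.3 ->", route_peer(table, "10.100.100.3"))
    print("ListenPort clashes:", listen_port_clash(SERVER_WG0, SERVER_WG6))
```

To check real files, call `lint(open(p).read(), p)` for each file under /etc/wireguard so the mode check runs too; the route lookup shows why the server only needs a /32 per client while the client's 0.0.0.0/0 (or ::/0) sends everything through the tunnel.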