{"id":1380,"date":"2021-03-14T15:56:10","date_gmt":"2021-03-14T15:56:10","guid":{"rendered":"https:\/\/dft.wiki\/?p=1380"},"modified":"2025-07-02T15:34:55","modified_gmt":"2025-07-02T19:34:55","slug":"setting-up-wireguard-vpn-client-and-server","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=1380","title":{"rendered":"Setting Up WireGuard VPN Client and Server"},"content":{"rendered":"

Modern, lightweight, and high-performance VPN protocol.<\/p>\n

\n

SERVER SIDE<\/strong><\/p>\n

On Ubuntu \/ Debian-based systems.<\/p>\n

apt install wireguard -y\r\nwg genkey | tee \/etc\/wireguard\/server_private.key | wg pubkey > \/etc\/wireguard\/server_public.key\r\nchmod 600 \/etc\/wireguard\/server_private.key\r\nnano \/etc\/wireguard\/wg0.conf<\/pre>\n
Copy both private and public keys and insert the server private key<\/strong> on the configuration file \/etc\/wireguard\/wg0.conf<\/strong>:<\/p>\n
[Interface]\r\nAddress = 10.100.100.1\/24\r\nSaveConfig = true\r\nPrivateKey = OFSQt8EsapBiIR8xdcX7qJrNxc+w5NsdrZE2AlT\/ulM=<\/strong>\r\nListenPort = 51820\r\nPostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\r\nPostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE\r\n[Peer]\r\nPublicKey = \r\nAllowedIPs = 10.100.100.2\/32<\/pre>\n
Allow IPv4 forwarding on \/etc\/sysctl.conf<\/strong> then restart.<\/p>\n
...\r\nnet.ipv4.ip_forward=1\r\n...<\/pre>\n
Then, apply:<\/p>\n
sysctl -p\r\necho 1 > \/proc\/sys\/net\/ipv4\/ip_forward<\/pre>\n
\n
CLIENT SIDE<\/strong><\/p>\n
sudo apt-add-repository ppa:wireguard\/wireguard && sudo apt update\r\nsudo apt install wireguard-dkms wireguard-tools linux-headers-$(uname -r)\r\numask 077\r\nwg genkey | tee client_private_key | wg pubkey > client_public_key \r\ncat client_public_key\r\ncat client_private_key<\/pre>\n
Copy both private and public keys and insert the client private key<\/strong> and server public key<\/strong> in the configuration file \/etc\/wireguard\/wg0-client.conf<\/strong>:<\/p>\n
[Interface]\r\nAddress = 10.100.100.2\/32\r\nPrivateKey = oCd8EOqR1fezGQrKg2Z+6PgsrmNMGkmFJFLwt80raWU=<\/strong>\r\n[Peer]\r\nPublicKey = 2MC67m4cXW0Byn7oieWp6CTCUyF2UDXaIfzTxjaypx0=<\/strong>\r\nEndpoint = 192.168.134.169:51820\r\nAllowedIPs = 0.0.0.0\/0\r\nPersistentKeepalive = 21<\/pre>\n
Start the wg-quick:<\/p>\n
wg-quick up wg0-client\r\nwg<\/pre>\n
Optionally, enable it to start on boot:<\/p>\n
systemctl enable --now wg-quick@wg0-client<\/pre>\n
\n
SERVER SIDE AGAIN<\/strong><\/p>\n
Go back to the server configuration<\/strong> and add the client public key<\/strong> to the configuration file \/etc\/wireguard\/wg0.conf<\/strong>:<\/p>\n
[Interface]\r\nAddress = 10.100.100.1\/24\r\nSaveConfig = true\r\nPrivateKey = OFSQt8EsapBiIR8xdcX7qJrNxc+w5NsdrZE2AlT\/ulM=\r\nListenPort = 51820\r\nPostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\r\nPostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE\r\n[Peer]\r\nPublicKey = YnHktthA5EibYaiKEyNTYPpsV40tnKEOrT1opdWiylA=<\/strong>\r\nAllowedIPs = 10.100.100.2\/32<\/pre>\n
Issue the commands:<\/p>\n
chmod -v 600 \/etc\/wireguard\/wg0.conf\r\nwg-quick up wg0\r\nsystemctl enable wg-quick@wg0.service<\/pre>\n
\n
CLIENT SIDE AGAIN<\/strong><\/p>\n
Start the service!<\/p>\n
wg-quick up wg0-client\r\nwg<\/pre>\n
\n
BONUS IPv6-OVER-IPv4<\/strong><\/p>\n
Server Side<\/strong><\/p>\n
nano \/etc\/wireguard\/wg6.conf<\/pre>\n
[Interface]\r\nPrivateKey = OFSQt8EsapBiIR8xdcX7qJrNxc+w5NsdrZE2AlT\/ulM=<\/strong>\r\nAddress = fd42:42:42::1\/64\r\nListenPort = 51820\r\n#PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\r\n#PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE\r\nPostUp = ip6tables -t nat -A POSTROUTING -j MASQUERADE\r\nPostDown = ip6tables -t nat -D POSTROUTING -j MASQUERADE\r\n\r\n[Peer]\r\nPublicKey = YnHktthA5EibYaiKEyNTYPpsV40tnKEOrT1opdWiylA=<\/strong>\r\nAllowedIPs = fd42:42:42::2\/128<\/pre>\n
chmod -v 600 \/etc\/wireguard\/wg6.conf\r\nsystemctl enable wg-quick@wg6.service<\/pre>\n
Client Side<\/strong><\/p>\n
nano \/etc\/wireguard\/wg6.conf<\/pre>\n
[Interface]\r\nPrivateKey = oCd8EOqR1fezGQrKg2Z+6PgsrmNMGkmFJFLwt80raWU=<\/strong>\r\nAddress = fd42:42:42::2\/128\r\nDNS = 2606:4700:4700::1111\r\nPostUp = ip -6 route add default via fd42:42:42::1 dev wg6\r\nPostDown = ip -6 route del default via fd42:42:42::1 dev wg6\r\n[Peer]\r\nPublicKey = 2MC67m4cXW0Byn7oieWp6CTCUyF2UDXaIfzTxjaypx0=<\/strong>\r\nEndpoint = 10.1.1.169:51820\r\nAllowedIPs = ::\/0\r\nPersistentKeepalive = 25<\/pre>\n
chmod -v 600 \/etc\/wireguard\/wg6.conf\r\nsystemctl enable wg-quick@wg6.service<\/pre>\n
\n
READ ALSO<\/strong><\/p>\n
Performance OpenVPN vs WireGuard [Link<\/a>]<\/p>\n
OpenVPN Server + Monitoring [Link<\/a>]<\/p>\n
pfSense with OpenVPN Client [Link<\/a>]<\/p>\n
GRE VPN Tunnel on Cisco [Link<\/a>]<\/p>\n","protected":false},"excerpt":{"rendered":"
Modern, lightweight, and high-performance VPN protocol. SERVER SIDE On Ubuntu \/ Debian-based systems. apt install […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,6],"tags":[],"class_list":["post-1380","post","type-post","status-publish","format-standard","hentry","category-linux","category-raspberry-pi"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/1380","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1380"}],"version-history":[{"count":17,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/1380\/revisions"}],"predecessor-version":[{"id":5036,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/1380\/revisions\/5036"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}