Notes: Same use case. (Discuss in Talk:WireGuard)
Note: Usage of the terms "server" and "client" were purposefully chosen in this section specifically to help new users/existing OpenVPN users become familiar with the construction of WireGuard's configuration files. WireGuard documentation simply refers to both of these concepts as "peers."
The purpose of this section is to set up a WireGuard "server" and generic "clients" to enable access to the server/network resources through an encrypted and secured tunnel like OpenVPN and others. The "server" runs on Linux and the "clients" can run on any number of platforms (the WireGuard Project offers apps on both iOS and Android platforms in addition to Linux, Windows and MacOS). See the official project install link for more.
Tip: Instead of using wireguard-tools for server/client configuration, one may also use systemd-networkd native WireGuard support.
Notes: Same use case. (Discuss in Talk:WireGuard)
On the peer that will act as the "server", first enable IPv4 forwarding.
If the server has a public IP configured, be sure to:
- Allow UDP traffic on the specified port(s) on which WireGuard will be running (for example allowing traffic on
51820/UDP). - Setup the forwarding policy for the firewall if it is not included in the WireGuard configuration for the interface itself
/etc/wireguard/wg0.conf. The example below should have the iptables rules and work as-is.
If the server is behind NAT, be sure to forward the specified port(s) on which WireGuard will be running (for example, 51820/UDP) from the router to the WireGuard server.
Generate key pairs for the server and for each client as explained in #Key generation.
Create the "server" configuration file:
/etc/wireguard/wg0.conf
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = *SERVER_PRIVATE_KEY*
# substitute *eth0* in the following lines to match the Internet-facing interface
# the FORWARD rules will always be needed since traffic needs to be forwarded between the WireGuard
# interface and the other interfaces on the server.
# if the server is behind a router and receives traffic via NAT, specify static routing back to the
# 10.200.200.0/24 subnet, the NAT iptables rules are not needed but the FORWARD rules are needed.
# if the server is behind a router and receives traffic via NAT but one cannot specify static routing back to
# 10.200.200.0/24 subnet, both the NAT and FORWARD iptables rules are needed.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# foo
PublicKey = *PEER_FOO_PUBLIC_KEY*
PresharedKey = *PRE-SHARED_KEY*
AllowedIPs = 10.200.200.2/32
[Peer]
# bar
PublicKey = *PEER_BAR_PUBLIC_KEY*
PresharedKey = *PRE-SHARED_KEY*
AllowedIPs = 10.200.200.3/32
Additional peers ("clients") can be listed in the same format as needed. Each peer requires the PublicKey to be set. However, specifying PresharedKey is optional.
Notice that the Address has a netmask of /24 and the clients on AllowedIPs /32. The clients only use their IP and the server only sends back their respective addresses.
The interface can be managed manually using wg-quick(8) or using a systemd service managed via systemctl(1).
The interface may be brought up using wg-quick up wg0 respectively by starting and potentially enabling the interface via wg-quick@*interface*.service, e.g. [email protected]. To close the interface use wg-quick down wg0 respectively stop wg-quick@*interface*.service.
Create the corresponding "client" configuration file(s):
foo.conf
[Interface]
Address = 10.200.200.2/32
PrivateKey = *PEER_FOO_PRIVATE_KEY*
DNS = 10.200.200.1
[Peer]
PublicKey = *SERVER_PUBLICKEY*
PresharedKey = *PRE-SHARED_KEY*
Endpoint = my.ddns.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
bar.conf
[Interface]
Address = 10.200.200.3/32
PrivateKey = *PEER_BAR_PRIVATE_KEY*
DNS = 10.200.200.1
[Peer]
PublicKey = *SERVER_PUBLICKEY*
PresharedKey = *PRE-SHARED KEY*
Endpoint = my.ddns.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
Using the catch-all AllowedIPs = 0.0.0.0/0, ::/0 will forward all IPv4 (0.0.0.0/0) and IPv6 (::/0) traffic over the VPN.
Note: Users of NetworkManager, may need to enable the NetworkManager-wait-online.service and users of systemd-networkd may need to enable the systemd-networkd-wait-online.service to wait until devices are network-ready before attempting a WireGuard connection.