~andreicek


Wireguard server

Monday, December 16, 2019; Reading time 5 minutes.

This tutorial can be found online on a million different sites. What’s different about this one? It’s so simple it can’t fail. This is written mainly for my own reference and will be updated when I see that changes are needed.

Installing wireguard

You need to install Wireguard on both the client and on the server. There are apps for all platforms out there. On iOS and macOS it’s on the official Apple store, and on ubuntu (<= 19.10) it’s as simple as:

apt install wireguard-tools

Server setup

You need some keys. Generate them with the following command:

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

This will create two files: privatekey and publickey. This is an example of these files:

privatekey:

YB1LOPPwg1SrDjCdbZ94AD5Pa2xG0xbHLk0Q8XXJDWA=

publickey:

y7iU+GDrLqsz4Unu1Xsg7Ae7LT3TgHeMZzWoy3RhCAo=

You don’t need the files, just the content.

Next up, it’s the actual server configuration. There are going to be two iterations on these files during this tutorial. Create a new file on the server - /etc/wireguard/wg0.conf.

My VPN server is going to have an IP of 192.168.2.1. Replace the private key with your own.

[Interface]
Address = 192.168.2.1
PrivateKey = YB1LOPPwg1SrDjCdbZ94AD5Pa2xG0xbHLk0Q8XXJDWA=
ListenPort = 51820

Save the file and continue on the client.

Client setup

Now run the same thing on your client. You can do it on the server as well - it doesn’t matter. Just pay attention not to overwrite the files with the server keys!

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

This is the output for our client:

privatekey:

4H+4yv74PlXJ4DnsU2BqMQh8bfKxk0CemWhBPzfK1X4=

publickey:

Esz42P8fuDfKDxEK0KzwpzK54LmEErgwvjf6Hn5hxlI=

Now, this get’s plugged in into the config file. Note that under the [Interface], you use the client private key, and under [Peer], you use the server public key. My client will have the address of 192.168.2.2. Replace 10.10.10.10 with the IP from your server in Endpoint.

[Interface]
PrivateKey = 4H+4yv74PlXJ4DnsU2BqMQh8bfKxk0CemWhBPzfK1X4=
ListenPort = 21841
Address = 192.168.2.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = y7iU+GDrLqsz4Unu1Xsg7Ae7LT3TgHeMZzWoy3RhCAo=
AllowedIPs = 192.168.2.0/24
Endpoint = 10.10.10.10:51820
PersistentKeepalive = 25

Save the file and back to the server.

Last part

On the server edit the /etc/sysctl.conf file and uncomment the following line:

net.ipv4.ip_forward=1

After this is done open up the /etc/wg0.conf and add a [Peer]. Enter the clients public key and set the correct IP (has to be the same on the client and server under it’s peer).

I’ve also added the firewall part right now. Change your interface eth0 to be the one you use for internet. You can find it out under ip link.

[Interface]
Address = 192.168.2.1
PrivateKey = YB1LOPPwg1SrDjCdbZ94AD5Pa2xG0xbHLk0Q8XXJDWA=
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Name = Andrei Zvonimir's iPhone 11
PublicKey = Esz42P8fuDfKDxEK0KzwpzK54LmEErgwvjf6Hn5hxlI=
AllowedIPs = 192.168.2.2/32

Save the file and we can set it up to work on server boot.

sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service

You can test now, connect to the server on the client. If you want to add more clients just add a new [Peer] with another set of keys.

Status

If you wanna know a status of your connection you can do it with wg show on the server.

interface: wg0
	public key: y7iU+GDrLqsz4Unu1Xsg7Ae7LT3TgHeMZzWoy3RhCAo=
	private key: (hidden)
	listening port: 51820

peer: Esz42P8fuDfKDxEK0KzwpzK54LmEErgwvjf6Hn5hxlI=
	endpoint: 10.10.10.1:21841
	allowed ips: 192.168.2.2/32
	latest handshake: 17 seconds ago
	transfer: 9.30 KiB received, 8.56 KiB sent

Installing on EdgeRouter X

You can also set it up on your EdgeRouter as well. First you need to install Wireguard. Start by ssh-ing into the router.

ssh ubnt@192.168.1.1
sudo su
cd /config/scripts
curl -o edgeos_install_wireguard.sh https://gist.githubusercontent.com/damianhodgkiss/a25db0c554ea0af4d3082a3207e2813f/raw/ec7ec0943a4bb86399e39bba4f2386fbf0aaa1ce/edgeos_install_wireguard.sh
chmod 755 edgeos_install_wireguard.sh
./edgeos_install_wireguard.sh

Next up is configuring the connection. You’ll need to generate new keys. You can do that anywhere:

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

This is the output for our client:

privatekey:

QHrL+6BcnGVvRnWN0laNNDPDjlqTSQmVeJ6Eb6wVpn4=

publickey:

ThGUWCfGYvl06Vk1JtaQi9TiPf6RC+eObhAo6BIayGI=

Once we have this we can configure our router!

configure
edit interfaces wireguard wg0
set address 192.168.2.7/32
set route-allowed-ips true

set peer y7iU+GDrLqsz4Unu1Xsg7Ae7LT3TgHeMZzWoy3RhCAo= endpoint 10.10.10.10:51820
set peer y7iU+GDrLqsz4Unu1Xsg7Ae7LT3TgHeMZzWoy3RhCAo= allowed-ips 192.168.2.0/24

set private-key QHrL+6BcnGVvRnWN0laNNDPDjlqTSQmVeJ6Eb6wVpn4=
exit
commit
save
exit

The key located in peer is the server public key. Don’t forget to replace the private-key as well. Next up is firewall configuration:

edit service nat rule 5222
set description "masquerade for wg0"
set outbound-interface wg0
set type masquerade
exit
commit
save
exit

And that’s it! The router is connected to your VPN.


Go back to homepage