
WireGuard VPN Server, Linux and Windows peers


WireGuard Server

Setup & preparatory work

Install WireGuard

sudo apt update               # Update packages
sudo apt install wireguard    # Install WireGuard

Enable IP forwarding on VPN Server:

sudo vi /etc/sysctl.conf      # Open sysctl.conf
net.ipv4.ip_forward=1         # Uncomment this line to enable IPv4 forwarding
sudo sysctl -p                # Reload the config file

Private and Public Keys

Create private key: wg genkey | sudo tee /etc/wireguard/private.key
Set rw permissions for root only:
sudo chmod go= /etc/wireguard/private.key or
sudo chmod 600 /etc/wireguard/private.key
Create public key:
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

Example private key: GA6mXW0TgtaFObWbkTk1o7ic7Imflo5SwJBVFh6DPl4=
Example public key: SXMxh6Q/tEjdzMtYSZx67D1tRdQt3cjMELKdXKljUwo=

WireGuard Config

Create and edit the config file: sudo vi /etc/wireguard/wg0.conf

[Interface]
PrivateKey = GA6mXW0TgtaFObWbkTk1o7ic7Imflo5SwJBVFh6DPl4=
Address = 192.168.100.1/24 # define IP range
ListenPort = 51820 # Standard WireGuard Port
SaveConfig = true

PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Find the public network interface with: ip route list default
and replace eth0 in the firewall PostUp / PreDown settings with that interface name.

Start WireGuard Server

sudo systemctl enable wg-quick@wg0.service    # Enable the service at boot
sudo systemctl start wg-quick@wg0.service     # Start WireGuard
sudo systemctl status wg-quick@wg0.service    # Check status

WireGuard Peers

Windows

Download: https://www.wireguard.com/install/

The WireGuard client for Windows automatically creates a private and public key for each config.

[Interface]
PrivateKey = QElxGSh6//fFZXDZbY6UfbM6IwXPSW1q39F0wtmsPFc= # Peer Private Key
Address = 192.168.100.2/24 # Define IP for Peer

[Peer]
PublicKey = SXMxh6Q/tEjdzMtYSZx67D1tRdQt3cjMELKdXKljUwo= # Server Public Key
AllowedIPs = 0.0.0.0/0 # Define IP range that's allowed through the tunnel
Endpoint = 3.72.3.199:51820 # WireGuard Server IP

Add Peer to Server:
sudo wg set wg0 peer nGPbK3k172X2ARE9eRIS9/RsVm8k0pV+OxuH8tdMIEM= allowed-ips 192.168.100.2

Check if peer was added: sudo wg
Should look like this:

interface: wg0
  public key: SXMxh6Q/tEjdzMtYSZx67D1tRdQt3cjMELKdXKljUwo=
  private key: (hidden)
  listening port: 51820

peer: nGPbK3k172X2ARE9eRIS9/RsVm8k0pV+OxuH8tdMIEM=
  allowed ips: 192.168.100.2/32

Save new peer to config file:
sudo wg-quick save wg0

Config should now look like this: sudo cat /etc/wireguard/wg0.conf

[Interface]
PrivateKey = GA6mXW0TgtaFObWbkTk1o7ic7Imflo5SwJBVFh6DPl4=
Address = 192.168.100.1/24
ListenPort = 51820
SaveConfig = true

PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = nGPbK3k172X2ARE9eRIS9/RsVm8k0pV+OxuH8tdMIEM=
AllowedIPs = 192.168.100.2/32

Optional: Remove the Peer from the WireGuard Server:
sudo wg set wg0 peer nGPbK3k172X2ARE9eRIS9/RsVm8k0pV+OxuH8tdMIEM= remove

Linux (Ubuntu)

sudo apt update               # Update packages
sudo apt install wireguard    # Install WireGuard

Create private key: wg genkey | sudo tee /etc/wireguard/private.key
Set rw permissions for root only:
sudo chmod go= /etc/wireguard/private.key or
sudo chmod 600 /etc/wireguard/private.key
Create public key:
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

Private Key: +E55XrwlIKL8ZFNOxpufzMFcTROCxRIdUgySx+KiOkM=
Public Key: /jUUxavPLRQOSfSSCY4kkB/a5aH1eVRFj+gWa9yJZxw=

Create and edit the config file:
sudo vi /etc/wireguard/wg0.conf

[Interface]
PrivateKey = +E55XrwlIKL8ZFNOxpufzMFcTROCxRIdUgySx+KiOkM= # Peer Private Key
Address = 192.168.100.3/24 # Define IP for Peer

[Peer]
PublicKey = SXMxh6Q/tEjdzMtYSZx67D1tRdQt3cjMELKdXKljUwo= # Server Public Key
AllowedIPs = 0.0.0.0/0 # Define IP range that's allowed through the tunnel
Endpoint = 3.72.3.199:51820 # WireGuard Server IP

Add Peer to Server:
sudo wg set wg0 peer /jUUxavPLRQOSfSSCY4kkB/a5aH1eVRFj+gWa9yJZxw= allowed-ips 192.168.100.3

sudo wg-quick up wg0          # Start WireGuard
sudo wg-quick down wg0        # Stop WireGuard
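Both peer configs above are typed by hand, and a slip in a 44-character key (a stray prefix, a trailing character) is only reported once wg-quick up or wg set parses it. The following is an added example, not part of the original post: a small POSIX shell checker for the PrivateKey / PublicKey lines of a wg0.conf, with a constructed sample config built from the Windows peer values on this page plus one deliberately mistyped server key.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the key lines of a
# WireGuard config before 'wg-quick up' or 'wg set wg0 peer <pub-key>' parses them.
# A WireGuard key is 32 bytes in base64: 43 base64 characters plus one '='. Since
# 43 * 6 = 258 bits carry 256 bits, the last payload character must have its two
# low bits clear (base64 value a multiple of 4); wireguard-tools enforces this too.

# wg_key_valid KEY -> exit 0 if KEY is a well-formed WireGuard key, 1 otherwise
wg_key_valid() {
    key=$1
    printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$' || return 1
    case "$key" in
        *[AEIMQUYcgkosw048]=) return 0 ;;   # canonical final character
        *) return 1 ;;
    esac
}

# check_wg_conf CONFIG_TEXT -> prints a verdict per PrivateKey/PublicKey line;
# exit status 1 if any key is malformed. Trailing '# comments' are ignored.
check_wg_conf() {
    printf '%s\n' "$1" | {
        rc=0 lineno=0
        while IFS= read -r line; do
            lineno=$((lineno + 1))
            case "$line" in *PrivateKey*=*|*PublicKey*=*) ;; *) continue ;; esac
            name=${line%%=*};  set -- $name;  name=$1
            value=${line#*=};  value=${value%%#*};  set -- $value;  value=${1:-}
            if wg_key_valid "$value"; then
                printf 'line %d: %s OK\n' "$lineno" "$name"
            else
                printf 'line %d: %s MALFORMED: %s\n' "$lineno" "$name" "$value"
                rc=1
            fi
        done
        exit $rc      # the group runs in a subshell; this becomes the function's status
    }
}

# Constructed sample: the Windows peer config from this post with the server key
# mistyped (a stray "key" prefix), the kind of slip a copy/paste produces.
SAMPLE_CONF='[Interface]
PrivateKey = QElxGSh6//fFZXDZbY6UfbM6IwXPSW1q39F0wtmsPFc= # Peer Private Key
Address = 192.168.100.2/24

[Peer]
PublicKey = keySXMxh6Q/tEjdzMtYSZx67D1tRdQt3cjMELKdXKljUwo= # Server Public Key
AllowedIPs = 0.0.0.0/0'

check_wg_conf "$SAMPLE_CONF" || echo "fix the flagged key before wg-quick up / wg set"
```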

WireGuard Commands Overview

sudo apt update                                    # Update packages
sudo apt install wireguard                         # Install WireGuard
sudo wg set wg0 peer <pub-key> allowed-ips <IP>    # Add peer to server
sudo wg set wg0 peer <pub-key> remove              # Remove peer from server
sudo wg                                            # Check for the new peer
sudo wg-quick save wg0                             # Save new peer to config
sudo vi /etc/wireguard/wg0.conf                    # Standard config file
wg-quick up wg0                                    # Start WireGuard interface
wg-quick down wg0                                  # Stop WireGuard interface