WireGuard Server #
Setup & preparatory work #
Install WireGuard
| sudo apt update | Update packages | 
| sudo apt install wireguard | Install wireguard | 
Enable IP forwarding on VPN Server:
| sudo vi /etc/sysctl.conf | Open sysctl.conf | 
| net.ipv4.ip_forward=1 | Uncomment IPv4 forwarding | 
| sudo sysctl -p | Reload config file | 
Private and Public Keys #
Create private key: wg genkey | sudo tee /etc/wireguard/private.key 
Set rw permissions for root only (do this immediately, because tee creates the file with default permissions):
sudo chmod go= /etc/wireguard/private.key or
sudo chmod 600 /etc/wireguard/private.key 
Create public key: 
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key 
Example private key: GA6mXW0TgtaFObWbkTk1o7ic7Imflo5SwJBVFh6DPl4= 
Example public key: SXMxh6Q/tEjdzMtYSZx67D1tRdQt3cjMELKdXKljUwo=
WireGuard Config #
Create and edit the config file: sudo vi /etc/wireguard/wg0.conf
[Interface]
PrivateKey = GA6mXW0TgtaFObWbkTk1o7ic7Imflo5SwJBVFh6DPl4=
Address = 192.168.100.1/24 # define IP range
ListenPort = 51820 # Standard WireGuard Port
SaveConfig = true # Write the running state (e.g. peers added with wg set) back to this file on shutdown
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Find the public network interface: ip route list default 
and replace the interface eth0 in the firewall PostUp / PreDown settings with it.
Start WireGuard Server #
| sudo systemctl enable wg-quick@wg0.service | Enable script | 
| sudo systemctl start wg-quick@wg0.service | Start WireGuard | 
| sudo systemctl status wg-quick@wg0.service | Check Status | 
WireGuard Peers #
Windows #
Download: https://www.wireguard.com/install/
The WireGuard Client for Windows automatically creates private and public keys for each config.
[Interface]
PrivateKey = QElxGSh6//fFZXDZbY6UfbM6IwXPSW1q39F0wtmsPFc= # Peer Private Key
Address = 192.168.100.2/24 # Define IP for Peer
[Peer]
PublicKey = SXMxh6Q/tEjdzMtYSZx67D1tRdQt3cjMELKdXKljUwo= # Server Public Key
AllowedIPs = 0.0.0.0/0 # Send all IPv4 traffic through the tunnel
Endpoint = 3.72.3.199:51820 # WireGuard Server IP
Add Peer to Server: 
sudo wg set wg0 peer nGPbK3k172X2ARE9eRIS9/RsVm8k0pV+OxuH8tdMIEM= allowed-ips 192.168.100.2
Check if peer was added: sudo wg 
Should look like this:
interface: wg0
  public key: SXMxh6Q/tEjdzMtYSZx67D1tRdQt3cjMELKdXKljUwo=
  private key: (hidden)
  listening port: 51820
peer: nGPbK3k172X2ARE9eRIS9/RsVm8k0pV+OxuH8tdMIEM=
  allowed ips: 192.168.100.2/32
Save new peer to config file: 
sudo wg-quick save wg0
Config should now look like this:
sudo cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = GA6mXW0TgtaFObWbkTk1o7ic7Imflo5SwJBVFh6DPl4=
Address = 192.168.100.1/24
ListenPort = 51820
SaveConfig = true
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = nGPbK3k172X2ARE9eRIS9/RsVm8k0pV+OxuH8tdMIEM=
AllowedIPs = 192.168.100.2/32
Optional: Remove the Peer from the WireGuard Server: 
sudo wg set wg0 peer nGPbK3k172X2ARE9eRIS9/RsVm8k0pV+OxuH8tdMIEM= remove
Linux (Ubuntu) #
| sudo apt update | Update packages | 
| sudo apt install wireguard | Install wireguard | 
Create private key: wg genkey | sudo tee /etc/wireguard/private.key 
Set rw permissions for root only:  
sudo chmod go= /etc/wireguard/private.key or
sudo chmod 600 /etc/wireguard/private.key 
Create public key: 
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key 
Private Key: +E55XrwlIKL8ZFNOxpufzMFcTROCxRIdUgySx+KiOkM= 
Public Key: /jUUxavPLRQOSfSSCY4kkB/a5aH1eVRFj+gWa9yJZxw=
Create and edit the config file: 
sudo vi /etc/wireguard/wg0.conf
[Interface]
PrivateKey = +E55XrwlIKL8ZFNOxpufzMFcTROCxRIdUgySx+KiOkM= # Peer Private Key
Address = 192.168.100.3/24 # Define IP for Peer
[Peer]
PublicKey = SXMxh6Q/tEjdzMtYSZx67D1tRdQt3cjMELKdXKljUwo= # Server Public Key
AllowedIPs = 0.0.0.0/0 # Send all IPv4 traffic through the tunnel
Endpoint = 3.72.3.199:51820 # WireGuard Server IP
Add Peer to Server: 
sudo wg set wg0 peer /jUUxavPLRQOSfSSCY4kkB/a5aH1eVRFj+gWa9yJZxw= allowed-ips 192.168.100.3
| sudo wg-quick up wg0 | Start WireGuard | 
| sudo wg-quick down wg0 | Stop WireGuard | 
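The server and peer configs above are assembled by pasting base64 keys by hand, and a single stray character leaves the key malformed. The POSIX shell lint below is an added example, not part of the original page (the function names and the script name lint-wg.sh are illustrative): it flags malformed key values without printing them and checks that the config file is not accessible to group or other.

```shell
#!/bin/sh
# Added example, not from the original page: lint a wg-quick config before use.

# A WireGuard key is 32 bytes: 43 base64 characters plus one "=" pad.
# The 43rd character holds only 4 key bits, so a canonical encoding
# limits it to the 16 characters listed in the final bracket.
valid_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Report malformed PrivateKey/PublicKey/PresharedKey values by line number.
# Key material is never echoed. Returns 0 if every key is well-formed.
check_keys() {
    conf=$1; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%%\#*}                      # strip comments like wg-quick
        name=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        value=$(printf '%s' "${line#*=}" | tr -d ' \t')
        case $name in
            PrivateKey|PublicKey|PresharedKey) ;;
            *) continue ;;
        esac
        if ! valid_wg_key "$value"; then
            echo "$conf:$n: malformed $name"
            bad=1
        fi
    done < "$conf"
    return "$bad"
}

# The file holds a private key, so group and other must have no access.
check_mode() {
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$1: accessible to group/other"; return 1; }
}

lint_wg_conf() {
    rc=0
    check_keys "$1" || rc=1
    check_mode "$1" || rc=1
    return "$rc"
}

# Usage: sudo sh lint-wg.sh /etc/wireguard/wg0.conf
if [ "$#" -gt 0 ]; then lint_wg_conf "$1"; fi
```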
WireGuard Commands #
WG #
# Install wireguard
sudo apt install wireguard
# Add peer to server
sudo wg set wg0 peer <pub-key> allowed-ips <IP>
# Remove peer from server
sudo wg set wg0 peer <pub-key> remove
# Check for new peer
sudo wg
# Save new peer to config
sudo wg-quick save wg0
# Standard config file
sudo vi /etc/wireguard/wg0.conf
# Start WireGuard interface
wg-quick up wg0
# Stop WireGuard interface
wg-quick down wg0
NMCLI #
The following commands can be used to add a WireGuard VPN configuration to Ubuntu and Mint Linux desktops:
# Add WireGuard VPN connection
nmcli connection import type wireguard file /path/to/wg0.conf
# Delete WireGuard VPN connection
nmcli connection delete wg0
# Disable autoconnect
nmcli connection modify wg0 connection.autoconnect no
# List active connections
nmcli connection show --active
# Start WireGuard connection
nmcli connection up wg0
# Stop WireGuard connection
nmcli connection down wg0