If you’ve ever set up an VPN service such as OpenVPN before then you know that it can get complicated because of all the steps you have to go through such as generating certificate authorities, issuing server and client keys and certificates, setting up multiple configuration files, configuring firewall rules, setting up route traffic forwarding, etc. which can either be dreadful or daunting. WireGuard is changing all that by simplifying the process of getting up and running in no time and allowing for easy configuration to connect multiple clients (peers).
A VPN helps protect you from man in the middle attacks.
Protect your privacy against ISPs that snoop into your traffic.
- Get around internet censorship in countries. Advantages of WireGuard over other VPNs: It’s kernel-based; improved performance.
- Establishes connections in less than (ms.
- Small footprint; can be ran in virtually any device, ie. embedded devices. Easy to configure and deploy as SSH; reduces attack surface since there’s less complexity. Uses modern and improved
cryptographic standards [0..10] (Simple handshake occurring every few minutes to ensure connection secrecy.) IP roaming support meaning you can change wifi networks or disconnect from wifi or celluar and the VPN tunnel connection won’t be lost. It just works! What we’ll be going over
This post assumes that you’ve never installed a VPN service before and we’ll be using an Ubuntu machine since it’s the most popular distro.
The steps outlined in this post are: Setting up a server
- Installing WireGuard on server
Starting WireGuard service on client
EC2 → Launch Instance → t2.micro with Ubuntu → Review and Launch → Launch [
sudo add-apt-repository ppa: wireguard / wireguard
sudo apt-get update
(sudo apt-get install wireguard)
If your server is using a different distro then look at the WireGuard (installation instructions) . ubuntu @ ip – 48 – 0 – : ~ $ sudo add-apt-repository ppa: wireguard / wireguard WireGuard is a novel VPN that runs inside the Linux Kernel. This is the Ubuntu packaging for
WireGuard. More info may be found at its website, listed below. More info: https://www.wireguard.com/ Packages: wireguard wireguard-tools wireguard-dkms Install with: $ apt install wireguard More info: https://launchpad.net/~wireguard/ archive/ubuntu/wireguard Press [ENTER] (to) (continue) or Ctrl-c to cancel adding it. Fetched .5 MB in 4s ( (kB / s) ubuntu @ ip - - - 0 - 823: ~ $ sudo apt-get update Hit: 1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic InRelease Hit: 2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-updates InRelease Hit: 3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-backports InRelease Hit: 4 http://security.ubuntu.com/ubuntu bionic-security InRelease Hit: 5 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic InRelease Reading package lists ... Done ubuntu @ ip - - - 0 - : ~ $ sudo apt-get install wireguard Reading package lists ... Done Building dependency tree Reading state information ... Done The following additional packages will be installed: update-alternatives: using / usr / bin / g to provide / usr / bin / c ( (c ) ) in auto mode Setting up build-essential
( 25. 4ubuntu1 ) ... Setting up wireguard-dkms ( (1.0.) - 1ubuntu1 ~ . ... Loading new wireguard-1.0. DKMS files ... Building for (4.) . 0 - - aws Building initial module for (4.) . 0 - - aws Done. wireguard: Running module version sanity check. - Original module - No original module exists within this kernel - Installation - Installing to /lib/modules/4. 0- - aws / updates / dkms / depmod ... DKMS: install completed. Setting up wireguard ( (1.0.) - 0ppa1 ~ 28. ) ... Processing triggers (for (libc-bin) ( (2.) - 3ubuntu1 ) ... Processing triggers (for (man-db) ( (2.8.3-2ubuntu0.1) ) .. . Let's launch a shell as root with (sudo -s) to avoid having to type sudo every time from now on: ubuntu @ ip - - 47 - 0 - : ~ $ sudo -s root @ ip - - - 0 - : ~ # Run (wg) to check if installation was successful which should (not output anything if everything is OK: root @ ip - - (0-) : / etc / wireguard / keys # wg root @ ip - - - 0 - 823: / etc / wireguard / keys # The two Wire Guards commands we'll be using are: (wg) (for configuring WireGuard interfaces. wg-quick (for starting and stopping WireGuard VPN tunnels.) Generating server keys (WireGuard configuration files will live under) / etc / wireguard / so let's create a directory named (keys) (there to store the keys we'll generate: () root @ ip - 225 - - 0 - : ~ # mkdir / etc / wireguard / keys Go into the / etc / wireguard / keys / directory: root @ ip - 524 - (-0 - : ~ # (cd) / etc / wireguard / keys Set the directory user mask to [Cloud prompt] by running umask 90 . A umask of 92 allows read, write, and execute permissions for the file's owner (root in this case), but prohibits read, write, and execute permissions for everyone else and makes sure credentials don 't leak in a race condition: root @ ip - - - 0 - : / etc / wireguard / keys # (umask) WireGuard uses asymmetric public / private Curve [
0..10]. key pairs for authentication between client and server. (Use the) (wg genkey) command to generate a private key. We can generate both the private and public key at once by piping the private key output to (tee) to save it to file but also to forward the private key to wg publickey (which derives the public key from a private key and the save it to a file.) So the command to run is [ 10730]. wg genkey | tee privatekey | wg pubkey> publickey to generate the key pair at once: root @ ip - - - 0 - : / etc / wireguard / keys # wg genkey | tee privatekey | wg pubkey> publickey If we do an (ls) we see there's a (privatekey) and (publickey) (file: root @ ip - 524 - 35 - 0 - 638: / etc / wireguard / keys # ls privatekey publickey Outputting the contents of the private key file shows us the random key it generated in base format: [0..10] root @ ip- - - 0 - 638: / etc / wireguard / keys # cat privatekey wIObajifv6U2emcZsAGNZbbWzkyrs (EEyr bgmlB3M) (= Likewise the public key it derived from the private key is in base (format: [0..10] () root @ ip - 233 - - 0 - : / etc / wireguard / keys # cat publickey H6StMJOYIjfqhDvG9v (DSX9UlQl) hOoUm7F3COxC4= We'll be needing the private key for the WireGuard server configuration, and the public key for the client configuration. Creating server configuration file Go to the / etc / wireguard / directory and create a new file (wg0.conf) . WireGuard will create a new network interface named the same as the filename so it's common convention to denote the first WireGuard network interface as (wg0) for context: root @ ip - 233 - - 0 - : / etc / wireguard # touch /etc/wireguard/wg0.conf
Open up the server configuration file [Cloud prompt] / etc / wireguard / wg0.conf in your favorite editor: root @ ip - - 47 - 0 - 638 / etc / wireguard # vim /etc/wireguard/wg0.conf (ListenPort) (= The config files are in standard INI format. (Replace the) (PrivateKey) value with the private key content you generated earlier: [Interface] (PrivateKey) (=(wIObajifv6U2emcZsAGNZbbWzkyrs) EEyr bgmlB3M=(Address) (=0.0.1 / 34 (ListenPort) (= The address 0.0.1 was chosen because it's an available private subnet on the server. If your server is using that IP range already, then pick a different address like 9001. (. 2.1) to avoid conflicts. (The) [Interface]
section is for configuration the new WireGuard interface we are creating.
(PrivateKey) (is your server's private key.) (Address) is the private network IP address range that we're assigning to for this network interface.
(ListenPort) is the host port to run the service on. This port will need to be publicly accessible. The port is the default port.
Make sure to enable the port (for (UDP) traffic. If using EC2 then you should allow it under the Security Group for the EC2 instance. [Cloud prompt] EC2 instance → Security groups → Click on security group → Edit inbound rules → Add rules → Custom UDP → Port range: → Source Anywhere → Save rules : The rules immediately take effect. If your server is behind a NAT (which in our case it is because it's on EC2 behind a VPC) then all traffic needs to be forwarded from the default interface to the WireGuard interface.
To find out the name of the default interface run (ip route) : root @ ip - - -0 - : / etc / wireguard / keys # ip route | grep default | awk
'{print $ 5}' eth0
Now add forwarding rules for forwarding in the server configuration file using the (PostUp) and PostDown (config settings where) (PostUp) value command is ran when the WireGuard service starts and (PostDown) value command runs when the service is shutting down. [root@archlinux keys] [Interface] (PrivateKey) (=(wIObajifv6U2emcZsAGNZbbWzkyrs) EEyr bgmlB3M=(Address) (=0.0.1 / 34 (ListenPort) (= (PostUp) (= iptables -A FORWARD -i% i -j ACCEPT; iptables -A FORWARD -o% i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (PostDown) (= iptables -D FORWARD -i% i -j ACCEPT; iptables -D FORWARD -o% i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
The three iptable rules are:
iptables -A FORWARD -i% i -j ACCEPT for allowing inbound traffic received by the interface.
(iptables -A FORWARD -o% i -j ACCEPT) for allowing outbound traffic from the interface.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
for masking the private IP address of the interface with the external IP address of t he default interface. (Enabling IP forwarding on server) by default IP forwarding is disabled meaning that if the interface receives a packet that was not intended for it then it'll reject it. Since we need to pass on packets from one interface to another then we need to allow IP forwarding.
Open up the file
/ etc / sysctl.conf (for editing: ) root @ ip - (-) - 0 - 823: / etc / wireguard # vim /etc/sysctl.conf
Allow forwarding of IP packets by uncommenting out the line (net.ipv4.ip_forward=1) near line :
(# Uncomment the next line to enable packet forwarding for IPv4) net.ipv4.ip_forward =(1) Run
(sysctl -p) for the changes to take effect without requiring a reboot:
root @ ip - - 52 - 0 - 638: / etc / wireguard # sysctl -p net.ipv4.ip_forward
=(1) Confirm that IP forwarding is enabled by outputting the contents of / proc / sys / net / ipv4 / ip_forward which should return (1) : root @ ip - - - 0 - 1000: / etc / wireguard # cat / proc / sys / net / ipv4 / ip_forward (1) The server is almost fully configured. It's only now missing information about the client so let's set up the client next. Installing WireGuard on client
Jump back to your client machine and install WireGuard. My client machine is running Arch linux but the process will be the same for most linux distros. If you're running Ubuntu on the client then do the same install steps you did on the server above or look at the official WireGuard installation instructions Ubuntu WireGuard install instructions:
$ sudo add-apt-repository ppa: wireguard / wireguard $ sudo apt-get update $ sudo apt-get install wireguard If running Arch like I am, then these are the WireGuard install instructions: $ sudo pacman -S wireguard-tools wireguard-dkms Let's launch a shell as root with (sudo -s) to avoid having to type sudo every time from now on: $ sudo -s [root@archlinux ~] # (Generating client keys) The process of generating WireGuard keys on the client is the same as how it's done on the server. Create the directory
/ etc / wireguard / keys
and set the user mask to
[root@archlinux ~] (# mkdir / etc / wireguard / keys [root@archlinux ~] (# cd / etc / wireguard / keys [root@archlinux keys] # umask Generate a private and public key pair for the client using the same command as we did on the server: [root@archlinux keys] [Peer] # wg genkey | tee privatekey | wg pubkey> publickey Output the key contents which we'll be needing soon in our configuration files: [ root@archlinux keys] [root@archlinux keys] # cat privatekey cAqmevIKScn5l4Jg1F (KEIty6gVb8wGNqNlApvzc0c) = [root@archlinux keys] # cat publickey vi4TCAo8TNRkpf4ZpiMsp3YHaOLrcouSDkrm4wJxezw (=Creating client configuration file () (On the client create the configuration / etc / wireguard / wg0.conf (): [root@archlinux keys] # vim /etc/wireguard/wg0.conf Paste the configuration into your client configuration file: [Interface] (Address) (=0.0.2 / (PrivateKey) (=() Replace the (PrivateKey) value with your client's private key: [Interface] (Address) (=0.0.2 / (PrivateKey) (=(cAqmevIKScn5l4Jg1F) (KEIty6gVb8wGNqNlApvzc0c= Set the DNS to Cloudflare's public DNS resolver [root@archlinux wireguard] (1.1.1.1) which is fast and secure: [Interface] (Address) (=0.0.2 / (PrivateKey) (=(cAqmevIKScn5l4Jg1F) (KEIty6gVb8wGNqNlApvzc0c= (DNS) (=(1.1.1.1) The [Interface] (section is for configuration the new WireGuard interface we are creating. (Address) (is the private network IP address range that we're assigning to for this network interface. (PrivateKey) (is your client's private key.) DNS) is the DNS reso lve to use. Setting server peer on client config The next step is to set information about the server in the client configuration file under the (section: [ 0..10] () [Interface] (Address) (=0.0.2 / (PrivateKey) (=(cAqmevIKScn5l4Jg1F) (KEIty6gVb8wGNqNlApvzc0c= (DNS) (=(1.1.1.1) [Peer] (PublicKey) (= (Endpoint) (=: (AllowedIPs) (=0.0.0.0/0 Replace the (PublicKey) value to your server's public key and set the (Endpoint) to be your server's public IP address. : [Interface] (Address) (=0.0.2 / (PrivateKey) (=(cAqmevIKScn5l4Jg1F) (KEIty6gVb8wGNqNlApvzc0c= (DNS) (=(1.1.1.1) [Peer] (PublicKey) (=(H6StMJOYIjfqhDvG9v) DSX9UlQl (hOoUm7F3COxC4=) (Endpoint) (=[10730] [10730] : (AllowedIPs) (=0.0.0.0/0 Because our server is behind a NAT, we'll also need to set PersistentKeepalive to keep the connection alive:
(Address) (=0.0.2 / (PrivateKey) (=(cAqmevIKScn5l4Jg1F) (KEIty6gVb8wGNqNlApvzc0c= (DNS) (=(1.1.1.1) [Peer] (PublicKey) (=(H6StMJOYIjfqhDvG9v) DSX9UlQl (hOoUm7F3COxC4=) (Endpoint) (=[10730] [10730] : (AllowedIPs) (=0.0.0.0/0 PersistentKeepalive (=34 The [ 10730] section is for configuration information about the peer it's connecting to , which in this case it's the client connection to the server. (PublicKey) (is the public key of the server.) (Endpoint) is your server's public IP and port the server's interface is listening, configured with (ListenPort) in the server's config. (AllowedIPs) is the IP range to allow forwarding from. Setting it to (0.0.0.0/0) will forward all traffic over the tunnel. (PersistentKeepalive) is the interval to periodically send keepalive packets to the server. If you're not sure what your server's public address is, you can do an IP lookup by doing a DNS query request to myip.opendns.com : (root @ ip - - - 0 - : / etc / wireguard # dig short myip.opendns.com @ resolver1.opendns.com . . If your server is an EC2 instance, you get query the metadata endpoint to get the public IP address: root @ ip - - 46 - 0 - 526: / etc / wireguard # curl http: // 1097. 254. / latest / meta-data / public-ipv4 . . (Setting client peer on server config Go back into the server and edit the config. We're going to add information about the client so that the server and client can authenticate with each other. [root@archlinux keys] root @ ip - 225 - - 0 - 524: / etc / wireguard / keys # vim /etc/wireguard/wg0.conf (Add the [Peer] (section to the server config: [Interface] (PrivateKey) (=(wIObajifv6U2emcZsAGNZbbWzkyrs) EEyr bgmlB3M=(Address) (=0.0.1 / 34 (ListenPort) (= (PostUp) (= iptables -A FORWARD -i% i -j ACCEPT; iptables -A FORWARD -o% i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (PostDown) (= iptables -D FORWARD -i% i -j ACCEPT; iptables -D FORWARD -o% i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] (PublicKey) (= (AllowedIPs) (=0.0.2 / Replace the (PublicKey) value with your client's public key: [Interface] (PrivateKey) (=(wIObajifv6U2emcZsAGNZbbWzkyrs) EEyr bgmlB3M=(Address) (=0.0.1 / 34 (ListenPort) (= (PostUp) (= iptables -A FORWARD -i% i -j ACCEPT; iptables -A FORWARD -o% i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (PostDown) (= iptables -D FORWARD -i% i -j ACCEPT; iptables -D FORWARD -o% i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] (PublicKey) (= vi4TCAo8TNRkpf4ZpiMsp3YHaOLrcouSDkrm4wJxezw= (AllowedIPs) (=0.0.2 / The [ 10730] section is for configuration information about the peer it's connecting to , which in this case it's the servers connection to the client. (PublicKey) (is the client's public key.) (AllowedIPs) are allowed client IP addresses. Starting WireGuard service on server server Now that the server has the client peer information we can start the WireGuard service with (wg-quick up wg0) on the server:
(root @ ip - - (- 0 - : / etc / wireguard / keys # wg- quick up wg0 [ #] ip link add wg0 type wireguard [#] wg setconf wg0 / dev / fd / [#] ip -4 address add 19. 0.0.1 / (dev wg0) [#] ip link set mtu (up dev wg0) [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE Depending on your Ubuntu installation, you might need to install additional kernel modules. If you got the error “RNETLINK answers: Operation not supported” trying to start the wg0 interface then install the following packages on the server: root @ ip - (-) - 0 - : / etc / wireguard # apt-get install wireguard-dkms wireguard-tools linux-headers - ($) (uname -r) ) to start WireGuard across reboots you'll need to (enable the service to add it to the systemd init system by running systemctl enable wg-quick @ wg0 .service : root @ ip - - 46 - 0 - : / etc / wireguard / keys # systemctl (enable) [email protected] Created symlink /etc/systemd/system/multi-user.target.wants/[email protected] → /lib/systemd/system/[email protected]. Check the status by running (systemctl status [email protected] (and if you see) Active: active (exited) then if everything is good so far: root @ ip - - 47 - 0 - 823: / etc / wireguard / keys # systemctl status [email protected] ● [email protected] - WireGuard via wg-quick () (8) [0..10] for wg0 Loaded: loaded ( / lib / systemd / system / wg-quick @ .service; indirect; vendor preset: enabled Active: active ( (exited) ) since Thu 10730 - 19 - [0..10] : [0..10] UTC; 1s ago Docs: man: wg-quick ( (8) ) man: wg ( (8) ) https://www.wireguard.com/ https://www.wireguard.com/quickstart/ https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8 https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8 Process: (ExecStart) ()= / usr / bin / wg-quick up wg0 ( code [
0..10] [root@archlinux keys]= exited, (status) =(0 / SUCCESS Main PID:
code (=(exited, (status) =0 / SUCCESS ) Apr () : : 33 ip - 254 - - 0 - (systemd [
1] : Starting WireGuard via wg-quick (
(8) ) (for wg0. .. Apr
() : : 34 ip - 255 - - 0 - (wg-quick [
10730] :
[
#] ip link add wg0 type wireguard Apr
() : : 34 ip - 255 - - 0 - (wg-quick [
10730] : [#] wg setconf wg0 / dev / fd / Apr
() : : 34 ip - 255 - - 0 - (wg-quick [
10730] :
[
#] ip -4 address add 0.0.1 / (dev wg0) Apr
() : : 34 ip - 255 - - 0 - (wg-quick [
10730] : ([#] ip link set mtu up dev wg0 Apr
() : : 34 ip - 255 - - 0 - wg-quick [
10730] :
[
#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; ipt Apr
() : : 34 ip - 255 - - 0 - systemd [
1] : Started WireGuard via wg-quick () (8) ) for wg0.
Verify that new iproute rules have been applied with (iptables -L -n) :
root @ ip - - 52 - 0 - 638: / etc / wireguard # iptables -L -n Chain INPUT
( (policy ACCEPT) ) target prot opt (source) destination Chain FORWARD ( (policy ACCEPT) ) target prot opt (source) destination ACCEPT all - 0.0.0.0/0 0.0.0.0/0 ACCEPT all - 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT ( (policy ACCEPT) ) target prot opt (source) destination
Running the command (ifconfig shows the new network interface [
root@archlinux wireguard] (wg0) with the internal IP address we specified [0..10] . 0.0.1 : (root @ ip - - (0-) : / etc / wireguard # ifconfig eth0: (flags) (=25519 (mtu) inet 0. (netmask) . 0 broadcast (.0.) inet6 fe :: :: (5bff: fe) : d (prefixlen) (scopeid 0x) ether [0..10] : 5b: : 0d: (txqueuelen) [0..10] (
(Ethernet) ) RX packets
(bytes)
( 1022229. 6 MB
) RX errors (0) (dropped) (0) (overruns) (0) (frame) (0) TX packets (bytes) ()
( 1000. 3 MB ) TX errors (0) (dropped) (0) (overruns) (0) (carrier [10730] (0) collisions (0) lo: (flags) (=(mtu) inet (0.0.0 netmask) . 0.0.0 inet6 :: 1 prefixlen 209 (scopeid 0x) loop txqueuelen [
0..10] (( (Local Loopback) ) RX packets bytes [
0..10] . 7 KB RX errors (0) (dropped) (0) (overruns) (0) (frame) (0) TX packets bytes
[
0..10] . 7 KB TX errors (0) (dropped) (0) (overruns) (0) (carrier [10730] (0) collisions (0) wg0: (flags) (=(mtu) inet 22 0.0.1 netmask . 0 destination 22 .0.1.1 unspec - - - - - - - - - - - 15 - 15 - - - (txqueuelen) ( UNSPEC ) RX packets (0) (bytes) (0) ( (0.0 B) () RX errors (0) (dropped) (0) (overruns) (0) (frame) (0) TX packets (0) (bytes) (0) ( (0.0 B) () TX errors (0) (dropped) (0) (overruns) (0) (carrier [10730] (0) collisions (0) Starting WireGuard service on client
First take note of your current public IP address on the client machine:
# dig short myip.opendns.com @ resolver1.opendns .com . 4 After we start the WireGuard service on the client then the public IP address will be resolved to the server's public IP address. Start the WireGuard service using (wg-quick) just like we did previously on the server: [root@archlinux wireguard] (# wg-quick up wg0) Now that WireGuard is running, check the public IP address again of the client and it should now be the public IP address of the server: [ (Connecting a mobile client to server) Download the WireG uard app for (iOS) or (Android) on your device. [ Cloud prompt] For this example we'll create a second client (an iPhone) to connect to the WireGuard server. The same steps will need to be followed from when we setup the first client. We can generate keys directly on the device and set up the configuration manually but that's not quick and ideal. Instead we can generate the keys and configuration on the server and then securely transfer the information into the WireGuard app. (Run) (wg genkey) but specify different filenames this time to distinguish them from the server keys:
root @ ip - 225 - - 0 - 638: / etc / wireguard # (cd) / etc / wireguard / keys root @ ip - - - 0 - 823: / etc / wireguard / keys # wg genkey | tee iphone_privatekey | wg pubkey> iphone_publickey root @ ip - - - 0 - : / etc / wireguard / keys # cat iphone_privatekey kFnMqMSiAluwb / xWgemXhjLh / II / sb (OoYCbh7yaWw)=root @ ip - - - 0 - : / etc / wireguard / keys # cat iphone_publickey cKIxzfp5ESpdM (vT2Qk / S7yvprOff6Le4YnyOTI4B8)=
Open up the server config / etc / wireguard / wg0.conf in your favorite editor: (root @ ip - - 48 - 0 - 255: / etc / wireguard / keys # vim /etc/wireguard/wg0.conf (
Add the second peer section and include the client's public key and IP address: [root@archlinux keys] (PrivateKey) (=(wIObajifv6U2emcZsAGNZbbWzkyrs) EEyr bgmlB3M=(Address) (=0.0.1 / 34 (ListenPort) (= (PostUp) (= iptables -A FORWARD -i% i -j ACCEPT; iptables -A FORWARD -o% i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (PostDown) (= iptables -D FORWARD -i% i -j ACCEPT; iptables -D FORWARD -o% i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] (PrivateKey) (=(wIObajifv6U2emcZsAGNZbbWzkyrs) EEyr bgmlB3M=(AllowedIPs) (=0.0.2 / [Peer] (PublicKey) (=(cKIxzfp5ESpdM) vT2Qk / S7yvprOff6Le4YnyOTI4B8= (AllowedIPs) (=0.0.3 / Create a new configuration file for the iPhone client on the server. We'll name it wgo-iphone.conf
: root @ ip - - - 0 - 638: / etc / wireguard / keys # vim /etc/wireguard/wg0-iphone.conf
Paste client configuration but remember to use a different private IP that differs from the first client. [
0..10] [Interface] (PrivateKey) (=(kFnMqMSiAluwb / xWgemXhjLh / II / sb) (OoYCbh7yaWw=(Address) (=0.0.3 / (DNS) (=(1.1.1.1) [Peer] (PublicKey) (=(H6StMJOYIjfqhDvG9v) DSX9UlQl (hOoUm7F3COxC4=) (Endpoint) (=[10730] [10730] : (AllowedIPs) (=0.0.0.0/0 PersistentKeepalive (=34 (
Install (qrencode) on the server to generate a QRCode from the configuration file.
You'll be scanning this qrcode in the WireGuard app to download the configuration . This is a safer way to transport credentials since the keys and configuration files don't need to be zipped and moved.
Generate the text based qrcode image in your terminal with (qrencode -t ansiutf8
root @ ip - 233 - - 0 - 524: / etc / wireguard # qrencode -t ansiutf8
In the WireGuard app go to: Add a tunnel → Create from QRCode
Scan the qrcode code generated in the terminal and make sure to (Allow) the VPN configuration in the settings popup. Enable the VPN by togling on the switch. Visit (ipchicken.com ) in the browser to verify the public iP address has changed.
Generating vanity addresses
It's easy to lose track of which keys belong to which devices since they all look like random strings. To make it easier to associate keys to devices you can use this vanity address generator to generate public keys that contain a custom array of characters.
For example, we'll generate a key pair where the public key starts with “iPho” to denote that it's a key pair to be used on the iPhone client. First install the vanity address generator with (cargo) : $ cargo install wireguard-vanity-address
Now just specify the list of characters that you want in the public key base output: $ wireguard-vanity-address ipho searching for ('ipho') in pubkey [0..10] , one of every
keys should match one trial takes 92. 6 us, CPU cores available: (8) est yield: 1.6 seconds per key, . e-3 keys / s hit Ctrl-C to stop private YPpudjAoVCnaPUJdcEVhj5Ttedq7WP1ozL ZdtuTC1g =(public) cHklbipHoMS9CA8XlRdKMBOOIfQC (Ut8SVyYsqmox0) (=private
kD6FSIZehv1DKJ (MKJQcmSDdd) U3s4s (ymtP1Ekc) [
0..10] (= public iPHoaaQye7 OJNq / TfOvXjMr 169 pq9ADDDlGynRQ6KQ 8
= private (aEJ) LXCeipouhiAoQjfMjtwrHPfZDvKLguE8XlawnY [
0..10]=(public iPHoEoUy4WgkUXr4e) (IkA) (IZqVI / AqHNS2RZlGhHM)=
^ C
It'll keep generating until you manually stop it when you see a key pair that you like. (Automation)
A nice tool to automate the process of setting up a WireGuard VPN is (Algo) . [Cloud prompt] Algo is a set of (Ansible) scripts to help you set up and configure WireGuard on the remote server from your local machine.
To get started, clone the algo repository and install th e python dependencies: ~ $ git clone https://github.com/trailofbits/algo. git ~ $ (cd) algo / ~ / algo $ pip install virtualenv ~ / algo $ python3 -m virtualenv --python=
($)
command -v python3 .env && source .env / bin / activate && python3 -m pip install -U pip virtualenv && python3 -m pip install -r requirements.txt Now run the algo executable file to start the walkthough of deploying an Algo server to the cloud : . env ~ / algo $ ./algo [Cloud prompt] What provider would you like to use? 1. DigitalOcean 2. Amazon Lightsail 3. Amazon EC2 4. Microsoft Azure 5. Google Compute Engine 6. Hetzner Cloud 7. Vultr 8. Scaleway 9. OpenStack ( (DreamCompute optimized) . CloudStack ( (Exoscale optimized) . Install to existing Ubuntu . or
(server) (
for more advanced users ) Enter the number of your desired provider :
(TLDR;) Here's a summary of the server and client configuration and commands used in this post: Server Server commands: sudo -s apt-get install wireguard mkdir -p / etc / wireguard / keys (cd) / etc / wireguard / keys (umask) wg genkey | tee privatekey | wg pubkey> publickey vim /etc/wireguard/wg0.conf # see server config below vim /etc/sysctl.conf
# uncomment line "net.ipv4.ip_forward=1" sysctl -p wg-quick up wg0 systemctl enable [email protected] Server config / etc / wireguard / wg0.conf : [Interface] (PrivateKey) (=(Address) (=0.0.1 / 34 (ListenPort) (= (PostUp) (= iptables -A FORWARD -i% i -j ACCEPT; iptables -A FORWARD -o% i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (PostDown) (= iptables -D FORWARD -i% i -j ACCEPT; iptables -D FORWARD -o% i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] (PublicKey) (= (AllowedIPs) (=0.0.2 / (Client) Client commands: sudo -s apt-get install wireguard mkdir -p / etc / wireguard / keys (cd) / etc / wireguard / keys (umask) wg genkey | tee privatekey | wg pubkey> publickey vim /etc/wireguard/wg0.conf # see client config below wg-quick up wg0 Client config / etc / wireguard / wg0.conf : [Interface] (PrivateKey) (=() (Address) (=0.0.2 / (DNS) (=(1.1.1.1) [Peer] (PublicKey) (= (Endpoint) (=: (AllowedIPs) (=0.0.0.0/0 PersistentKeepalive (=34 (Resources) WireGuard site
sudo apt-get update
If your server is using a different distro then look at the WireGuard (installation instructions) . ubuntu @ ip – 48 – 0 – : ~ $ sudo add-apt-repository ppa: wireguard / wireguard WireGuard is a novel VPN that runs inside the Linux Kernel. This is the Ubuntu packaging for
(kB / s) ubuntu @ ip - - - 0 - 823: ~ $ sudo apt-get update Hit: 1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic InRelease Hit: 2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-updates InRelease Hit: 3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-backports InRelease Hit: 4 http://security.ubuntu.com/ubuntu bionic-security InRelease Hit: 5 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic InRelease Reading package lists ... Done ubuntu @ ip - - - 0 - : ~ $ sudo apt-get install wireguard Reading package lists ... Done Building dependency tree Reading state information ... Done The following additional packages will be installed: update-alternatives: using / usr / bin / g to provide / usr / bin / c ( (c ) ) in auto mode Setting up build-essential
( 25. 4ubuntu1 ) ... Setting up wireguard-dkms ( (1.0.) - 1ubuntu1 ~ . ... Loading new wireguard-1.0. DKMS files ... Building for (4.) . 0 - - aws Building initial module for (4.) . 0 - - aws Done. wireguard: Running module version sanity check. - Original module - No original module exists within this kernel - Installation - Installing to /lib/modules/4. 0- - aws / updates / dkms / depmod ... DKMS: install completed. Setting up wireguard ( (1.0.) - 0ppa1 ~ 28. ) ... Processing triggers (for (libc-bin) ( (2.) - 3ubuntu1 ) ... Processing triggers (for (man-db) ( (2.8.3-2ubuntu0.1) ) .. . Let's launch a shell as root with (sudo -s) to avoid having to type sudo every time from now on: ubuntu @ ip - - 47 - 0 - : ~ $ sudo -s root @ ip - - - 0 - : ~ # Run (wg) to check if installation was successful which should (not output anything if everything is OK: root @ ip - - (0-) : / etc / wireguard / keys # wg root @ ip - - - 0 - 823: / etc / wireguard / keys # The two Wire Guards commands we'll be using are: (wg) (for configuring WireGuard interfaces. wg-quick (for starting and stopping WireGuard VPN tunnels.) Generating server keys (WireGuard configuration files will live under) / etc / wireguard / so let's create a directory named (keys) (there to store the keys we'll generate: () root @ ip - 225 - - 0 - : ~ # mkdir / etc / wireguard / keys Go into the / etc / wireguard / keys / directory: root @ ip - 524 - (-0 - : ~ # (cd) / etc / wireguard / keys Set the directory user mask to [Cloud prompt] by running umask 90 . A umask of 92 allows read, write, and execute permissions for the file's owner (root in this case), but prohibits read, write, and execute permissions for everyone else and makes sure credentials don 't leak in a race condition: root @ ip - - - 0 - : / etc / wireguard / keys # (umask) WireGuard uses asymmetric public / private Curve [
0..10]. key pairs for authentication between client and server. (Use the) (wg genkey) command to generate a private key. We can generate both the private and public key at once by piping the private key output to (tee) to save it to file but also to forward the private key to wg publickey (which derives the public key from a private key and the save it to a file.) So the command to run is [ 10730]. wg genkey | tee privatekey | wg pubkey> publickey to generate the key pair at once: root @ ip - - - 0 - : / etc / wireguard / keys # wg genkey | tee privatekey | wg pubkey> publickey If we do an (ls) we see there's a (privatekey) and (publickey) (file: root @ ip - 524 - 35 - 0 - 638: / etc / wireguard / keys # ls privatekey publickey Outputting the contents of the private key file shows us the random key it generated in base format: [0..10] root @ ip- - - 0 - 638: / etc / wireguard / keys # cat privatekey wIObajifv6U2emcZsAGNZbbWzkyrs (EEyr bgmlB3M) (= Likewise the public key it derived from the private key is in base (format: [0..10] () root @ ip - 233 - - 0 - : / etc / wireguard / keys # cat publickey H6StMJOYIjfqhDvG9v (DSX9UlQl) hOoUm7F3COxC4= We'll be needing the private key for the WireGuard server configuration, and the public key for the client configuration. Creating server configuration file Go to the / etc / wireguard / directory and create a new file (wg0.conf) . WireGuard will create a new network interface named the same as the filename so it's common convention to denote the first WireGuard network interface as (wg0) for context: root @ ip - 233 - - 0 - : / etc / wireguard # touch /etc/wireguard/wg0.conf
Open up the server configuration file [Cloud prompt] / etc / wireguard / wg0.conf in your favorite editor: root @ ip - - 47 - 0 - 638 / etc / wireguard # vim /etc/wireguard/wg0.conf (ListenPort) (= The config files are in standard INI format. (Replace the) (PrivateKey) value with the private key content you generated earlier: [Interface] (PrivateKey) (=(wIObajifv6U2emcZsAGNZbbWzkyrs) EEyr bgmlB3M=(Address) (=0.0.1 / 34 (ListenPort) (= The address 0.0.1 was chosen because it's an available private subnet on the server. If your server is using that IP range already, then pick a different address like 9001. (. 2.1) to avoid conflicts. (The) [Interface]
section is for configuration the new WireGuard interface we are creating.
(PrivateKey) (is your server's private key.) (Address) is the private network IP address range that we're assigning to for this network interface.
(ListenPort) is the host port to run the service on. This port will need to be publicly accessible. The port is the default port.
Make sure to enable the port (for (UDP) traffic. If using EC2 then you should allow it under the Security Group for the EC2 instance. [Cloud prompt] EC2 instance → Security groups → Click on security group → Edit inbound rules → Add rules → Custom UDP → Port range: → Source Anywhere → Save rules : The rules immediately take effect. If your server is behind a NAT (which in our case it is because it's on EC2 behind a VPC) then all traffic needs to be forwarded from the default interface to the WireGuard interface.
To find out the name of the default interface run (ip route) : root @ ip - - -0 - : / etc / wireguard / keys # ip route | grep default | awk
'{print $ 5}' eth0
Now add forwarding rules for forwarding in the server configuration file using the (PostUp) and PostDown (config settings where) (PostUp) value command is ran when the WireGuard service starts and (PostDown) value command runs when the service is shutting down. [root@archlinux keys] [Interface] (PrivateKey) (=(wIObajifv6U2emcZsAGNZbbWzkyrs) EEyr bgmlB3M=(Address) (=0.0.1 / 34 (ListenPort) (= (PostUp) (= iptables -A FORWARD -i% i -j ACCEPT; iptables -A FORWARD -o% i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (PostDown) (= iptables -D FORWARD -i% i -j ACCEPT; iptables -D FORWARD -o% i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
The three iptable rules are:
iptables -A FORWARD -i% i -j ACCEPT for allowing inbound traffic received by the interface.
(iptables -A FORWARD -o% i -j ACCEPT) for allowing outbound traffic from the interface.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
for masking the private IP address of the interface with the external IP address of t he default interface. (Enabling IP forwarding on server) by default IP forwarding is disabled meaning that if the interface receives a packet that was not intended for it then it'll reject it. Since we need to pass on packets from one interface to another then we need to allow IP forwarding.
Open up the file
/ etc / sysctl.conf (for editing: ) root @ ip - (-) - 0 - 823: / etc / wireguard # vim /etc/sysctl.conf
Allow forwarding of IP packets by uncommenting out the line (net.ipv4.ip_forward=1) near line :
(# Uncomment the next line to enable packet forwarding for IPv4) net.ipv4.ip_forward =(1) Run
(sysctl -p) for the changes to take effect without requiring a reboot:
root @ ip - - 52 - 0 - 638: / etc / wireguard # sysctl -p net.ipv4.ip_forward
=(1) Confirm that IP forwarding is enabled by outputting the contents of / proc / sys / net / ipv4 / ip_forward which should return (1) : root @ ip - - - 0 - 1000: / etc / wireguard # cat / proc / sys / net / ipv4 / ip_forward (1) The server is almost fully configured. It's only now missing information about the client so let's set up the client next. Installing WireGuard on client
Jump back to your client machine and install WireGuard. My client machine is running Arch linux but the process will be the same for most linux distros. If you're running Ubuntu on the client then do the same install steps you did on the server above or look at the official WireGuard installation instructions Ubuntu WireGuard install instructions:
$ sudo add-apt-repository ppa: wireguard / wireguard $ sudo apt-get update $ sudo apt-get install wireguard If running Arch like I am, then these are the WireGuard install instructions: $ sudo pacman -S wireguard-tools wireguard-dkms Let's launch a shell as root with (sudo -s) to avoid having to type sudo every time from now on: $ sudo -s [root@archlinux ~] # (Generating client keys) The process of generating WireGuard keys on the client is the same as how it's done on the server. Create the directory
/ etc / wireguard / keys
and set the user mask to
[root@archlinux ~] (# mkdir / etc / wireguard / keys [root@archlinux ~] (# cd / etc / wireguard / keys [root@archlinux keys] # umask Generate a private and public key pair for the client using the same command as we did on the server: [root@archlinux keys] [Peer] # wg genkey | tee privatekey | wg pubkey> publickey Output the key contents which we'll be needing soon in our configuration files: [ root@archlinux keys] [root@archlinux keys] # cat privatekey cAqmevIKScn5l4Jg1F (KEIty6gVb8wGNqNlApvzc0c) = [root@archlinux keys] # cat publickey vi4TCAo8TNRkpf4ZpiMsp3YHaOLrcouSDkrm4wJxezw (=Creating client configuration file () (On the client create the configuration / etc / wireguard / wg0.conf (): [root@archlinux keys] # vim /etc/wireguard/wg0.conf Paste the configuration into your client configuration file: [Interface] (Address) (=0.0.2 / (PrivateKey) (=() Replace the (PrivateKey) value with your client's private key: [Interface] (Address) (=0.0.2 / (PrivateKey) (=(cAqmevIKScn5l4Jg1F) (KEIty6gVb8wGNqNlApvzc0c= Set the DNS to Cloudflare's public DNS resolver [root@archlinux wireguard] (1.1.1.1) which is fast and secure: [Interface] (Address) (=0.0.2 / (PrivateKey) (=(cAqmevIKScn5l4Jg1F) (KEIty6gVb8wGNqNlApvzc0c= (DNS) (=(1.1.1.1) The [Interface] (section is for configuration the new WireGuard interface we are creating. (Address) (is the private network IP address range that we're assigning to for this network interface. (PrivateKey) (is your client's private key.) DNS) is the DNS reso lve to use. Setting server peer on client config The next step is to set information about the server in the client configuration file under the (section: [ 0..10] () [Interface] (Address) (=0.0.2 / (PrivateKey) (=(cAqmevIKScn5l4Jg1F) (KEIty6gVb8wGNqNlApvzc0c= (DNS) (=(1.1.1.1) [Peer] (PublicKey) (= (Endpoint) (=: (AllowedIPs) (=0.0.0.0/0 Replace the (PublicKey) value to your server's public key and set the (Endpoint) to be your server's public IP address. : [Interface] (Address) (=0.0.2 / (PrivateKey) (=(cAqmevIKScn5l4Jg1F) (KEIty6gVb8wGNqNlApvzc0c= (DNS) (=(1.1.1.1) [Peer] (PublicKey) (=(H6StMJOYIjfqhDvG9v) DSX9UlQl (hOoUm7F3COxC4=) (Endpoint) (=[10730] [10730] : (AllowedIPs) (=0.0.0.0/0 Because our server is behind a NAT, we'll also need to set PersistentKeepalive to keep the connection alive:
(Address) (=0.0.2 / (PrivateKey) (=(cAqmevIKScn5l4Jg1F) (KEIty6gVb8wGNqNlApvzc0c= (DNS) (=(1.1.1.1) [Peer] (PublicKey) (=(H6StMJOYIjfqhDvG9v) DSX9UlQl (hOoUm7F3COxC4=) (Endpoint) (=[10730] [10730] : (AllowedIPs) (=0.0.0.0/0 PersistentKeepalive (=34 The [ 10730] section is for configuration information about the peer it's connecting to , which in this case it's the client connection to the server. (PublicKey) (is the public key of the server.) (Endpoint) is your server's public IP and port the server's interface is listening, configured with (ListenPort) in the server's config. (AllowedIPs) is the IP range to allow forwarding from. Setting it to (0.0.0.0/0) will forward all traffic over the tunnel. (PersistentKeepalive) is the interval to periodically send keepalive packets to the server. If you're not sure what your server's public address is, you can do an IP lookup by doing a DNS query request to myip.opendns.com : (root @ ip - - - 0 - : / etc / wireguard # dig short myip.opendns.com @ resolver1.opendns.com . . If your server is an EC2 instance, you get query the metadata endpoint to get the public IP address: root @ ip - - 46 - 0 - 526: / etc / wireguard # curl http: // 1097. 254. / latest / meta-data / public-ipv4 . . (Setting client peer on server config Go back into the server and edit the config. We're going to add information about the client so that the server and client can authenticate with each other. [root@archlinux keys] root @ ip - 225 - - 0 - 524: / etc / wireguard / keys # vim /etc/wireguard/wg0.conf (Add the [Peer] (section to the server config: [Interface] (PrivateKey) (=(wIObajifv6U2emcZsAGNZbbWzkyrs) EEyr bgmlB3M=(Address) (=0.0.1 / 34 (ListenPort) (= (PostUp) (= iptables -A FORWARD -i% i -j ACCEPT; iptables -A FORWARD -o% i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (PostDown) (= iptables -D FORWARD -i% i -j ACCEPT; iptables -D FORWARD -o% i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] (PublicKey) (= (AllowedIPs) (=0.0.2 / Replace the (PublicKey) value with your client's public key: [Interface] (PrivateKey) (=(wIObajifv6U2emcZsAGNZbbWzkyrs) EEyr bgmlB3M=(Address) (=0.0.1 / 34 (ListenPort) (= (PostUp) (= iptables -A FORWARD -i% i -j ACCEPT; iptables -A FORWARD -o% i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (PostDown) (= iptables -D FORWARD -i% i -j ACCEPT; iptables -D FORWARD -o% i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] (PublicKey) (= vi4TCAo8TNRkpf4ZpiMsp3YHaOLrcouSDkrm4wJxezw= (AllowedIPs) (=0.0.2 / The [ 10730] section is for configuration information about the peer it's connecting to , which in this case it's the servers connection to the client. (PublicKey) (is the client's public key.) (AllowedIPs) are allowed client IP addresses. Starting WireGuard service on server server Now that the server has the client peer information we can start the WireGuard service with (wg-quick up wg0) on the server:
(root @ ip - - (- 0 - : / etc / wireguard / keys # wg- quick up wg0 [ #] ip link add wg0 type wireguard [#] wg setconf wg0 / dev / fd / [#] ip -4 address add 19. 0.0.1 / (dev wg0) [#] ip link set mtu (up dev wg0) [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE Depending on your Ubuntu installation, you might need to install additional kernel modules. If you got the error “RNETLINK answers: Operation not supported” trying to start the wg0 interface then install the following packages on the server: root @ ip - (-) - 0 - : / etc / wireguard # apt-get install wireguard-dkms wireguard-tools linux-headers - ($) (uname -r) ) to start WireGuard across reboots you'll need to (enable the service to add it to the systemd init system by running systemctl enable wg-quick @ wg0 .service : root @ ip - - 46 - 0 - : / etc / wireguard / keys # systemctl (enable) [email protected] Created symlink /etc/systemd/system/multi-user.target.wants/[email protected] → /lib/systemd/system/[email protected]. Check the status by running (systemctl status [email protected] (and if you see) Active: active (exited) then if everything is good so far: root @ ip - - 47 - 0 - 823: / etc / wireguard / keys # systemctl status [email protected] ● [email protected] - WireGuard via wg-quick () (8) [0..10] for wg0 Loaded: loaded ( / lib / systemd / system / wg-quick @ .service; indirect; vendor preset: enabled Active: active ( (exited) ) since Thu 10730 - 19 - [0..10] : [0..10] UTC; 1s ago Docs: man: wg-quick ( (8) ) man: wg ( (8) ) https://www.wireguard.com/ https://www.wireguard.com/quickstart/ https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8 https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8 Process: (ExecStart) ()= / usr / bin / wg-quick up wg0 ( code [
0..10] [root@archlinux keys]= exited, (status) =(0 / SUCCESS Main PID:
code (=(exited, (status) =0 / SUCCESS ) Apr () : : 33 ip - 254 - - 0 - (systemd [
1] : Starting WireGuard via wg-quick (
(8) ) (for wg0. .. Apr
() : : 34 ip - 255 - - 0 - (wg-quick [
10730] :
[
#] ip link add wg0 type wireguard Apr
() : : 34 ip - 255 - - 0 - (wg-quick [
10730] : [#] wg setconf wg0 / dev / fd / Apr
() : : 34 ip - 255 - - 0 - (wg-quick [
10730] :
[
#] ip -4 address add 0.0.1 / (dev wg0) Apr
() : : 34 ip - 255 - - 0 - (wg-quick [
10730] : ([#] ip link set mtu up dev wg0 Apr
() : : 34 ip - 255 - - 0 - wg-quick [
10730] :
[
#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; ipt Apr
() : : 34 ip - 255 - - 0 - systemd [
1] : Started WireGuard via wg-quick () (8) ) for wg0.
Verify that new iproute rules have been applied with (iptables -L -n) :
root @ ip - - 52 - 0 - 638: / etc / wireguard # iptables -L -n Chain INPUT
( (policy ACCEPT) ) target prot opt (source) destination Chain FORWARD ( (policy ACCEPT) ) target prot opt (source) destination ACCEPT all - 0.0.0.0/0 0.0.0.0/0 ACCEPT all - 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT ( (policy ACCEPT) ) target prot opt (source) destination
Running the command (ifconfig shows the new network interface [
root@archlinux wireguard] (wg0) with the internal IP address we specified [0..10] . 0.0.1 : (root @ ip - - (0-) : / etc / wireguard # ifconfig eth0: (flags) (=25519 (mtu) inet 0. (netmask) . 0 broadcast (.0.) inet6 fe :: :: (5bff: fe) : d (prefixlen) (scopeid 0x) ether [0..10] : 5b: : 0d: (txqueuelen) [0..10] (
(Ethernet) ) RX packets
(bytes)
( 1022229. 6 MB
) RX errors (0) (dropped) (0) (overruns) (0) (frame) (0) TX packets (bytes) ()
( 1000. 3 MB ) TX errors (0) (dropped) (0) (overruns) (0) (carrier [10730] (0) collisions (0) lo: (flags) (=(mtu) inet (0.0.0 netmask) . 0.0.0 inet6 :: 1 prefixlen 209 (scopeid 0x) loop txqueuelen [
0..10] (( (Local Loopback) ) RX packets bytes [
0..10] . 7 KB RX errors (0) (dropped) (0) (overruns) (0) (frame) (0) TX packets bytes
[
0..10] . 7 KB TX errors (0) (dropped) (0) (overruns) (0) (carrier [10730] (0) collisions (0) wg0: (flags) (=(mtu) inet 22 0.0.1 netmask . 0 destination 22 .0.1.1 unspec - - - - - - - - - - - 15 - 15 - - - (txqueuelen) ( UNSPEC ) RX packets (0) (bytes) (0) ( (0.0 B) () RX errors (0) (dropped) (0) (overruns) (0) (frame) (0) TX packets (0) (bytes) (0) ( (0.0 B) () TX errors (0) (dropped) (0) (overruns) (0) (carrier [10730] (0) collisions (0) Starting WireGuard service on client
First take note of your current public IP address on the client machine:
# dig short myip.opendns.com @ resolver1.opendns .com . 4 After we start the WireGuard service on the client then the public IP address will be resolved to the server's public IP address. Start the WireGuard service using (wg-quick) just like we did previously on the server: [root@archlinux wireguard] (# wg-quick up wg0) Now that WireGuard is running, check the public IP address again of the client and it should now be the public IP address of the server: [ (Connecting a mobile client to server) Download the WireG uard app for (iOS) or (Android) on your device. [ Cloud prompt] For this example we'll create a second client (an iPhone) to connect to the WireGuard server. The same steps will need to be followed from when we setup the first client. We can generate keys directly on the device and set up the configuration manually but that's not quick and ideal. Instead we can generate the keys and configuration on the server and then securely transfer the information into the WireGuard app. (Run) (wg genkey) but specify different filenames this time to distinguish them from the server keys:
root @ ip - 225 - - 0 - 638: / etc / wireguard # (cd) / etc / wireguard / keys root @ ip - - - 0 - 823: / etc / wireguard / keys # wg genkey | tee iphone_privatekey | wg pubkey> iphone_publickey root @ ip - - - 0 - : / etc / wireguard / keys # cat iphone_privatekey kFnMqMSiAluwb / xWgemXhjLh / II / sb (OoYCbh7yaWw)=root @ ip - - - 0 - : / etc / wireguard / keys # cat iphone_publickey cKIxzfp5ESpdM (vT2Qk / S7yvprOff6Le4YnyOTI4B8)=
Open up the server config / etc / wireguard / wg0.conf in your favorite editor: (root @ ip - - 48 - 0 - 255: / etc / wireguard / keys # vim /etc/wireguard/wg0.conf (
Add the second peer section and include the client's public key and IP address: [root@archlinux keys] (PrivateKey) (=(wIObajifv6U2emcZsAGNZbbWzkyrs) EEyr bgmlB3M=(Address) (=0.0.1 / 34 (ListenPort) (= (PostUp) (= iptables -A FORWARD -i% i -j ACCEPT; iptables -A FORWARD -o% i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (PostDown) (= iptables -D FORWARD -i% i -j ACCEPT; iptables -D FORWARD -o% i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] (PrivateKey) (=(wIObajifv6U2emcZsAGNZbbWzkyrs) EEyr bgmlB3M=(AllowedIPs) (=0.0.2 / [Peer] (PublicKey) (=(cKIxzfp5ESpdM) vT2Qk / S7yvprOff6Le4YnyOTI4B8= (AllowedIPs) (=0.0.3 / Create a new configuration file for the iPhone client on the server. We'll name it wgo-iphone.conf
: root @ ip - - - 0 - 638: / etc / wireguard / keys # vim /etc/wireguard/wg0-iphone.conf
Paste client configuration but remember to use a different private IP that differs from the first client. [
0..10] [Interface] (PrivateKey) (=(kFnMqMSiAluwb / xWgemXhjLh / II / sb) (OoYCbh7yaWw=(Address) (=0.0.3 / (DNS) (=(1.1.1.1) [Peer] (PublicKey) (=(H6StMJOYIjfqhDvG9v) DSX9UlQl (hOoUm7F3COxC4=) (Endpoint) (=[10730] [10730] : (AllowedIPs) (=0.0.0.0/0 PersistentKeepalive (=34 (
Install (qrencode) on the server to generate a QRCode from the configuration file.
You'll be scanning this qrcode in the WireGuard app to download the configuration . This is a safer way to transport credentials since the keys and configuration files don't need to be zipped and moved.
Generate the text based qrcode image in your terminal with (qrencode -t ansiutf8
root @ ip - 233 - - 0 - 524: / etc / wireguard # qrencode -t ansiutf8
In the WireGuard app go to: Add a tunnel → Create from QRCode
Scan the qrcode code generated in the terminal and make sure to (Allow) the VPN configuration in the settings popup. Enable the VPN by togling on the switch. Visit (ipchicken.com ) in the browser to verify the public iP address has changed.
Generating vanity addresses
It's easy to lose track of which keys belong to which devices since they all look like random strings. To make it easier to associate keys to devices you can use this vanity address generator to generate public keys that contain a custom array of characters.
For example, we'll generate a key pair where the public key starts with “iPho” to denote that it's a key pair to be used on the iPhone client. First install the vanity address generator with (cargo) : $ cargo install wireguard-vanity-address
Now just specify the list of characters that you want in the public key base output: $ wireguard-vanity-address ipho searching for ('ipho') in pubkey [0..10] , one of every
keys should match one trial takes 92. 6 us, CPU cores available: (8) est yield: 1.6 seconds per key, . e-3 keys / s hit Ctrl-C to stop private YPpudjAoVCnaPUJdcEVhj5Ttedq7WP1ozL ZdtuTC1g =(public) cHklbipHoMS9CA8XlRdKMBOOIfQC (Ut8SVyYsqmox0) (=private
kD6FSIZehv1DKJ (MKJQcmSDdd) U3s4s (ymtP1Ekc) [
0..10] (= public iPHoaaQye7 OJNq / TfOvXjMr 169 pq9ADDDlGynRQ6KQ 8
= private (aEJ) LXCeipouhiAoQjfMjtwrHPfZDvKLguE8XlawnY [
0..10]=(public iPHoEoUy4WgkUXr4e) (IkA) (IZqVI / AqHNS2RZlGhHM)=
^ C
It'll keep generating until you manually stop it when you see a key pair that you like. (Automation)
A nice tool to automate the process of setting up a WireGuard VPN is (Algo) . [Cloud prompt] Algo is a set of (Ansible) scripts to help you set up and configure WireGuard on the remote server from your local machine.
To get started, clone the algo repository and install th e python dependencies: ~ $ git clone https://github.com/trailofbits/algo. git ~ $ (cd) algo / ~ / algo $ pip install virtualenv ~ / algo $ python3 -m virtualenv --python=
($)
command -v python3 .env && source .env / bin / activate && python3 -m pip install -U pip virtualenv && python3 -m pip install -r requirements.txt Now run the algo executable file to start the walkthough of deploying an Algo server to the cloud : . env ~ / algo $ ./algo [Cloud prompt] What provider would you like to use? 1. DigitalOcean 2. Amazon Lightsail 3. Amazon EC2 4. Microsoft Azure 5. Google Compute Engine 6. Hetzner Cloud 7. Vultr 8. Scaleway 9. OpenStack ( (DreamCompute optimized) . CloudStack ( (Exoscale optimized) . Install to existing Ubuntu . or
(server) (
for more advanced users ) Enter the number of your desired provider :
(TLDR;) Here's a summary of the server and client configuration and commands used in this post: Server Server commands: sudo -s apt-get install wireguard mkdir -p / etc / wireguard / keys (cd) / etc / wireguard / keys (umask) wg genkey | tee privatekey | wg pubkey> publickey vim /etc/wireguard/wg0.conf # see server config below vim /etc/sysctl.conf
# uncomment line "net.ipv4.ip_forward=1" sysctl -p wg-quick up wg0 systemctl enable [email protected] Server config / etc / wireguard / wg0.conf : [Interface] (PrivateKey) (=(Address) (=0.0.1 / 34 (ListenPort) (= (PostUp) (= iptables -A FORWARD -i% i -j ACCEPT; iptables -A FORWARD -o% i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (PostDown) (= iptables -D FORWARD -i% i -j ACCEPT; iptables -D FORWARD -o% i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] (PublicKey) (= (AllowedIPs) (=0.0.2 / (Client) Client commands: sudo -s apt-get install wireguard mkdir -p / etc / wireguard / keys (cd) / etc / wireguard / keys (umask) wg genkey | tee privatekey | wg pubkey> publickey vim /etc/wireguard/wg0.conf # see client config below wg-quick up wg0 Client config / etc / wireguard / wg0.conf : [Interface] (PrivateKey) (=() (Address) (=0.0.2 / (DNS) (=(1.1.1.1) [Peer] (PublicKey) (= (Endpoint) (=: (AllowedIPs) (=0.0.0.0/0 PersistentKeepalive (=34 (Resources) WireGuard site
GIPHY App Key not set. Please check settings