Last edit: 2024-10-17
WireGuard quick setup guide.
WireGuard is a simple and secure VPN. In essense, a VPN allows multiple hosts to communicate with one another across the internet like they are on the same switch. It has nothing to do with hiding your public IP address, but it can be used for that as well. For instance, you will be able to access your home desktop computer from your laptop/telephone wherever you go, provided both are connected to the internet.
WireGuard uses a key pair to encrypt the trafic, just like SSH. Invoke wg
genkey | tee privatekey | wg pubkey > publickey
on each device to create them.
Private key never leaves the device, public key is shared.
Server has to have a public IP addres. Save under /etc/wireguard/srv.conf
:
[Interface]
Address = 10.9.0.1/24
Privatekey = SERVER_PRIVATE_KEY_HERE
ListenPort = 51820
[Peer]
PublicKey = HOST_PUBLIC_KEY_HERE
AllowedIPs = 10.9.0.2/32
[Peer]
PublicKey = ANOTHER_HOST_PUBLIC_KEY_HERE
AllowedIPs = 10.9.0.3/32
To make VPN host able to reach one another, not just the server, invoke sysctl
net.ipv4.ip_forward=1
on the server. ListenPort
must be open and packet
forwarding for wg0
interface allowed. AllowedIPs
says which IP addresses
this host (server in this case) is allowed to connect to, only the given peer.
Run wg-quick up srv
to start.
Save under /etc/wireguard/cli.conf
:
[Interface]
Address = 10.9.0.2/24
Privatekey = HOST_PRIVATE_KEY_HERE
# Optional! DNS server to use:
# DNS = 10.9.0.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY_HERE
Endpoint = SERVER.PUBLIC.IP.HERE:51820
AllowedIPs = 10.9.0.0/24
AllowedIPs
here says this client is allowed to reach all VPN hosts. If you
want the host without a public IP address to be reachable all the time, add
PersistentKeepAlive = 25
to the host config in [Peer]
section. Run
wg-quick up cli
to connect.
It is possible to use WireGuard server as internet gateway to hide your IP address, so that websites you visit will see the server’s public IP address rather than yours.
AllowedIPs
of the host must be set to 0.0.0.0/0
and the server’s
firewall must be configured to do IP masquerading:
chain postrouting {
type nat hook postrouting priority 100; policy accept;
# Masquerade Wireguard traffic.
oifname eth0 ip saddr 10.9.0.0/24 masquerade
}
As soon as you have everything up and running, benchmark your VPN download/upload speeds with iperf. Here is a great performance tuning article.
© 2024
Ivan Kovmir —
CC BY-NC-SA 4.0 License