It was some time ago that I set up Wireguard as my VPN server. I have configured my mobile to use it and it works flawlessly.
But every now and then I want to add a client, and I have to search for how to do it every time…
This time I decided to write down some notes to make it easier the next time…
When setting up a Wireguard client and server, the essential thing to understand is that the client and server need to know each other's public keys:
- each side keeps its own private key in its [Interface] section and lists the other side's public key in a [Peer] section; a peer whose public key is not listed gets no reply to its handshake at all
- the keys are not used to encrypt the traffic directly: during the handshake each side combines its own private key with the other side's public key (Curve25519 Diffie-Hellman, together with per-session ephemeral keys), both arrive at the same symmetric session keys, and those session keys encrypt the packets in both directions
Another thing to recognize is that a Wireguard client and server are really not that different (if at all): Wireguard itself only knows peers, and the two configurations are very similar. The practical differences are that the server has a fixed ListenPort, while the client has an Endpoint pointing at it, and that a server is usually associated with multiple clients, whereas a client is mostly associated with a single server (or a few at most).
Three items are needed on each side to configure the VPN connection: its own private key, its tunnel address, and the public key of the other side (plus the server's endpoint on the client and a listen port on the server):

CLIENT:
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.5/32
DNS = 10.0.0.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_IP>:51820
AllowedIPs = 0.0.0.0/0

SERVER:
[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
Address = 10.0.0.1
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.5/32

- AllowedIPs does two jobs: it routes traffic for those addresses into the tunnel towards that peer, and it is the access list for what that peer may send (a packet arriving from the client with a source address outside 10.0.0.5/32 is dropped). So on the server keep it to the client's own address; on the client 0.0.0.0/0 sends all traffic through the tunnel.
- wg-quick replaces %i with the interface name (wg0). The PostUp rules forward the clients' traffic and masquerade it out of eth0 (replace this with the server's actual uplink interface); they only have an effect if IP forwarding is enabled on the server (net.ipv4.ip_forward=1).
- In my situation my domain name resolves to an IPv6 address, but that was not working. So I had to use my server's public IPv4 address as the Endpoint instead.
To install on Windows, I found this tutorial and downloaded the Windows client from the Wireguard site.
For installation on Linux, I combined the Windows tutorial with this page with instructions.
On Linux everything can be done from the command line. All commands below are executed as root (or with sudo).
apt install wireguard
Create the private and public keys (client.key must stay private: anyone who can read it can impersonate this client, so create it with a restrictive umask or chmod 600 it afterwards):
wg genkey | tee client.key | wg pubkey | tee client.key.pub
Create the client configuration (see the configuration section above) and save it as /etc/wireguard/wg0.conf; the file name is the interface name that wg-quick uses below:
Because the configuration contains a DNS entry, wg-quick needs resolvconf to set the resolver, but my distribution uses resolvectl. Using a symbolic link solves this issue (resolvectl behaves like resolvconf when invoked under that name; some distributions already ship this link, so check with command -v resolvconf first):
ln -s /usr/bin/resolvectl /usr/local/bin/resolvconf
Start Wireguard using the configuration just created:
wg-quick up wg0
Check the status of the connection with wg (or wg show). Expect something like:

> sudo wg
interface: wg0
  public key: <CLIENT_PUBLIC_KEY>
  private key: (hidden)
  listening port: 60774
  fwmark: 0xca6c

peer: <SERVER_PUBLIC_KEY>
  endpoint: <SERVER_IP>:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 43 seconds ago
  transfer: 42.59 MiB received, 8.91 MiB sent

The line to look at is "latest handshake": if it is missing, the server never answered (wrong public key on either side, wrong Endpoint, or UDP port 51820 blocked). The fwmark is what wg-quick uses to keep the encrypted packets themselves out of the 0.0.0.0/0 route through the tunnel.
Disable the connection:
wg-quick down wg0
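The whole add-a-client procedure above (key generation, the client and server halves of the configuration, and the handshake check) as one added shell script. This is an added example, not code from the original post: the file names, the 10.0.0.6 address, vpn.example.org and the key strings used in the comments are assumptions and constructed placeholders, not real values or real keys.

```shell
#!/bin/sh
# Added example, not from the original post. Builds everything needed to add one
# client: a fresh key pair, the client's wg0.conf, and the [Peer] stanza for the
# server. The DNS address, the 10.0.0.x addresses and any key strings mentioned
# in comments are assumptions/placeholders, not values from the post.
set -eu

# A Wireguard key is 32 random bytes, base64-encoded: exactly 44 characters ending
# in one "=", and because 32 bytes leave two zero padding bits the 43rd character
# must be one whose base64 value is a multiple of 4. wg refuses anything else.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Client half: own private key under [Interface], the server's public key under
# [Peer]. PersistentKeepalive = 25 keeps a NAT mapping open for a client behind
# NAT (25 s is the interval wg(8) suggests); drop it if the client is not NATed.
# $1 client private key, $2 client tunnel address, $3 server public key, $4 server host:port
client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2/32
DNS = 10.0.0.1

[Peer]
PublicKey = $3
Endpoint = $4
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Server half: one [Peer] stanza to append to the server's wg0.conf. AllowedIPs is
# also the ACL: packets from this peer whose source is outside it are dropped, so
# keep it to the client's own /32.
# $1 client public key, $2 client tunnel address
server_peer() {
    cat <<EOF

[Peer]
PublicKey = $1
AllowedIPs = $2/32
EOF
}

# Interpret "wg show wg0 latest-handshakes" output (one "<peer-pubkey><TAB><unix-time>"
# line per peer, read from stdin). 0 means the peer never completed a handshake
# (wrong key on either side, wrong Endpoint, or UDP blocked). While traffic flows,
# Wireguard re-handshakes at least every 2 minutes; an idle tunnel simply stops
# handshaking, so an old timestamp means "idle or dead", not necessarily broken.
# $1 current unix time, $2 maximum accepted age in seconds
handshakes_fresh() {
    now=$1; max=$2; ok=1
    while read -r peer ts; do
        [ -n "$ts" ] || continue
        if [ "$ts" -eq 0 ] || [ $((now - ts)) -gt "$max" ]; then
            echo "no recent handshake from peer $peer" >&2
            ok=0
        fi
    done
    [ "$ok" -eq 1 ]
}

# Generate the key pair and write the files for one new client (needs the wg tool).
# $1 client name, $2 client tunnel address, $3 server public key, $4 server host:port
add_peer() {
    is_wg_key "$3" || { echo "invalid server public key: $3" >&2; return 1; }
    umask 077                        # key and config must not be world-readable
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    client_conf "$priv" "$2" "$3" "$4" > "$1.conf"   # copy to /etc/wireguard/wg0.conf on the client
    printf '%s\n' "$pub" > "$1.pub"
    echo "wrote $1.conf and $1.pub; append this to the server's wg0.conf:"
    server_peer "$pub" "$2"
}

# usage: sh add-peer.sh laptop 10.0.0.6 <SERVER_PUBLIC_KEY> <SERVER_IP>:51820
if [ $# -eq 4 ]; then
    add_peer "$@"
fi
```

On a server managed by wg-quick the printed stanza can also be applied without restarting the interface with wg set wg0 peer <CLIENT_PUBLIC_KEY> allowed-ips 10.0.0.6/32, and then persisted with wg-quick save wg0. The Docker image used for the server below generates its peer configurations itself, so there the stanza is only useful for checking what it produced.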
To install the server I'm using the linuxserver/wireguard image with the following docker-compose file:

version: "2.1"
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Amsterdam
      - SERVERURL=<SERVER_URL>
      - SERVERPORT=51820
      - PEERS=4
      - PEERDNS=10.0.0.1
      - INTERNAL_SUBNET=10.0.0.0
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

With PEERS=4 the image generates the server configuration plus four ready-made client configurations (with QR codes) under ./config. That directory then holds the server's private key and every client's private key, so keep it readable by root only. SYS_MODULE and the /lib/modules mount are only needed when the host kernel does not already provide the wireguard module (it is built in since kernel 5.6).
December 22, 2021