WireGuard VPN
WireGuard is a modern VPN protocol that is faster and simpler than IPsec and OpenVPN.
Installation
# Debian/Ubuntu
sudo apt install wireguard
# RHEL/CentOS
sudo dnf install wireguard-tools
# Arch Linux
sudo pacman -S wireguard-tools
Generate Keys
# Create directory
sudo mkdir -p /etc/wireguard
cd /etc/wireguard
# Generate private key
wg genkey | sudo tee privatekey | wg pubkey | sudo tee publickey
# Set permissions
sudo chmod 600 privatekey
Server Configuration
/etc/wireguard/wg0.conf
[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# Client 1
PublicKey = <CLIENT1_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32
[Peer]
# Client 2
PublicKey = <CLIENT2_PUBLIC_KEY>
AllowedIPs = 10.0.0.3/32
Client Configuration
/etc/wireguard/wg0.conf
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = server.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Enable IP Forwarding
# Enable temporarily
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1
# Enable permanently
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Start and Manage
# Start interface
sudo wg-quick up wg0
# Stop interface
sudo wg-quick down wg0
# Enable on boot
sudo systemctl enable wg-quick@wg0
# Check status
sudo wg show
# Show detailed status
sudo wg show wg0
Add New Peer
# Generate keys for new client
wg genkey | tee client3_private | wg pubkey > client3_public
# Add to server config
sudo wg set wg0 peer $(cat client3_public) allowed-ips 10.0.0.4/32
# Save running config
sudo wg-quick save wg0
Remove Peer
# Remove peer by public key
sudo wg set wg0 peer <PUBLIC_KEY> remove
Generate QR Code (for Mobile)
# Install qrencode
sudo apt install qrencode
# Generate QR from config
qrencode -t ansiutf8 < client.conf
Firewall Configuration
# Allow WireGuard port
sudo ufw allow 51820/udp
# Or with iptables
sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
Split Tunneling
Only route specific traffic through VPN:
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = server.example.com:51820
# Only route internal network
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
Site-to-Site Configuration
Site A (10.0.1.0/24)
[Interface]
PrivateKey = <SITE_A_PRIVATE>
Address = 10.255.0.1/30
[Peer]
PublicKey = <SITE_B_PUBLIC>
Endpoint = siteb.example.com:51820
AllowedIPs = 10.255.0.2/32, 10.0.2.0/24
PersistentKeepalive = 25
Site B (10.0.2.0/24)
[Interface]
PrivateKey = <SITE_B_PRIVATE>
Address = 10.255.0.2/30
[Peer]
PublicKey = <SITE_A_PUBLIC>
Endpoint = sitea.example.com:51820
AllowedIPs = 10.255.0.1/32, 10.0.1.0/24
PersistentKeepalive = 25
Troubleshooting
# Check interface
ip a show wg0
# Watch handshakes
sudo wg show wg0
# Check routing
ip route show table all | grep wg
# Debug logging
echo module wireguard +p | sudo tee /sys/kernel/debug/dynamic_debug/control
dmesg | grep wireguard
Best Practices
- Use unique keys: never share private keys between peers
- Limit AllowedIPs: only the addresses each peer needs
- Enable PersistentKeepalive: for peers behind NAT
- Use DNS over the VPN: prevents DNS leaks
- Rotate keys periodically: regenerate and redistribute keys
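To check a server's [Peer] blocks against the two AllowedIPs rules above (each destination belongs to exactly one peer, and no route broader than needed), here is an added Python linter; it is not part of the original page, and SAMPLE_CONF is a constructed config, not the server config shown earlier.

```python
import ipaddress

# Constructed sample server config (not the page's file): client 2 reuses
# client 1's /32, and client 3 is handed a catch-all route.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = <CLIENT1_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32  # client 1
[Peer]
PublicKey = <CLIENT2_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32, 10.0.0.3/32
[Peer]
PublicKey = <CLIENT3_PUBLIC_KEY>
AllowedIPs = 0.0.0.0/0
"""

def parse_peers(text):
    """One dict per [Peer]; configparser cannot be used because wg0.conf repeats [Peer]."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None   # skip [Interface]
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.lower()] = value
    return peers

def lint_allowed_ips(text):
    """Cryptokey routing gives each destination to one peer: flag overlaps and /0 routes."""
    findings, seen = [], []                           # seen: (network, peer index)
    for idx, peer in enumerate(parse_peers(text), start=1):
        for cidr in [c.strip() for c in peer.get("allowedips", "").split(",") if c.strip()]:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"peer {idx}: catch-all route {cidr}")
                continue
            for other, owner in seen:
                if net.overlaps(other):
                    findings.append(f"peer {idx}: {cidr} overlaps peer {owner} ({other})")
            seen.append((net, idx))
    return findings
```

Run it against /etc/wireguard/wg0.conf before `wg-quick up`; an overlap means the later peer silently takes the route from the earlier one.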