HxHippy

WireGuard VPN Setup

Configure WireGuard VPN for secure, fast point-to-point connections.

Last updated: 2025-01-15

WireGuard VPN

WireGuard is a modern VPN protocol that is faster and simpler than IPsec and OpenVPN.

Installation

# Debian/Ubuntu
sudo apt install wireguard

# RHEL/CentOS
sudo dnf install wireguard-tools

# Arch Linux
sudo pacman -S wireguard-tools

Generate Keys

# Create directory
sudo mkdir -p /etc/wireguard
cd /etc/wireguard

# Generate a private key and derive its public key; umask 077 first so the
# key file is never created world-readable, not even briefly
umask 077
wg genkey | sudo tee privatekey | wg pubkey | sudo tee publickey

# Set permissions
sudo chmod 600 privatekey

Server Configuration

/etc/wireguard/wg0.conf

[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
Address = 10.0.0.1/24
ListenPort = 51820
# eth0 is the server's Internet-facing interface; change it if yours differs
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Client 1
PublicKey = <CLIENT1_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32

[Peer]
# Client 2
PublicKey = <CLIENT2_PUBLIC_KEY>
AllowedIPs = 10.0.0.3/32

Client Configuration

/etc/wireguard/wg0.conf

[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = server.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Enable IP Forwarding

# Enable temporarily
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1

# Enable permanently
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Start and Manage

# Start interface
sudo wg-quick up wg0

# Stop interface
sudo wg-quick down wg0

# Enable on boot
sudo systemctl enable wg-quick@wg0

# Check status
sudo wg show

# Show detailed status
sudo wg show wg0

Add New Peer

# Generate keys for new client (umask 077 keeps the private key file at 0600)
umask 077
wg genkey | tee client3_private | wg pubkey > client3_public

# Add to server config
sudo wg set wg0 peer $(cat client3_public) allowed-ips 10.0.0.4/32

# Save running config
sudo wg-quick save wg0
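The "Add New Peer" steps above, combined with the client config layout from the Client Configuration section, as one script. This is an added example, not code from the page or from the WireGuard project. It assumes the interface is wg0, the tunnel subnet is 10.0.0.0/24 with the server on 10.0.0.1, the wg and wg-quick binaries are on PATH, and that `wg show wg0 allowed-ips` prints one peer per line as a public key, a tab, and space-separated CIDRs (or "(none)"). The sample `wg show` output at the bottom is constructed.

```python
"""Add a client to a running WireGuard server: pick the next free tunnel
address, register the peer, persist wg0.conf and write the client's config.
Added example, not from the page or the WireGuard project. Assumes wg0,
subnet 10.0.0.0/24, server at 10.0.0.1, and the wg show output format
"<public-key>\\t<cidr> <cidr> ..." for `wg show wg0 allowed-ips`."""
import ipaddress
import os
import subprocess
import sys


def used_networks(show_output):
    """Parse `wg show <iface> allowed-ips` output into ip_network objects."""
    nets = []
    for line in show_output.splitlines():
        _pubkey, _, cidrs = line.partition("\t")
        for cidr in cidrs.split():
            if cidr != "(none)":                     # peer with no AllowedIPs yet
                nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def next_free_address(nets, subnet="10.0.0.0/24", reserved=("10.0.0.1",)):
    """First host in the subnet that is not reserved and not inside any peer's AllowedIPs."""
    subnet = ipaddress.ip_network(subnet)
    reserved = {ipaddress.ip_address(a) for a in reserved}
    for host in subnet.hosts():
        if host in reserved:
            continue
        if any(host in net for net in nets if net.version == host.version):
            continue
        return host
    raise RuntimeError(f"no free address left in {subnet}")


def render_client_conf(client_private_key, client_address, server_public_key,
                       endpoint, allowed_ips="0.0.0.0/0, ::/0", dns="1.1.1.1"):
    """Client-side wg0.conf in the page's layout (full tunnel by default)."""
    return (
        "[Interface]\n"
        f"PrivateKey = {client_private_key}\n"
        f"Address = {client_address}/32\n"
        f"DNS = {dns}\n"
        "\n"
        "[Peer]\n"
        f"PublicKey = {server_public_key}\n"
        f"Endpoint = {endpoint}\n"
        f"AllowedIPs = {allowed_ips}\n"
        "PersistentKeepalive = 25\n"
    )


def wg_set_argv(iface, client_public_key, client_address):
    """argv for the page's `wg set ... allowed-ips` step: a single /32, not the subnet."""
    return ["wg", "set", iface, "peer", client_public_key,
            "allowed-ips", f"{client_address}/32"]


def write_private(path, text):
    """Create the file with mode 0600 from the start, never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def wg(*args, stdin=None):
    """Run wg(8) and return its trimmed stdout; raises on a non-zero exit."""
    return subprocess.run(["wg", *args], input=stdin, capture_output=True,
                          text=True, check=True).stdout.strip()


def main(iface, name, endpoint):
    client_priv = wg("genkey")
    client_pub = wg("pubkey", stdin=client_priv + "\n")
    server_pub = wg("show", iface, "public-key")
    addr = next_free_address(used_networks(wg("show", iface, "allowed-ips")))
    subprocess.run(wg_set_argv(iface, client_pub, addr), check=True)  # needs root
    subprocess.run(["wg-quick", "save", iface], check=True)          # persist to wg0.conf
    write_private(f"{name}.conf",
                  render_client_conf(client_priv, addr, server_pub, endpoint))
    print(f"{name}: {addr} written to {name}.conf; hand it over on a secure channel")


# Constructed sample of `wg show wg0 allowed-ips` with the page's two clients.
SAMPLE_SHOW = ("CLIENT1_PUBLIC_KEY_PLACEHOLDER=\t10.0.0.2/32\n"
               "CLIENT2_PUBLIC_KEY_PLACEHOLDER=\t10.0.0.3/32 192.168.1.0/24\n")

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: add_peer.py <iface> <client-name> <server-host:port>")
    main(*sys.argv[1:])
```

Run it as root on the server, for example `python3 add_peer.py wg0 client3 server.example.com:51820`. The address, rendering and argv helpers are pure functions, so they can be exercised without a live interface; only main() touches wg.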

Remove Peer

# Remove peer by public key
sudo wg set wg0 peer <PUBLIC_KEY> remove

Generate QR Code (for Mobile)

# Install qrencode
sudo apt install qrencode

# Generate QR from config
qrencode -t ansiutf8 < client.conf

Firewall Configuration

# Allow WireGuard port
sudo ufw allow 51820/udp

# Or with iptables
sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT

Split Tunneling

Only route specific traffic through VPN:

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = server.example.com:51820
# Only route internal network
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24

Site-to-Site Configuration

Each gateway forwards traffic for the LAN behind it, so both sites need IP forwarding enabled (see above); wg-quick installs the routes for the remote AllowedIPs itself.

Site A (10.0.1.0/24)

[Interface]
PrivateKey = <SITE_A_PRIVATE>
Address = 10.255.0.1/30
# Site B's Endpoint points at port 51820, so this side must listen there
ListenPort = 51820

[Peer]
PublicKey = <SITE_B_PUBLIC>
Endpoint = siteb.example.com:51820
AllowedIPs = 10.255.0.2/32, 10.0.2.0/24
PersistentKeepalive = 25

Site B (10.0.2.0/24)

[Interface]
PrivateKey = <SITE_B_PRIVATE>
Address = 10.255.0.2/30
# Site A's Endpoint points at port 51820, so this side must listen there
ListenPort = 51820

[Peer]
PublicKey = <SITE_A_PUBLIC>
Endpoint = sitea.example.com:51820
AllowedIPs = 10.255.0.1/32, 10.0.1.0/24
PersistentKeepalive = 25

Troubleshooting

# Check interface
ip a show wg0

# Watch handshakes
sudo wg show wg0

# Check routing
ip route show table all | grep wg

# Debug logging
echo module wireguard +p | sudo tee /sys/kernel/debug/dynamic_debug/control
dmesg | grep wireguard

Best Practices

  1. Use unique keys - Generate a separate key pair per peer and never share private keys
  2. Limit AllowedIPs - Grant each peer only the addresses it actually needs
  3. Enable PersistentKeepalive - Needed when a peer sits behind NAT, otherwise the mapping times out
  4. Use DNS over VPN - Set DNS in the client config so lookups go through the tunnel and do not leak
  5. Rotate keys periodically - Regenerate key pairs and update the matching peers
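The server layout, the split-tunnel AllowedIPs and practice 2 above all come down to what each [Peer] is allowed to claim, and wg-quick does not cross-check peers against each other. The following linter is an added example, not code from the page or from the WireGuard project; it uses only the standard library. It parses a wg0.conf, checks that keys decode to 32 bytes, and reports duplicate peer keys and overlapping AllowedIPs. The sample configs and the fake_key stand-ins are constructed.

```python
"""Lint a wg-quick style wg0.conf before bringing the interface up.
Added example, not from the page or the WireGuard project; standard library
only. The sample configs are constructed, with deterministic stand-in keys."""
import base64
import ipaddress
import re


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]) from INI-like wg-quick text."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")          # base64 '=' padding stays in value
        current[key.strip()] = value.strip()
    return interface, peers


def is_valid_key(value):
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:                               # binascii.Error is a ValueError
        return False


def check_config(text):
    """Return a list of findings; an empty list means nothing was detected."""
    findings = []
    interface, peers = parse_wg_conf(text)
    if not is_valid_key(interface.get("PrivateKey", "")):
        findings.append("Interface: PrivateKey is not a valid 32-byte base64 key")
    seen_keys, seen_nets = set(), []                 # seen_nets: (network, peer index)
    for idx, peer in enumerate(peers, 1):
        pub = peer.get("PublicKey", "")
        if not is_valid_key(pub):
            findings.append(f"peer {idx}: PublicKey is not a valid key")
        elif pub in seen_keys:
            findings.append(f"peer {idx}: PublicKey duplicates an earlier peer")
        seen_keys.add(pub)
        for cidr in re.split(r"\s*,\s*", peer.get("AllowedIPs", "").strip()):
            if not cidr:
                findings.append(f"peer {idx}: AllowedIPs is empty, the peer can send nothing")
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            # wg(8) accepts overlapping AllowedIPs: an identical range silently moves to
            # the peer configured last, otherwise longest prefix wins. Report for review.
            for other, other_idx in seen_nets:
                if net.version == other.version and net.overlaps(other):
                    findings.append(
                        f"peer {idx}: AllowedIPs {cidr} overlaps peer {other_idx} ({other})")
            seen_nets.append((net, idx))
    return findings


def fake_key(n):
    """Constructed stand-in for a key: 32 repeated bytes, base64 (not a real key)."""
    return base64.b64encode(bytes([n]) * 32).decode()


# Constructed: the page's server layout, two clients on /32 addresses.
SERVER_OK = f"""\
[Interface]
PrivateKey = {fake_key(1)}
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
# Client 1
PublicKey = {fake_key(2)}
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = {fake_key(3)}
AllowedIPs = 10.0.0.3/32
"""

# Constructed broken variant: bad server key, client 1's key reused, peer 2 claims the /24.
SERVER_BAD = f"""\
[Interface]
PrivateKey = not-a-key
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = {fake_key(2)}
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = {fake_key(2)}
AllowedIPs = 10.0.0.0/24, ::/0
"""
```

Call check_config() on the text of a real wg0.conf from a pre-start hook or CI; a non-empty list is a reason not to run wg-quick up. The overlap check reports IPv4 against IPv4 and IPv6 against IPv6 only, since the two families cannot overlap.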