WireGuard

Just a snippset for myself

Note
This article was last updated on 2024-06-22, the content may be out of date.

bash

sudo pacman -S wireguard-tools
Note
Users of kernels < 5.6 may also choose wireguard-lts or wireguard-dkms + linux-headers, depending on which kernel is used.

bash

sudo apt install wireguard
Info
For other distros, please head over to WireGuard’s official installation document

Download from F-Droid

Download from Play Store

bash

umask 077; wg genkey | tee privatekey | wg pubkey > publickey

In /etc/wireguard/wg0.conf:

bash

[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.x.x.x/x
#DNS = 10.x.x.x, 10.x.x.x # optional, would recommend only if you set AllowedIPs to 0.0.0.0/0

[Peer]
PublicKey = Server_Public_Key
AllowedIPs = 0.0.0.0/0 # or subnets you want to allow
Endpoint = ip:51820
# PersistentKeepalive = 25 # optional

bash

[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.x.x.x/x
ListenPort = 51820
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o PUBLIC_INTERFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o PUBLIC_INTERFACE -j MASQUERADE

[Peer]
PublicKey = Client_Public_key
AllowedIPs = 10.x.x.x/32
Note
Replace PUBLIC_INTERFACE with your interface, such as eth0.

In /etc/sysctl.d/99-sysctl.conf, uncomment line #net.ipv4.ip_forward=1.

To apply, reboot or run sudo sysctl -p.

Replace wg0 with the filename (without extension) you have in /etc/wireguard/.

bash

sudo systemctl enable --now wg-quick@wg0

bash

wg-quick down wg0 && wg-quick up wg0

bash

nmcli connection import type wireguard file /etc/wireguard/wg0.conf
Note
Note: nmcli can create a WireGuard connection profile, but it does not support configuring WireGuard peers.

bash

# Enable
nmcli connection up wg0
# Disable
nmcli connection down wg0

bash

nmcli connection modify your_network_interface ipv6.method "disabled"