Wireguard

Wireguard config tutorial.

This is a repost from my old blog. I want to keep it here for the sake of nostalgia. I will update this post from time to time to keep it up-to-date. You can find the original post here.

Installation

Arch Linux

sudo pacman -S wireguard-tools

Users of kernels < 5.6 may also choose wireguard-lts or wireguard-dkms + linux-headers, depending on which kernel is used.

Debian

sudo apt install wireguard

For other distros, please head over to WireGuard’s official installation document.

Android

F-Droid or Play Store

Generate Keys

umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Client configuration

In /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.x.x.x/x
#DNS = 10.x.x.x, 10.x.x.x # optional, would recommend only if you set AllowedIPs to 0.0.0.0/0

[Peer]
PublicKey = Server_Public_Key
AllowedIPs = 0.0.0.0/0 # or subnets you want to allow
Endpoint = ip:51820
# PersistentKeepalive = 25 # optional

Server configuration

[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.x.x.x/x
ListenPort = 51820
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o PUBLIC_INTERFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o PUBLIC_INTERFACE -j MASQUERADE

[Peer]
PublicKey = Client_Public_key
AllowedIPs = 10.x.x.x/32

Replace `PUBLIC_INTERFACE` with your interface, such as eth0.

Enable IPv4 packet forwarding

In /etc/sysctl.d/99-sysctl.conf, uncomment the line #net.ipv4.ip_forward=1.

To apply, reboot or run sudo sysctl -p.

Daemonizing

Replace wg0 with the filename (without extension) you have in /etc/wireguard/.

sudo systemctl enable --now wg-quick@wg0

Restarting

wg-quick down wg0 && wg-quick up wg0

Using NetworkManager to manage WireGuard

Import configuration file

nmcli connection import type wireguard file /etc/wireguard/wg0.conf

nmcli can create a WireGuard connection profile, but it does not support configuring WireGuard peers.

Usage

# Enable
nmcli connection up wg0
# Disable
nmcli connection down wg0

Disable IPv6

nmcli connection modify your_network_interface ipv6.method "disabled"
