This tutorial can be found online on a million different sites. What’s different about this one? It’s so simple it can’t fail. This is written mainly for my own reference and will be updated when I see that changes are needed.
You need to install WireGuard on both the client and the server. There are apps for all platforms out there. On iOS and macOS it’s in the official App Store, and on Ubuntu (<= 19.10) it’s as simple as:
You need some keys. Generate them with the following command:
This will create two files: the private key and publickey. This is an example of these files:
You don’t need the files, just the content.
Next up, it’s the actual server configuration. There are going to be two iterations on these files during this tutorial. Create a new file on the server. My VPN server is going to have an IP of 192.168.2.1. Replace the private key with your own.

```ini
[Interface]
Address = 192.168.2.1
PrivateKey = YB1LOPPwg1SrDjCdbZ94AD5Pa2xG0xbHLk0Q8XXJDWA=
ListenPort = 51820
```
Save the file and continue on the client.
Now run the same key generation for your client. You can do it on the server as well - it doesn’t matter where the keys are made. Just pay attention not to overwrite the files holding the server keys!
This is the output for our client:
Now, this gets plugged into the config file. Note that under [Interface] you use the client private key, and under [Peer] you use the server public key. My client will have the address 192.168.2.2 (the Address line below); replace 10.10.10.10 in Endpoint with the IP of your server.

```ini
[Interface]
PrivateKey = 4H+4yv74PlXJ4DnsU2BqMQh8bfKxk0CemWhBPzfK1X4=
ListenPort = 21841
Address = 192.168.2.2/32
DNS = 188.8.131.52

[Peer]
PublicKey = y7iU+GDrLqsz4Unu1Xsg7Ae7LT3TgHeMZzWoy3RhCAo=
AllowedIPs = 192.168.2.0/24
Endpoint = 10.10.10.10:51820
PersistentKeepalive = 25
```
Save the file and back to the server.
On the server edit the /etc/sysctl.conf file and uncomment the following line:
After this is done, open up /etc/wg0.conf and add a [Peer]. Enter the client’s public key and set the correct IP (it has to be the same on the client and on the server under its peer).
I’ve also added the firewall part right now. Change your interface eth0 to be the one you use for internet. You can find out which one that is from your list of network interfaces.

```ini
[Interface]
Address = 192.168.2.1
PrivateKey = YB1LOPPwg1SrDjCdbZ94AD5Pa2xG0xbHLk0Q8XXJDWA=
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Name = Andrei Zvonimir's iPhone 11
PublicKey = Esz42P8fuDfKDxEK0KzwpzK54LmEErgwvjf6Hn5hxlI=
AllowedIPs = 192.168.2.2/32
```
Save the file and we can set it up to work on server boot.
You can test now: connect to the server from the client. If you want to add more clients, just add a new [Peer] with another set of keys.
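As an added example (not part of the original post), here is a small Python checker that parses both .conf files the way wg-quick reads them and verifies the pairing described above: the client’s Address must sit inside exactly one server [Peer] AllowedIPs, the Endpoint port must match the server’s ListenPort, and every key must be a 32-byte base64 value. The embedded configs are this post’s own, trimmed to the keys the checks need.

```python
import base64, ipaddress
SERVER_CONF = """[Interface]
PrivateKey = YB1LOPPwg1SrDjCdbZ94AD5Pa2xG0xbHLk0Q8XXJDWA=
ListenPort = 51820
[Peer]
# Name = Andrei Zvonimir's iPhone 11
PublicKey = Esz42P8fuDfKDxEK0KzwpzK54LmEErgwvjf6Hn5hxlI=
AllowedIPs = 192.168.2.2/32"""
CLIENT_CONF = """[Interface]
PrivateKey = 4H+4yv74PlXJ4DnsU2BqMQh8bfKxk0CemWhBPzfK1X4=
Address = 192.168.2.2/32
[Peer]
PublicKey = y7iU+GDrLqsz4Unu1Xsg7Ae7LT3TgHeMZzWoy3RhCAo=
AllowedIPs = 192.168.2.0/24
Endpoint = 10.10.10.10:51820"""
def parse_wg_conf(text):
    """wg-quick INI -> {'Interface': {...}, 'Peer': [...]}; configparser rejects repeated [Peer]."""
    conf, section = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if line == "[Peer]":
            section = {}
            conf["Peer"].append(section)
        elif line == "[Interface]":
            section = conf["Interface"]
        elif line:                                    # split on the FIRST '=' only:
            key, _, value = line.partition("=")      # base64 keys end with '=' too
            section[key.strip()] = value.strip()
    return conf
def valid_key(b64):                                   # a WireGuard key is 32 bytes, base64 (44 chars)
    try:
        return len(base64.b64decode(b64 or "", validate=True)) == 32
    except ValueError:                                # binascii.Error is a ValueError
        return False
def check_pair(server_text, client_text):
    srv, cli = parse_wg_conf(server_text), parse_wg_conf(client_text)
    keys = [c["Interface"].get("PrivateKey") for c in (srv, cli)]
    keys += [p.get("PublicKey") for p in srv["Peer"] + cli["Peer"]]
    problems = [f"malformed key {k!r}" for k in keys if not valid_key(k)]
    # The client's Address must fall inside exactly one server [Peer] AllowedIPs (the /32).
    addr = ipaddress.ip_interface(cli["Interface"]["Address"]).ip
    hits = [p for p in srv["Peer"] if any(addr in ipaddress.ip_network(n.strip(), strict=False)
            for n in p.get("AllowedIPs", "").split(",") if n.strip())]
    if len(hits) != 1:
        problems.append(f"client address {addr} matches {len(hits)} server peers (want 1)")
    for peer in cli["Peer"]:                          # Endpoint port must be the server's ListenPort
        port = peer.get("Endpoint", "").rpartition(":")[2]
        if port != srv["Interface"].get("ListenPort"):
            problems.append(f"Endpoint port {port} != server ListenPort {srv['Interface'].get('ListenPort')}")
    return problems
```

Run `check_pair(SERVER_CONF, CLIENT_CONF)` after editing either file; an empty list means the two sides agree, and each string in a non-empty list names one mismatch to fix before bringing the tunnel up.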
If you want to know the status of your connection, you can check it with wg show on the server.
Installing on EdgeRouter X
You can also set it up on your EdgeRouter. First you need to install WireGuard. Start by ssh-ing into the router.
Next up is configuring the connection. You’ll need to generate new keys. You can do that anywhere:
This is the output for our client:
Once we have this we can configure our router!
The key located in peer is the server public key. Don’t forget to replace the private-key as well. Next up is firewall configuration:
And that’s it! The router is connected to your VPN.