This tutorial can be found online on a million different sites. What’s different about this one? It’s so simple it can’t fail. This is written mainly for my own reference and will be updated when I see that changes are needed.
Installing wireguard
You need to install WireGuard on both the client and the server. There are apps for all platforms. On iOS and macOS it's in the official Apple App Store, and on Ubuntu (<= 19.10) it's as simple as:
Server setup
You need some keys. Generate them with the following command:
This will create two files: privatekey and publickey. This is an example of these files:
privatekey:
publickey:
You don’t need the files, just the content.
Next up is the actual server configuration. This file will go through two iterations during this tutorial. Create a new file on the server - /etc/wireguard/wg0.conf.
My VPN server is going to have an IP of 192.168.2.1. Replace the private key with your own.
[Interface]
Address = 192.168.2.1
PrivateKey = YB1LOPPwg1SrDjCdbZ94AD5Pa2xG0xbHLk0Q8XXJDWA=
ListenPort = 51820
Save the file and continue on the client.
Client setup
Now run the same key-generation command on your client. You can run it on the server as well - it doesn't matter. Just make sure you don't overwrite the server's key files!
This is the output for our client:
privatekey:
publickey:
Now this gets plugged into the config file. Note that under [Interface] you use the client private key, and under [Peer] you use the server public key. My client will have the address 192.168.2.2.
Replace 10.10.10.10 with the IP of your server in Endpoint.
[Interface]
PrivateKey = 4H+4yv74PlXJ4DnsU2BqMQh8bfKxk0CemWhBPzfK1X4=
ListenPort = 21841
Address = 192.168.2.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = y7iU+GDrLqsz4Unu1Xsg7Ae7LT3TgHeMZzWoy3RhCAo=
AllowedIPs = 192.168.2.0/24
Endpoint = 10.10.10.10:51820
PersistentKeepalive = 25
Save the file and back to the server.
Last part
On the server, edit the /etc/sysctl.conf file and uncomment the following line:
net.ipv4.ip_forward=1
After this is done, open /etc/wireguard/wg0.conf and add a [Peer]. Enter the client's public key and set the correct IP (it has to be the same on the client and on the server under its peer).
I've also added the firewall rules here. Change the interface eth0 to the one you use for internet access. You can find it with ip link.
[Interface]
Address = 192.168.2.1
PrivateKey = YB1LOPPwg1SrDjCdbZ94AD5Pa2xG0xbHLk0Q8XXJDWA=
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# Name = Andrei Zvonimir's iPhone 11
PublicKey = Esz42P8fuDfKDxEK0KzwpzK54LmEErgwvjf6Hn5hxlI=
AllowedIPs = 192.168.2.2/32
Save the file and we can set it up to work on server boot.
You can test now: connect to the server from the client. If you want to add more clients, just add a new [Peer] with another set of keys.
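As an added example (not part of this tutorial), here is a small Python checker for the rule above: it parses wg-quick style configs, keeping repeated [Peer] sections apart, and confirms that the client's Address is claimed by exactly one server [Peer] in AllowedIPs and that the client's Endpoint port matches the server's ListenPort. The sample configs are constructed from the addresses above, with placeholder strings instead of real keys.

```python
import ipaddress
# Constructed sample pair (tutorial addresses and ports); key values are placeholders, not real keys.
SERVER_CONF = """[Interface]
Address = 192.168.2.1
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820
[Peer]
# Name = laptop
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.2.2/32
"""
CLIENT_CONF = """[Interface]
PrivateKey = LAPTOP_PRIVATE_KEY_PLACEHOLDER
Address = 192.168.2.2/32
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.2.0/24
Endpoint = 10.10.10.10:51820
"""
def parse_wg_conf(text: str) -> list[tuple[str, dict[str, str]]]:
    """Ordered (section, fields) pairs. [Peer] repeats, so configparser would merge them."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        key, _, value = line.partition("=")  # first '=' only: base64 keys end in '='
        fields, key, value = sections[-1][1], key.strip(), value.strip()
        fields[key] = f"{fields[key]}, {value}" if key in fields else value  # repeats join
    return sections

def audit(server_conf: str, client_conf: str) -> list[str]:
    """Mismatches between the server config and one client config; [] means consistent."""
    problems = []
    server, client = parse_wg_conf(server_conf), parse_wg_conf(client_conf)
    # Server-side AllowedIPs is the cryptokey routing table: the client's tunnel address must
    # be covered by exactly one [Peer], or its packets are dropped / go to the last claimant.
    client_addr = ipaddress.ip_interface(next(f for s, f in client if s == "Interface")["Address"]).ip
    owners = [f for s, f in server if s == "Peer" and any(
        client_addr in ipaddress.ip_network(n.strip(), strict=False) for n in f["AllowedIPs"].split(","))]
    if len(owners) != 1:
        problems.append(f"{client_addr} is claimed by {len(owners)} server peers (need exactly 1)")
    port = next(f for s, f in server if s == "Interface")["ListenPort"]
    if not next(f for s, f in client if s == "Peer")["Endpoint"].endswith(":" + port):
        problems.append("client Endpoint port does not match server ListenPort")
    return problems
```

Run audit() against your own wg0.conf and each client file before enabling the service; a non-empty list points at the exact mismatch.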
Status
If you want to know the status of your connection, run wg show on the server.
Installing on EdgeRouter X
You can also set it up on your EdgeRouter as well. First you need to install Wireguard. Start by ssh-ing into the router.
Next up is configuring the connection. You’ll need to generate new keys. You can do that anywhere:
This is the output for our client:
privatekey:
publickey:
Once we have this we can configure our router!
The key located in peer is the server public key. Don't forget to replace the private-key as well. Next up is the firewall configuration:
And that’s it! The router is connected to your VPN.