Differences between revisions 1 and 3 (spanning 2 versions)
Revision 1 as of 2020-11-19 15:26:39
Size: 1788
Revision 3 as of 2021-06-29 19:10:25
Size: 1782
Line 9: Line 9:
== Linux Setup == == Setup ==
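Review bot: renaming the heading from "== Linux Setup ==" to "== Setup ==" drops the platform scope, yet the section under it still relies on Linux-specific pieces: iptables/ip6tables rules in PostUp and PostDown, the /etc/wireguard/wg0.conf path, and a systemd unit. Either keep "Linux" in the heading or add a one-line note under it that the steps assume a Linux host.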

WireGuard


Setup

Server

Open a shell on your remote machine and install wireguard-tools, which contains a set of CLI tools.

Generate a private/public pair of keys.

(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)

Create an interface file at /etc/wireguard/wg0.conf.

[Interface]
PrivateKey = <your remote private key here>
Address = 10.0.0.1/24, fdc9:281f:04d7:9ee9::1/64
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Peer 1
[Peer]
PublicKey = <your local public key here>
AllowedIPs = 10.0.0.2/32, fdc9:281f:04d7:9ee9::2/128

Test the configuration by running:

sudo wg-quick up wg0

For systemd-capable systems, set WireGuard to run persistently by starting and enabling wg-quick@wg0.service.

Peer 1

Install wireguard-tools and generate a pair of keys, as above.

Create an interface file at /etc/wireguard/wg0.conf.

[Interface]
PrivateKey = <your local private key here>
Address = 10.0.0.2/24, fdc9:281f:04d7:9ee9::2/64
ListenPort = <your local port number>

[Peer]
PublicKey = <your remote public key here>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <your remote host>
PersistentKeepalive = 25

The WireGuard interface can be brought up or taken down using:

wg-quick up wg0
wg-quick down wg0
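WireGuard drops packets from a peer whose source address is not covered by the AllowedIPs the server lists for that peer's public key, so the peer's Address and the server's AllowedIPs have to agree. The check below is an added example, not part of the original page; the function names, the placeholder key string and the sample configs (modelled on the ones above) are constructed for illustration.

```python
import ipaddress

def parse_conf(text):
    """Parse wg-quick INI text into a list of (section, {key: value}) pairs."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            sections[-1][1][key.strip()] = value.strip()
    return sections

def items(value):
    """Split a comma-separated config value, dropping empty entries."""
    return [v.strip() for v in value.split(",") if v.strip()]

def uncovered_addresses(server_conf, peer_conf, peer_pubkey):
    """Peer tunnel addresses outside the AllowedIPs the server lists for peer_pubkey."""
    allowed = [ipaddress.ip_network(n, strict=False)
               for name, kv in parse_conf(server_conf)
               if name == "Peer" and kv.get("PublicKey") == peer_pubkey
               for n in items(kv.get("AllowedIPs", ""))]
    local = [ipaddress.ip_interface(a).ip
             for name, kv in parse_conf(peer_conf) if name == "Interface"
             for a in items(kv.get("Address", ""))]
    return [str(a) for a in local if not any(a in n for n in allowed)]

# Constructed sample data; the key string is a placeholder, not a real key.
KEY = "PEER1_PUBLIC_KEY_PLACEHOLDER="
SERVER = """
[Interface]
Address = 10.0.0.1/24, fdc9:281f:04d7:9ee9::1/64
ListenPort = 51820
# Peer 1
[Peer]
PublicKey = PEER1_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.0.0.2/32, fdc9:281f:04d7:9ee9::2/128
"""
PEER_MISMATCHED = "[Interface]\nAddress = 10.0.0.2/24, fd86:ea04:1115::2/64\n"
PEER_MATCHING = "[Interface]\nAddress = 10.0.0.2/24, fdc9:281f:04d7:9ee9::2/64\n"

if __name__ == "__main__":
    print(uncovered_addresses(SERVER, PEER_MISMATCHED, KEY))
    print(uncovered_addresses(SERVER, PEER_MATCHING, KEY))
```

An empty list means every address the peer assigns itself is one the server will accept from that key; any address returned would be silently dropped on the server side.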



Encryption/WireGuard (last edited 2023-04-06 23:12:46 by DominicRicottone)