WireGuard
Installation
Install the wireguard and wireguard-tools packages from your package manager of choice.
Setup
FreeBSD Server
Use pf(4) to NAT traffic from the WireGuard network (wg0) out through the external interface. See pf.conf(5) for details on this basic configuration. The ruleset goes in the file named by pf_rules:
{{{
ext_if="genet0"
int_if="wg0"
private_net="{ 10.0.0.0/8 }"
nat on $ext_if from $private_net to any -> ($ext_if)
}}}
Enable WireGuard and pf in /etc/rc.conf:
{{{
wireguard_enable="YES"
wireguard_interfaces="wg0"
pf_enable="YES"
pf_rules="/usr/local/etc/pf.conf"
}}}
Linux Server
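Generate a private/public pair of keys. Set a restrictive umask first so the private key file is not readable by other users.
{{{
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
}}}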
Create an interface file at /etc/wireguard/wg0.conf.
{{{
[Interface]
PrivateKey = <your remote private key here>
Address = 10.0.0.1/24, fdc9:281f:04d7:9ee9::1/64
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Peer 1
[Peer]
PublicKey = <your local public key here>
AllowedIPs = 10.0.0.2/32, fdc9:281f:04d7:9ee9::2/128
}}}
Test the configuration by running:
{{{
sudo wg-quick up wg0
}}}
For systemd-capable systems, set WireGuard to run persistently by starting and enabling wg-quick@wg0.service.
Linux Peer
Generate a pair of keys, as above. Create an interface file at /etc/wireguard/wg0.conf.
{{{
[Interface]
PrivateKey = <your local private key here>
# The addresses must fall inside the AllowedIPs the server lists for this peer.
Address = 10.0.0.2/24, fdc9:281f:04d7:9ee9::2/64
ListenPort = <your local port number>

[Peer]
PublicKey = <your remote public key here>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <your remote host>
PersistentKeepalive = 25
}}}
wg0, the WireGuard interface, can be set live or killed using:
{{{
wg-quick up wg0
wg-quick down wg0
}}}
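A WireGuard server only accepts packets from a peer whose source address falls inside that peer's AllowedIPs, so each peer's Address has to agree with the server-side [Peer] entry. The check below is an added example, not part of the original page; the function names, the placeholder key string and the sample configs are constructed for illustration.

```python
import ipaddress

def parse_wg(text):
    """Parse wg-quick style text into a list of (section, {key: [values]})."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # values may contain '=', split once
            items = [v.strip() for v in value.split(",")]
            sections[-1][1].setdefault(key.strip(), []).extend(items)
    return sections

def uncovered_addresses(server_conf, peer_conf, peer_pubkey):
    """Peer tunnel addresses not covered by the server's AllowedIPs for that key."""
    allowed = [ipaddress.ip_network(a, strict=False)
               for name, kv in parse_wg(server_conf)
               if name == "Peer" and kv.get("PublicKey") == [peer_pubkey]
               for a in kv.get("AllowedIPs", [])]
    missing = []
    for name, kv in parse_wg(peer_conf):
        if name != "Interface":
            continue
        for addr in kv.get("Address", []):
            ip = ipaddress.ip_interface(addr).ip
            if not any(ip.version == n.version and ip in n for n in allowed):
                missing.append(str(ip))
    return missing

# Constructed sample input; the key string is a placeholder, not a real key.
KEY = "PEER1_PUBLIC_KEY_PLACEHOLDER"
SERVER = """
[Interface]
Address = 10.0.0.1/24, fdc9:281f:04d7:9ee9::1/64
ListenPort = 51820
[Peer]  # Peer 1
PublicKey = PEER1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32, fdc9:281f:04d7:9ee9::2/128
"""
PEER_BAD = "[Interface]\nAddress = 10.0.0.2/24, fd86:ea04:1115::2/64\n"
PEER_OK = "[Interface]\nAddress = 10.0.0.2/24, fdc9:281f:04d7:9ee9::2/64\n"

if __name__ == "__main__":
    for label, conf in (("mismatched", PEER_BAD), ("matching", PEER_OK)):
        print(label, uncovered_addresses(SERVER, conf, KEY))
```

An empty list means every address the peer assigns itself will be accepted by the server; any address returned would have its traffic silently dropped.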