I’ve extracted what I needed to do from the clearest article I found on setting up WireGuard - How To Set Up WireGuard on Ubuntu 22.04 | DigitalOcean
Server
Install WireGuard & Extras
sudo apt update
sudo apt install ufw wireguard wireguard-tools
Generate Public & Private Key
Private Key
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
Public Key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
Create WireGuard Server Configuration File
Create a WireGuard configuration file at /etc/wireguard/wg0.conf
.
[Interface]
PrivateKey = <private-key-goes-here>
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = true
Enable IP Forwarding
Uncomment the below line in /etc/sysctl.conf
.
net.ipv4.ip_forward=1
Reload sysctl.
sudo sysctl -p
Update WireGuard Server Configuration with Firewall Rules
Add the below rules to your wg0.conf
, and make sure that eth0
is your primary network interface’s name.
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Open Up Firewall Ports
sudo ufw allow 51820/udp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable
Start WireGuard on the Server
The server’s wg0.conf
should now look like the below.
[Interface]
PrivateKey = <private-key-goes-here>
Address = 10.8.0.1/24
ListenPort = 51820
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = true
You can now start it using systemd
.
sudo systemctl enable --now wg-quick@wg0.service
Peer
Install WireGuard
Install WireGuard on the peer.
Generate Public & Private Key
Private Key
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
Public Key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
Create WireGuard Server Configuration File
Create a WireGuard configuration file at /etc/wireguard/wg0.conf
.
[Interface]
PrivateKey = <peer-private-key>
Address = 10.8.0.2/24
DNS = 10.19.90.5
[Peer]
PublicKey = <servers-public-key>
AllowedIPs = 10.8.0.0/24
Endpoint = <server-ip-or-hostname>:51820
Add Peer’s Public Key to WireGuard Server
Copy the contents of the peer’s public key.
sudo cat /etc/wireguard/public.key
Then from the WireGuard server, run the following.
sudo wg set wg0 peer <peers-public-key> allowed-ips 10.8.0.2
Restart the WireGuard service if running, and then check the peer has been added, either by cat /etc/wireguard/wg0.conf
or wg show
.
Connect from Peer to Server
On the peer, you can bring the WireGuard tunnel up, by running wg-quick
.
wg-quick up wg0
To bring the tunnel down, run the below.
wg-quick down wg0