Note to self on setting up a WireGuard VPN service.
# Enable wireguard PPA (not required on Ubuntu Eoan)
sudo add-apt-repository ppa:wireguard/wireguard -y
sudo apt-get update -y
# Install dependencies and wireguard
sudo apt-get install linux-headers-$(uname -r) -y
sudo apt-get install wireguard -y
## IP Forwarding
sudo sed -i -e 's/#net.ipv4.ip_forward.*/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sudo sed -i -e 's/#net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g' /etc/sysctl.conf
sudo sysctl -p
## Firewall
sudo ufw allow 51820/udp
sudo ufw allow 22/tcp
sudo ufw enable
# Generate the server's private key; its output goes into the PrivateKey field of the config below
wg genkey
sudo vim /etc/wireguard/wg0.conf
Add the following to /etc/wireguard/wg0.conf
[Interface]
Address = 10.14.0.0/32
# eth0 below is the server's internet-facing interface; adjust if yours is named differently
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <output from wg genkey>
[Peer]
PublicKey = <from your client>
# This must match the Address in the client's configuration and fall in the subnet given by the 'Address' field of the [Interface] section above
AllowedIPs = 10.14.0.10/32
## WireGuard Service
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
On the client, use a configuration like this one.
[Interface]
PrivateKey = <client's private key, auto generated by most clients; else use 'wg genkey'>
Address = 10.14.0.10/32
DNS = <Your preferred DNS or router Gateway IP address>
[Peer]
PublicKey = <Server's public key; listed on running 'sudo wg' on the server, after setting up the server config as above, with a private key included>
AllowedIPs = ::/0, 0.0.0.0/0
# The port must match the server's ListenPort (and the ufw rule)
Endpoint = <server-dns-name>:51820
On the server, repeat the [Peer] section as needed, one for each additional client. Give each client a unique IP, ensuring the addresses fall in the subnet range provided in the server's Address field in the [Interface] section.
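As an added example (not part of the original note), a small Python checker that applies the consistency rules above to a server config and one client config: the client's Endpoint port must equal the server's ListenPort, some server [Peer] AllowedIPs entry must cover the client's Address, and that address must fall inside the subnet of the server's Address field. The sample configs and key placeholders are constructed; the constructed server uses a /24 Address so the subnet rule has room for several clients.

```python
import ipaddress
import re
def parse_wg_conf(text):
    """Parse an INI-style WireGuard config into [(section_name, {key: value}), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if re.fullmatch(r"\[\w+\]", line):
            sections.append((line[1:-1], {}))
            continue
        key, _, value = line.partition("=")          # base64 keys may end in '='
        sections[-1][1][key.strip()] = value.strip()
    return sections

def check_pair(server_conf, client_conf):
    """Return inconsistencies between a server config and one client config ([] if OK)."""
    problems = []
    srv, cli = parse_wg_conf(server_conf), parse_wg_conf(client_conf)
    srv_if = next(s for n, s in srv if n == "Interface")
    cli_if = next(s for n, s in cli if n == "Interface")
    cli_peer = next(s for n, s in cli if n == "Peer")
    # 1. The client's Endpoint port must equal the server's ListenPort (the ufw-opened port).
    ep_port = cli_peer["Endpoint"].rsplit(":", 1)[1]
    if ep_port != srv_if.get("ListenPort"):
        problems.append(f"Endpoint port {ep_port} != server ListenPort {srv_if.get('ListenPort')}")
    # 2. A server [Peer] AllowedIPs must cover the client address, else cryptokey routing drops it.
    cli_ip = ipaddress.ip_interface(cli_if["Address"]).ip
    peer_nets = [ipaddress.ip_network(a.strip()) for n, s in srv if n == "Peer"
                 for a in s["AllowedIPs"].split(",")]
    if not any(cli_ip in net for net in peer_nets):
        problems.append(f"no server [Peer] AllowedIPs covers client Address {cli_ip}")
    # 3. The client address must lie in the subnet of the server's Address field.
    srv_net = ipaddress.ip_interface(srv_if["Address"]).network
    if cli_ip not in srv_net:
        problems.append(f"client Address {cli_ip} is outside server subnet {srv_net}")
    return problems

# Constructed sample configs; <...> placeholders stand in for real keys.
SERVER_CONF = ("[Interface]\nAddress = 10.14.0.1/24\nListenPort = 51820\n"
               "PrivateKey = <server-private-key>\n[Peer]\n"
               "PublicKey = <client-public-key>\nAllowedIPs = 10.14.0.10/32\n")
CLIENT_CONF = ("[Interface]\nPrivateKey = <client-private-key>\nAddress = 10.14.0.10/32\n"
               "[Peer]\nPublicKey = <server-public-key>\nAllowedIPs = 0.0.0.0/0, ::/0\n"
               "Endpoint = vpn.example.test:51820\n")
if __name__ == "__main__":
    print(check_pair(SERVER_CONF, CLIENT_CONF))   # [] when the pair is consistent
```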