
Wireguard
Last Updated 5 years ago

WireGuard is an extremely simple, yet fast and modern VPN that uses state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than the alternatives, and it has been described by many experts as likely the most secure VPN solution in existence. Originally developed on Linux, it now runs on the same principles on Windows, macOS, BSD, iOS, and Android.

In this example we configure Wireguard on a Linux server with 3 peers (remote clients), which shows how it works with one or multiple peers.

Our Wireguard VPN will use the IP range 10.10.10.0/24; the server's tunnel address will be 10.10.10.1, which is separate from the server's day-to-day LAN address of 10.10.0.254.

If your Wireguard server is behind NAT, don't forget to port forward UDP 51820 to the internal server running Wireguard, and adjust that server's firewall accordingly.

It is also imperative that each server and peer has a unique key pair: do not re-use keys (or IPs), and keep the private keys secret and secure.


Generate Key Pairs

Wireguard works with key pairs rather than passwords or passphrases, similar to how SSH works.

The first thing you need to do is generate the server's key pair. Because these are just key pairs, they can be generated on any device, as long as the private key ends up only on the host it belongs to and the public key on the other side (just like SSH keys). Run umask 077 first so the key files are created readable only by you.

wg genkey | tee sprivate.key | wg pubkey > spublic.key

cat sprivate.key
ULPpNIq+AlnCqf0wSh55Fi+r7SMuzDtmPagkfSneDGc=

cat spublic.key
3Ai06Mul3VVaiiwBxFbvmcDdKlcC/RQgGl7xPi98NEQ=

Remember: the server's private key stays on the server, and its public key goes into each peer's (remote client's) config.


Next we generate each peer's key pair. As touched on above, it's simpler and faster to do this on the server, and more convenient too, since we can then create all the peer config files and send them over securely. Give each file a unique name to avoid overwriting any existing keys, especially your own.

wg genkey | tee peer1.pvt | wg pubkey > peer1.pub

cat peer1.pvt
2LWcUUALoJWSlTvvsBA8QHQI7+rNe427kYLvwYAu31M=

cat peer1.pub
yt0Y/rkoJ+qeQweyFqe4Mevgce3jKdqtXR/g7uiXvhg=


wg genkey | tee peer2.pvt | wg pubkey > peer2.pub

cat peer2.pvt
0M4CzD3/WeOjG6R8O/n/JTgrI649GgdfK9yjlmwKanI=

cat peer2.pub
VCEb564h21B6txLr33WTNCfMcCTE+ehJjcvQCX2dMRw=


wg genkey | tee peer3.pvt | wg pubkey > peer3.pub

cat peer3.pvt
eIW7e4nZ5NFOxFym6ZdVWVWNJgsQbHcAnoUWh3lpg2o=

cat peer3.pub
06oo2+ypKCzddV0kUAUH71a5+TxR58fdidi7Gw2mNiY=

...and so on...


Creating the Server's Config File

To create the server config file that will act as the default route for all of your VPN peers (10.10.10.0/24), giving them access to the LAN and the Internet, create and edit /etc/wireguard/wg0.conf using this [Interface] example (eth0 here is the server's outbound interface; change it to match yours):

[Interface]
Address = 10.10.10.1/24
PrivateKey = ULPpNIq+AlnCqf0wSh55Fi+r7SMuzDtmPagkfSneDGc=
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE


If you're in a corporate world, you might only want to let some of your peers default route through you, e.g. the management team, with all other staff accessing only the corporate Intranet. In that case assign them a different subnet. In the example below, 10.10.10.0/25 (10.10.10.1-127) can route anywhere over the VPN, but 10.10.10.128/25 (10.10.10.128-255) can only reach the Intranet LAN. To complete the restriction, replace the PostUp and PostDown POSTROUTING lines above with:

PostUp = iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.128/25 -d 10.10.0.0/24 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o eth0 ! -s 10.10.10.128/25 -d 0.0.0.0/0 -j MASQUERADE

PostDown = iptables -t nat -D POSTROUTING -o eth0 -s 10.10.10.128/25 -d 10.10.0.0/24 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 ! -s 10.10.10.128/25 -d 0.0.0.0/0 -j MASQUERADE

This way, if a general staffer tries to use the corporate LAN for their normal Internet traffic, it will fail. Note that these rules only withhold NAT; the FORWARD rules above still pass such packets, so for a hard block also add a FORWARD rule that drops traffic from 10.10.10.128/25 to any destination other than 10.10.0.0/24.

Next configure the server's [Peer] sections. You can have as many peer entries as you want; place each peer's public key and the IP you assigned to it here. I suggest adding a comment line too, so you know which is which.

[Peer]
#Peer1
PublicKey = yt0Y/rkoJ+qeQweyFqe4Mevgce3jKdqtXR/g7uiXvhg=
AllowedIPs = 10.10.10.2/32

[Peer]
#Peer2
PublicKey = VCEb564h21B6txLr33WTNCfMcCTE+ehJjcvQCX2dMRw=
AllowedIPs = 10.10.10.3/32

[Peer]
#Peer3
PublicKey = 06oo2+ypKCzddV0kUAUH71a5+TxR58fdidi7Gw2mNiY=
AllowedIPs = 10.10.10.4/32


Note that in the server's [Peer] section, AllowedIPs is the source address accepted from this peer and the destination routed to it. If a peer presents a different tunnel address, the server drops the traffic and nothing reaches them.

That's all the configuring we need to do on the server.


Creating the Remote Peers' Config Files

Next we need to create each peer's /etc/wireguard/wg0.conf

* As touched on earlier, we can do this on the server. In that case call them peer1.conf, peer2.conf, etc. (this ensures you don't overwrite the server's or another peer's conf), and when you pass the configs to Linux users, have them rename the file to wg0.conf on their system. Windows and mobile users can simply start Wireguard and import the file.

* The peer's [Interface] PrivateKey is the peer's own private key, and the [Peer] PublicKey is the server's public key. We also tell the client which DNS server to use.

* The AllowedIPs option in the peer's [Peer] section sets what traffic the client sends over the VPN. Here we use 0.0.0.0/0, which means all IPv4 traffic is routed over Wireguard, and ::/0, which means all IPv6 traffic too. If we only want to use the VPN for one LAN (e.g. the work network), we would put its IP/mask there instead, and no other traffic will use Wireguard. In such cases you may not want the DNS setting either; that is going to be trial and error.

Moving along, we are going to route everything over Wireguard on the peers, so we use:

[Interface]
Address = 10.10.10.2/24
DNS = 9.9.9.9
PrivateKey = 2LWcUUALoJWSlTvvsBA8QHQI7+rNe427kYLvwYAu31M=

[Peer]
PublicKey = 3Ai06Mul3VVaiiwBxFbvmcDdKlcC/RQgGl7xPi98NEQ=
Endpoint = vpn.server.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 30

That's it, send the peer config over to the peer to use, or for Windows/mobile users to import.
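As an added worked example (not part of this FAQ), the following POSIX sh script turns keys you generated as above into the peer config just shown and the matching server [Peer] entry. It assumes the addresses, the endpoint vpn.server.net:51820 and the DNS server from this FAQ, and numbers peer N as 10.10.10.(N+1) like the entries above.

```shell
#!/bin/sh
# Added example, not part of the original FAQ: build a peer's wg0.conf and the matching
# server [Peer] entry from keys already produced with "wg genkey | tee ... | wg pubkey".
# Assumes the FAQ's layout: tunnel range 10.10.10.0/24, server at .1, peer N at .N+1,
# endpoint vpn.server.net:51820 and DNS 9.9.9.9 (all taken from the FAQ above).

SERVER_PUB='3Ai06Mul3VVaiiwBxFbvmcDdKlcC/RQgGl7xPi98NEQ='   # server public key from the FAQ
ENDPOINT='vpn.server.net:51820'
DNS='9.9.9.9'

# peer_addr N -> tunnel address of peer N (peer1 = 10.10.10.2 ...). Fails for N outside
# 1..253 so two peers can never be handed the same or an invalid address.
peer_addr() {
    [ "$1" -ge 1 ] && [ "$1" -le 253 ] || return 1
    echo "10.10.10.$(($1 + 1))"
}

# peer_conf N PEER_PRIVATE_KEY [ALLOWED_IPS] -> the client's wg0.conf on stdout.
# ALLOWED_IPS defaults to everything (full tunnel); pass e.g. "10.10.0.0/24" for a
# split tunnel that only sends traffic for the work LAN through WireGuard.
peer_conf() {
    addr=$(peer_addr "$1") || return 1
    allowed=${3:-"0.0.0.0/0, ::/0"}
    printf '[Interface]\nAddress = %s/24\nDNS = %s\nPrivateKey = %s\n\n' "$addr" "$DNS" "$2"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 30\n' \
        "$SERVER_PUB" "$ENDPOINT" "$allowed"
}

# server_peer_entry N PEER_PUBLIC_KEY -> the [Peer] block to append to the server's
# wg0.conf. AllowedIPs is the single /32: the server only accepts and routes that
# address for this key, which is what stops one peer from impersonating another.
server_peer_entry() {
    addr=$(peer_addr "$1") || return 1
    printf '[Peer]\n#Peer%s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$addr"
}

# write_peer N PRIVATE_KEY PUBLIC_KEY -> writes peerN.conf (owner-only, it holds a
# private key) and prints the server-side entry so you can append it to wg0.conf.
# Typical use on the server:
#   write_peer 2 "$(cat peer2.pvt)" "$(cat peer2.pub)" >> /etc/wireguard/wg0.conf
write_peer() {
    umask 077
    peer_conf "$1" "$2" > "peer$1.conf" || return 1
    server_peer_entry "$1" "$3"
}
```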


I recommend using qrencode on Linux to create a QR code for mobiles; it's super fast and no fuss. Take each mobile device peer's config and run, e.g. for peer2:

qrencode -r peer2.conf -l H -o peer2.png

All they need to do is scan the image and they're done.



Start/Stop Wireguard on Linux 

wg-quick up wg0 
wg-quick down wg0 

If using Slackware, I provide an rc.d and /etc/default scripts in download attachments (top right)

Reloading Config on Linux 

Warning: The only method I recommend is to edit your conf file and restart Wireguard; this way you won't destroy any existing configs or remove comments. If you need to make substantial changes, back up first :)


To reload a running VPN after adding or deleting peers, you have a couple of choices.

The following methods will wipe out any comments you leave in the file, including those identifying each peer, so I really don't recommend them. But if you're feeling game, before using either, back up your wg0.conf somewhere safe and add "SaveConfig = true" to the server's [Interface] section.

To add a peer and reload without stopping, edit wg0.conf, then (wg addconf only adds; use wg syncconf in its place if you also removed peers):

wg addconf wg0 <(wg-quick strip wg0)
wg-quick save wg0

The <( ) construct is bash process substitution, so run this from bash, or write the output of wg-quick strip to a temporary file first and pass that instead.

The second alternative is to add a peer on the fly using wg itself:

wg set wg0 peer CLIENTS_PUBLIC_KEY allowed-ips 10.10.10.5/32
wg-quick save wg0



Verify Connections...

wg show

peer: Peer #1
  endpoint: 1.129.7.103:50074
  allowed ips: 10.10.10.2/32
  latest handshake: 4 minutes, 16 seconds ago
  transfer: 57.58 KiB received, 113.32 KiB sent

peer: Peer #2
  endpoint: 1.132.10.6:36770
  allowed ips: 10.10.10.3/32
  latest handshake: 5 minutes, 30 seconds ago
  transfer: 92.98 KiB received, 495.89 KiB sent
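Beyond eyeballing wg show, a defender usually wants the stale peers flagged automatically. The script below is an added example (not part of this FAQ) that reads the machine-readable "wg show wg0 latest-handshakes" output and lists peers that have not handshaked within a threshold; the 300-second threshold and the sample timestamps are assumptions, the public keys are the three peers from this FAQ.

```shell
#!/bin/sh
# Added example, not part of the original FAQ: list peers whose last handshake is older
# than a threshold. It reads "wg show wg0 latest-handshakes", which prints one line per
# peer as "<public-key> <unix-timestamp>" (tab separated; 0 means no handshake ever).
# A client with PersistentKeepalive = 30 and live traffic re-handshakes roughly every two
# minutes, so a peer silent for 5 minutes (300 s, an assumed threshold) is either switched
# off or worth a look; a key that never handshakes may be one you can revoke.

# stale_peers LIMIT_SECONDS NOW_EPOCH  (reads latest-handshakes lines on stdin)
# Prints "<public-key> <age-in-seconds>" or "<public-key> never" for each stale peer.
stale_peers() {
    awk -v limit="$1" -v now="$2" '
        NF >= 2 && $2 == 0          { print $1, "never"; next }   # never completed a handshake
        NF >= 2 && now - $2 > limit { print $1, now - $2 }        # handshake older than limit
    '
}

# Constructed sample output (public keys are the three peers from this FAQ; the
# timestamps are made up): peer1 256 s ago, peer2 330 s ago, peer3 never.
SAMPLE='yt0Y/rkoJ+qeQweyFqe4Mevgce3jKdqtXR/g7uiXvhg= 1700000000
VCEb564h21B6txLr33WTNCfMcCTE+ehJjcvQCX2dMRw= 1699999926
06oo2+ypKCzddV0kUAUH71a5+TxR58fdidi7Gw2mNiY= 0'
NOW=1700000256

# demo_stale -> runs the check over the sample. On a real server use instead:
#   wg show wg0 latest-handshakes | stale_peers 300 "$(date +%s)"
demo_stale() {
    printf '%s\n' "$SAMPLE" | stale_peers 300 "$NOW"
}
```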


Installing Wireguard Client on Mobile Devices

This is as easy as going to your App store, installing it, and following the on-screen instructions. On Android (and I presume Apple) tapping the plus symbol offers a few ways to set up the tunnel: you can import from a file, e.g. the peer2.conf we created earlier, or, as mentioned above, scan a QR code. Whichever method you use, make sure you pass it on securely and have them delete the transferred file or code immediately after confirming setup, since it contains the private key. To run, open the app and select your VPN.

* Word of caution: if you restart your device, on Android at least, Wireguard starts automatically, so you'll need to tap it to Disconnect if this is not desired (e.g. on your home or employer's network).


Installing Wireguard on Windows 10 or MacOS

Download Wireguard and install it. As above, send the peer3.conf file to your Windows PC user, again securely, e.g. secure file copy, USB key, or a secure corporate network file share. Run Wireguard, click on Import tunnel from file, and select peer3.conf.



Start/Stop Wireguard Win/Mobile

On Windows, run Wireguard from the desktop icon and click Activate.

On mobile, run the Wireguard app and tap the slide button so it turns blue.

To stop, click on the respective icons and disable.


Congrats

Now you should be up and running with the best privacy available when using public Internet connections/hotspots.

Lastly, I hope it doesn't need saying, but all the keys used here in these examples, although actually generated for the strict purpose of these examples, are not, never have been, and never will be, in use on my Wireguard network ;)
