Note: Tested on Debian!
Server >
Run as root
sudo -i
Enable IP forwarding (not port forwarding: the server has to route packets between wg0 and its uplink, which the kernel refuses to do by default)
vi /etc/sysctl.d/70-wireguard-routing.conf
# Add: net.ipv4.ip_forward=1
sysctl -p /etc/sysctl.d/70-wireguard-routing.conf # you are already root here, no sudo needed
Install WireGuard
apt update -y && apt install wireguard -y
Generate keys (the umask makes private.key readable by root only; the private key never leaves this machine, only public.key is shared)
cd /etc/wireguard/
umask 077; wg genkey | tee private.key | wg pubkey > public.key
Create the config
vi wg0.conf
Add the following content:
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = [Server private key from private.key]
# eth0 must be the server's uplink interface (find it with: ip route show default); MASQUERADE is what gives clients internet access through the server
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# Client public key
PublicKey = [Client public key (generated on the client side) content from public.key]
# Keep this a /32: the server only accepts packets from this key when they come from this one address, so one client cannot spoof another
AllowedIPs = 10.0.0.2/32
To add another client, add another [Peer] section like the following (one section per client, each with its own key pair and its own address):
[Peer]
# Client 2 public key
PublicKey = [Client 2 public key (generated on the client side) content from public.key]
AllowedIPs = 10.0.0.3/32 # must be different from every other peer's address
Start WireGuard
wg-quick up wg0
Stop WireGuard (when you want to stop it)
wg-quick down wg0
Open the port in the firewall (if you use ufw)
ufw allow 22/tcp # allow SSH before enabling ufw, otherwise you can lock yourself out of the server
ufw allow 51820/udp # the WireGuard ListenPort
ufw enable
ufw status
Client >
Run as root
sudo -i
Install WireGuard (same as on the server)
Generate keys (same as on the server; the client gets its own key pair, and its private key stays on the client)
Create the config (same as on the server: /etc/wireguard/wg0.conf)
Add the following content:
[Interface]
PrivateKey = [Client private key from private.key]
Address = 10.0.0.2/24 # must match this client's AllowedIPs on the server
DNS = 1.1.1.1 # resolver used while the tunnel is up; wg-quick needs the resolvconf command for this line (package resolvconf or openresolv on Debian)
[Peer]
# Server public key
PublicKey = [Server public key (generated on the server side) content from public.key]
AllowedIPs = 0.0.0.0/0 # full tunnel: all IPv4 traffic goes through the server; use 10.0.0.0/24 instead to reach only the VPN network
Endpoint = [serverIpAddress:serverPort]
PersistentKeepalive = 15 # keeps the NAT mapping open when the client is behind NAT; not needed otherwise
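Added example, not part of the original guide: a POSIX shell script that renders the server wg0.conf from above and the matching client config from one set of variables, so every peer's /32 on the server and the Address on that client stay in sync, and rejects keys that are not in WireGuard's 44-character base64 form. The keys are constructed placeholders (base64 of 32-byte ASCII strings, not real keys), 203.0.113.10 is a placeholder server address and eth0 is assumed to be the uplink; generate real keys with wg genkey as shown above.

```sh
#!/bin/sh
# Added example, not part of the original guide. Renders the server's wg0.conf
# and one client config per peer from shared variables, so that each peer's
# /32 AllowedIPs on the server matches the Address the client uses.
# All keys below are CONSTRUCTED placeholders (base64 of a 32-byte ASCII
# string); generate real ones with: umask 077; wg genkey | tee private.key | wg pubkey > public.key

WG_NET="10.0.0"     # tunnel /24; the server is .1, client N is .(N+1)
WG_PORT=51820
WAN_IF="eth0"       # assumption: replace with the uplink from `ip route show default`

# fake_key TEXT: constructed 44-char base64 "key" for offline use only.
fake_key() { printf '%s' "$1" | base64; }
SERVER_PRIV=$(fake_key 'server-private-key-placeholder00')
SERVER_PUB=$(fake_key 'server-public-key-placeholder-00')
CLIENT1_PRIV=$(fake_key 'client-1-private-key-placeholder')
CLIENT1_PUB=$(fake_key 'client-1-public-key-placeholder0')
CLIENT2_PUB=$(fake_key 'client-2-public-key-placeholder0')

# wg_key_ok KEY: a WireGuard key is 32 bytes in base64 = 43 chars plus '='.
wg_key_ok() {
    expr "$1" : '[A-Za-z0-9+/]\{43\}=$' >/dev/null
}

# peer_addr N: tunnel address of client N (1..253); .1 is the server.
peer_addr() {
    [ "$1" -ge 1 ] && [ "$1" -le 253 ] || return 1
    printf '%s.%d\n' "$WG_NET" $(( $1 + 1 ))
}

# render_server_conf SERVER_PRIV CLIENT_PUB...: server-side wg0.conf on stdout.
render_server_conf() {
    priv=$1; shift
    wg_key_ok "$priv" || { echo "render_server_conf: bad server key" >&2; return 1; }
    printf '[Interface]\nAddress = %s.1/24\nListenPort = %d\nPrivateKey = %s\n' \
        "$WG_NET" "$WG_PORT" "$priv"
    printf 'PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
    printf 'PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
    n=1
    for pub in "$@"; do
        wg_key_ok "$pub" || { echo "render_server_conf: bad key for client $n" >&2; return 1; }
        # One /32 per peer: WireGuard only accepts packets from this key whose
        # source is this address, so a client cannot impersonate another one.
        printf '\n[Peer]\n# client %d\nPublicKey = %s\nAllowedIPs = %s/32\n' \
            "$n" "$pub" "$(peer_addr "$n")"
        n=$((n + 1))
    done
}

# render_client_conf CLIENT_PRIV N SERVER_PUB ENDPOINT: client N's config on stdout.
render_client_conf() {
    wg_key_ok "$1" && wg_key_ok "$3" || { echo "render_client_conf: bad key" >&2; return 1; }
    addr=$(peer_addr "$2") || { echo "render_client_conf: bad client number $2" >&2; return 1; }
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\nDNS = 1.1.1.1\n' "$1" "$addr"
    # 0.0.0.0/0 sends all IPv4 traffic through the tunnel (full tunnel).
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s\nPersistentKeepalive = 15\n' \
        "$3" "$4"
}

# Demo: print both sides. For real use, redirect into /etc/wireguard/wg0.conf
# on each machine with umask 077 so the file (and its private key) is root-only.
render_server_conf "$SERVER_PRIV" "$CLIENT1_PUB" "$CLIENT2_PUB"
echo '----- client 1 (203.0.113.10 is a placeholder server address) -----'
render_client_conf "$CLIENT1_PRIV" 1 "$SERVER_PUB" "203.0.113.10:$WG_PORT"
```

Each client gets its own key pair and its own number; the server config is regenerated with the full list of public keys whenever a client is added, which is simpler and less error-prone than hand-editing a growing list of [Peer] sections with the same /32 by mistake.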
Start WireGuard (same as on the server: wg-quick up wg0)
Stop WireGuard (same as on the server: wg-quick down wg0)
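Added example, not part of the original guide: once wg-quick up wg0 has run on both sides, a check that the tunnel actually came up. It parses the machine-readable output of wg show wg0 dump and lists every peer that has never completed a handshake or whose last handshake is older than a threshold; a peer that never handshakes usually means a mismatched key, a UDP port blocked by the firewall, or a wrong Endpoint. The dump embedded in the script is a constructed sample (fake key names, 198.51.100.x placeholder endpoints) so the parser runs without a live interface; the check_iface wrapper is the part you run on a real machine.

```sh
#!/bin/sh
# Added example, not part of the original guide. After `wg-quick up wg0` on both
# sides, confirm the tunnel is really up by looking at handshake times.
#
# `wg show <iface> dump` prints tab-separated lines: first the interface
# (private-key, public-key, listen-port, fwmark), then one line per peer:
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake
# (unix seconds, 0 = never), transfer-rx, transfer-tx, persistent-keepalive.

# stale_peers DUMP NOW MAX_AGE: print "<pubkey> never" or "<pubkey> stale <age>s"
# for every peer whose last handshake is missing or older than MAX_AGE seconds.
stale_peers() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" -v max="$3" '
        NR == 1        { next }                          # interface line
        $5 == 0        { print $1, "never"; next }
        now - $5 > max { print $1, "stale", now - $5 "s" }
    '
}

# check_iface IFACE [MAX_AGE]: live check (needs root and wg(8)). Exit 0 when all
# peers are fresh, 1 with the offending peers listed, 2 if wg could not be read.
# While traffic (including keepalives) flows, WireGuard re-handshakes about every
# 2 minutes, so 180 s is a sensible default; an idle peer without
# PersistentKeepalive will legitimately show an old handshake.
check_iface() {
    dump=$(wg show "$1" dump) || return 2
    out=$(stale_peers "$dump" "$(date +%s)" "${2:-180}")
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

# Constructed sample dump (fake key names, 198.51.100.x placeholder endpoints)
# so the parser can be exercised without a running interface: peer 1 handshaked
# 30 s ago, peer 2 never, peer 3 one hour ago.
NOW=1700000000
SAMPLE_DUMP=$(printf '(none)\t%s\t51820\toff\n%s\t(none)\t198.51.100.7:41414\t10.0.0.2/32\t%d\t1024\t2048\toff\n%s\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff\n%s\t(none)\t198.51.100.9:52000\t10.0.0.4/32\t%d\t512\t512\t15\n' \
    SERVER_PUBKEY PEER1_PUBKEY "$((NOW - 30))" PEER2_PUBKEY PEER3_PUBKEY "$((NOW - 3600))")

# Demo on the sample: prints PEER2_PUBKEY (never) and PEER3_PUBKEY (stale).
stale_peers "$SAMPLE_DUMP" "$NOW" 180
```

On a real machine run check_iface wg0 as root on the server to see which clients are connected, and on the client to confirm the server answered. On the client, a second check that traffic really uses the tunnel is ip route get 1.1.1.1, which should name wg0 as the outgoing device when AllowedIPs is 0.0.0.0/0.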