Wireguard Setup
Introduction
This walks you through setting up WireGuard. It is focused on a traditional server/client VPN structure; however, if you understand how it works you can build other configurations.
Good unofficial docs: the Arch wiki has good info, but I had issues with their configs.
Understanding AllowedIPs
This is a confusing option, since it seems to mean two things depending on whether you are looking at the client or the server. Really it is one thing (WireGuard's cryptokey routing table), but it is complicated.
On the client, under [Peer], AllowedIPs is the set of destination IPs that will be routed through this WireGuard tunnel.
On the server, it is the set of IPs that the client is allowed to use as its source addresses inside the tunnel.
net.ipv4.ip_forward
Sometimes it is necessary to enable this to actually reach devices on the remote LAN. Temporarily enable it with this command:
sysctl -w net.ipv4.ip_forward=1
Permanently enable it by adding a file /etc/sysctl.d/98-wireguard.conf (the name is just for organization purposes) with the contents:
net.ipv4.ip_forward=1
Client config
[Interface]
Address = 192.168.30.12/24  # IP you want the client to have; corresponds to the server's AllowedIPs for this peer, but notice the different CIDR
PrivateKey = [key content]
[Peer]
PublicKey = [key content]
PresharedKey = [key content]  # Optional - generate with wg genpsk
AllowedIPs = 192.168.0.0/16  # See above: destinations routed through the tunnel
Endpoint = [Server IP]:51820  # Server IP with the port to connect on
PersistentKeepalive = 25
Server config
[Interface]
Address = 192.168.30.1/24  # VPN gateway and subnet
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE  # Replace enp4s0 with your interface
ListenPort = 51820
PrivateKey = [key content]
[Peer]
# Nickname
AllowedIPs = 192.168.30.12/32  # IP you want the client to have
PublicKey = [key content]
PresharedKey = [key content]  # Optional - generate with wg genpsk
PersistentKeepalive = 25
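To see the AllowedIPs relationship from the section above in code, here is an added example (not part of this guide) that parses wg-quick style client and server files and cross-checks them the way a reviewer would before deploying; the key values and the 203.0.113.1 endpoint in the sample pair are constructed placeholders.

```python
# Added example, not from the original guide: parse wg-quick style configs and
# cross-check the AllowedIPs / Address relationship described above.
import ipaddress
import re

def parse_wg(text):
    """INI-style parser: '#' comments dropped, keys lower-cased, [Peer]s kept in order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            sections.append({"section": head.group(1)})
        else:
            key, _, value = line.partition("=")
            sections[-1][key.strip().lower()] = value.strip()
    return sections

def _nets(value):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]

def check_pair(client_text, server_text):
    """Return a list of findings; an empty list means the client/server pair is consistent."""
    client, server = parse_wg(client_text), parse_wg(server_text)
    c_iface = next(s for s in client if s["section"] == "Interface")
    c_peer = next(s for s in client if s["section"] == "Peer")
    s_iface = next(s for s in server if s["section"] == "Interface")
    s_peers = [s for s in server if s["section"] == "Peer"]
    client_ip = ipaddress.ip_interface(c_iface["address"]).ip
    server_ip = ipaddress.ip_interface(s_iface["address"]).ip
    findings = []
    # Server side: AllowedIPs is the source a peer may use; one address belongs to one peer only.
    owners = [p for p in s_peers if any(client_ip in n for n in _nets(p["allowedips"]))]
    if not owners:
        findings.append(f"no server [Peer] allows source {client_ip}; its packets are dropped")
    elif len(owners) > 1:
        findings.append(f"{client_ip} is claimed by {len(owners)} server peers")
    elif any(n.prefixlen != n.max_prefixlen for n in _nets(owners[0]["allowedips"])):
        findings.append("server peer AllowedIPs is wider than a /32 host route (only if a LAN sits behind the client)")
    # Client side: AllowedIPs is what gets routed into the tunnel, so it must cover the server.
    if not any(server_ip in n for n in _nets(c_peer["allowedips"])):
        findings.append(f"client AllowedIPs does not route server address {server_ip}")
    return findings

# Constructed sample pair mirroring the guide's configs (key values and endpoint are placeholders).
CLIENT = "[Interface]\nAddress = 192.168.30.12/24\nPrivateKey = CLIENT_PRIV\n[Peer]\nPublicKey = SERVER_PUB\nAllowedIPs = 192.168.0.0/16\nEndpoint = 203.0.113.1:51820\n"
SERVER = "[Interface]\nAddress = 192.168.30.1/24\nListenPort = 51820\nPrivateKey = SERVER_PRIV\n[Peer]\n# laptop\nAllowedIPs = 192.168.30.12/32\nPublicKey = CLIENT_PUB\n"
```

Run check_pair(CLIENT, SERVER) against your own files; an empty list means the client address, the server's per-peer /32 and the client's routed range all agree.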