WireGuard Setup

Introduction

This walks you through setting up WireGuard. It is focused on the traditional server/client VPN layout, but once you understand how the pieces fit (keys, AllowedIPs, forwarding) the same rules give you other topologies.

Good unofficial docs: the Arch wiki. Good info, but I had issues with their configs.

Understanding AllowedIPs

This option looks confusing because it seems to mean one thing on the client and another on the server. It is really a single rule, applied on both sides: for each [Peer], AllowedIPs is the set of addresses that peer is allowed to own. Outbound, a packet is handed to the peer whose AllowedIPs contains the destination (longest matching prefix wins; no match means the packet is dropped). Inbound, a packet that decrypts under a peer's key is accepted only if its source address is inside that peer's AllowedIPs; otherwise it is silently dropped. So on the client, under [Peer], AllowedIPs is the set of destinations that will be routed through the tunnel to the server. On the server, each client's [Peer] AllowedIPs is the address (or addresses) that client is allowed to use, and the server discards anything else that client sends, which is what stops one client from spoofing another's VPN address.
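The rule above as code. This is an added illustration, not WireGuard's implementation: the peer tables are constructed for the example, and the two functions model what the kernel's cryptokey routing does on egress and ingress.

```python
"""Model of WireGuard cryptokey routing: AllowedIPs is one table used in two directions.
Added example; the peer tables are constructed and the code is not WireGuard's own."""
from ipaddress import ip_address, ip_network

# Server side: one entry per client [Peer]. "office-router" fronts a LAN, so it owns a
# whole subnet; "lab-box" owns a more specific subnet inside it.
SERVER_PEERS = {
    "laptop":        ["192.168.30.12/32"],
    "phone":         ["192.168.30.13/32"],
    "office-router": ["192.168.30.20/32", "10.10.0.0/16"],
    "lab-box":       ["192.168.30.21/32", "10.10.99.0/24"],
}

# Client side: a single [Peer] (the server) that is allowed to own all of 192.168/16.
CLIENT_PEERS = {"server": ["192.168.0.0/16"]}


def route_outbound(peers, dst):
    """Egress: return the peer that receives a packet for dst.
    The longest matching AllowedIPs prefix wins; None means no peer owns the address,
    so WireGuard drops it (wg-quick would not even have routed it to the interface)."""
    dst = ip_address(dst)
    best_peer, best_net = None, None
    for peer, nets in peers.items():
        for net in map(ip_network, nets):
            if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_peer, best_net = peer, net
    return best_peer


def accept_inbound(peers, peer, src):
    """Ingress: a packet that decrypted under `peer`'s key is accepted only if its source
    address lies in that peer's AllowedIPs; anything else is silently dropped."""
    src = ip_address(src)
    return any(src in ip_network(net) for net in peers.get(peer, []))


if __name__ == "__main__":
    for dst in ("192.168.30.12", "10.10.5.1", "10.10.99.7", "192.168.30.99"):
        print(f"server -> {dst}: {route_outbound(SERVER_PEERS, dst)}")
    print("laptop spoofing phone accepted?",
          accept_inbound(SERVER_PEERS, "laptop", "192.168.30.13"))
    for dst in ("192.168.30.1", "1.1.1.1"):
        print(f"client -> {dst}: {route_outbound(CLIENT_PEERS, dst)}")
```

One consequence worth knowing: each prefix can belong to only one peer, so giving two server-side [Peer] blocks the same /32 does not make them share it; the later one takes it over.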

net.ipv4.ip_forward

It is sometimes necessary to enable this on the server to actually reach devices on the remote LAN: without it the kernel will not forward packets that arrive on the WireGuard interface out to the LAN, so the FORWARD rules in the server config have nothing to act on. Temporarily enable it with: sysctl -w net.ipv4.ip_forward=1. Permanently enable it by adding a file /etc/sysctl.d/98-wireguard.conf (the name is only for organization) with contents: net.ipv4.ip_forward=1, then apply it with sysctl --system (or reboot). Check the current value with: sysctl net.ipv4.ip_forward. If you also carry IPv6 through the tunnel, the equivalent is net.ipv6.conf.all.forwarding=1.

Client config

[Interface]
Address = 192.168.30.12/24 (IP you want the client to have, with the VPN subnet's prefix so the client knows 192.168.30.0/24 is on the tunnel. Corresponds to this peer's AllowedIPs on the server, but notice the different CIDR: the server lists it as a /32)
PrivateKey = [key content] (Generate a keypair with: wg genkey | tee client.key | wg pubkey > client.pub. The private key never leaves the client, and the config file holding it should be mode 600)

[Peer]
PublicKey = [key content] (The server's public key)
PresharedKey = [key content] (Optional - use wg genpsk. The same value goes in the server's [Peer] block for this client; give each client its own)
AllowedIPs = 192.168.0.0/16 (See above: destinations routed through the tunnel. Must at least cover the VPN subnet, 192.168.30.0/24, or the server's 192.168.30.1 is unreachable; this /16 also covers a 192.168.x.0/24 LAN behind the server. Use 0.0.0.0/0 to send all traffic through the tunnel)
Endpoint = [Server IP]:51820 (Server's public IP or hostname and its ListenPort; UDP 51820 must be reachable through the server's firewall)
PersistentKeepalive = 25 (Seconds. Keeps the NAT mapping open when the client sits behind NAT, so the server can still reach it)

Server config

[Interface]
Address = 192.168.30.1/24 (VPN gateway address and subnet)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE (Replace enp4s0 with your LAN/WAN interface; %i expands to the WireGuard interface name. The FORWARD rules let traffic pass between the tunnel and the rest of the box, and MASQUERADE rewrites client source addresses to the server's so LAN hosts can reply. Note that -i %i -j ACCEPT lets every client reach anything the server can; add -d <subnet> to the FORWARD rule if clients should only see part of the network)
ListenPort = 51820 (UDP; open it in the firewall)
PrivateKey = [key content] (The server's private key, generated with wg genkey as on the client)

[Peer]
# Nickname (One [Peer] block per client; wg ignores lines starting with #)
AllowedIPs = 192.168.30.12/32 (The single address this client may use. Each address can belong to only one peer, so every client needs its own /32)
PublicKey = [key content] (This client's public key)
PresharedKey = [key content] (Optional - use wg genpsk; must match the PresharedKey in this client's config)
PersistentKeepalive = 25 (Only matters if the server itself is behind NAT; harmless otherwise)

Save each side as /etc/wireguard/wg0.conf (mode 600, it contains a private key), bring it up with wg-quick up wg0 or systemctl enable --now wg-quick@wg0, and check wg show: a "latest handshake" line under the peer means the keys and endpoint agree.
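The client and server configs above have to agree with each other in several places (client Address vs. the server's /32 AllowedIPs, the VPN subnet, the port, and forwarding rules when clients route beyond the tunnel). The checker below is an added example, not part of WireGuard or wg-quick: it parses both configs with a minimal wg-quick INI parser and applies those rules. The keys are dummy all-zero keys and 203.0.113.5 is a placeholder endpoint; both are constructed for the example.

```python
"""Cross-check a WireGuard client config against its server config.
Added example; the rules encoded here are the ones described on this page."""
import base64
from ipaddress import ip_interface, ip_network

# Placeholder key: 32 zero bytes, base64-encoded (44 chars). Never use a real key here.
DUMMY_KEY = base64.b64encode(bytes(32)).decode()

CLIENT_CONF = f"""
[Interface]
Address = 192.168.30.12/24
PrivateKey = {DUMMY_KEY}

[Peer]
PublicKey = {DUMMY_KEY}
PresharedKey = {DUMMY_KEY}
AllowedIPs = 192.168.0.0/16
Endpoint = 203.0.113.5:51820
PersistentKeepalive = 25
"""

SERVER_CONF = f"""
[Interface]
Address = 192.168.30.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = {DUMMY_KEY}

[Peer]
# laptop
AllowedIPs = 192.168.30.12/32
PublicKey = {DUMMY_KEY}
PresharedKey = {DUMMY_KEY}
"""


def parse_wg(text):
    """Minimal parser for the wg-quick INI dialect: one [Interface], any number of [Peer].
    Keys are lower-cased; values keep their text. configparser cannot do this because
    every [Peer] section has the same name."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            if section == "Interface":
                cur = iface
            elif section == "Peer":
                cur = {}
                peers.append(cur)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        if cur is None:
            raise ValueError("key/value before any section header")
        key, _, value = line.partition("=")           # first '=' only: keys end in '='
        cur[key.strip().lower()] = value.strip()
    return {"interface": iface, "peers": peers}


def key_ok(k):
    """A WireGuard key is exactly 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(k, validate=True)) == 32
    except ValueError:                                # binascii.Error is a ValueError
        return False


def check_pair(client, server):
    """Return a list of findings; an empty list means the two configs agree."""
    findings = []
    c_if, s_if = client["interface"], server["interface"]
    c_addr, s_addr = ip_interface(c_if["address"]), ip_interface(s_if["address"])
    vpn_net = s_addr.network
    if c_addr.network != vpn_net:
        findings.append(f"client Address {c_addr} is not in server subnet {vpn_net}")
    # Exactly one server [Peer] must claim the client's host address, as a /32.
    host = ip_network(f"{c_addr.ip}/32")
    owners = [p for p in server["peers"]
              if any(ip_network(n.strip()) == host for n in p["allowedips"].split(","))]
    if len(owners) != 1:
        findings.append(f"server has {len(owners)} peers with AllowedIPs {host}, expected 1")
    # The client's [Peer] AllowedIPs must cover the VPN subnet, or the server's VPN IP is unreachable.
    c_peer = client["peers"][0]
    c_allowed = [ip_network(n.strip()) for n in c_peer["allowedips"].split(",")]
    if not any(vpn_net.subnet_of(n) for n in c_allowed):
        findings.append(f"client AllowedIPs {c_allowed} does not cover VPN subnet {vpn_net}")
    port = int(c_peer["endpoint"].rsplit(":", 1)[1])
    if port != int(s_if.get("listenport", 51820)):
        findings.append(f"client Endpoint port {port} != server ListenPort {s_if.get('listenport')}")
    # Routing beyond the VPN subnet needs forwarding and NAT on the server (plus ip_forward=1).
    wants_lan = any(n != vpn_net and not n.subnet_of(vpn_net) for n in c_allowed)
    postup = s_if.get("postup", "")
    if wants_lan and ("FORWARD" not in postup or "MASQUERADE" not in postup):
        findings.append("client routes beyond the VPN subnet but server PostUp has no FORWARD/MASQUERADE rules")
    sections = [("client", c_if), ("client peer", c_peer), ("server", s_if)]
    sections += [("server peer", p) for p in server["peers"]]
    for where, sect in sections:
        for k in ("privatekey", "publickey", "presharedkey"):
            if k in sect and not key_ok(sect[k]):
                findings.append(f"{where} {k} is not a 32-byte base64 key")
    return findings


if __name__ == "__main__":
    print(check_pair(parse_wg(CLIENT_CONF), parse_wg(SERVER_CONF)) or "configs agree")
```

Run it against real configs by reading the two files into CLIENT_CONF and SERVER_CONF; the parser accepts the comment lines and PostUp/PostDown commands as written above. It deliberately does not check that the client's PublicKey is derived from the server's PrivateKey, which needs X25519 and is what wg show's handshake line confirms in practice.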