This walks you through setting up WireGuard. It is focused on a traditional server/client VPN structure; however, once you understand how it works, you can build other configurations.
AllowedIPs is a confusing option, since it seems to mean two different things depending on whether you look at the client or the server. Really it is one thing (the set of addresses WireGuard associates with a peer), but it is complicated.
On the client, under [Peer], AllowedIPs is the set of IPs that will be routed through this WireGuard tunnel.
On the server, under each [Peer], AllowedIPs is the set of IPs that client is allowed to use; packets arriving from that peer with any other source address are dropped.
Sometimes it is necessary to enable IP forwarding on the server so that clients can actually reach devices on the remote LAN. Temporarily enable it with this command:
sysctl -w net.ipv4.ip_forward=1
Permanently enable it by adding a file /etc/sysctl.d/98-wireguard.conf (the name is only for organization purposes) with the contents:
net.ipv4.ip_forward = 1
Client configuration:
[Interface]
Address = 192.168.30.12/24        # IP you want the client to have; corresponds to the server's AllowedIPs, but notice the different CIDR
PrivateKey = [key content]

[Peer]
PublicKey = [key content]
PresharedKey = [key content]      # optional; generate with wg genpsk
AllowedIPs = 192.168.0.0/16       # see above
Endpoint = [Server IP]:51820      # server IP with the port to connect on
PersistentKeepalive = 25
Server configuration:
[Interface]
Address = 192.168.30.1/24         # VPN gateway address and subnet
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE
# Replace enp4s0 with your outbound interface
ListenPort = 51820
PrivateKey = [key content]

[Peer]
# Nickname
AllowedIPs = 192.168.30.12/32     # IP you want the client to have
PublicKey = [key content]
PresharedKey = [key content]      # optional; generate with wg genpsk
PersistentKeepalive = 25
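The server-side meaning of AllowedIPs is easy to get wrong, so here is an added example (not from the original guide and not part of WireGuard) that parses a wg-quick style server config and flags what a reviewer looks for: a catch-all 0.0.0.0/0 on a peer, addresses outside the VPN subnet, and one address claimed by two peers. The sample config and its placeholder keys are constructed for this example.

```python
import ipaddress

# Constructed sample server config with placeholder keys; peer 2 is deliberately wrong.
SERVER_CONF = """\
[Interface]
Address = 192.168.30.1/24
[Peer]  # laptop from the guide
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.30.12/32
[Peer]  # reuses the laptop's address and adds a catch-all route
PublicKey = OTHER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.30.12/32, 0.0.0.0/0
"""

def parse_wg_conf(text):
    """Parse wg-quick INI text into (interface_dict, [peer_dict, ...])."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        else:                                      # repeated keys are comma-joined
            key, _, val = line.partition("=")
            key, val = key.strip().lower(), val.strip()
            cur[key] = cur[key] + "," + val if key in cur else val
    return iface, peers

def check_server(text):
    """Findings about server-side AllowedIPs: packets from a peer with another
    source address are dropped, and traffic to those addresses goes to that peer."""
    iface, peers = parse_wg_conf(text)
    subnet = ipaddress.ip_network(iface["address"], strict=False)
    findings, seen = [], {}                        # seen: network -> peer number
    for n, peer in enumerate(peers, 1):
        for cidr in peer.get("allowedips", "").split(","):
            net = ipaddress.ip_network(cidr.strip())
            if net.prefixlen == 0:
                findings.append(f"peer {n}: {net} sends all forwarded traffic to this peer")
            elif net.version == subnet.version and not net.subnet_of(subnet):
                findings.append(f"peer {n}: {net} lies outside {subnet} (site-to-site only)")
            for other, m in seen.items():
                if m != n and net.overlaps(other): # wg moves the IP to the last peer claiming it
                    findings.append(f"peer {n}: {net} overlaps peer {m}'s {other}")
            seen[net] = n
    return findings
```

Run it against your real server config before `wg-quick up`; a clean config returns an empty list.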