Configure WireGuard VPN

This article or section is a stub. Stubs are articles that have not yet received substantial attention from the authors. They are short or insufficient pieces of information and require additions to further increase the article's usefulness. The project values stubs as useful first steps toward complete articles. See Wiki workflow and Wikipedia:Stub for more details on this process. See all the stubs in Category:Stubs

We've recently changed from OpenVPN to WireGuard for our VPN solution. We use a VPN so that we can be sure our local browsing traffic's private even when we're on an insecure connection like a hotel or airport. Of course there are many solutions available such as ProtonVPN or RiseupVPN, but we like to be independent for our security, and also this allows us to customise the ports and locations and have higher bandwidth than a shared solution.

Server

Our server setup requires that the server is running a DNS server, if this is an Organic Design server it will already be running since we use a local caching non-forwarding DNS Server for our mail configuration, see Configure DNS for details.

First install WireGuard which is in the default Debian repositories.

sudo apt install wireguard

Then create a key-pair that are called privatekey and publickey in the /etc/wireguard directory.

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

Create a config file called /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.xx.xx.1/24, fdxx:xxxx:xxxx::1/64
ListenPort = 51820
SaveConfig = true
PostUp = ufw route allow in on wg0 out on DEFAULT_INTERFACE
PostUp = iptables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on DEFAULT_INTERFACE
PreDown = iptables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE

• SERVER_PRIVATE_KEY is the content of the /etc/wireguard/privatekey file.
• The IP addresses can be anything, but are best within standard non-public address spaces, and using 1 within that space for the server, then 2 for the first client, 3 for the second etc.
• The port can be anything you prefer, the default for WireGuard is 51820
• DEFAULT_INTERFACE is the ethernet interface connected to the internet, if you don't know this you can see it with the ip route list default command.
• Only include the ufw rules in PostUp and PreDown if you're running ufw.

Make sure that IP forwarding is enabled for both IPv4 and IPv6 by setting both net.ipv4.ip_forward and net.ipv6.conf.all.forwarding to 1 in /etc/sysctl.conf and then force the configuration to update immediately:

sudo sysctl -p

Clients

First install WireGuard which is in the default Debian repositories, and we'll also need resolvconf.

sudo apt install wireguard

Then create a key-pair that are called privatekey and publickey in the /etc/wireguard directory.

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.xx.xx.2/24
Address = fdxx:xxxx:xxxx::2/64
DNS = SERVER_IP # assumes server is running a DNS server
PostUp = ip rule add table 200 from CLIENT_IP
PostUp = ip route add table 200 default via CLIENT_GATEWAY
PreDown = ip rule delete table 200 from CLIENT_IP
PreDown = ip route delete table 200 default via CLIENT_GATEWAY

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:SERVER_VPN_PORT
AllowedIPs = 0.0.0.0/0, ::/0

Set permissions of the files.

sudo chmod 600 /etc/wireguard/*
sudo chmod 644 /etc/wireguard/publickey

See also

• Configure OpenVPN
• Digital Ocean's WireGuard setup procedure
• Angristan's WireGuard installer script
• Michael Tremer, the main WireGuard critic in the field