Configuration of WireGuard Server on Linux

Способ №1

The below is just a short introduction to give an understanding how it works on Ubuntu. For other Linux distributions please have a look at the official WireGuard installation instructions.

First install the wireguard package.

add-apt-repository ppa:wireguard/wireguard && \
apt-get update && apt-get install wireguard

Create a public and private keypair for the server using the wg(8) tool.

wg genkey | tee server_private | wg pubkey > server_public

Then create a keypair for the client:

wg genkey | tee client_private | wg pubkey > client_public

The keys are just short strings that can be easily copied and pasted from the terminal.

cat client_private client_public
sAHRG4iRj8JekFDgNuevjNwMPuNDIVbTfFuZu9dBY1o=
T/DjhrM8hkbqYnOYQvHExF0HI/Csi6DktQth5ijcpDI=

Load the kernel module and create a WireGuard network interface using ip-link(8).

ip link add dev wg0 type wireguard

Configure an IP address of the server using ip-address(8).

ip address add dev wg0 192.168.2.1/24

Configure the private key of the server and add the client's public key using the wg(8) tool. In this example we use UDP port 8040 but you may choose a port of your liking. Ensure this port is properly mapped through your router if you want to access your WireGuard server from the Internet.

wg set wg0 listen-port 8040 private-key server_private
wg set wg0 peer `cat client_public` allowed-ips 192.168.2.0/24          

Activate the newly configured network interface using ip-link(8).

ip link set up dev wg0

All done, verify that WireGuard is properly configured with the wg(8) tool. It should look similar to this.

Способ №2

Generate server config

Create a file called /etc/wireguard/wg0.conf on the server and add the following content.

[Interface]
Address = 192.168.2.1/24 
SaveConfig = true
PrivateKey = <insert server_private_key>
ListenPort = 8040

[Peer]
PublicKey = <insert client_public_key>
AllowdIPs = 192.168.2.2/24

wg0.conf will result in an interface named wg0 therefore you can rename the file if you fancy something different.

AllowedIPs = 192.168.2.2/32 provides enhanced security by ensuring that only that a client with the IP 10.200.200.2 and the correct private key will be allowed to authenticate on the VPN tunnel .

ListenPort is the udp port to listen on. A different one can be used.

Generate client config

Create a file called wg0-client.conf on the client and add the following content.

[Interface]
Address = 192.168.2.2/24 
PrivateKey = <insert client_private_key>
#DNS = 192.168.2.1
PostUp = echo nameserver 8.8.8.8 | resolvconf -a tun.%i -m 0 -x
PostDown = resolvconf -d tun.%i

[Peer]
PublicKey = <insert server_public_key>
Endpoint = <insert vpn_server_address>:8040
AllowdIPs = 0.0.0.0/24
PersistentKeepalive = 21

Similar to the server case, wg0-client.conf will result in an interface named wg0-client so you can rename the file if you fancy something different.

AllowedIPs = 0.0.0.0/0 will allow and route all traffic on the client through the VPN tunnel. This can be narrowed down if you only want some traffic to go over VPN.

DNS = 192.168.2.1 will set the DNS resolver IP to our VPN server. This is important to prevent DNS leaks when on the VPN.

Enable the WireGuard interface on the server

chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf
wg-quick up wg0
systemctl enable wg-quick@wg0.service

Enable IP forwarding on the server

vim /etc/sysctl.conf
net.ipv4.ip_forward=1
sysctl -p
echo 1 > /proc/sys/net/ipv4/ip_forward

More here: https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/