Basic guide to Wireguard

This guide is a short howto on a single server and single client, and will not be a too technical one. It will consist of mostly the two config files should be for simple case and explaining where it needs to be.

Initial packages needed.

Simply install wireguard-dkms and wireguard-tools

 pacman -S wireguard-dkms wireguard-tools

Note: for now wireguard-dkms is needed until wireguard is in the kernel officially.

Router setup

You will need to setup port forwarding and set a static IP for the Wireguard server.

Static IP

Follow the guide for the model of router you have. You need static IP for the server so that the IP never changes and cause a possible Wireguard connection issue.

Port forwarding

Also follow the guide for your router to set port forwarding up for Wireguard. The typical port for Wireguard is 15280.
The basic concept is to forward the chosen port to the static IP setup earlier.

IP Forwarding



Server configuration

Generate keys
 wg genkey | tee privatekey | wg pubkey > publickey
  wg genkey | tee clientprivatekey | wg pubkey > clientpublickey

The following is how my server's /etc/wireguard/wg0.conf is configured.

 Address =
 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
 PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
 ListenPort = 51820
 PrivateKey = <Server's private key>

 PublicKey = <Client's private key>
 AllowedIPs =
Explanation for server configuration

For Address = you will need to use a different subnet than the what the server is currently on. For example: Server's current IP is 192.168.1.x, then the Address = will need to be something like

ListenPort = is the port that Wireguard will listen on and also needs to be the port used in port forwarding.
AllowedIPs =, ::/0 runs all connections through Wireguard

Client configuration

Configuration is fairly similar to how the server is setup. For example, the following could be a client's config file /etc/wireguard/wg0.conf:

 Address =
 PrivateKey = <Client's private key>
 ListenPort = 21841

 PublicKey = <Server's public key>
 Endpoint = <Public side IP>:51820
 AllowedIPs =
 DNS =
 PersistentKeepalive = 25
Explanation of client configuration

Address = you will need to use the AllowedIPs = from the server's config here.
Endpoint = Needs to be set to a public accessible IP, the address your ISP assigns you.
AllowedIPs = ensures all traffic goes through Wireguard.
DNS must be set since we are using AllowedIPs =
PersistentKeepalive = 25 Helps keep connection when behind a NAT firewall.

Start Wireguard server
 wg-quick up INTERFACE


qrencode creates a QR code, so you can easily import a client configuration file

 pacman -S qrencode

You can use qrencode -t ansiutf8 < client.conf


Private/Public keys

You will need to extract the hash from the created private/public key files and place them in the correct placeholders in each configuration.


The client config file can be placed anywhere as it won't need to be forever stored on the computer.
Make sure to use qrencode on the client configuration and not the server's configuration.

Router port forwarding guide


Restart Wireguard after boot

Create an init file to run wg-quick up INTERFACE