This guide is a short howto on a single server and single client, and will not be a too technical one. It will consist of mostly the two config files should be for simple case and explaining where it needs to be.
Simply install wireguard-dkms and wireguard-tools
pacman -S wireguard-dkms wireguard-tools
Note: for now wireguard-dkms is needed until wireguard is in the kernel officially.
You will need to setup port forwarding and set a static IP for the Wireguard server.
Follow the guide for the model of router you have. You need static IP for the server so that the IP never changes and cause a possible Wireguard connection issue.
Also follow the guide for your router to set port forwarding up for Wireguard. The typical
port for Wireguard is
The basic concept is to forward the chosen port to the static IP setup earlier.
wg genkey | tee privatekey | wg pubkey > publickey
wg genkey | tee clientprivatekey | wg pubkey > clientpublickey
The following is how my server's
/etc/wireguard/wg0.conf is configured.
[Interface] Address = 192.168.2.1/24 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eno1 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eno1 -j MASQUERADE ListenPort = 51820 PrivateKey = <Server's private key> [Peer] PublicKey = <Client's private key> AllowedIPs = 192.168.2.2/32
Address = you will need to use a different subnet than the what the server is currently on. For example:
Server's current IP is 192.168.1.x, then the
Address = will need to be something like
ListenPort = is the port that Wireguard will listen on and also needs to be the port used in port forwarding.
AllowedIPs = sets the client's IP to an available address.
Configuration is fairly similar to how the server is setup. For example, the following could be a client's config file
[Interface] Address = 192.168.2.2/32 PrivateKey = <Client's private key> ListenPort = 21841 [Peer] PublicKey = <Server's public key> Endpoint = <Public side IP>:51820 AllowedIPs = 0.0.0.0/0 DNS = 184.108.40.206 PersistentKeepalive = 25
Address = you will need to use the
AllowedIPs = from the server's config here.
Endpoint = Needs to be set to a public accessible IP, the address your ISP assigns you.
AllowedIPs = 0.0.0.0/0 ensures all traffic goes through Wireguard.
DNS must be set since we are using
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25 Helps keep connection when behind a NAT firewall.
wg-quick up INTERFACE
qrencode creates a QR code, so you can easily import a client configuration file
pacman -S qrencode
You can use
qrencode -t ansiutf8 < client.conf
You will need to extract the hash from the created private/public key files and place them in the correct placeholders in each configuration.
The client config file can be placed anywhere as it won't need to be forever stored on the computer.
Make sure to use qrencode on the client configuration and not the server's configuration.
Create an init file to run
wg-quick up INTERFACE