This guide is a short howto on a single server and single client, and will not be a too technical one. It will consist of mostly the two config files should be for simple case and explaining where it needs to be.
Simply install and wireguard-tools
pacman -S wireguard-tools
You will need to setup port forwarding and set a static IP for the Wireguard server.
Follow the guide for the model of router you have. You need static IP for the server so that the IP never changes and cause a possible Wireguard connection issue.
Also follow the guide for your router to set port forwarding up for Wireguard. The typical
port for Wireguard is
The basic concept is to forward the chosen port to the static IP setup earlier.
Since the configuration files hold secrets, they should be only readable and writable by the root user.
The files will be located under
/etc/wireguard so this directory must be owned by
root:root and have permissions set to
0700 so that no one can even see what are the used interfaces.
After creating the needed files they should be only readable by root so they should have
0400 permissions and also owned by
In the following guide, files containing private keys will be generated, you MUST remove them after the data they contain has been used in the configuration files. These information MUST be kept private to make the connection secure.
wg genkey | tee server.private | wg pubkey > server.public
wg genkey | tee client.private | wg pubkey > client.public
The pre-shared key allows an additional layer of symmetric encryption.
The key needs to be exchanged securely between the peers to be considered effective and, as the private key, it has to be considered a secret only known by the two peers.
wg genpsk > common.psk
# /etc/wireguard/wg0.conf [Interface] Address = 192.168.2.1/24 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eno1 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eno1 -j MASQUERADE ListenPort = 51820 PrivateKey = <Server's private key> [Peer] PublicKey = <Client's public key> PreSharedKey = <Common key> AllowedIPs = 192.168.2.2/32
Address: IP address of the server (that will act as a gateway here) and its subnet mask. It should be ensure that the used subnet is different from the ones devices are connected. Common used subnets for VPNs are
PostUp: Firewall rules to be added after the server has been started, it allows to forward traffic. The ip6tables part can be removed if using only IPv4.
PostDown: Firewall rules to be removed after the server has been stopped, it has to be the same rules as in
PostUp. The ip6tables part can be removed if using only IPv4.
ListenPort:: is the port that Wireguard will listen on and also needs to be the port used in port forwarding.
AllowedIPs: IP address of the client. It has to be unique (also if having several peers) and must have a 32 bits subnet mask so it is a fixed IP.
# /etc/wireguard/wg0.conf [Interface] Address = 192.168.2.2/32 PrivateKey = <Client's private key> DNS = 220.127.116.11 [Peer] PublicKey = <Server's public key> PreSharedKey = <Common key> Endpoint = <Public side IP>:51820 AllowedIPs = 0.0.0.0/0
Address: Same address as the one in the server's
DNS: The IP address of the DNS that will be used (requests will be routed through the tunnel).
Endpoint: Public IP of the server .
AllowedIPs = 0.0.0.0/0ensures all traffic goes through Wireguard.
wg-quick up INTERFACE
qrencode creates a QR code, so you can easily import a client configuration file
pacman -S qrencode
You can use
qrencode -t ansiutf8 < client.conf
You will need to extract the hash from the created private/public key files and place them in the correct placeholders in each configuration.
The client config file can be placed anywhere as it won't need to be forever stored on the computer.
Make sure to use qrencode on the client configuration and not the server's configuration.
Create an init file to run
wg-quick up INTERFACE