Basic guide to Wireguard

This guide is a short howto for a single server and a single client, and is not a very technical one. It mostly consists of what the two configuration files should contain in the simple case, and of an explanation of where each setting needs to go.

Initial packages needed.

Simply install wireguard-tools:

 pacman -S wireguard-tools

Router setup

You will need to set up port forwarding and a static IP for the Wireguard server.

Static IP

Follow the guide for the model of router you have. The server needs a static IP so that its address never changes, since a changing address would cause Wireguard connection issues.

Port forwarding

Also follow the guide for your router to set up port forwarding for Wireguard. The typical port for Wireguard is 15280.
The basic concept is to forward the chosen port to the static IP set up earlier; the same port must be used as ListenPort in the server configuration.

IP Forwarding

/etc/sysctl.conf

 net.ipv4.ip_forward=1
 net.ipv6.conf.all.forwarding=1

Security concerns

File system

Since the configuration files hold secrets, they must be readable and writable only by the root user.
The files live under /etc/wireguard, so this directory must be owned by root:root and have permissions 0700, so that nobody else can even see which interfaces are in use.
After creating the needed files, they should be readable only by root: 0400 permissions, owned by root:root.

Keys

In the following guide, files containing private keys are generated; you MUST remove them after their contents have been copied into the configuration files. This information MUST be kept private for the connection to be secure.

Generate keys

Server

 wg genkey | tee server.private | wg pubkey > server.public

Client

 wg genkey | tee client.private | wg pubkey > client.public

Pre-shared key (optional)

The pre-shared key adds an additional layer of symmetric encryption.
The key needs to be exchanged securely between the peers to be effective and, like the private key, it must be treated as a secret known only to the two peers.

 wg genpsk > common.psk

Server configuration

 # /etc/wireguard/wg0.conf
 [Interface]
 Address = 192.168.2.1/24
 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
 PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
 ListenPort = 51820
 PrivateKey = <Server's private key>

 [Peer]
 PublicKey = <Client's public key>
 PreSharedKey = <Common key>
 AllowedIPs = 192.168.2.2/32

Explanation

Interface
  • Address: IP address of the server (which acts as a gateway here) and its subnet mask. Ensure that the subnet used is different from the ones your devices are already connected to. Commonly used subnets for VPNs are 192.168.X.0/24 or 10.X.X.0/16.
  • PostUp: Firewall rules added after the server has been started; they allow traffic to be forwarded. The ip6tables part can be removed if only IPv4 is used.
  • PostDown: Firewall rules removed after the server has been stopped; they must be the same rules as in PostUp. The ip6tables part can be removed if only IPv4 is used.
  • ListenPort: the port Wireguard listens on; it must be the same port used in the port forwarding.
Peer
  • AllowedIPs: IP address of the client. It has to be unique (also when there are several peers) and must use a 32-bit subnet mask so that it is a fixed IP.

Client configuration

 # /etc/wireguard/wg0.conf
 [Interface]
 Address = 192.168.2.2/32
 PrivateKey = <Client's private key>
 DNS = 1.1.1.1

 [Peer]
 PublicKey = <Server's public key>
 PreSharedKey = <Common key>
 Endpoint = <Public side IP>:51820
 AllowedIPs = 0.0.0.0/0

Explanation

Interface
  • Address: Same address as the one in the server's AllowedIPs.
  • DNS: IP address of the DNS server to use (DNS requests will be routed through the tunnel).
Peer
  • Endpoint: Public IP of the server and the port it listens on.
  • AllowedIPs = 0.0.0.0/0 ensures all traffic goes through Wireguard.

Start Wireguard server

 wg-quick up INTERFACE
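Putting the key generation, the two configuration files and the file-permission rules from the sections above together, here is an added example script (not part of the original guide). It assumes the placeholders WG_DIR, WAN_IF and SERVER_ENDPOINT, keeps only the IPv4 firewall rules, and deletes the key files once their contents are in the configs.

```shell
# Added example, not from the original guide: generate both key pairs and the
# pre-shared key, render the two configs from the guide's templates, apply the
# 0700 / 0400 permissions, and remove the key files once they are no longer needed.
# Assumed placeholders: WG_DIR, WAN_IF (server's outgoing interface), SERVER_ENDPOINT.
set -eu
umask 077                                  # everything created here is private by default
WG_DIR="${WG_DIR:-/etc/wireguard}"
WAN_IF="${WAN_IF:-eno1}"
SERVER_ENDPOINT="${SERVER_ENDPOINT:-<Public side IP>}"

# Server config (IPv4 rules only, as the guide allows): $1 server private key,
# $2 client public key, $3 pre-shared key.
render_server_conf() {
  printf '%s\n' "[Interface]" "Address = 192.168.2.1/24" \
    "PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE" \
    "PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $WAN_IF -j MASQUERADE" \
    "ListenPort = 51820" "PrivateKey = $1" "" \
    "[Peer]" "PublicKey = $2" "PreSharedKey = $3" "AllowedIPs = 192.168.2.2/32"
}

# Client config: $1 client private key, $2 server public key, $3 pre-shared key.
render_client_conf() {
  printf '%s\n' "[Interface]" "Address = 192.168.2.2/32" "PrivateKey = $1" "DNS = 1.1.1.1" "" \
    "[Peer]" "PublicKey = $2" "PreSharedKey = $3" \
    "Endpoint = $SERVER_ENDPOINT:51820" "AllowedIPs = 0.0.0.0/0"
}

# Write stdin to config file $1: directory 0700, file 0400 (run as root for root:root).
install_conf() {
  mkdir -p "$(dirname "$1")"
  chmod 0700 "$(dirname "$1")"
  cat > "$1"
  chmod 0400 "$1"
}

# Full run; needs wg(8). Key files live only in a private temp dir that is removed on exit.
provision() {
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT                # private keys then exist only inside the configs
  wg genkey | tee "$tmp/server.private" | wg pubkey > "$tmp/server.public"
  wg genkey | tee "$tmp/client.private" | wg pubkey > "$tmp/client.public"
  wg genpsk > "$tmp/common.psk"
  render_server_conf "$(cat "$tmp/server.private")" "$(cat "$tmp/client.public")" \
    "$(cat "$tmp/common.psk")" | install_conf "$WG_DIR/wg0.conf"
  render_client_conf "$(cat "$tmp/client.private")" "$(cat "$tmp/server.public")" \
    "$(cat "$tmp/common.psk")" | install_conf "$WG_DIR/client.conf"
}

case "${1:-}" in run) provision ;; esac    # usage: sh wg-provision.sh run
```

Run it as root with `run` as the only argument; the client.conf it writes is the file to feed to qrencode.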

qrencode

qrencode creates a QR code, so that you can easily import a client configuration file.

 pacman -S qrencode

You can then run:

 qrencode -t ansiutf8 < client.conf

Notes

Private/Public keys

You will need to copy the key strings from the generated private/public key files into the matching placeholders in each configuration.

qrencode

The client config file can be placed anywhere, as it does not need to be stored permanently on the computer.
Make sure to use qrencode on the client configuration and not on the server's configuration.

Router port forwarding guide
 https://portforward.com/router.htm

Tips

Restart Wireguard after boot

Create an init file that runs wg-quick up INTERFACE at boot.