Basic guide to Wireguard

This guide is a short howto for a single server and a single client and does not go deep into the technical details. It consists mostly of the two configuration files needed for the simple case, with an explanation of what each setting is for and where it has to go.

Initial packages needed.

Simply install wireguard-tools (it pulls in the wg and wg-quick commands used below):

 pacman -S wireguard-tools

Router setup

You will need to set up port forwarding on the router and give the Wireguard server a static IP on your LAN.

Static IP

Follow the guide for your router model. The server needs a static LAN IP so that its address never changes; otherwise the port forwarding rule would point at a stale address and Wireguard clients could no longer reach the server.

Port forwarding

Also follow the guide for your router to set up port forwarding for Wireguard. Wireguard uses UDP, and the conventional port is 51820 (the same value as ListenPort in the server configuration below).
The basic concept is to forward the chosen UDP port to the static IP set up earlier.

IP Forwarding

The server acts as a gateway for the client, so the kernel must be allowed to forward packets between the Wireguard interface and the uplink interface. This is controlled by the sysctl net.ipv4.ip_forward (and net.ipv6.conf.all.forwarding for IPv6), which is 0 by default; without it the server accepts the tunnel but never routes the client's traffic onward.

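The following is an added example, not part of the original guide: it persists the forwarding sysctls in a drop-in file and verifies the live kernel values. It assumes a Linux system with a sysctl.d directory and procfs; the directory and proc root are parameters (the defaults /etc/sysctl.d and /proc are assumptions about the target host) so the functions can be exercised on a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the original guide): persist IP forwarding for the
# Wireguard gateway with a sysctl drop-in and check the running kernel values.
# Assumptions: a systemd-style sysctl.d directory and procfs; both paths are
# parameters so the functions can be tried without root.

set -eu

# write_forward_sysctl SYSCTL_DIR
# Writes a drop-in enabling IPv4 and IPv6 forwarding. Without these the server
# receives packets on wg0 but never routes them to the uplink, so the client
# gets no traffic through the tunnel.
write_forward_sysctl() {
    mkdir -p "$1"
    cat > "$1/99-wireguard-forward.conf" <<'EOF'
# Route between the Wireguard interface and the uplink interface
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
EOF
}

# forwarding_enabled [PROC_ROOT]
# Returns 0 when both the IPv4 and IPv6 forwarding knobs read 1, otherwise
# prints each knob that is off and returns 1. PROC_ROOT defaults to /proc.
forwarding_enabled() {
    root=${1:-/proc}
    ok=0
    for knob in net/ipv4/ip_forward net/ipv6/conf/all/forwarding; do
        path="$root/sys/$knob"
        if [ ! -r "$path" ] || [ "$(cat "$path")" != "1" ]; then
            echo "forwarding off: $path"
            ok=1
        fi
    done
    return $ok
}

# Real usage, as root: write the drop-in, load it, then check the result.
#   write_forward_sysctl /etc/sysctl.d
#   sysctl --system
#   forwarding_enabled && echo "forwarding is on"
```

Drop the net.ipv6 line from the drop-in if the server has no IPv6 uplink; forwarding_enabled will then report the IPv6 knob as off, which is the expected state in that case.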
Security concerns

File system

Since the configuration files hold secrets (the private keys and the pre-shared key), they should be readable and writable by the root user only.
The files live under /etc/wireguard, so this directory must be owned by root:root with permissions 0700, so that no other user can even list which interfaces are configured.
Each file created under it must also be owned by root:root and have permissions 0400, so that only root can read it.


In the following steps, files containing private keys are generated. You MUST delete them once their contents have been copied into the configuration files. This material MUST stay private: anyone holding a peer's private key (or the pre-shared key) can impersonate that peer, and the tunnel is only as secure as these secrets.

Generate keys

 wg genkey | tee server.private | wg pubkey > server.public
 wg genkey | tee client.private | wg pubkey > client.public

Pre-shared key (optional)

The pre-shared key is an additional symmetric secret that is mixed into the handshake on top of the public-key exchange; the Wireguard documentation describes it as a post-quantum precaution.
It has to be exchanged between the two peers over a secure channel to be of any use and, like the private keys, it must be treated as a secret known only to those two peers.

 wg genpsk > common.psk
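The following is an added example, not part of the original guide: it combines the key generation above with the file-system rules from the previous section, creating the key files directly inside a 0700 directory with a restrictive umask, and then audits the permissions. It assumes Linux with GNU stat and wireguard-tools installed; gen_wg_keys needs root to write the real /etc/wireguard, while the audit takes the directory and expected owner as parameters so it can be tried on a scratch directory.

```shell
#!/bin/sh
# Added example (not part of the original guide): generate the key material
# straight into the locked-down directory and audit the permissions afterwards.
# Assumes Linux with GNU stat and wireguard-tools. Run gen_wg_keys as root for
# the real /etc/wireguard; the directory and expected owner are parameters so
# audit_wg_dir can be tried on a scratch directory without root.

set -eu

# gen_wg_keys DIR
# Creates DIR (mode 0700), then server/client key pairs and a pre-shared key
# inside it. umask 077 in a subshell keeps the new files unreadable by other
# users from the moment they are created, instead of fixing them up afterwards.
gen_wg_keys() {
    (
        umask 077
        mkdir -p "$1"
        chmod 700 "$1"
        for peer in server client; do
            wg genkey | tee "$1/$peer.private" | wg pubkey > "$1/$peer.public"
        done
        wg genpsk > "$1/common.psk"
        chmod 400 "$1"/*
    )
}

# audit_wg_dir DIR [OWNER]
# Reports every deviation from the expected state (DIR 0700, every regular
# file 0400, everything owned by OWNER, default root). Returns 1 if any found.
audit_wg_dir() {
    dir=$1
    owner=${2:-root}
    rc=0
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = "700" ] || { echo "$dir: mode $mode, expected 700"; rc=1; }
    who=$(stat -c '%U' "$dir")
    [ "$who" = "$owner" ] || { echo "$dir: owner $who, expected $owner"; rc=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue        # also skips the literal glob of an empty dir
        mode=$(stat -c '%a' "$f")
        [ "$mode" = "400" ] || { echo "$f: mode $mode, expected 400"; rc=1; }
        who=$(stat -c '%U' "$f")
        [ "$who" = "$owner" ] || { echo "$f: owner $who, expected $owner"; rc=1; }
    done
    return $rc
}

# Real usage, as root:
#   gen_wg_keys /etc/wireguard && audit_wg_dir /etc/wireguard
```

Once the keys have been copied into the configuration files, remove the generated .private and .psk files as the previous section requires; the audit is also a quick way to spot a configuration file that was created as a normal user and left world-readable.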

Server configuration

 # /etc/wireguard/wg0.conf
 [Interface]
 Address = <Server's VPN address>/24
 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
 PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
 ListenPort = 51820
 PrivateKey = <Server's private key>

 [Peer]
 PublicKey = <Client's public key>
 PresharedKey = <Common key>
 AllowedIPs = <Client's VPN address>/32
  • [Interface] describes the server itself; each [Peer] section describes one client allowed to connect.
  • Address: the server's IP address inside the VPN (it acts as the gateway here) and its subnet mask. Make sure the subnet does not overlap with any network the server or the client is attached to, otherwise routing becomes ambiguous. Commonly used private ranges for VPNs are 192.168.X.0/24 or 10.X.X.0/24.
  • PostUp: firewall rules added after the interface comes up; they accept traffic forwarded from wg0 and NAT it out of the uplink interface (eno1 here, replace it with your interface name). If the default policy of your FORWARD chain is DROP, also accept the return direction (-o wg0) or established connections, or replies will be dropped. The ip6tables part can be removed if using only IPv4.
  • PostDown: the same rules removed (-D) after the interface is taken down; they have to mirror PostUp exactly. The ip6tables part can be removed if using only IPv4.
  • ListenPort: the UDP port Wireguard listens on; it must match the port used in port forwarding.
  • AllowedIPs: the client's IP address inside the VPN with a /32 mask, so it is a single fixed address. On the server it is both the source address accepted from this peer and the destination routed to it, so it must be unique across all peers.

Client configuration

 # /etc/wireguard/wg0.conf
 [Interface]
 Address = <Client's VPN address>/32
 PrivateKey = <Client's private key>
 DNS = <DNS server IP>

 [Peer]
 PublicKey = <Server's public key>
 PresharedKey = <Common key>
 Endpoint = <Server's public IP>:51820
 AllowedIPs = 0.0.0.0/0, ::/0
  • Address: the same address as the one in the server's AllowedIPs for this client.
  • DNS: the IP address of the resolver to use while the tunnel is up (wg-quick installs it via resolvconf). Since all traffic is routed through the tunnel, DNS requests go through it too, which avoids leaking queries to the local network's resolver.
  • Endpoint: the public IP (or DNS name) of the server, followed by its ListenPort.
  • AllowedIPs: 0.0.0.0/0, ::/0 ensures all IPv4 and IPv6 traffic goes through Wireguard. Listing only 0.0.0.0/0 would let IPv6 traffic bypass the tunnel on a host with IPv6 connectivity.
Start Wireguard server

 wg-quick up INTERFACE

INTERFACE is the name of the configuration file without its .conf suffix, so wg0 for /etc/wireguard/wg0.conf. The same command starts the client once its configuration is in place.


qrencode renders a configuration file as a QR code, so you can easily import the client configuration into the Wireguard mobile app by scanning it instead of copying keys by hand.

 pacman -S qrencode

Display the code directly in the terminal with:

 qrencode -t ansiutf8 < client.conf


Private/Public keys

You will need to copy the base64-encoded keys from the generated private/public key files (they are the keys themselves, not hashes) into the corresponding placeholders in each configuration: the server's private key and the client's public key go into the server configuration, the client's private key and the server's public key into the client configuration, and the pre-shared key into both.

The client configuration file can be placed anywhere, as it does not need to remain on the server once it has been transferred to the client; delete it there afterwards, since it contains the client's private key.
Make sure to use qrencode on the client configuration and not the server's configuration, which would expose the server's private key.
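The following is an added example, not part of the original guide: it assembles both configuration files from the key files generated earlier, so that no key is ever pasted by hand and the client file can be fed straight to qrencode. It assumes the five key files (server.private, server.public, client.private, client.public, common.psk) are in KEYDIR; the VPN subnet 10.42.0.0/24, the uplink interface eno1 (as in the guide), the DNS address and the endpoint are placeholders chosen for this example and must be adapted to your network.

```shell
#!/bin/sh
# Added example (not part of the original guide): build both configuration
# files from the key files generated earlier instead of pasting keys by hand.
# Assumptions: KEYDIR holds server.private, server.public, client.private,
# client.public and common.psk. The subnet 10.42.0.0/24, the uplink eno1, the
# DNS address 10.42.0.1 (a resolver reachable through the tunnel) and the
# endpoint are placeholders for this example; adapt them to your network.

set -eu

# render_wg_configs KEYDIR OUTDIR ENDPOINT_IP
# Writes OUTDIR/server.conf and OUTDIR/client.conf with mode 0400. Install the
# server file as /etc/wireguard/wg0.conf and feed the client file to qrencode.
render_wg_configs() {
    keydir=$1
    outdir=$2
    endpoint=$3
    server_priv=$(cat "$keydir/server.private")
    server_pub=$(cat "$keydir/server.public")
    client_priv=$(cat "$keydir/client.private")
    client_pub=$(cat "$keydir/client.public")
    psk=$(cat "$keydir/common.psk")
    (
        umask 077      # both files are unreadable by other users from creation
        mkdir -p "$outdir"
        cat > "$outdir/server.conf" <<EOF
[Interface]
Address = 10.42.0.1/24
ListenPort = 51820
PrivateKey = $server_priv
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE

[Peer]
PublicKey = $client_pub
PresharedKey = $psk
AllowedIPs = 10.42.0.2/32
EOF
        cat > "$outdir/client.conf" <<EOF
[Interface]
Address = 10.42.0.2/32
PrivateKey = $client_priv
DNS = 10.42.0.1

[Peer]
PublicKey = $server_pub
PresharedKey = $psk
Endpoint = $endpoint:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF
        chmod 400 "$outdir/server.conf" "$outdir/client.conf"
    )
}

# wg_conf_value FILE KEY
# Prints the value of the first "KEY = value" line, to check the rendered files.
wg_conf_value() {
    sed -n "s/^$2 = //p" "$1" | head -n 1
}

# Real usage, as root, after generating the keys into /etc/wireguard:
#   render_wg_configs /etc/wireguard /etc/wireguard/rendered 203.0.113.10
#   wg_conf_value /etc/wireguard/rendered/client.conf Endpoint
```

Note how the pairing of keys is fixed by the function rather than by hand: the server file gets the server's private key and the client's public key, the client file the reverse, and the pre-shared key appears in both. Mixing these up is the most common reason a fresh tunnel never completes a handshake.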

Router port forwarding guide


Restart Wireguard after boot

wireguard-tools ships a systemd template unit, wg-quick@INTERFACE.service, that runs wg-quick up INTERFACE at boot and wg-quick down INTERFACE at shutdown. Enable the instance matching your configuration file (wg-quick@wg0 for /etc/wireguard/wg0.conf); there is no need to write a custom init file.