ifconfig, you will see network interface name is eth0 and public IP
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet xxx.xxx.xxx.xx netmask 255.255.240.0 broadcast xxx.xxx.xxx.xx
2 - WireGuard installation & key pair
apt install wireguard -y
cd /etc/wiregaurd/
Generate key pair wg genkey | tee server-privateKey | wg pubkey > server-publicKey
tee means to write privatekey run ls , you’ll see 2 files in the directory
cat server-privateKey -> 3Ab************Xk=
cat server-publicKey -> y6Qjx*********s=
chmod 600 /etc/wireguard/server-privateKey
chmod go= /etc/wireguard/server-privateKey
# this command removes any permissions, only root can access
3 - Create server config file
vim /etc/wireguard/wg0.conf
# you need to create the `config` file with content below:
Put below content to wg0.conf file
# Server config
[Interface]PrivateKey=server-private-key # used private key generated on server sideAddress=10.106.0.2/20, fd7b:6185:74b5::/64 # private IP address, see how to generate IPv6 below
SaveConfig=trueListenPort=51820 # 51820 is default wg port, you can use any port
# create the rules when run `wg-quick up wg0`
PostUp=iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADEPostUp=ufw allow 51820/udp# Allow traffic on port 51820/udp for WireGuard, not 51820, WireGuard uses UDP
PostUp=ufw route allow in on wg0 out on eth0# Allow traffic routing from wg0 to ens5
# Reverse the above rules on shutdown when run `wg-quick down wg0`
PreDown=ufw route delete allow in on wg0 out on eth0PreDown=ufw delete allow 51820/udpPreDown=iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE# PostUp = iptables -A FORWARD -i wg0 -j ACCEPT;
# PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
# Post up rule, receive and accept every packets into the tunnel, going outward tunnel interface with masked the public IP of the server
# PreDown = iptables -D FORWARD -i wg0 -j ACCEPT;
# PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
# remove all rules
[Peer]PublicKey=client-public-keyAllowedIPs=client-private-ip-range # eg: 10.0.0.1/24
Run ip route list default to check public interface
4 - Manual Management
Manual change to the wg0 rules
run wg-quick up wg0, this will auto add rules that has defined in /etc/wireguard/wg0.conf
run wg-quick down wg0 , this will delete UFW rules that also defined in /etc/wireguard/wg0.conf
5 - UFW (Optional)
ufw status numbered
ufw allow 22
ufw enable
ufw disable
6 - Wireguard on client
If installed on ubuntu as client, same process as how you would setup on a server.
Using pre-configured vpn router that supports Wireguard
Generate another set of key pair for client, that will interact with server key pair.
wg genkey | tee client-privatekey | wg pubkey | tee client-publickey
cat client-privatekey
cat client-publickey
Put the above key in the client side configuration file, file name can be [client-config.conf]
# config on client[Interface]Address = 10.0.0.1/24# client private IP range ListenPort = 51234PrivateKey = [client-privatekey]DNS = 1.1.1.1, 8.8.8.8MTU = 1420[Peer]AllowedIPs = 0.0.0.0/0, ::/0Endpoint = [server-public-IP]:51820PersistentKeepalive = 25#specify second PublicKey = [Server-public-key]
AWS setup
AWS has slight different config. In most cases, you run ifconfig you see eth0 as the interface to connect to internet. AWS uses ens5, see example:
[Interface]PrivateKey=server-private-keyAddress=10.0.0.1/24SaveConfig=trueListenPort=51820# create the rules when run `wg-quick up wg0`
PostUp=iptables -t nat -I POSTROUTING -o ens5 -j MASQUERADEPostUp=ufw allow 51820/udp# Allow traffic on port 51820/udp for WireGuard, not 51820, WireGuard uses UDP
PostUp=ufw route allow in on wg0 out on ens5# Allow traffic routing from wg0 to ens5
# Reverse the above rules on shutdown when run `wg-quick down wg0`
PreDown=ufw route delete allow in on wg0 out on ens5PreDown=ufw delete allow 51820/udpPreDown=iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE[Peer]PublicKey=client-public-key AllowedIPs=10.0.0.2/32