WireGuard configuration

1. Install

apt-get install wireguard

2. Enable IP forwarding on the server

vim /etc/sysctl.conf

Edit:

net.ipv4.ip_forward=1

Apply:

sysctl -p

3. Configure ufw (on Azure, edit the network firewall settings)

Unblock ssh, wireguard ports:

apt install ufw
ufw allow ssh
ufw allow 51820/udp

Enable firewall:

ufw enable

Check status:

ufw status

4. Generate keys at server & client

cd /etc/wireguard

Restrict permissions so that newly created key files are accessible only to their owner:

umask 077

Generate keys:

wg genkey | tee privatekey | wg pubkey > publickey

5. Generate server config:

vim /etc/wireguard/wg0.conf

Edit:

[Interface]
PrivateKey = <server private key>
Address = 10.8.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820

# client 1
[Peer]
PublicKey = <client public key>
AllowedIPs = 10.8.0.2/32

# client 2
[Peer]
PublicKey = <client public key>
AllowedIPs = 10.8.0.3/32

6. Generate client config:

vim /etc/wireguard/wg0.conf

Edit:

[Interface]
Address = 10.8.0.2/32
PrivateKey = <client private key>

# server
[Peer]
PublicKey = <server public key>
Endpoint = server_IP_or_domain_name:51820
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 15
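
A check to run on the files from steps 5 and 6 before bringing the interface up, added here as an example and not part of the original notes. The function name `wg_conf_lint` and its finding messages are made up for illustration; it flags a config accessible to group/other, key placeholders left unfilled, and peers that share a PublicKey or an AllowedIPs entry.

```shell
#!/bin/sh
# Added example, not from the original notes. wg_conf_lint FILE prints one
# finding per line and returns 1 if there are any, 0 if the file is clean.
wg_conf_lint() {
    conf=$1
    findings=$(
        # The file holds a private key: group/other need no access at all
        # (the result "umask 077" in step 4 gives newly created files).
        perms=$(ls -lL "$conf" | cut -c5-10)
        [ "$perms" = "------" ] || echo "mode: $conf is accessible to group/other"
        awk '
            # Drop comments and surrounding whitespace, skip empty lines.
            { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
            $0 == "" { next }
            /^\[/ { section = tolower($0); if (section == "[peer]") peer++; next }
            {
                key = $0; sub(/[ \t]*=.*/, "", key); key = tolower(key)
                val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            }
            # Template text such as "<client public key>" left in place.
            key ~ /^(privatekey|publickey)$/ && val ~ /^</ {
                print "placeholder: " key " in " section " still holds " val; next
            }
            # A peer is identified by its public key, so two sections with the
            # same key describe one peer, not two clients.
            section == "[peer]" && key == "publickey" {
                if (val in seen_key) print "duplicate PublicKey: peers " seen_key[val] " and " peer
                else seen_key[val] = peer
            }
            # Each allowed IP maps to one peer; a repeated entry moves the
            # address to the later peer and the earlier one loses it.
            section == "[peer]" && key == "allowedips" {
                n = split(val, nets, /[ \t]*,[ \t]*/)
                for (i = 1; i <= n; i++) {
                    if (nets[i] in seen_ip)
                        print "duplicate AllowedIPs " nets[i] ": peers " seen_ip[nets[i]] " and " peer
                    else seen_ip[nets[i]] = peer
                }
            }
        ' "$conf"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as `wg_conf_lint /etc/wireguard/wg0.conf`; peers are numbered in the order their [Peer] sections appear in the file.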

7. Enable wireguard, start as service

systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0

7. Or start wireguard as a process instead of a service

wg-quick up wg0

8. To check that the wireguard kernel module loads:

modprobe wireguard

8. To check default interface name:

ip route list default

9. Generate QR code with keys:

apt install qrencode
qrencode -t ansiutf8 -r wg-client.conf

Save as png (the image encodes the client private key, so store it like the key itself):

qrencode -t png -o client-qr.png -r wg-client.conf
