|
|
@@ -0,0 +1,100 @@ |
|
|
Install WireGuard via whatever package manager you use. For me, I use apt. |
|
|
|
|
|
$ sudo add-apt-repository ppa:wireguard/wireguard |
|
|
$ sudo apt-get update |
|
|
$ sudo apt-get install wireguard |
|
|
|
|
|
MacOS |
|
|
$ brew install wireguard-tools |
|
|
|
|
|
Generate key your key pairs. The key pairs are just that, key pairs. They can be |
|
|
generated on any device, as long as you keep the private key on the source and |
|
|
place the public on the destination. |
|
|
|
|
|
$ wg genkey | tee privatekey | wg pubkey > publickey |
|
|
example privatekey - mNb7OIIXTdgW4khM7OFlzJ+UPs7lmcWHV7xjPgakMkQ= |
|
|
example publickey - 0qRWfQ2ihXSgzUbmHXQ70xOxDd7sZlgjqGSPA9PFuHg= |
|
|
|
|
|
Take the above private key, and place it in the server. And conversely, put the public key on the peer. Generate a second key pair, and do the opposite, put the public on the server and the private on the peer. |
|
|
|
|
|
On the server, create a conf file - /etc/wireguard/wg0.conf (These are examples, so use whatever IP ranges and CIDR blocks that will work for your network. |
|
|
################################ |
|
|
[Interface] |
|
|
Address = 10.0.0.1/24 |
|
|
DNS = 1.1.1.1 |
|
|
PrivateKey = [ServerPrivateKey] |
|
|
ListenPort = 51820 |
|
|
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp9s0 -j MASQUERADE |
|
|
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp9s0 -j MASQUERADE |
|
|
|
|
|
[Peer] |
|
|
#Peer #1 |
|
|
PublicKey = [Peer#1PublicKey] |
|
|
AllowedIPs = 10.0.0.3/32 |
|
|
|
|
|
[Peer] |
|
|
#Peer #2 |
|
|
PublicKey = [Peer#2PublicKey] |
|
|
AllowedIPs = 10.0.0.10/32 |
|
|
|
|
|
[Peer] |
|
|
#Peer #3 |
|
|
PublicKey = [Peer#3PublicKey] |
|
|
AllowedIPs = 10.0.0.2/32 |
|
|
|
|
|
[Peer] |
|
|
#Peer #4 |
|
|
PublicKey = [Peer#4PublicKey] |
|
|
AllowedIPs = 10.0.0.11/32 |
|
|
################################## |
|
|
|
|
|
On each client, define a /etc/wireguard/wg0.conf - |
|
|
|
|
|
################################### |
|
|
[Interface] |
|
|
Address = 10.0.0.3/24 |
|
|
PrivateKey = [PrivateKeyPeer#1] |
|
|
|
|
|
[Peer] |
|
|
PublicKey = [ServerPublicKey] |
|
|
Endpoint = some.domain.com:51820 |
|
|
AllowedIPs = 0.0.0.0/0 |
|
|
|
|
|
# This is for if you're behind a NAT and |
|
|
# want the connection to be kept alive. |
|
|
PersistentKeepalive = 25 |
|
|
######################################## |
|
|
|
|
|
sudo wg show |
|
|
######################################### |
|
|
peer: Peer #1 |
|
|
endpoint: 192.168.2.1:50074 |
|
|
allowed ips: 10.0.0.2/32 |
|
|
latest handshake: 4 minutes, 16 seconds ago |
|
|
transfer: 57.58 KiB received, 113.32 KiB sent |
|
|
|
|
|
peer: Peer #2 |
|
|
endpoint: 99.203.28.43:36770 |
|
|
allowed ips: 10.0.0.10/32 |
|
|
latest handshake: 5 minutes, 30 seconds ago |
|
|
transfer: 92.98 KiB received, 495.89 KiB sent |
|
|
################################################## |
|
|
|
|
|
Start/stop interface |
|
|
wg-quick up wg0 |
|
|
wg-quick down wg0 |
|
|
|
|
|
Start/stop service |
|
|
$ sudo systemctl stop [email protected] |
|
|
$ sudo systemctl start [email protected] |
|
|
|
|
|
Instead of having to modify the file for every client you want to add to the server you could also use the wg tool instead: |
|
|
|
|
|
# add peer |
|
|
wg set wg0 peer <client_pubkey> allowed-ips 10.0.0.x/32 |
|
|
|
|
|
# verify connection |
|
|
wg |
|
|
|
|
|
# save to config |
|
|
wg-quick save wg0 |
chrisswanda revised this gist