Skip to content

Instantly share code, notes, and snippets.

@etiennetremel

etiennetremel/README.md

Last active October 26, 2025 14:09
Show Gist options
  • Save etiennetremel/a90d898103b0d3e450bc53d428a47e91 to your computer and use it in GitHub Desktop.
Save etiennetremel/a90d898103b0d3e450bc53d428a47e91 to your computer and use it in GitHub Desktop.
Download ZIP
Simple Wireguard setup as VPN server and multiple clients
Raw
README.md

Simple WireGuard configuration

1 server, 2 clients

Getting started

Install Wireguard on all machines.

Generate all keys

$ wg genkey > server_privatekey
$ wg pubkey < server_privatekey > server_publickey_client1
$ wg pubkey < server_privatekey > server_publickey_client2
$ wg genkey | tee client1_privatekey | wg pubkey > client1_publickey
$ wg genkey | tee client2_privatekey | wg pubkey > client2_publickey

Start

$ wg-quick up wg0

Stop

$ wg-quick down wg0

Check status

$ wg show
interface: wg0
  public key: <SERVER PUBLIC KEY>
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: <CLIENT 1 PUBLIC KEY>
  endpoint: ...
  allowed ips: 10.100.0.2/32
  latest handshake: 4 seconds ago
  transfer: 21.11 KiB received, 38.92 KiB sent

peer: <CLIENT 2 PUBLIC KEY>
  endpoint: ...
  allowed ips: 10.100.0.3/32
  latest handshake: 9 seconds ago
  transfer: 911.10 KiB received, 2.57 MiB sent
Raw
client1-wg0.conf
[Interface]
Address = 10.100.0.2/32
PrivateKey = <CLIENT 1 PRIVATE KEY>
DNS = 10.100.0.1
[Peer]
PublicKey = <SERVER PUBLIC KEY>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <SERVER PUBLIC IP>:51820
Raw
client2-wg0.conf
[Interface]
Address = 10.100.0.3/32
PrivateKey = <CLIENT 2 PRIVATE KEY>
DNS = 10.100.0.1
[Peer]
PublicKey = <SERVER PUBLIC KEY>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <SERVER PUBLIC IP>:51820
Raw
postdown.sh
#!/usr/bin/env bash
set -ex
# Traffic forwarding
iptables -D FORWARD -i %i -j ACCEPT
iptables -D FORWARD -o %i -j ACCEPT
# Nat
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# DNS
iptables -D INPUT -s 10.100.0.1/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -D INPUT -s 10.100.0.1/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
Raw
postup.sh
#!/usr/bin/env bash
set -ex
# Traffic forwarding
iptables -A FORWARD -i %i -j ACCEPT
iptables -A FORWARD -o %i -j ACCEPT
# Nat
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# DNS
iptables -A INPUT -s 10.100.0.1/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 10.100.0.1/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
Raw
server-wg0.conf
[Interface]
Address = 10.100.0.1/24
SaveConfig = true
PostUp = /etc/wireguard/postup.sh
PostDown = /etc/wireguard/postdown.sh
ListenPort = 51820
FwMark = 0xca6c
PrivateKey = <SERVER PRIVATE KEY>
[Peer]
PublicKey = <CLIENT 1 PUBLIC KEY>
AllowedIPs = 10.100.0.2/32
[Peer]
PublicKey = <CLIENT 2 PUBLIC KEY>
AllowedIPs = 10.100.0.3/32
@johnaaronrose
Copy link

I'm using Ubuntu 24.04 and following instructions at Install Wireguard on 24.04 I want multiple clients. So I've created a conf file for each client with different Address e.g.

[Interface]
PrivateKey = ***   # Client-Private-Key
Address = 10.8.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = ***     # Server-Public-Key
AllowedIPs = 0.0.0.0/0
Endpoint = roseserver.mywire.org:51820
PersistentKeepalive = 15

My wg0.conf file has different AllowedIPs for each client:

[Interface]
Address = 10.8.0.1/24
SaveConfig = true
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = ***
[Peer]
PublicKey =***
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = ***
AllowedIPs = 10.8.0.3/32

The wg-quick@wg0 service starts Ok and shows Status except that it displays:

Aug 06 13:51:43 raspberrypi systemd[1]: Finished [email protected] - WireGuard via wg-quick(8) for wg0"

Also, the wg0.conf file is changed with one of the Allowed IPs being removed!

I have tried to find a channel for WireGuards issues without success.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment