komuw · November 3, 2025 12:55 · Aug 5, 2025 · Aug 5, 2025 · Aug 5, 2025 · Jun 29, 2025
diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -57,7 +57,10 @@ sysctl --system
 ```bash
 apt -y update && \
 apt -y install wireguard 
+
 # apt -y install openresolv # may be required if wg is unable to start
+#     if using a custom local dns-server(eg, dnscrypt), 
+#     u do not need to install openresolv; just comment out the `DNS=` line.
 ```
 
 ```bash
@@ -97,6 +100,8 @@ journalctl -xf -n10 -u [email protected]
 sudo wg
 ```
 **NB:** you may have to install `apt-get -y install openresolv` if wire-guard is unable to start
+        if using a custom local dns-server(eg, dnscrypt), 
+        u do not need to install openresolv; just comment out the `DNS=` line.
 
 ### IV. edit configs   
 to edit `/etc/wireguard/wg0.conf` you need to; 

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -25,24 +25,27 @@ wg genkey | tee ServerPrivatekey | wg pubkey > ServerPublickey
 `cat /etc/wireguard/wg0.conf`  
 ```bash
 [Interface]
-Address = 192.168.3.1/24, fd86:ea04:1115::1/64
+Address = 192.168.3.1/24, fd86:ea04:1115::1/64 # server-IPs
 ListenPort = 5555
-PrivateKey = <ServerPrivatekey>
+PrivateKey = <value-of-ServerPrivatekey>
 # the following two lines may not be neccesary
 # If you only want to create a tunnel but not forward all your traffic through the server you can skip those.
 # todo: use SNAT instead of MASQUERADE; it's faster. https://jamesmcm.github.io/blog/no-ipv4/
 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 # eth0 is the servers public interface. You can find what yours is by;
 # ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1
+PostUp = echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
+PostUp = echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 
 [Peer]
-PublicKey = <ClientPublickey>
-AllowedIPs = 192.168.3.2/32
+PublicKey = <value-of-ClientPublickey>
+AllowedIPs = 192.168.3.2/32, fd86:ea04:1115::2/64 # client-IPs
 ```
 
 ```bash
-# enable packet forwarding
+# Enable packet forwarding
+# This is only needed if wireguard config does not have the `PostUp = echo 1 > /proc/sys/net/ipv4/conf/all/forwarding` stuff
 echo "net.ipv4.ip_forward = 1
 net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/wg.conf
 
@@ -64,21 +67,25 @@ wg genkey | tee ClientPrivatekey | wg pubkey > ClientPublickey
 `cat /etc/wireguard/wg0.conf`
 ```bash
 [Interface]
-Address = 192.168.3.2/32
+Address = 192.168.3.2/32, fd86:ea04:1115::2/64 # client-IPs
 ListenPort = 5555
-PrivateKey = <ClientPrivatekey>
-# or use a dns server from uk; https://public-dns.info/nameserver/gb.html
-# or use <ServerPublicIPadress>
-DNS = 1.1.1.1
+PrivateKey = <value-of-ClientPrivatekey>
+# For DNS you can;
+#   (a) use a dns server from uk; https://public-dns.info/nameserver/gb.html
+#   (b) use <ServerPublicIPadress>
+#   (c) use google(8.8.8.8)
+#   (d) comment it out. This is good if u r using a custom local dns-server like dnscrypt-proxy
+DNS = 1.1.1.1, 8.8.8.8
 # the following two lines may not be neccesary
 PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
 PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
 
 [Peer]
-PublicKey = <ServerPublickey>
+PublicKey = <value-of-ServerPublickey>
 # This can be narrowed down if you only want some traffic to go over VPN.
 AllowedIPs = 0.0.0.0/0, ::/0
 Endpoint = <ServerPublicIPadress>:5555
+PersistentKeepalive = 180 # Optional. Needed for clients behind NAT.
 ```
 
 ### III. START/STOP

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -9,9 +9,8 @@
 
 **NB;**  
 - the private IP address `192.168.3.XX` doesn't have to be an IP you own.  
-create a new vps/ip on ua cloud provider and check IP location on https://www.whatismyip.com/ip-address-lookup   
+- Create a new vps/ip on ua cloud provider and check IP location on https://www.whatismyip.com/ip-address-lookup   
 it should show location as the location u want.     
-- this requires at least ubuntu 19.10
 
 ### I. SERVER
 ```bash

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -4,6 +4,7 @@
 3. https://angristan.xyz/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/    
 4. https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
 5. https://www.procustodibus.com/blog/2020/10/wireguard-topologies/
+6. https://jamesmcm.github.io/blog/no-ipv4/ (use SNAT instead of MASQUERADE; it's faster)
 
 
 **NB;**  
@@ -30,6 +31,7 @@ ListenPort = 5555
 PrivateKey = <ServerPrivatekey>
 # the following two lines may not be neccesary
 # If you only want to create a tunnel but not forward all your traffic through the server you can skip those.
+# todo: use SNAT instead of MASQUERADE; it's faster. https://jamesmcm.github.io/blog/no-ipv4/
 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 # eth0 is the servers public interface. You can find what yours is by;

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -3,6 +3,7 @@
 2. https://gist.github.com/nealfennimore/92d571db63404e7ddfba660646ceaf0d    
 3. https://angristan.xyz/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/    
 4. https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
+5. https://www.procustodibus.com/blog/2020/10/wireguard-topologies/
 
 
 **NB;**  

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -39,8 +39,8 @@ PublicKey = <ClientPublickey>
 AllowedIPs = 192.168.3.2/32
 ```
 
-# enable packet forwarding
 ```bash
+# enable packet forwarding
 echo "net.ipv4.ip_forward = 1
 net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/wg.conf
 

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -38,12 +38,14 @@ PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING
 PublicKey = <ClientPublickey>
 AllowedIPs = 192.168.3.2/32
 ```
-`cat /etc/sysctl.conf`
+
+# enable packet forwarding
 ```bash
-net.ipv4.ip_forward = 1
-net.ipv6.conf.all.forwarding = 1
+echo "net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/wg.conf
+
+sysctl --system
 ```
-`sysctl -p` # to enable packet forwarding
 
 
 ### II. CLIENT

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -94,6 +94,7 @@ to edit `/etc/wireguard/wg0.conf` you need to;
 - c. restart wg  
 
 **NB:** edits made while wg is still running may not be persisted   
+**NB:** check dns leaks at https://mullvad.net/en/check
 **NB:** regarding dns leaks. I had a chat on the wireguard irc and;  
 ```bash
 

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -2,6 +2,7 @@
 1. https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/     
 2. https://gist.github.com/nealfennimore/92d571db63404e7ddfba660646ceaf0d    
 3. https://angristan.xyz/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/    
+4. https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
 
 
 **NB;**  

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -1,6 +1,7 @@
 #### DOCS:    
 1. https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/     
 2. https://gist.github.com/nealfennimore/92d571db63404e7ddfba660646ceaf0d    
+3. https://angristan.xyz/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/    
 
 
 **NB;**  

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -29,6 +29,8 @@ PrivateKey = <ServerPrivatekey>
 # If you only want to create a tunnel but not forward all your traffic through the server you can skip those.
 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+# eth0 is the servers public interface. You can find what yours is by;
+# ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1
 
 [Peer]
 PublicKey = <ClientPublickey>

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -1,4 +1,7 @@
-#### DOCS: https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/
+#### DOCS:    
+1. https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/     
+2. https://gist.github.com/nealfennimore/92d571db63404e7ddfba660646ceaf0d    
+
 
 **NB;**  
 - the private IP address `192.168.3.XX` doesn't have to be an IP you own.  
@@ -53,7 +56,7 @@ wg genkey | tee ClientPrivatekey | wg pubkey > ClientPublickey
 `cat /etc/wireguard/wg0.conf`
 ```bash
 [Interface]
-Address = 192.168.3.2
+Address = 192.168.3.2/32
 ListenPort = 5555
 PrivateKey = <ClientPrivatekey>
 # or use a dns server from uk; https://public-dns.info/nameserver/gb.html

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -42,7 +42,8 @@ net.ipv6.conf.all.forwarding = 1
 ### II. CLIENT
 ```bash
 apt -y update && \
-apt -y install wireguard
+apt -y install wireguard 
+# apt -y install openresolv # may be required if wg is unable to start
 ```
 
 ```bash

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -41,7 +41,6 @@ net.ipv6.conf.all.forwarding = 1
 
 ### II. CLIENT
 ```bash
-sudo add-apt-repository ppa:wireguard/wireguard -y && \
 apt -y update && \
 apt -y install wireguard
 ```

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -1,12 +1,13 @@
 #### DOCS: https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/
 
-**NB;**  the private IP address `192.168.3.XX` doesn't have to be an IP you own.  
+**NB;**  
+- the private IP address `192.168.3.XX` doesn't have to be an IP you own.  
 create a new vps/ip on ua cloud provider and check IP location on https://www.whatismyip.com/ip-address-lookup   
-it should show location as the location u want.   
+it should show location as the location u want.     
+- this requires at least ubuntu 19.10
 
 ### I. SERVER
 ```bash
-sudo add-apt-repository ppa:wireguard/wireguard -y && \
 apt -y update && \
 apt -y install wireguard
 ```

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -18,7 +18,7 @@ wg genkey | tee ServerPrivatekey | wg pubkey > ServerPublickey
 `cat /etc/wireguard/wg0.conf`  
 ```bash
 [Interface]
-Address = 192.168.3.1/24
+Address = 192.168.3.1/24, fd86:ea04:1115::1/64
 ListenPort = 5555
 PrivateKey = <ServerPrivatekey>
 # the following two lines may not be neccesary

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -64,6 +64,7 @@ PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m ad
 
 [Peer]
 PublicKey = <ServerPublickey>
+# This can be narrowed down if you only want some traffic to go over VPN.
 AllowedIPs = 0.0.0.0/0, ::/0
 Endpoint = <ServerPublicIPadress>:5555
 ```

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -87,12 +87,14 @@ to edit `/etc/wireguard/wg0.conf` you need to;
 **NB:** edits made while wg is still running may not be persisted   
 **NB:** regarding dns leaks. I had a chat on the wireguard irc and;  
 ```bash
+
 zx2c4:
   on the client, to fix dns leaks you can either
   1) not use debian/ubuntu
   2) add this "kill switch" to your config file:
   PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
   PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+
 amdj:
 - just settle for confirming that your query is being sent over wireguard and call it a day.
   this is easy with e.g. tcpdump, or you can enforce it with the rules zx2c4 gave you.

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -11,6 +11,7 @@ apt -y update && \
 apt -y install wireguard
 ```
 ```bash
+# this will generate server private key & public key
 wg genkey | tee ServerPrivatekey | wg pubkey > ServerPublickey
 ```
 
@@ -43,7 +44,9 @@ sudo add-apt-repository ppa:wireguard/wireguard -y && \
 apt -y update && \
 apt -y install wireguard
 ```
+
 ```bash
+# this will generate client private key & public key
 wg genkey | tee ClientPrivatekey | wg pubkey > ClientPublickey
 ```
 `cat /etc/wireguard/wg0.conf`

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -52,7 +52,9 @@ wg genkey | tee ClientPrivatekey | wg pubkey > ClientPublickey
 Address = 192.168.3.2
 ListenPort = 5555
 PrivateKey = <ClientPrivatekey>
-DNS = 1.1.1.1 # or use a dns server from uk; https://public-dns.info/nameserver/gb.html
+# or use a dns server from uk; https://public-dns.info/nameserver/gb.html
+# or use <ServerPublicIPadress>
+DNS = 1.1.1.1
 # the following two lines may not be neccesary
 PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
 PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -21,6 +21,7 @@ Address = 192.168.3.1/24
 ListenPort = 5555
 PrivateKey = <ServerPrivatekey>
 # the following two lines may not be neccesary
+# If you only want to create a tunnel but not forward all your traffic through the server you can skip those.
 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -6,8 +6,8 @@ it should show location as the location u want.
 
 ### I. SERVER
 ```bash
-sudo add-apt-repository ppa:wireguard/wireguard -y \
-apt -y update \
+sudo add-apt-repository ppa:wireguard/wireguard -y && \
+apt -y update && \
 apt -y install wireguard
 ```
 ```bash
@@ -38,8 +38,8 @@ net.ipv6.conf.all.forwarding = 1
 
 ### II. CLIENT
 ```bash
-sudo add-apt-repository ppa:wireguard/wireguard -y \
-apt -y update \
+sudo add-apt-repository ppa:wireguard/wireguard -y && \
+apt -y update && \
 apt -y install wireguard
 ```
 ```bash

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -6,7 +6,7 @@ it should show location as the location u want.
 
 ### I. SERVER
 ```bash
-sudo add-apt-repository -y ppa:wireguard/wireguard \
+sudo add-apt-repository ppa:wireguard/wireguard -y \
 apt -y update \
 apt -y install wireguard
 ```
@@ -38,7 +38,7 @@ net.ipv6.conf.all.forwarding = 1
 
 ### II. CLIENT
 ```bash
-sudo add-apt-repository -y ppa:wireguard/wireguard \
+sudo add-apt-repository ppa:wireguard/wireguard -y \
 apt -y update \
 apt -y install wireguard
 ```

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -19,10 +19,10 @@ wg genkey | tee ServerPrivatekey | wg pubkey > ServerPublickey
 [Interface]
 Address = 192.168.3.1/24
 ListenPort = 5555
+PrivateKey = <ServerPrivatekey>
 # the following two lines may not be neccesary
 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
-PrivateKey = <ServerPrivatekey>
 
 [Peer]
 PublicKey = <ClientPublickey>

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -19,6 +19,7 @@ wg genkey | tee ServerPrivatekey | wg pubkey > ServerPublickey
 [Interface]
 Address = 192.168.3.1/24
 ListenPort = 5555
+# the following two lines may not be neccesary
 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 PrivateKey = <ServerPrivatekey>
@@ -51,6 +52,7 @@ Address = 192.168.3.2
 ListenPort = 5555
 PrivateKey = <ClientPrivatekey>
 DNS = 1.1.1.1 # or use a dns server from uk; https://public-dns.info/nameserver/gb.html
+# the following two lines may not be neccesary
 PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
 PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
 

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -68,6 +68,7 @@ systemctl status wg-quick@wg0
 journalctl -xf -n10 -u [email protected]
 sudo wg
 ```
+**NB:** you may have to install `apt-get -y install openresolv` if wire-guard is unable to start
 
 ### IV. edit configs   
 to edit `/etc/wireguard/wg0.conf` you need to; 

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -1,6 +1,6 @@
 #### DOCS: https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/
 
-**NB;**  the private IP address 192.168.3.XX doesn't have to be an IP you own.  
+**NB;**  the private IP address `192.168.3.XX` doesn't have to be an IP you own.  
 create a new vps/ip on ua cloud provider and check IP location on https://www.whatismyip.com/ip-address-lookup   
 it should show location as the location u want.   
 

diff --git a/setup_wireguard.md b/setup_wireguard.md
@@ -5,17 +5,17 @@ create a new vps/ip on ua cloud provider and check IP location on https://www.wh
 it should show location as the location u want.   
 
 ### I. SERVER
-```sh
+```bash
 sudo add-apt-repository -y ppa:wireguard/wireguard \
 apt -y update \
 apt -y install wireguard
 ```
-```sh
+```bash
 wg genkey | tee ServerPrivatekey | wg pubkey > ServerPublickey
 ```
 
 `cat /etc/wireguard/wg0.conf`  
-```sh
+```bash
 [Interface]
 Address = 192.168.3.1/24
 ListenPort = 5555
@@ -28,24 +28,24 @@ PublicKey = <ClientPublickey>
 AllowedIPs = 192.168.3.2/32
 ```
 `cat /etc/sysctl.conf`
-```sh
+```bash
 net.ipv4.ip_forward = 1
 net.ipv6.conf.all.forwarding = 1
 ```
 `sysctl -p` # to enable packet forwarding
 
 
 ### II. CLIENT
-```sh
+```bash
 sudo add-apt-repository -y ppa:wireguard/wireguard \
 apt -y update \
 apt -y install wireguard
 ```
-```sh
+```bash
 wg genkey | tee ClientPrivatekey | wg pubkey > ClientPublickey
 ```
 `cat /etc/wireguard/wg0.conf`
-```sh
+```bash
 [Interface]
 Address = 192.168.3.2
 ListenPort = 5555
@@ -61,7 +61,7 @@ Endpoint = <ServerPublicIPadress>:5555
 ```
 
 ### III. START/STOP
-```sh
+```bash
 systemctl stop wg-quick@wg0
 systemctl start wg-quick@wg0
 systemctl status wg-quick@wg0
@@ -77,7 +77,7 @@ to edit `/etc/wireguard/wg0.conf` you need to;
 
 **NB:** edits made while wg is still running may not be persisted   
 **NB:** regarding dns leaks. I had a chat on the wireguard irc and;  
-```sh
+```bash
 zx2c4:
   on the client, to fix dns leaks you can either
   1) not use debian/ubuntu

diff --git a/setup_wireguard.sh → setup_wireguard.md b/setup_wireguard.sh → setup_wireguard.md
@@ -1,16 +1,21 @@
-
-## DOCS: https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/
-NB;  the private IP address 192.168.3.XX doesn't have to be an IP you own.
-
-create a new vps/ip on ua cloud provider and check IP location on https://www.whatismyip.com/ip-address-lookup
-it should show location as the location u want.
-
-I. SERVER
-sudo add-apt-repository -y ppa:wireguard/wireguard; apt -y update; apt -y install wireguard
+#### DOCS: https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/
+
+**NB;**  the private IP address 192.168.3.XX doesn't have to be an IP you own.  
+create a new vps/ip on ua cloud provider and check IP location on https://www.whatismyip.com/ip-address-lookup   
+it should show location as the location u want.   
+
+### I. SERVER
+```sh
+sudo add-apt-repository -y ppa:wireguard/wireguard \
+apt -y update \
+apt -y install wireguard
+```
+```sh
 wg genkey | tee ServerPrivatekey | wg pubkey > ServerPublickey
+```
 
-
-cat /etc/wireguard/wg0.conf 
+`cat /etc/wireguard/wg0.conf`  
+```sh
 [Interface]
 Address = 192.168.3.1/24
 ListenPort = 5555
@@ -21,20 +26,26 @@ PrivateKey = <ServerPrivatekey>
 [Peer]
 PublicKey = <ClientPublickey>
 AllowedIPs = 192.168.3.2/32
-
-
-cat /etc/sysctl.conf
+```
+`cat /etc/sysctl.conf`
+```sh
 net.ipv4.ip_forward = 1
 net.ipv6.conf.all.forwarding = 1
+```
+`sysctl -p` # to enable packet forwarding
 
-sysctl -p # to enable packet forwarding
 
-II. CLIENT
-sudo add-apt-repository -y ppa:wireguard/wireguard; apt -y update; apt -y install wireguard
+### II. CLIENT
+```sh
+sudo add-apt-repository -y ppa:wireguard/wireguard \
+apt -y update \
+apt -y install wireguard
+```
+```sh
 wg genkey | tee ClientPrivatekey | wg pubkey > ClientPublickey
-
-cat /etc/wireguard/wg0.conf 
-
+```
+`cat /etc/wireguard/wg0.conf`
+```sh
 [Interface]
 Address = 192.168.3.2
 ListenPort = 5555
@@ -47,31 +58,32 @@ PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m ad
 PublicKey = <ServerPublickey>
 AllowedIPs = 0.0.0.0/0, ::/0
 Endpoint = <ServerPublicIPadress>:5555
+```
 
-
-III. START/STOP
+### III. START/STOP
+```sh
 systemctl stop wg-quick@wg0
 systemctl start wg-quick@wg0
 systemctl status wg-quick@wg0
 journalctl -xf -n10 -u [email protected]
 sudo wg
+```
 
-IV. edit configs
+### IV. edit configs   
+to edit `/etc/wireguard/wg0.conf` you need to; 
+- a. stop wg
+- b. edit files
+- c. restart wg  
 
-to edit /etc/wireguard/wg0.conf you need to
-a. stop wg
-b. edit files
-c. restart wg
-NB: edits made while wg is still running may not be persisted
-
-NB: regarding dns leaks. I had a chat on the wireguard irc and;
+**NB:** edits made while wg is still running may not be persisted   
+**NB:** regarding dns leaks. I had a chat on the wireguard irc and;  
+```sh
 zx2c4:
   on the client, to fix dns leaks you can either
   1) not use debian/ubuntu
   2) add this "kill switch" to your config file:
   PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
   PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
-
 amdj:
 - just settle for confirming that your query is being sent over wireguard and call it a day.
   this is easy with e.g. tcpdump, or you can enforce it with the rules zx2c4 gave you.
@@ -82,5 +94,6 @@ amdj:
 - the operators of authoritative nameservers can see the address of the recursor that's asking them questions. 
   if that recursor is running on your endpoint using an IP address registered to you (e.g. in whois data) then you've given your identity 
   away to every domain admin you do lookups for.
+```
+**NB:** zx2c4 is main author of wireguard   
 
-NB: zx2c4 is main author of wireguard
diff --git a/setup_wireguard.sh b/setup_wireguard.sh
@@ -2,6 +2,9 @@
 ## DOCS: https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/
 NB;  the private IP address 192.168.3.XX doesn't have to be an IP you own.
 
+create a new vps/ip on ua cloud provider and check IP location on https://www.whatismyip.com/ip-address-lookup
+it should show location as the location u want.
+
 I. SERVER
 sudo add-apt-repository -y ppa:wireguard/wireguard; apt -y update; apt -y install wireguard
 wg genkey | tee ServerPrivatekey | wg pubkey > ServerPublickey
No results found