Getting Started with WireGuard » Miguel Mota | Software Developer

<div id=""><a href="https://www.wireguard.com/" style="color: inherit; text-decoration: none;" name="readabilityLink-1">WireGuard</a><a href="#readabilityFootnoteLink-1" class="readability-DoNotFootnote" style="color: inherit;">[1]</a> is a relatively new VPN tunnel protocol that aims to be very fast and easy to setup. It follows the <a href="https://homepage.cs.uri.edu/~thenry/resources/unixart/ch01s06.html" style="color: inherit; text-decoration: none;" name="readabilityLink-2">Unix Philosophy</a><a href="#readabilityFootnoteLink-2" class="readability-DoNotFootnote" style="color: inherit;">[2]</a> closely in that it only does one thing (creating secured VPN tunnels) and does it well.If you’ve ever set up an VPN service such as <a href="https://github.com/OpenVPN/openvpn" style="color: inherit; text-decoration: none;" name="readabilityLink-3">OpenVPN</a><a href="#readabilityFootnoteLink-3" class="readability-DoNotFootnote" style="color: inherit;">[3]</a> before then you know that it can get complicated because of all the steps you have to go through such as generating certificate authorities, issuing server and client keys and certificates, setting up multiple configuration files, configuring firewall rules, setting up route traffic forwarding, etc. which can either be dreadful or daunting. WireGuard is changing all that by simplifying the process of getting up and running in no time and allowing for easy configuration to connect multiple clients (peers).<h3 id="why-use-wireguard">Why use WireGuard?</h3><ul><li>A VPN helps protect you from man in the middle attacks.</li><li>Protect your privacy against ISPs that snoop into your traffic.</li><li>Get around internet censorship in countries.</li></ul>Advantages of WireGuard over other VPNs:<ul><li>It’s kernel-based; improved performance.</li><li>Establishes connections in less than 100ms.</li><li>Small footprint; can be ran in virtually any device, ie. embedded devices.</li><li>Easy to configure and deploy as SSH; reduces attack surface since there’s less complexity.</li><li>Uses modern and improved <a href="https://en.wikipedia.org/wiki/WireGuard#Protocol" style="color: inherit; text-decoration: none;" name="readabilityLink-4">cryptographic standards</a><a href="#readabilityFootnoteLink-4" class="readability-DoNotFootnote" style="color: inherit;">[4]</a>.</li><li>Simple handshake occurring every few minutes to ensure connection secrecy.</li><li>IP roaming support meaning you can change wifi networks or disconnect from wifi or celluar and the VPN tunnel connection won’t be lost. It just works!</li></ul><h3 id="what-well-be-going-over">What we’ll be going over</h3>This post assumes that you’ve never installed a VPN service before and we’ll be using an Ubuntu machine since it’s the most popular distro.This post is pretty verbose! but you can skip to the <a href="#tldr" style="color: inherit; text-decoration: none;" name="readabilityLink-5">TLDR;</a><a href="#readabilityFootnoteLink-5" class="readability-DoNotFootnote" style="color: inherit;">[5]</a> to see the final scripts and configuration files used if you’re familiar with the concepts already.The steps outlined in this post are:<ol><li><a href="#setting-up-a-server" style="color: inherit; text-decoration: none;" name="readabilityLink-6">Setting up a server</a><a href="#readabilityFootnoteLink-6" class="readability-DoNotFootnote" style="color: inherit;">[6]</a></li><li><a href="#installing-wireguard-on-server" style="color: inherit; text-decoration: none;" name="readabilityLink-7">Installing WireGuard on server</a><a href="#readabilityFootnoteLink-7" class="readability-DoNotFootnote" style="color: inherit;">[7]</a></li><li><a href="#generating-server-keys" style="color: inherit; text-decoration: none;" name="readabilityLink-8">Generating server keys</a><a href="#readabilityFootnoteLink-8" class="readability-DoNotFootnote" style="color: inherit;">[8]</a></li><li><a href="#creating-server-configuration-file" style="color: inherit; text-decoration: none;" name="readabilityLink-9">Creating server configuration file</a><a href="#readabilityFootnoteLink-9" class="readability-DoNotFootnote" style="color: inherit;">[9]</a></li><li><a href="#enabling-ip-forwarding-on-server" style="color: inherit; text-decoration: none;" name="readabilityLink-10">Enabling IP forwarding on server</a><a href="#readabilityFootnoteLink-10" class="readability-DoNotFootnote" style="color: inherit;">[10]</a></li><li><a href="#installing-wireguard-on-client" style="color: inherit; text-decoration: none;" name="readabilityLink-11">Installing WireGuard on client</a><a href="#readabilityFootnoteLink-11" class="readability-DoNotFootnote" style="color: inherit;">[11]</a></li><li><a href="#generating-client-keys" style="color: inherit; text-decoration: none;" name="readabilityLink-12">Generating client keys</a><a href="#readabilityFootnoteLink-12" class="readability-DoNotFootnote" style="color: inherit;">[12]</a></li><li><a href="#creating-client-configuration-file" style="color: inherit; text-decoration: none;" name="readabilityLink-13">Creating client configuration file</a><a href="#readabilityFootnoteLink-13" class="readability-DoNotFootnote" style="color: inherit;">[13]</a></li><li><a href="#setting-client-info-on-server-config" style="color: inherit; text-decoration: none;" name="readabilityLink-14">Setting client info on server config</a><a href="#readabilityFootnoteLink-14" class="readability-DoNotFootnote" style="color: inherit;">[14]</a></li><li><a href="#starting-wireguard-service-on-server" style="color: inherit; text-decoration: none;" name="readabilityLink-15">Starting WireGuard service on server</a><a href="#readabilityFootnoteLink-15" class="readability-DoNotFootnote" style="color: inherit;">[15]</a></li><li><a href="#starting-wireguard-service-on-client" style="color: inherit; text-decoration: none;" name="readabilityLink-16">Starting WireGuard service on client</a><a href="#readabilityFootnoteLink-16" class="readability-DoNotFootnote" style="color: inherit;">[16]</a></li><li><a href="#connecting-a-mobile-client-to-server" style="color: inherit; text-decoration: none;" name="readabilityLink-17">Connecting a mobile client to server</a><a href="#readabilityFootnoteLink-17" class="readability-DoNotFootnote" style="color: inherit;">[17]</a></li></ol>Please note that in WireGuard land there is no “server” and “client” in the traditional sense. Rather, computers and devices connected to each other are known as “peers”. For simplicity sake, we’ll be using “server” to mean the hosted server that will be forwarding all our traffic to, and we’ll be using “client” to refer to the home computer that forwards all it’s traffic to the server.<h2 id="setting-up-a-server">Setting up a server</h2>I’ll be using a free tier EC2 micro instance from AWS for the example (and tearing down it afterwards). If you have an AWS account you can launch a new instance by going to:EC2 → Launch Instance → t2.micro with Ubuntu → Review and Launch → LaunchIn this example I’m running Ubuntu 18.04 (Bionic Beaver).<h2 id="installing-wireguard-on-server">Installing WireGuard on server</h2>To install wireguard on Ubuntu <19.04 run the following comands:<ol><li><code>sudo add-apt-repository ppa:wireguard/wireguard</code></li><li><code>sudo apt-get update</code></li><li><code>sudo apt-get install wireguard</code></li></ol>If your server is using a different distro then look at the WireGuard <a href="https://www.wireguard.com/install/" style="color: inherit; text-decoration: none;" name="readabilityLink-18">installation instructions</a><a href="#readabilityFootnoteLink-18" class="readability-DoNotFootnote" style="color: inherit;">[18]</a>.<div class="highlight" readability="11"><pre><code class="language-bash" data-lang="bash">ubuntu@ip-172-30-0-233:~$ sudo add-apt-repository ppa:wireguard/wireguard
WireGuard is a novel VPN that runs inside the Linux Kernel. This is the Ubuntu packaging for WireGuard. More info may be found at its website, listed below.

More info: https://www.wireguard.com/
Packages: wireguard wireguard-tools wireguard-dkms

Install with: $ apt install wireguard
More info: https://launchpad.net/~wireguard/+archive/ubuntu/wireguard
Press [ENTER] to continue or Ctrl-c to cancel adding it.

<truncated>

Fetched 18.5 MB in 4s (4840 kB/s)

ubuntu@ip-172-30-0-233:~$ sudo apt-get update
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:5 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic InRelease
Reading package lists... Done

ubuntu@ip-172-30-0-233:~$ sudo apt-get install wireguard
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:

<truncated>

update-alternatives: using /usr/bin/g++ to provide /usr/bin/c++ (c++) in auto mode
Setting up build-essential (12.4ubuntu1) ...
Setting up wireguard-dkms (1.0.20200401-1ubuntu1~18.04) ...
Loading new wireguard-1.0.20200401 DKMS files...
Building for 4.15.0-1057-aws
Building initial module for 4.15.0-1057-aws
Done.

wireguard:
Running module version sanity check.
- Original module
- No original module exists within this kernel
- Installation
- Installing to /lib/modules/4.15.0-1057-aws/updates/dkms/

depmod...

DKMS: install completed.
Setting up wireguard (1.0.20200319-0ppa1~18.04) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
</code></pre></div>Let’s launch a shell as <code>root</code> with <code>sudo -s</code> to avoid having to type sudo every time from now on:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">ubuntu@ip-172-30-0-233:~$ sudo -s
root@ip-172-30-0-233:~#
</code></pre></div>Run <code>wg</code> to check if installation was successful which should not output anything if everything is OK:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard/keys# wg
root@ip-172-30-0-233:/etc/wireguard/keys#
</code></pre></div>The two WireGuard commands we’ll be using are:<ul><li><code>wg</code> for configuring WireGuard interfaces.</li><li><code>wg-quick</code> for starting and stopping WireGuard VPN tunnels.</li></ul><h2 id="generating-server-keys">Generating server keys</h2>WireGuard configuration files will live under <code>/etc/wireguard/</code> so let’s create a directory named <code>keys</code> there to store the keys we’ll generate:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:~# mkdir /etc/wireguard/keys
</code></pre></div>Go into the <code>/etc/wireguard/keys/</code> directory:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:~# cd /etc/wireguard/keys
</code></pre></div>Set the directory user mask to <code>077</code> by running <code>umask 077</code>. A umask of 077 allows read, write, and execute permissions for the file’s owner (root in this case), but prohibits read, write, and execute permissions for everyone else and makes sure credentials don’t leak in a race condition:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard/keys# umask 077
</code></pre></div>WireGuard uses asymmetric public/private Curve25519 key pairs for authentication between client and server.Use the <code>wg genkey</code> command to generate a private key. We can generate both the private and public key at once by piping the private key output to <code>tee</code> to save it to file but also to forward the private key to <code>wg publickey</code> which derived the public key from a private key and the save it to a file.So the command to run is <code>wg genkey | tee privatekey | wg pubkey > publickey</code> to generate the key pair at once:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard/keys# wg genkey | tee privatekey | wg pubkey > publickey
</code></pre></div>If we do an <code>ls</code> we see there’s a <code>privatekey</code> and <code>publickey</code> file:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard/keys# ls
privatekey publickey
</code></pre></div>Outputting the contents of the private key file shows us the random key it generated in base64 format:<div class="highlight" readability="8"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard/keys# cat privatekey
wIObajifv6U2emcZsAGNZbbWzkyrs84EEyr+bgmlB3M=
</code></pre></div>Likewise the public key it derived from the private key is in base64 format:<div class="highlight" readability="8"><pre><code class="language-fallback" data-lang="fallback">root@ip-172-30-0-233:/etc/wireguard/keys# cat publickey
H6StMJOYIjfqhDvG9v46DSX9UlQl52hOoUm7F3COxC4=
</code></pre></div>We’ll be needing the private key for the WireGuard server configuration, and the public key for the client configuration.<h3 id="creating-server-configuration-file">Creating server configuration file</h3>Go into the <code>/etc/wireguard/</code> directory and create a new file <code>wg0.conf</code>. WireGuard will create a new network interface named the same as the filename so it’s common convention to denote the first WireGuard network interface as <code>wg0</code> for context:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard# touch /etc/wireguard/wg0.conf
</code></pre></div>Open up the server configuration file <code>/etc/wireguard/wg0.conf</code> in your favorite editor:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard# vim /etc/wireguard/wg0.conf
</code></pre></div>Paste the following configuration into the new config file:<div class="highlight" readability="7"><pre><code class="language-ini" data-lang="ini">[Interface]
PrivateKey = <server private key>
Address = 10.0.0.1/24
ListenPort = 51820
</code></pre></div>The config files are in standard <a href="https://en.wikipedia.org/wiki/INIfile" style="color: inherit; text-decoration: none;" name="readabilityLink-19">INI</a><a href="#readabilityFootnoteLink-19" class="readability-DoNotFootnote" style="color: inherit;">[19]</a> format.Replace the <code>PrivateKey</code> value with the private key content you generated earlier:<div class="highlight" readability="8"><pre><code class="language-ini" data-lang="ini">[Interface]
PrivateKey = wIObajifv6U2emcZsAGNZbbWzkyrs84EEyr+bgmlB3M=
Address = 10.0.0.1/24
ListenPort = 51820
</code></pre></div>The address <code>10.0.0.1</code> was chosen because it’s an available private subnet on the server. If your server is using that IP range already, then pick a different address like <code>192.168.2.1</code> to avoid conflicts.The <code>[Interface]</code> section is for configuration the new WireGuard interface we are creating.<ul><li><code>PrivateKey</code> is your server’s private key.</li><li><code>Address</code> is the private network IP address range that we’re assigning to for this network interface.</li><li><code>ListenPort</code> is the host port to run the service on. This port will need to be publicly accessible. The port <code>51820</code> is the default port.</li></ul>Make sure to enable the port <code>51820</code> for <code>UDP</code> traffic. If using EC2 then you should allow it under the Security Group for the EC2 instance.EC2 instance → Security groups → Click on security group → Edit inbound rules → Add rules → Custom UDP → Port range: 51820 → Source: Anywhere → Save rulesThe rules immediately take effect.If your server is behind a NAT (which in our case it is because it’s on EC2 behind a VPC) then all traffic needs to be forwarded from the default interface to the WireGuard interface.To find out the name of the default interface run <code>ip route</code>:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard/keys# ip route | grep default | awk '{print $5}'
eth0
</code></pre></div>Now add forwarding rules for forwarding in the server configuration file using the <code>PostUp</code> and <code>PostDown</code> config settings where <code>PostUp</code> value command is ran when the WireGuard service starts and <code>PostDown</code> value command runs when the service is shutting down.<div class="highlight" readability="10"><pre><code class="language-ini" data-lang="ini">[Interface]
PrivateKey = wIObajifv6U2emcZsAGNZbbWzkyrs84EEyr+bgmlB3M=
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
</code></pre></div>The three iptable rules are:<ul><li><code>iptables -A FORWARD -i %i -j ACCEPT</code> for allowing inbound traffic received by the interface.</li><li><code>iptables -A FORWARD -o %i -j ACCEPT</code> for allowing outbound traffic from the interface.</li><li><code>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</code> for masking the private IP address of the interface with the external IP address of the default interface.</li></ul><h2 id="enabling-ip-forwarding-on-server">Enabling IP forwarding on server</h2>By default IP forwarding is disabled meaning that if the interface receives a packet that wasn’t intended for it then it’ll reject it. Since we need to pass on packets from one interface to another then we need to allow IP forwarding.Open up the file <code>/etc/sysctl.conf</code> for editing:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard# vim /etc/sysctl.conf
</code></pre></div>Allow forwarding of IP packets by uncommenting out the line <code>net.ipv4.ipforward=1</code> near line 28:<div class="highlight" readability="7"><pre><code class="language-ini" data-lang="ini"># Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ipforward=1
</code></pre></div>Run <code>sysctl -p</code> for the changes to take effect without requiring a reboot:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard# sysctl -p
net.ipv4.ipforward = 1
</code></pre></div>Confirm that IP forwarding is enabled by outputting the contents of <code>/proc/sys/net/ipv4/ipforward</code> which should return <code>1</code>:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard# cat /proc/sys/net/ipv4/ipforward
1
</code></pre></div>The server is almost fully configured. It’s only now missing information about the client so let’s set up the client next.<h2 id="installing-wireguard-on-client">Installing WireGuard on client</h2>Jump back to your client machine and install WireGuard. My client machine is running Arch linux but the process will be the same for most linux distros. If you’re running Ubuntu on the client then do the same install steps you did on the server above or look at the official WireGuard <a href="https://www.wireguard.com/install/" style="color: inherit; text-decoration: none;" name="readabilityLink-20">installation instructions</a><a href="#readabilityFootnoteLink-20" class="readability-DoNotFootnote" style="color: inherit;">[20]</a>.Ubuntu WireGuard install instructions:<div class="highlight" readability="8"><pre><code class="language-bash" data-lang="bash">$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard
</code></pre></div>If running Arch like I am, then these are the WireGuard install instructions:<div class="highlight" readability="7"><pre><code class="language-fallback" data-lang="fallback">$ sudo pacman -S wireguard-tools wireguard-dkms
</code></pre></div>Let’s launch a shell as <code>root</code> with <code>sudo -s</code> to avoid having to type sudo every time from now on:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">$ sudo -s
[root@archlinux ~]#
</code></pre></div><h2 id="generating-client-keys">Generating client keys</h2>The process of generating WireGuard keys on the client is the same as how it’s done on the server. Create the directory <code>/etc/wireguard/keys</code> and set the user mask to <code>077</code>.<div class="highlight" readability="8"><pre><code class="language-bash" data-lang="bash">[root@archlinux ~]# mkdir /etc/wireguard/keys
[root@archlinux ~]# cd /etc/wireguard/keys
[root@archlinux keys]# umask 077
</code></pre></div>Generate a private and public key pair for the client using the same command as we did on the server:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">[root@archlinux keys]# wg genkey | tee privatekey | wg pubkey > publickey
</code></pre></div>Output the key contents which we’ll be needing soon in our configuration files:<div class="highlight" readability="8"><pre><code class="language-bash" data-lang="bash">[root@archlinux keys]# cat privatekey
cAqmevIKScn5l4Jg1F69KEIty6gVb8wGNqNlApvzc0c=
[root@archlinux keys]# cat publickey
vi4TCAo8TNRkpf4ZpiMsp3YHaOLrcouSDkrm4wJxezw=
</code></pre></div><h2 id="creating-client-configuration-file">Creating client configuration file</h2>On the client create the configuration <code>/etc/wireguard/wg0.conf</code>:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">[root@archlinux keys]# vim /etc/wireguard/wg0.conf
</code></pre></div>Paste the configuration into your client configuration file:<div class="highlight" readability="7"><pre><code class="language-ini" data-lang="ini">[Interface]
Address = 10.0.0.2/32
PrivateKey = <client private key>
</code></pre></div>Replace the <code>PrivateKey</code> value with your client’s private key:<div class="highlight" readability="7"><pre><code class="language-ini" data-lang="ini">[Interface]
Address = 10.0.0.2/32
PrivateKey = cAqmevIKScn5l4Jg1F69KEIty6gVb8wGNqNlApvzc0c=
</code></pre></div>Set the DNS to Cloudflare’s public DNS resolver <code>1.1.1.1</code> which is fast and secure:<div class="highlight" readability="8"><pre><code class="language-ini" data-lang="ini">[Interface]
Address = 10.0.0.2/32
PrivateKey = cAqmevIKScn5l4Jg1F69KEIty6gVb8wGNqNlApvzc0c=
DNS = 1.1.1.1
</code></pre></div>The <code>[Interface]</code> section is for configuration the new WireGuard interface we are creating.<ul><li><code>Address</code> is the private network IP address range that we’re assigning to for this network interface.</li><li><code>PrivateKey</code> is your client’s private key.</li><li><code>DNS</code> is the DNS resolve to use.</li></ul><h2 id="setting-server-peer-on-client-config">Setting server peer on client config</h2>The next step is to set information about the server in the client configuration file under the <code>[Peer]</code> section:<div class="highlight" readability="9"><pre><code class="language-ini" data-lang="ini">[Interface]
Address = 10.0.0.2/32
PrivateKey = cAqmevIKScn5l4Jg1F69KEIty6gVb8wGNqNlApvzc0c=
DNS = 1.1.1.1

[Peer]
PublicKey = <server public key>
Endpoint = <server public ip>:51820
AllowedIPs = 0.0.0.0/0
</code></pre></div>Replace the <code>PublicKey</code> value to your server’s public key and set the <code>Endpoint</code> to be your server’s public IP address:<div class="highlight" readability="9"><pre><code class="language-ini" data-lang="ini">[Interface]
Address = 10.0.0.2/32
PrivateKey = cAqmevIKScn5l4Jg1F69KEIty6gVb8wGNqNlApvzc0c=
DNS = 1.1.1.1

[Peer]
PublicKey = H6StMJOYIjfqhDvG9v46DSX9UlQl52hOoUm7F3COxC4=
Endpoint = 54.225.123.18:51820
AllowedIPs = 0.0.0.0/0
</code></pre></div>Because our server is behind a NAT, we’ll also need to set <code>PersistentKeepalive</code> to keep the connection alive:<div class="highlight" readability="9"><pre><code class="language-ini" data-lang="ini">[Interface]
Address = 10.0.0.2/32
PrivateKey = cAqmevIKScn5l4Jg1F69KEIty6gVb8wGNqNlApvzc0c=
DNS = 1.1.1.1

[Peer]
PublicKey = H6StMJOYIjfqhDvG9v46DSX9UlQl52hOoUm7F3COxC4=
Endpoint = 54.225.123.18:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
</code></pre></div>The <code>[Peer]</code> section is for configuration information about the peer it’s connecting to, which in this case it’s the client connection to the server.<ul><li><code>PublicKey</code> is the public key of the server.</li><li><code>Endpoint</code> is your server’s public IP and port the server’s interface is listening, configured with <code>ListenPort</code> in the server’s config.</li><li><code>AllowedIPs</code> is the IP range to allow forwarding from. Setting it to <code>0.0.0.0/0</code> will forward all traffic over the tunnel.</li><li><code>PersistentKeepalive</code> is the interval to periodically send keepalive packets to the server.</li></ul>If you’re not sure what your server’s public address is, you can do an IP lookup by doing a DNS query request to <code>myip.opendns.com</code>:<div class="highlight" readability="8"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard# dig +short myip.opendns.com @resolver1.opendns.com
54.225.123.18
</code></pre></div>If your server is an EC2 instance, you get query the metadata endpoint to get the public IP address:<div class="highlight" readability="8"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard# curl http://169.254.169.254/latest/meta-data/public-ipv4
54.225.123.18
</code></pre></div><h2 id="setting-client-peer-on-server-config">Setting client peer on server config</h2>Go back into the server and edit the config. We’re going to add information about the client so that the server and client can authenticate with each other.<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard/keys# vim /etc/wireguard/wg0.conf
</code></pre></div>Add the <code>[Peer]</code> section to the server config:<div class="highlight" readability="10"><pre><code class="language-ini" data-lang="ini">[Interface]
PrivateKey = wIObajifv6U2emcZsAGNZbbWzkyrs84EEyr+bgmlB3M=
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client public key>
AllowedIPs = 10.0.0.2/32
</code></pre></div>Replace the <code>PublicKey</code> value with your client’s public key:<div class="highlight" readability="10"><pre><code class="language-ini" data-lang="ini">[Interface]
PrivateKey = wIObajifv6U2emcZsAGNZbbWzkyrs84EEyr+bgmlB3M=
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = vi4TCAo8TNRkpf4ZpiMsp3YHaOLrcouSDkrm4wJxezw=
AllowedIPs = 10.0.0.2/32
</code></pre></div>The <code>[Peer]</code> section is for configuration information about the peer it’s connecting to, which in this case it’s the servers connection to the client.<ul><li><code>PublicKey</code> is the client’s public key.</li><li><code>AllowedIPs</code> are allowed client IP addresses.</li></ul><h2 id="starting-wireguard-service-on-server">Starting WireGuard service on server</h2>Now that the server has the client peer information we can start the WireGuard service with <code>wg-quick up wg0</code> on the server:<div class="highlight" readability="10"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard/keys# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 8921 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</code></pre></div>Depending on your Ubuntu installation, you might need to install additional kernel modules. If you got the error “RNETLINK answers: Operation not supported” trying to start the wg0 interface then install the following packages on the server:<div class="highlight" readability="8"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard# apt-get install wireguard-dkms wireguard-tools linux-headers-$(uname -r)
</code></pre></div>To start WireGuard across reboots you’ll need to enable the service to add it to the systemd init system by running <code>systemctl enable wg-quick@wg0.service</code>:<div class="highlight" readability="9"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard/keys# systemctl enable wg-quick@wg0.service
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.
</code></pre></div>Check the status by running <code>systemctl status wg-quick@wg0.service</code> and if you see Active: active (exited) then if everything is good so far:<div class="highlight" readability="12"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard/keys# systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
Loaded: loaded (/lib/systemd/system/wg-quick@.service; indirect; vendor preset: enabled)
Active: active (exited) since Thu 2020-04-02 06:35:22 UTC; 1s ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 10730 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
Main PID: 10730 (code=exited, status=0/SUCCESS)

Apr 02 06:35:21 ip-172-30-0-233 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Apr 02 06:35:22 ip-172-30-0-233 wg-quick[10730]: [#] ip link add wg0 type wireguard
Apr 02 06:35:22 ip-172-30-0-233 wg-quick[10730]: [#] wg setconf wg0 /dev/fd/63
Apr 02 06:35:22 ip-172-30-0-233 wg-quick[10730]: [#] ip -4 address add 10.0.0.1/24 dev wg0
Apr 02 06:35:22 ip-172-30-0-233 wg-quick[10730]: [#] ip link set mtu 8921 up dev wg0
Apr 02 06:35:22 ip-172-30-0-233 wg-quick[10730]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; ipt
Apr 02 06:35:22 ip-172-30-0-233 systemd[1]: Started WireGuard via wg-quick(8) for wg0.
</code></pre></div>Verify that new iproute rules have been applied with <code>iptables -L -n</code>:<div class="highlight" readability="10"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
</code></pre></div>Running the command <code>ifconfig</code> shows the new network interface <code>wg0</code> with the internal IP address we specified <code>10.0.0.1</code>:<div class="highlight" readability="18"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 172.30.0.233 netmask 255.255.255.0 broadcast 172.30.0.255
inet6 fe80::1097:5bff:fe30:d57 prefixlen 64 scopeid 0x20<link>
ether 12:97:5b:30:0d:57 txqueuelen 1000 (Ethernet)
RX packets 1151269 bytes 524679242 (524.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1022229 bytes 345390292 (345.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 526 bytes 48787 (48.7 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 526 bytes 48787 (48.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 8921
inet 10.0.0.1 netmask 255.255.255.0 destination 10.0.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
</code></pre></div><h2 id="starting-wireguard-service-on-client">Starting WireGuard service on client</h2>First take note of your current public IP address on the client machine:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">[root@archlinux wireguard]# dig +short myip.opendns.com @resolver1.opendns.com
65.88.88.4
</code></pre></div>After we start the WireGuard service on the client then the public IP address will be resolved to the server’s public IP address.Start the WireGuard service using <code>wg-quick</code> just like we did previously on the server:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">[root@archlinux wireguard]# wg-quick up wg0
</code></pre></div>Now that WireGuard is running, check the public IP address again of the client and it should now be the public IP address of the server:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">[root@archlinux wireguard]# dig +short myip.opendns.com @resolver1.opendns.com
54.225.123.18
</code></pre></div>Success! WireGuard is correctly configured and the peers are connected.<h2 id="connecting-a-mobile-client-to-server">Connecting a mobile client to server</h2>Download the WireGuard app for <a href="https://apps.apple.com/us/app/wireguard/id1441195209" style="color: inherit; text-decoration: none;" name="readabilityLink-21">iOS</a><a href="#readabilityFootnoteLink-21" class="readability-DoNotFootnote" style="color: inherit;">[21]</a> or <a href="https://play.google.com/store/apps/details?id=com.wireguard.android&hl=enUS" style="color: inherit; text-decoration: none;" name="readabilityLink-22">Android</a><a href="#readabilityFootnoteLink-22" class="readability-DoNotFootnote" style="color: inherit;">[22]</a> on your device.For this example we’ll create a second client (an iPhone) to connect to the WireGuard server. The same steps will need to be followed from when we setup the first client.We can generate keys directly on the device and set up the configuration manually but that’s not quick and ideal. Instead we can generate the keys and configuration on the server and then securely transfer the information into the WireGuard app.Run <code>wg genkey</code> but specify different filenames this time to distinguish them from the server keys:<div class="highlight" readability="10"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard# cd /etc/wireguard/keys
root@ip-172-30-0-233:/etc/wireguard/keys# wg genkey | tee iphoneprivatekey | wg pubkey > iphonepublickey
root@ip-172-30-0-233:/etc/wireguard/keys# cat iphoneprivatekey
kFnMqMSiAluwb/xWgemXhjLh/II/sb92OoYCbh7yaWw=
root@ip-172-30-0-233:/etc/wireguard/keys# cat iphonepublickey
cKIxzfp5ESpdM34vT2Qk/S7yvprOff6Le4YnyOTI4B8=
</code></pre></div>Open up the server config <code>/etc/wireguard/wg0.conf</code> in your favorite editor:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard/keys# vim /etc/wireguard/wg0.conf
</code></pre></div>Add the second peer section and include the client’s public key and IP address:<div class="highlight" readability="10"><pre><code class="language-ini" data-lang="ini">[Interface]
PrivateKey = wIObajifv6U2emcZsAGNZbbWzkyrs84EEyr+bgmlB3M=
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PrivateKey = wIObajifv6U2emcZsAGNZbbWzkyrs84EEyr+bgmlB3M=
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = cKIxzfp5ESpdM34vT2Qk/S7yvprOff6Le4YnyOTI4B8=
AllowedIPs = 10.0.0.3/32
</code></pre></div>Create a new configuration file for the iPhone client on the server. We’ll name it <code>wgo-iphone.conf</code>:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard/keys# vim /etc/wireguard/wg0-iphone.conf
</code></pre></div>Paste client configuration but remember to use a different private IP that differs from the first client.<div class="highlight" readability="9"><pre><code class="language-ini" data-lang="ini">[Interface]
PrivateKey = kFnMqMSiAluwb/xWgemXhjLh/II/sb92OoYCbh7yaWw=
Address = 10.0.0.3/32
DNS = 1.1.1.1

[Peer]
PublicKey = H6StMJOYIjfqhDvG9v46DSX9UlQl52hOoUm7F3COxC4=
Endpoint = 54.225.123.18:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
</code></pre></div>Install <a href="https://github.com/fukuchi/libqrencode" style="color: inherit; text-decoration: none;" name="readabilityLink-23">qrencode</a><a href="#readabilityFootnoteLink-23" class="readability-DoNotFootnote" style="color: inherit;">[23]</a> on the server to generate a QRCode from the configuration file.You’ll be scanning this qrcode in the WireGuard app to download the configuration. This is a safer way to transport credentials since the keys and configuration files don’t need to be zipped and moved.Generate the text based qrcode image in your terminal with <code>qrencode -t ansiutf8 < wg0-iphone.conf</code><div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">root@ip-172-30-0-233:/etc/wireguard# qrencode -t ansiutf8 < wg0-iphone.conf
<qrcode image>
</code></pre></div>In the WireGuard app go to: Add a tunnel → Create from QRCodeScan the qrcode code generated in the terminal and make sure to Allow the VPN configuration in the settings popup.Enable the VPN by toggling on the switch.Visit <a href="https://ipchicken.com/" style="color: inherit; text-decoration: none;" name="readabilityLink-24">ipchicken.com</a><a href="#readabilityFootnoteLink-24" class="readability-DoNotFootnote" style="color: inherit;">[24]</a> in the browser to verify the public iP address has changed.<h2 id="generating-vanity-addresses">Generating vanity addresses</h2>It’s easy to lose track of which keys belong to which devices since they all look like random strings. To make it easier to associate keys to devices you can use this <a href="https://github.com/warner/wireguard-vanity-address" style="color: inherit; text-decoration: none;" name="readabilityLink-25">vanity address generator</a><a href="#readabilityFootnoteLink-25" class="readability-DoNotFootnote" style="color: inherit;">[25]</a> to generate public keys that contain a custom array of characters.For example, we’ll generate a key pair where the public key starts with “iPho” to denote that it’s a key pair to be used on the iPhone client.First install the vanity address generator with <a href="https://crates.io/" style="color: inherit; text-decoration: none;" name="readabilityLink-26">cargo</a><a href="#readabilityFootnoteLink-26" class="readability-DoNotFootnote" style="color: inherit;">[26]</a>:<div class="highlight" readability="7"><pre><code class="language-bash" data-lang="bash">$ cargo install wireguard-vanity-address
</code></pre></div>Now just specify the list of characters that you want in the public key base64 output:<div class="highlight" readability="13"><pre><code class="language-bash" data-lang="bash">$ wireguard-vanity-address ipho
searching for 'ipho' in pubkey[0..10], one of every 149796 keys should match
one trial takes 83.6 us, CPU cores available: 8
est yield: 1.6 seconds per key, 638.83e-3 keys/s
hit Ctrl-C to stop
private YPpudjAoVCnaPUJdcEVhj5Ttedq7WP1ozL+ZdtuTC1g= public cHklbipHoMS9CA8XlRdKMBOOIfQC28Ut8SVyYsqmox0=
private kD6FSIZehv1DKJ28MKJQcmSDdd69U3s4s11ymtP1Ekc= public iPHoaaQye7+OJNq/TfOvXjMr99pq9ADDDlGynRQ6KQ8=
private aEJ33LXCeipouhiAoQjfMjtwrHPfZDvKLguE8XlawnY= public iPHoEoUy4WgkUXr4e47IkA06IZqVI/AqHNS2RZlGhHM=
^C
</code></pre></div>It’ll keep generating until you manually stop it when you see a key pair that you like.<h2 id="automation">Automation</h2>A nice tool to automate the process of setting up a WireGuard VPN is <a href="https://github.com/trailofbits/algo" style="color: inherit; text-decoration: none;" name="readabilityLink-27">Algo</a><a href="#readabilityFootnoteLink-27" class="readability-DoNotFootnote" style="color: inherit;">[27]</a>.Algo is a set of <a href="https://github.com/ansible/ansible" style="color: inherit; text-decoration: none;" name="readabilityLink-28">Ansible</a><a href="#readabilityFootnoteLink-28" class="readability-DoNotFootnote" style="color: inherit;">[28]</a> scripts to help you set up and configure WireGuard on the remote server from your local machine.To get started, clone the algo repository and install the python dependencies:<div class="highlight" readability="9"><pre><code class="language-bash" data-lang="bash">~$ git clone https://github.com/trailofbits/algo.git
~$ cd algo/
~/algo$ pip install virtualenv
~/algo$ python3 -m virtualenv --python="$(command -v python3)" .env && source .env/bin/activate && python3 -m pip install -U pip virtualenv && python3 -m pip install -r requirements.txt
</code></pre></div>Now run the algo executable file to start the walkthough of deploying an Algo server to the cloud:<div class="highlight" readability="10"><pre><code class="language-bash" data-lang="bash">(.env) ~/algo$ ./algo
[Cloud prompt]
What provider would you like to use?
1. DigitalOcean
2. Amazon Lightsail
3. Amazon EC2
4. Microsoft Azure
5. Google Compute Engine
6. Hetzner Cloud
7. Vultr
8. Scaleway
9. OpenStack (DreamCompute optimised)
10. CloudStack (Exoscale optimised)
11. Install to existing Ubuntu 18.04 or 19.10 server (for more advanced users)

Enter the number of your desired provider
:
<truncated>
</code></pre></div><h2 id="tldr">TLDR;</h2>Here’s a summary of the server and client configuration and commands used in this post:<h3 id="server">Server</h3>Server commands:<div class="highlight" readability="10"><pre><code class="language-bash" data-lang="bash">sudo -s
apt-get install wireguard
mkdir -p /etc/wireguard/keys
cd /etc/wireguard/keys
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
vim /etc/wireguard/wg0.conf # see server config below
vim /etc/sysctl.conf # uncomment line "net.ipv4.ipforward=1"
sysctl -p
wg-quick up wg0
systemctl enable wg-quick@wg0.service
</code></pre></div>Server config <code>/etc/wireguard/wg0.conf</code>:<div class="highlight" readability="10"><pre><code class="language-ini" data-lang="ini">[Interface]
PrivateKey = <server private key>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client public key>
AllowedIPs = 10.0.0.2/32
</code></pre></div><h3 id="client">Client</h3>Client commands:<div class="highlight" readability="9"><pre><code class="language-bash" data-lang="bash">sudo -s
apt-get install wireguard
mkdir -p /etc/wireguard/keys
cd /etc/wireguard/keys
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
vim /etc/wireguard/wg0.conf # see client config below
wg-quick up wg0
</code></pre></div>Client config <code>/etc/wireguard/wg0.conf</code>:<div class="highlight" readability="9"><pre><code class="language-ini" data-lang="ini">[Interface]
PrivateKey = <client private key>
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <server public key>
Endpoint = <server public ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
</code></pre></div><h2 id="resources">Resources</h2>Follow discussion on <a href="https://news.ycombinator.com/item?id=22788584" style="color: inherit; text-decoration: none;" name="readabilityLink-29">Hacker News</a><a href="#readabilityFootnoteLink-29" class="readability-DoNotFootnote" style="color: inherit;">[29]</a>.</div><div id="readability-footnotes"><h3>References</h3><ol id="readability-footnotes-list"><li><a href="#readabilityLink-1" title="Jump to Link in Article">^</a> <a href="https://www.wireguard.com/" name="readabilityFootnoteLink-1">WireGuard</a> (www.wireguard.com)</li><li><a href="#readabilityLink-2" title="Jump to Link in Article">^</a> <a href="https://homepage.cs.uri.edu/~thenry/resources/unixart/ch01s06.html" name="readabilityFootnoteLink-2">Unix Philosophy</a> (homepage.cs.uri.edu)</li><li><a href="#readabilityLink-3" title="Jump to Link in Article">^</a> <a href="https://github.com/OpenVPN/openvpn" name="readabilityFootnoteLink-3">OpenVPN</a> (github.com)</li><li><a href="#readabilityLink-4" title="Jump to Link in Article">^</a> <a href="https://en.wikipedia.org/wiki/WireGuard#Protocol" name="readabilityFootnoteLink-4">cryptographic standards</a> (en.wikipedia.org)</li><li><a href="#readabilityLink-5" title="Jump to Link in Article">^</a> <a href="#tldr" name="readabilityFootnoteLink-5">TLDR;</a></li><li><a href="#readabilityLink-6" title="Jump to Link in Article">^</a> <a href="#setting-up-a-server" name="readabilityFootnoteLink-6">Setting up a server</a></li><li><a href="#readabilityLink-7" title="Jump to Link in Article">^</a> <a href="#installing-wireguard-on-server" name="readabilityFootnoteLink-7">Installing WireGuard on server</a></li><li><a href="#readabilityLink-8" title="Jump to Link in Article">^</a> <a href="#generating-server-keys" name="readabilityFootnoteLink-8">Generating server keys</a></li><li><a href="#readabilityLink-9" title="Jump to Link in Article">^</a> <a href="#creating-server-configuration-file" name="readabilityFootnoteLink-9">Creating server configuration file</a></li><li><a href="#readabilityLink-10" title="Jump to Link in Article">^</a> <a href="#enabling-ip-forwarding-on-server" name="readabilityFootnoteLink-10">Enabling IP forwarding on server</a></li><li><a href="#readabilityLink-11" title="Jump to Link in Article">^</a> <a href="#installing-wireguard-on-client" name="readabilityFootnoteLink-11">Installing WireGuard on client</a></li><li><a href="#readabilityLink-12" title="Jump to Link in Article">^</a> <a href="#generating-client-keys" name="readabilityFootnoteLink-12">Generating client keys</a></li><li><a href="#readabilityLink-13" title="Jump to Link in Article">^</a> <a href="#creating-client-configuration-file" name="readabilityFootnoteLink-13">Creating client configuration file</a></li><li><a href="#readabilityLink-14" title="Jump to Link in Article">^</a> <a href="#setting-client-info-on-server-config" name="readabilityFootnoteLink-14">Setting client info on server config</a></li><li><a href="#readabilityLink-15" title="Jump to Link in Article">^</a> <a href="#starting-wireguard-service-on-server" name="readabilityFootnoteLink-15">Starting WireGuard service on server</a></li><li><a href="#readabilityLink-16" title="Jump to Link in Article">^</a> <a href="#starting-wireguard-service-on-client" name="readabilityFootnoteLink-16">Starting WireGuard service on client</a></li><li><a href="#readabilityLink-17" title="Jump to Link in Article">^</a> <a href="#connecting-a-mobile-client-to-server" name="readabilityFootnoteLink-17">Connecting a mobile client to server</a></li><li><a href="#readabilityLink-18" title="Jump to Link in Article">^</a> <a href="https://www.wireguard.com/install/" name="readabilityFootnoteLink-18">installation instructions</a> (www.wireguard.com)</li><li><a href="#readabilityLink-19" title="Jump to Link in Article">^</a> <a href="https://en.wikipedia.org/wiki/INIfile" name="readabilityFootnoteLink-19">INI</a> (en.wikipedia.org)</li><li><a href="#readabilityLink-20" title="Jump to Link in Article">^</a> <a href="https://www.wireguard.com/install/" name="readabilityFootnoteLink-20">installation instructions</a> (www.wireguard.com)</li><li><a href="#readabilityLink-21" title="Jump to Link in Article">^</a> <a href="https://apps.apple.com/us/app/wireguard/id1441195209" name="readabilityFootnoteLink-21">iOS</a> (apps.apple.com)</li><li><a href="#readabilityLink-22" title="Jump to Link in Article">^</a> <a href="https://play.google.com/store/apps/details?id=com.wireguard.android&hl=enUS" name="readabilityFootnoteLink-22">Android</a> (play.google.com)</li><li><a href="#readabilityLink-23" title="Jump to Link in Article">^</a> <a href="https://github.com/fukuchi/libqrencode" name="readabilityFootnoteLink-23">qrencode</a> (github.com)</li><li><a href="#readabilityLink-24" title="Jump to Link in Article">^</a> <a href="https://ipchicken.com/" name="readabilityFootnoteLink-24">ipchicken.com</a> (ipchicken.com)</li><li><a href="#readabilityLink-25" title="Jump to Link in Article">^</a> <a href="https://github.com/warner/wireguard-vanity-address" name="readabilityFootnoteLink-25">vanity address generator</a> (github.com)</li><li><a href="#readabilityLink-26" title="Jump to Link in Article">^</a> <a href="https://crates.io/" name="readabilityFootnoteLink-26">cargo</a> (crates.io)</li><li><a href="#readabilityLink-27" title="Jump to Link in Article">^</a> <a href="https://github.com/trailofbits/algo" name="readabilityFootnoteLink-27">Algo</a> (github.com)</li><li><a href="#readabilityLink-28" title="Jump to Link in Article">^</a> <a href="https://github.com/ansible/ansible" name="readabilityFootnoteLink-28">Ansible</a> (github.com)</li><li><a href="#readabilityLink-29" title="Jump to Link in Article">^</a> <a href="https://news.ycombinator.com/item?id=22788584" name="readabilityFootnoteLink-29">Hacker News</a> (news.ycombinator.com)</li></ol></div>

keywords miguel mota,web developer,software developer,html5 developer,javascript developer,blockchain developer

No Items Found.

Add Comment

Other Items in VPN

Getting Started with WireGuard » Miguel Mota | Software Developer

Other Categories in Linx

ai apps articles cloud apps code coffee factorio games hardware health iphone lists minecraft music pi security stock images stock images tech vpn web dev web developer websites windows ai android api apps articles asp audio australia bio bitcoin blog books bootstrap career charts code editors codepens cooking css css animations daily linx data day trips design design elements drawing education emulators entrepreneur factorio fitness flowcharts fonts foobar2000 themes games hardware headphones health home automation html templates icons itunes javascript jquery js linux mac maps media mhx minecraft misc money motivation music network news nginx os osrs pantheon parenting phone phones php pi products programming radio random reading reddit rs3 runescape seo shopping sqlite stock images storage tax tech technology text formatting tools trains video video editor videos wallpapers weather web web design web development web sites webdev windows wine wordpress workout youtube

Welcome

This is my test area for webdev. I keep a collection of code here, mostly for my reference. Also if i find a good link, i usually add it here and then forget about it. more...

Latest News

## 🚀 AI Giants Hit Bullseye: Anthropic & OpenAI Achieve Product-Market Fit Anthropic and OpenAI have reached a significant milestone, finding product-market fit with their AI technologies, which means their products effectively meet the needs of their customers, driving growth and adoption. This achievement showcases the practical value of their innovations, enabling businesses and individuals to leverage AI for enhanced productivity and efficiency. With this alignment of product and market needs, these companies are poised to transform industries and shape the future of technology.

Getting Started with WireGuard » Miguel Mota | Software Developer

Add Comment

Other Items in VPN

Other Categories in Linx

Search Linx

Latest from Linx

Welcome

Random Quote

Latest News

Latest Articles

Code

Links

Quick Links

Quick Links

Sections