WireGuard VPN

Installation

sudo apt update
sudo apt install wireguard wireguard-tools

Configuration

Server

Create the private key and remove permissions for anyone other than root

wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key

Derive the public key from the private key, then create the interface config

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
sudo nano /etc/wireguard/wg0.conf

[Interface]
PrivateKey = <private key server>
Address = 10.1.2.254/32
ListenPort = 51820
SaveConfig = false
 
[Peer]
PublicKey = <public key client>
AllowedIPs = 10.1.2.1/32

Enable and start the service

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Client

[Interface]
PrivateKey = <private key client>
Address = 10.1.2.1/32
DNS = 10.1.2.254
 
[Peer]
PublicKey = <public key server>
AllowedIPs = 10.1.2.254/32   # the server's tunnel address (not the client's own); use 10.1.2.0/24 to reach other clients too
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
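WireGuard routes by cryptokey routing: a packet is only sent to a peer if its destination falls inside that peer's AllowedIPs, so a client whose server peer only lists the client's own address sends nothing through the tunnel. The following added checker (not part of this page or the WireGuard project) parses a wg-quick config, flags peers whose AllowedIPs cover only the interface's own address, and flags PublicKey values that are not 32-byte base64 keys, which catches unreplaced `<...>` placeholders. The sample config and keys are constructed for the demo.

```python
import base64
import ipaddress
# Constructed sample keys for this demo (not real secrets): any 32 bytes, base64-encoded.
CLIENT_PRIV = base64.b64encode(bytes(range(32))).decode()
SERVER_PUB = base64.b64encode(bytes(range(32, 64))).decode()

# Constructed client config with a common mistake: the peer's AllowedIPs is the client's own address.
BROKEN = f"""[Interface]
PrivateKey = {CLIENT_PRIV}
Address = 10.1.2.1/32
[Peer]
PublicKey = {SERVER_PUB}
AllowedIPs = 10.1.2.1/32
"""

def parse_wg_conf(text):
    """Parse wg-quick syntax into (interface_dict, [peer_dict, ...]); '#' starts a comment."""
    interface, peers, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return interface, peers

def valid_key(b64):
    """A WireGuard key is exactly 32 bytes of base64; an unreplaced <placeholder> fails this."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:
        return False

def check_client_conf(text):
    """Findings: bad peer keys, and peers whose AllowedIPs (cryptokey routing) cover only the client itself."""
    iface, peers = parse_wg_conf(text)
    findings = []
    own = [ipaddress.ip_interface(a.strip()).ip for a in iface.get("address", "").split(",") if a.strip()]
    for n, peer in enumerate(peers, 1):
        if not valid_key(peer.get("publickey", "")):
            findings.append(f"Peer {n}: PublicKey is not a 32-byte base64 key")
        nets = [ipaddress.ip_network(a.strip(), strict=False) for a in peer.get("allowedips", "").split(",") if a.strip()]
        if not nets or all(net.num_addresses == 1 and net.network_address in own for net in nets):
            findings.append(f"Peer {n}: AllowedIPs routes nothing beyond this interface's own address")
    return findings
```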

Inter-Client Communication

Enable IPv4 packet forwarding

sudo sysctl -w net.ipv4.ip_forward=1                       # enable IPv4 packet forwarding now (runtime only)
sudo sysctl -p                                             # reload /etc/sysctl.conf; add net.ipv4.ip_forward=1 there to persist across reboots

Allow wg0 ↔ wg0 communication

sudo iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT           # append to the end of the chain
sudo iptables -I FORWARD -i wg0 -o wg0 -j ACCEPT           # or: insert at the beginning of the chain

Internet access

Enable IPv4/IPv6 packet forwarding on the server

sudo sysctl -w net.ipv4.ip_forward=1                       # enable IPv4 packet forwarding (runtime only)
sudo sysctl -w net.ipv6.conf.all.forwarding=1              # enable IPv6 packet forwarding (net.ipv6.ip_forward does not exist)
sudo sysctl -p                                             # reload /etc/sysctl.conf; add both settings there to persist across reboots

Server

[Interface]
PrivateKey = <private key server>
Address = 10.1.2.254/32
ListenPort = 51820
SaveConfig = false
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# eth0 is the server's uplink interface; these rules cover IPv4 only, IPv6 needs matching ip6tables rules
 
[Peer]
PublicKey = <public key client>
AllowedIPs = 10.1.2.1/32

Client

[Interface]
PrivateKey = <private key client>
Address = 10.1.2.1/32
DNS = 10.1.2.254 #, 1.1.1.1
 
[Peer]
PublicKey = <public key server>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25

DNS suffix and search list

Adjust the client interface (non-IP entries in DNS become search domains)

[Interface]
PrivateKey = <private key client>
Address = 10.1.2.1/32
DNS = 10.1.2.254, lab.local, wg0.lab.local
 
[Peer]
PublicKey = <public key server>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25

Windows Client

wireguard /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\config.conf"
wireguard /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\config.conf.dpapi"   # or the DPAPI-encrypted config
wireguard /installmanagerservice
wireguard /uninstallmanagerservice
wireguard /update 2> C:\path\to\update\log.txt