Notes on Setting up WireGuard for Ubuntu Server
Setting up WireGuard (0.0.20190905) on Ubuntu Server (18.04.3 LTS)
almost 6 years ago
Notes
- There is little distinction between “server” (Endpoint) and “client” (Peer). A tunnel is established between a Peer’s interface and an Endpoint’s interface. Which traffic goes over the interface to the Endpoint is determined by the `AllowedIPs` of the Peer. Use `0.0.0.0/0` for all traffic.
- WireGuard can be configured to give the interface a static IP as defined in the configuration file as well as which DNS server to use. I suspect dynamic allocation could be done if one were willing to configure a DHCP service on the server.
- Use `wg-quick` to set up the wg service and interface
  - It will handle configuring the interface such as setting the IP, bringing it up, and configuring DNS
  - The syntax for the `wg-quick` config file appears to be a superset of the wg config file
  - There is a handy systemd script which will handle interface config and execute pre-up and post-down commands, which are useful for running iptables commands
- `tcpdump` is quite useful for debugging. For example, try `tcpdump -i wg0` on the server while pinging on the client to make sure traffic is being sent to the server over the tunnel
Sample Configuration
Client
```ini
[Interface]
PrivateKey = # Client Private Key
Address = 10.0.0.2/32 # Interface static IP address. Note: /32 since we are only using a single IP address
DNS = 1.1.1.1

[Peer]
PublicKey = # Server Public Key
PresharedKey = # Shared Key
AllowedIPs = 0.0.0.0/0 # Proxy all the traffic
Endpoint = IP_OR_DOMAIN:51820 # Server address and port
```
Server
```ini
[Interface]
Address = 10.0.0.1/24 # Set IP and subnet
PrivateKey = # Server Private Key
ListenPort = 51820
# Note: SNAT with a fixed --to-source is supposed to be faster than MASQUERADE, so we use that here.
# Since the server has a static IP this is functionally equivalent to MASQUERADE.
PreUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens3 -j SNAT --to-source SERVER_IP
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ens3 -j SNAT --to-source SERVER_IP

[Peer]
# Client A
PublicKey = # Client Public Key
PresharedKey = # Shared Key
AllowedIPs = 10.0.0.2/32

[Peer]
# Client B
PublicKey = # Client Public Key
PresharedKey = # Shared Key
AllowedIPs = 10.0.0.3/32
```
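The client and server files above are easy to let drift apart when a third client is added by hand, so here is a small POSIX sh helper, added as an example and not part of the original notes, that picks the next free 10.0.0.x from the server config, writes the matching server `[Peer]` stanza and client file from the template above, and loads the peer into the running `wg0` with `wg set` instead of bouncing the interface. It also enables `net.ipv4.ip_forward`, which the server needs before the SNAT rule can carry client traffic out of `ens3` and which the notes do not mention; the script name `add-client.sh`, the `/etc/wireguard/wg0.conf` path and the `ens3` interface name are assumptions.

```shell
#!/bin/sh
# Added helper, not from the original notes. Assumes the layout shown above:
# wg0 on 10.0.0.0/24, server at 10.0.0.1, one /32 per client, UDP port 51820,
# server config at /etc/wireguard/wg0.conf (assumed path).

# Lowest unused host address in 10.0.0.0/24 according to the server config.
# 10.0.0.1 is the server; every "AllowedIPs = 10.0.0.N/32" line is taken.
next_client_ip() {
    conf="$1"
    n=2
    while grep -q "^AllowedIPs *= *10\.0\.0\.$n/32" "$conf"; do
        n=$((n + 1))
        [ "$n" -lt 255 ] || { echo "no free address in 10.0.0.0/24" >&2; return 1; }
    done
    echo "10.0.0.$n"
}

# Server-side [Peer] stanza: only the client's own /32 is routed back to it.
render_server_peer() {  # NAME CLIENT_PUBKEY PSK CLIENT_IP
    printf '\n[Peer]\n# %s\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s/32\n' \
        "$1" "$2" "$3" "$4"
}

# Client wg0.conf that sends all traffic through the tunnel (AllowedIPs 0.0.0.0/0).
render_client_conf() {  # CLIENT_PRIVKEY CLIENT_IP SERVER_PUBKEY PSK ENDPOINT
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\nDNS = 1.1.1.1\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s:51820\n' \
        "$3" "$4" "$5"
}

# Usage (as root on the server, wg0 already up): sh add-client.sh add-client NAME ENDPOINT
if [ "${1:-}" = "add-client" ]; then
    name="$2"; endpoint="$3"; conf=/etc/wireguard/wg0.conf
    umask 077                                      # key material stays owner-readable only
    priv=$(wg genkey); pub=$(printf '%s\n' "$priv" | wg pubkey); psk=$(wg genpsk)
    ip=$(next_client_ip "$conf") || exit 1
    srv_pub=$(wg show wg0 public-key)
    render_server_peer "$name" "$pub" "$psk" "$ip" >> "$conf"         # persists across wg-quick restarts
    render_client_conf "$priv" "$ip" "$srv_pub" "$psk" "$endpoint" > "$name.conf"
    # Forwarding must be on or the SNAT rule above never sees client traffic leave ens3.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # Add the peer to the running interface without a wg-quick down/up that drops the other clients.
    printf '%s\n' "$psk" | wg set wg0 peer "$pub" preshared-key /dev/stdin allowed-ips "$ip/32"
    echo "added $name at $ip; hand $name.conf to the client and check with: wg show wg0"
fi
```

After a client connects, `wg show wg0` should list a recent handshake for its public key; if the tunnel is up but nothing routes, check `sysctl net.ipv4.ip_forward` and `iptables -t nat -L POSTROUTING -n` first.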