WireGuard — VPN SERVER AND CLIENT CONFIGURATION

In this blog I will show how to configure a WireGuard VPN server and client step by step.

KUMARESAN S
4 min read · Apr 26, 2021
Wireguard — The new tunneling protocol

Introduction:

WireGuard is a security-focused virtual private network (VPN) tunnel known for its simplicity and ease of use. It uses a small, fixed set of modern cryptographic primitives (Curve25519 for key exchange, ChaCha20-Poly1305 for authenticated encryption, BLAKE2s for hashing) rather than negotiable cipher suites, which removes a whole class of downgrade and misconfiguration problems. Originally developed for the Linux kernel, it is now deployable on Windows, macOS, BSD, iOS and Android.

Notes: In this WireGuard VPN setup I used Ubuntu 20.04 for both the client and the server.

Step 1: Install WireGuard on the server machine (Peer A)

SSH into the cloud server. After logging in, bring the machine up to date with the following command:

sudo apt-get update && sudo apt-get upgrade

Now install WireGuard with the following command:

sudo apt-get install wireguard

Install WireGuard on the client machine in the same way.

  1. IP forwarding:

The server must forward packets between the tunnel and its other interfaces, otherwise clients can reach the server itself but nothing behind it. Enable forwarding by editing /etc/sysctl.conf:

sudo nano /etc/sysctl.conf

Remove the # in front of the line net.ipv4.ip_forward=1 so it is no longer commented out.

Then run the following command to apply the setting without a reboot:

sudo sysctl -p

You will get this output: net.ipv4.ip_forward = 1

2. Generating private and public keys

WireGuard authenticates peers with Curve25519 key pairs: every peer generates its own private key and derives the matching public key from it. The private key never leaves the machine; only the public keys are exchanged (over an existing trusted channel such as SSH) and placed in the other side's configuration. During the handshake each side proves possession of its private key and both derive fresh symmetric session keys, so traffic is encrypted and authenticated in both directions. The setup is symmetric: each peer needs its own key pair, the server config lists the client's public key, and the client config lists the server's.

Before generating the key pair, become root and change into the WireGuard directory (the directory is root-only, so a plain cd will not work):

sudo -i
cd /etc/wireguard

Set the file-creation mask so that the key files are created readable by root only (mode 0600):

umask 077

To generate the key pair, enter the following command (the subcommand is pubkey):

wg genkey | tee privatekey | wg pubkey > publickey

3. Generate server config

To start configuring the WireGuard server, create a file called wg0.conf in /etc/wireguard:

sudo vi /etc/wireguard/wg0.conf

Add the following directives to the configuration file:

[Interface]
PrivateKey = <contents-of-server-privatekey>
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820

[Peer]
PublicKey = <contents-of-client-publickey>
AllowedIPs = 10.0.0.2/32

Notes:

1. Copy the server private key generated above and paste it into PrivateKey.

2. Generate a key pair on the client in the same way and paste the client's public key into PublicKey. AllowedIPs on the server side is the set of source addresses the server accepts from this peer (and routes to it); 10.0.0.2/32 pins the client to exactly one tunnel address.

3. eth0 in the PostUp/PostDown rules must be the server's internet-facing interface; on many cloud images it is named ens3, enp0s3 or similar. Check with ip route get 1.1.1.1 and substitute the name printed after dev, otherwise the MASQUERADE rule is attached to a non-existent interface and client traffic is forwarded unmasqueraded.

To print the key values use the following commands:

sudo cat /etc/wireguard/publickey
sudo cat /etc/wireguard/privatekey

4. Starting WireGuard and enabling it at boot

Now we are ready to start the server. wg-quick reads wg0.conf and brings up the new interface:

sudo wg-quick up wg0

If the configuration is correct, wg-quick prints the ip link, ip address and ip route commands it runs (followed by the PostUp iptables commands) and exits without error.

To start the tunnel automatically at boot, enable the systemd unit that ships with wg-quick:

sudo systemctl enable wg-quick@wg0

To check the running status of the WireGuard server:

sudo wg show

Step 2: Client configuration (Peer B)

Install WireGuard on the client as on the server, then generate the client's key pair in the same way (as root in /etc/wireguard with umask 077):

wg genkey | tee privatekey | wg pubkey > publickey

After that create the client configuration file:

sudo vi /etc/wireguard/wg0.conf

[Interface]
PrivateKey = <contents-of-client-privatekey>
Address = 10.0.0.2/24

[Peer]
PublicKey = <contents-of-server-publickey>
Endpoint = <server-public-ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Notes: PrivateKey is the client's private key and PublicKey is the server's public key generated before, the mirror image of the server config. Endpoint is the server's public IP (or hostname) plus its ListenPort; the client needs it to initiate the handshake. AllowedIPs = 0.0.0.0/0 sends all the client's IPv4 traffic through the tunnel (this is what the server's MASQUERADE rule is for); use 10.0.0.0/24 instead if only the VPN subnet should be reached. PersistentKeepalive = 25 keeps the NAT mapping open when the client sits behind NAT. The client does not need ListenPort or the PostUp/PostDown iptables rules; those belong on the server, which forwards the traffic.

To bring up the connection enter the following command:

sudo wg-quick up wg0

Now the client can communicate with the server. To check the connection status enter:

sudo wg show

This prints the interface, the peer's public key, its endpoint, the transfer counters and the latest handshake time. If no latest handshake line appears after a few seconds, the handshake is failing: check that the keys are paired the right way round, that Endpoint is correct, and that UDP port 51820 is reachable on the server.
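Putting the server and client steps together, here is an added shell script (not part of the original post) that renders both wg0.conf files from key strings, so the server file gets the server private key plus the client public key and the client file gets the client private key plus the server public key, and each file is written with mode 0600. Keys come from wg genkey when wg(8) is installed; otherwise constructed placeholder strings in key format are substituted so the script runs anywhere. The 10.0.0.0/24 subnet, the endpoint 203.0.113.10:51820, the eth0 fallback and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): render a matching pair of
# WireGuard configs for the server (Peer A) and the client (Peer B).
# Assumptions: 10.0.0.0/24 tunnel subnet, server endpoint 203.0.113.10:51820
# (placeholder), eth0 as the fallback WAN interface.
set -eu

# A WireGuard key is 32 bytes, base64-encoded: 43 base64 characters and one '='.
check_key() {
    key="$1"
    [ "${#key}" -eq 44 ] || return 1
    printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Constructed placeholder in key format (NOT a real key): lets the script run
# on a machine without wg(8). Never put these in a real config.
sample_key() {
    printf '%-43s=\n' "$1" | tr ' ' '0'
}

# Real keypair from wg(8): prints "<private> <public>" on one line.
gen_keypair() {
    priv=$(wg genkey)
    printf '%s %s\n' "$priv" "$(printf '%s' "$priv" | wg pubkey)"
}

# Interface carrying the default route (what the MASQUERADE rule must name);
# falls back to eth0 when `ip` is unavailable.
detect_wan_if() {
    dev=$(ip -o route get 1.1.1.1 2>/dev/null | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1)}') || true
    printf '%s\n' "${dev:-eth0}"
}

# Server config: $1 = server private key, $2 = client public key, $3 = WAN interface.
render_server_conf() {
    check_key "$1" && check_key "$2" || return 1
    cat <<EOF
[Interface]
PrivateKey = $1
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $3 -j MASQUERADE

[Peer]
# Peer B: packets from this peer are accepted only if sourced from 10.0.0.2
PublicKey = $2
AllowedIPs = 10.0.0.2/32
EOF
}

# Client config: $1 = client private key, $2 = server public key, $3 = host:port.
render_client_conf() {
    check_key "$1" && check_key "$2" || return 1
    cat <<EOF
[Interface]
PrivateKey = $1
Address = 10.0.0.2/24

[Peer]
# Peer A: 0.0.0.0/0 routes all IPv4 via the tunnel (pairs with the server's
# MASQUERADE); use 10.0.0.0/24 instead for a split tunnel.
PublicKey = $2
Endpoint = $3
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Write stdin to a config file created with mode 0600 (it holds a private key).
write_conf() {
    ( umask 077; cat > "$1" )
}

main() {
    if command -v wg >/dev/null 2>&1; then
        set -- $(gen_keypair); server_priv=$1; server_pub=$2
        set -- $(gen_keypair); client_priv=$1; client_pub=$2
    else
        server_priv=$(sample_key serverpriv); server_pub=$(sample_key serverpub)
        client_priv=$(sample_key clientpriv); client_pub=$(sample_key clientpub)
    fi
    echo "# ---- /etc/wireguard/wg0.conf on the server (Peer A) ----"
    render_server_conf "$server_priv" "$client_pub" "$(detect_wan_if)"
    echo
    echo "# ---- /etc/wireguard/wg0.conf on the client (Peer B) ----"
    render_client_conf "$client_priv" "$server_pub" "203.0.113.10:51820"
}

main
```

Run it as-is to see both rendered configs side by side; on a real host, pipe a rendered config through write_conf /etc/wireguard/wg0.conf as root so the file is created with mode 0600. check_key rejects anything that is not a 44-character base64 string, which catches the common copy-paste mistakes (a missing trailing '=' or a key pasted with a stray newline) before wg-quick fails with a less helpful error.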
