peer A - a VPN client
peer B - a VPN server
To set up a wireguard network peering A and B, routing A’s traffic through B
-
install wireguard and generate key pairs for A and B
sudo pacman -S wireguard-tools cd ~/.ssh umask 0077; wg genkey > wg_server.key wg pubkey < wg_server.key > wg_server.pub umask 0077; wg genkey > wg_client.key wg pubkey < wg_client.key > wg_client.pub
-
peer B (server) configuration
create
/etc/wireguard/wg0.conf[Interface] PrivateKey = WG_SERVER_PRIVATE_KEY Address = 10.200.200.1/24 ListenPort = 51820 PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE [Peer] PublicKey = WG_CLIENT_PUBLIC_KEY AllowedIPs = 10.200.200.2/32
PostUp
sysctl -w net.ipv4.ip_forward=1, enable ip forwarding in current shell, it’s not persistent
iptables -A FORWARD -i %i -j ACCEPT;, allow FORWARD from interface wg0
iptables -A FORWARD -o %i -j ACCEPT;, allow FORWARD to interface wg0
iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE, allow NAT table POSTROUTING to interface enp1s0 (the public interface on host)
PostDown
iptables -D FORWARD -i %i -j ACCEPT;, deny FORWARD from interface wg0
iptables -D FORWARD -o %i -j ACCEPT;, deny FORWARD to interface wg0
iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE, deny NAT table POSTROUTING to interface enp1s0 -
peer A (client) configuration
create
/etc/wireguard/wg0.conf[Interface] Address = 10.200.200.2/32 PrivateKey = WG_CLIENT_PRIVATE_KEY DNS = 1.1.1.1 [Peer] PublicKey = WG_SERVER_PUBLIC_KEY Endpoint = PEER_B_PUBLIC_IP:PORT AllowedIPs = 0.0.0.0/0, ::/0 PersistentKeepalive = 25