Install
sudo pacman -S wireguard-tools wireguard-dkms linux-headers
Set up
| | Server | Client |
|---|---|---|
| Public IP | x.x.x.x | y.y.y.y |
| WireGuard IP (Internal) | 10.0.0.1/24 | 10.0.0.2/24 |
| Listening port | 4567 | 9876 |
Generate keys
wg genkey | tee WireGuardPrivateKey | wg pubkey > WireGuardPublicKey
wg genpsk > WireGuardPreSharedKey
A generated key is 44 base64 characters and looks like this:
COGgZXoCz172t9IOzlTlDmmgDzFWQP4OCskftRy650Q=
Generate profiles
Server
Each interface is stored in /etc/wireguard/wgX.conf, where X is a number; /etc/wireguard/wg0.conf is the default. The file contains the private key, so it must be saved with strict permissions (600).
[Interface]
Address = 10.0.0.1/24
SaveConfig = true ## When the interface is brought down, the running configuration (e.g. peers added with wg set) is written back to this file
ListenPort = 4567
PrivateKey = <server's private key>
[Peer]
PublicKey = <client public key>
AllowedIPs = 10.0.0.2/32 ## Client's internal IP: packets to it are routed to this peer, and packets from this peer must use it as source
#PersistentKeepalive = 25
Open UDP port 4567 to the client's IP address.
Client
Saved as /etc/wireguard/wg0.conf, also with permissions 600.
[Interface]
Address = 10.0.0.2/24
PrivateKey = <client private key>
ListenPort = 9876
[Peer]
PublicKey = <server's public key>
Endpoint = x.x.x.x:4567
AllowedIPs = 0.0.0.0/0 ## Route all traffic through the tunnel; also the only source IPs accepted from this peer
Connect
wg-quick up wg0
Check status
wg
Traditional VPN server Source
Enable IPv4 forwarding by adding to /etc/sysctl.d/99-sysctl.conf:
net.ipv4.ip_forward = 1
Configure the firewall accordingly and generate the keys. Then configure the server at /etc/wireguard/wg0.conf:
[Interface]
Address = 10.200.200.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = <SERVER PRIVATE KEY>
# note - substitute eth0 in the following lines to match the Internet-facing interface
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# client foo
PublicKey = <FOO's PUBLIC KEY>
PresharedKey = <PRE-SHARED KEY>
AllowedIPs = 10.200.200.2/32
[Peer]
# client bar
PublicKey = <BAR's PUBLIC KEY>
AllowedIPs = 10.200.200.3/32
Configure each client; this is foo's profile:
[Interface]
Address = 10.200.200.2/24
PrivateKey = <FOO's PRIVATE KEY>
DNS = 10.200.200.1
[Peer]
PublicKey = <SERVER PUBLICKEY>
PresharedKey = <PRE-SHARED KEY>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = my.ddns.address.com:51820
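The profiles in both sections share a few failure modes that are easy to ship by accident: a placeholder left where a key should be, a config readable by other users, two peers claiming the same AllowedIPs (wg silently moves the prefix to the last peer that claims it), or a PostDown that does not undo PostUp, leaving FORWARD/MASQUERADE rules behind after the tunnel is down. The following checker is an added example, not part of these notes or of the WireGuard tools; it parses a wg-quick profile with its repeated [Peer] sections and reports such problems. The embedded profiles and the dummy keys (format-valid only, not a real key pair) are constructed for the demonstration, and the server profile deliberately contains two of the mistakes above.

```python
"""Sanity checks for wg-quick profiles (added example, not part of the notes)."""
import base64
import ipaddress
import os
import stat


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]); '#' comments are stripped."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return interface, peers


def is_wg_key(value):
    """WireGuard keys are 32 bytes, i.e. 44 base64 characters with one '=' pad."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # non-base64 input, e.g. a '<placeholder>' left in
        return False


def mode_is_private(mode):
    """True when group/other get no permission bits at all (0600 or tighter)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def conf_mode_ok(path):
    return mode_is_private(os.stat(path).st_mode)


def _commands(hook):
    return [c.strip() for c in hook.split(";") if c.strip()]


def check_hooks_symmetric(interface):
    """Every 'iptables ... -A ...' in PostUp needs the matching '-D' in PostDown."""
    down = _commands(interface.get("PostDown", ""))
    missing = []
    for cmd in _commands(interface.get("PostUp", "")):
        expected = cmd.replace(" -A ", " -D ", 1)
        if expected != cmd and expected not in down:
            missing.append(expected)
    return missing


def validate(text):
    """Return a list of problems found in the profile text; [] means clean."""
    interface, peers = parse_wg_conf(text)
    problems = []
    if not is_wg_key(interface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey is not a 32-byte base64 key")
    seen_keys, seen_nets = {}, {}
    for i, peer in enumerate(peers):
        pub = peer.get("PublicKey", "")
        if not is_wg_key(pub):
            problems.append(f"peer {i}: PublicKey is not a 32-byte base64 key")
        elif pub in seen_keys:
            problems.append(f"peer {i}: PublicKey already used by peer {seen_keys[pub]}")
        seen_keys.setdefault(pub, i)
        if "PresharedKey" in peer and not is_wg_key(peer["PresharedKey"]):
            problems.append(f"peer {i}: PresharedKey is not a 32-byte base64 key")
        if "AllowedIPs" not in peer:
            problems.append(f"peer {i}: no AllowedIPs, nothing is routed to or accepted from it")
            continue
        for cidr in peer["AllowedIPs"].split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net in seen_nets:  # wg would silently move the prefix to this peer
                problems.append(f"peer {i}: {net} already assigned to peer {seen_nets[net]}")
            seen_nets.setdefault(net, i)
    problems += [f"PostDown does not undo PostUp rule: {m}" for m in check_hooks_symmetric(interface)]
    return problems


# Constructed, format-valid dummy keys (not a real key pair, not secret).
DUMMY_KEY_A = base64.b64encode(bytes(range(32))).decode()
DUMMY_KEY_B = base64.b64encode(bytes(range(32, 64))).decode()
DUMMY_KEY_C = base64.b64encode(bytes(range(64, 96))).decode()

# Constructed client profile in the shape of the notes above; should be clean.
CLIENT_CONF = f"""\
[Interface]
Address = 10.0.0.2/24
PrivateKey = {DUMMY_KEY_A}
ListenPort = 9876
[Peer]
PublicKey = {DUMMY_KEY_B}
Endpoint = 192.0.2.1:4567   ## documentation address standing in for x.x.x.x
AllowedIPs = 0.0.0.0/0, ::/0
"""

# Constructed server profile with two deliberate mistakes: both peers claim
# 10.200.200.2/32, and PostDown forgets to delete the MASQUERADE rule.
SERVER_CONF = f"""\
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = {DUMMY_KEY_A}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
[Peer]
PublicKey = {DUMMY_KEY_B}
AllowedIPs = 10.200.200.2/32
[Peer]
PublicKey = {DUMMY_KEY_C}
AllowedIPs = 10.200.200.2/32
"""

if __name__ == "__main__":
    for name, conf in (("client", CLIENT_CONF), ("server", SERVER_CONF)):
        print(name, validate(conf) or "OK")
```

To check a real profile, read the file and pass its text to validate(), and call conf_mode_ok() on its path before wg-quick does (wg-quick only warns about loose permissions; it still brings the interface up). Distinct but overlapping prefixes across peers (a /24 on one peer, a /32 on another) are deliberately not flagged, since WireGuard resolves those by longest-prefix match and that is a legitimate layout.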
Add a client while the server is running (the change survives a restart only if SaveConfig = true, which writes it back to the file when the interface goes down):
wg set wg0 peer "<Peer A public key>" persistent-keepalive 25 allowed-ips 10.0.0.1/32 endpoint 198.51.100.101:48574
Remove a client.
wg set wg0 peer "<Peer A public key>" remove
Generate QR code
If the client is a mobile device such as a phone, qrencode can render the client config as a QR code that the WireGuard app can scan:
qrencode -t ansiutf8 < client.conf