How to set up WireGuard on Linux

We look at how to set up WireGuard on a Linux system. In this case, we use Debian to create a tunnel between two nodes using WireGuard. The setup is quite easy because WireGuard is strongly opinionated about what should be available, which leaves few things to configure.

How to set up a WireGuard tunnel

Installation on both machines

echo 'deb http://ftp.debian.org/debian buster-backports main' | sudo tee /etc/apt/sources.list.d/buster-backports.list
sudo apt update
sudo apt install wireguard

Generate keys on both machines

(umask 077 && wg genkey > wg-private.key)
wg pubkey < wg-private.key > wg-public.key

Configuring server

On the server side, add a WireGuard configuration file /etc/wireguard/wg0.conf

# define the WireGuard service
[Interface]
# contents of file wg-private.key that was recently created
PrivateKey = SERVER_PRIVATE_KEY

# UDP service port; 51820 is a common choice for WireGuard
ListenPort = 51820

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.2.2/32

Next up we configure the interface for the network in /etc/network/interfaces.d/wg0

# indicate that wg0 should be created when the system boots, and on ifup -a
auto wg0

# describe wg0 as an IPv4 interface with static address
iface wg0 inet static

        # static IP address
        address 10.0.2.1/24

        # before ifup, create the device with this ip link command
        pre-up ip link add $IFACE type wireguard

        # before ifup, set the WireGuard config from earlier
        pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf

        # after ifdown, destroy the wg0 interface
        post-down ip link del $IFACE

When this is done we can easily enable the network by running

sudo ifup wg0

If we need to remove the network again we can run

sudo ip link delete wg0

You can also allow clients to connect dynamically by adding an allowed peer with a specific client key

sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.0.2.2

Configuring client

On the client side, add a WireGuard configuration file /etc/wireguard/wg0.conf

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = 192.168.6.6:51820
AllowedIPs = 0.0.0.0/0

Next up we configure the interface for the network in /etc/network/interfaces.d/wg0

# indicate that wg0 should be created when the system boots, and on ifup -a
auto wg0

# describe wg0 as an IPv4 interface with static address
iface wg0 inet static

        # static IP address
        address 10.0.2.2/24

        # before ifup, create the device with this ip link command
        pre-up ip link add $IFACE type wireguard

        # before ifup, set the WireGuard config from earlier
        pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf

        # after ifdown, destroy the wg0 interface
        post-down ip link del $IFACE

When this is done we can easily enable the network by running

sudo ifup wg0

If we need to remove the network again we can run

sudo ip link delete wg0
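
A check worth running on both machines before ifup, as an added example that is not part of the original post: it audits a wg0.conf laid out like the ones above for loose file permissions, keys that are still placeholders such as SERVER_PRIVATE_KEY, and a listening side whose peer is allowed 0.0.0.0/0. The function name wg_conf_audit is hypothetical, and treating any file with ListenPort as the server is a heuristic assumed here.

```sh
#!/bin/sh
# Added example, not from the original post. wg_conf_audit is a hypothetical
# helper name; it is not part of wireguard-tools.
# Prints one line per finding and returns the number of findings (0 = clean).
wg_conf_audit() {
    conf=$1
    [ -r "$conf" ] || { echo "$conf: cannot read file"; return 1; }
    {
        # The file holds PrivateKey, so group and others need no access
        # (same goal as the umask 077 used when the key was generated).
        perms=$(ls -ld "$conf" | cut -c5-10)
        [ "$perms" = "------" ] ||
            echo "group/other permissions are '$perms'; run chmod 600"
        awk '
            { sub(/[ \t]*#.*/, "") }                  # ignore comments
            /^[ \t]*ListenPort[ \t]*=/ { listening = 1 }
            # A key is 32 bytes: 43 base64 characters followed by "=".
            /^[ \t]*(PrivateKey|PublicKey)[ \t]*=/ {
                val = $0
                sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                if (length(val) != 44 || val !~ "^[A-Za-z0-9+/]+=$")
                    print "line " NR ": not a base64 key (placeholder left in?)"
            }
            # AllowedIPs also filters the source addresses accepted from a peer.
            /^[ \t]*AllowedIPs[ \t]*=(.*[ \t,])?0\.0\.0\.0\/0/ { wide = wide " " NR }
            END {
                if (listening && wide != "")
                    print "line" wide ": listening side accepts any source address from this peer"
            }' "$conf"
    } | (
        n=0
        while IFS= read -r msg; do
            echo "$conf: $msg"
            n=$((n + 1))
        done
        exit "$n"
    )
}
```

Source the file and run wg_conf_audit /etc/wireguard/wg0.conf as root. The client config above passes the AllowedIPs check because it has no ListenPort.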
