Wireguard

Installation

Debian

sudo apt-get install wireguard

CentOS

sudo yum install elrepo-release epel-release
sudo yum install kmod-wireguard wireguard-tools

RedHat

sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
sudo yum install kmod-wireguard wireguard-tools

Configuration

Create private and public key

sudo chmod 0700 /etc/wireguard
sudo touch /etc/wireguard/privatekey /etc/wireguard/publickey /etc/wireguard/wg0.conf
sudo chmod 0600 /etc/wireguard/privatekey /etc/wireguard/publickey /etc/wireguard/wg0.conf
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

for peer in 1 2 3; do sudo touch /etc/wireguard/psk.${peer} ; done
for peer in 1 2 3; do sudo chmod 0600 /etc/wireguard/psk.${peer} ; done
for peer in 1 2 3; do wg genpsk | sudo tee /etc/wireguard/psk.${peer} ; done

Create a server’s config

sudo tee /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = <IP to be set on wg0 interface>
ListenPort = <A port to listen on>

PrivateKey = <The content of server:/etc/wireguard/privatekey>
EOF

Allow access to hosts behind wireguard endpoint

sudo tee -a /etc/wireguard/wg0.conf <<EOF
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF

Add peer(s)

sudo tee -a /etc/wireguard/wg0.conf <<EOF
[Peer]
PublicKey = <The content of peer:/etc/wireguard/publickey>
AllowedIPs = <IP of peer's wg0 interface or even '0.0.0.0/0' if security does not matter>
PresharedKey = <The content of server:/etc/wireguard/psk.<peer>>
EOF

Create a peer’s config

sudo tee -a /etc/wireguard/wg0.conf <<EOF
[Interface]
PrivateKey = <The content of peer:/etc/wireguard/privatekey>
Address = <IP of peer's wg0 interface>

[Peer]
PublicKey = <The content of server:/etc/wireguard/publickey>
PresharedKey = <The content of server:/etc/wireguard/psk.<peer>>
Endpoint = <The external IP of server>:<The port defined in server:/etc/wireguard/wg0.conf>
AllowedIPs = <Comma separated list of IPs and networks to be reached through this tunnel, e.g. the server's internal IP, the DMZ internal network or even 0.0.0.0>
PersistentKeepalive = 20
EOF

Example

DMZ              Server                           Internet    Firewall/NAT       Peer/Client
                 external  IP: 1.2.3.4/32                     x.y.z.a
192.126.1.0/24   internal  IP: 192.168.1.2/24                                    10.1.2.3/24
                 wireguard IP: 172.16.0.1                                        172.16.0.2

Server’s config

[Interface]
Address = 172.16.0.1
ListenPort = 51820

PrivateKey = gMotnK1iONbBSWwi6/padwDPnd1MlHuUS/I7tj+x+3g=

PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = 7FuoQ9rXq4bK3EsJo9tTATNpEu301j+tlhXSqB2sPkE=
PresharedKey = JC1hducZ9ovx0Ucie18QvpofTLWcm9I4rdULPqFB9y5=
AllowedIPs = 172.16.0.2/32

Peer’s config

[Interface]
PrivateKey = GOwsCfX5pQ/okfKdDtZAbo0QpXga6xbGzfXshFFVBnk=
Address = 172.16.0.2

[Peer]
PublicKey = B2K22l+ncwRumirn9iFd5LJfhxUj/uIc6neikhUOXzo=
PresharedKey = JC1hducZ9ovx0Ucie18QvpofTLWcm9I4rdULPqFB9y5=
Endpoint = 1.2.3.4:51820
AllowedIPs = 192.168.1.0/24
PersistentKeepalive = 20

After restarting wireguard, eg. by sudo systemctl restart wg-quick@wg0.service all peer traffic to 192.168.1.0/24 will go through wireguard VPN tunnel.

Remember

Don’t forget to open the firewall on server side for incoming wireguard traffic on specified port/UDP.