apt install wireguard-tools
# 077 makes every file created from here on owner-readable only (0600),
# so the private key never lands on disk world-readable
umask 077
# key pair goes into the current directory: privatekey first, then the
# matching publickey derived from it
wg genkey > privatekey
wg pubkey < privatekey > publickey
Server config, /etc/wireguard/wg0.conf:
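[Interface]
# choose whatever subnet you want!
# only an IPv4 address is assigned here, so the ip6tables rules in
# PostUp/PostDown have nothing to match until an IPv6 address (and a
# matching peer AllowedIPs entry) is added as well
Address = 10.0.0.1/24
# wg-quick rewrites this file from the running interface state on
# "wg-quick down"; comments and unsaved manual edits are lost at that point
SaveConfig = true
# eth0 may not be what you want, your interface may be named differently!
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# UDP; must match the port opened in the firewall
ListenPort = 51820
# this file holds the private key: keep it root-only (chmod 600)
PrivateKey = <Server Private Key>

[Peer]
PublicKey = <Peer Public Key>
# /32, not /24: on the server AllowedIPs is both the route to this peer and
# the source-address filter for packets arriving from it; a /24 would hand
# the whole subnet to this one peer and overlap with every other peer added later
AllowedIPs = 10.0.0.2/32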
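# allow SSH before enabling the firewall so the current session is not cut off
ufw allow 22/tcp
# WireGuard listens on UDP; this must match ListenPort in wg0.conf
ufw allow 51820/udp
ufw enable
ufw status verbose
wg-quick up wg0
# "wg status" is not a wg subcommand; "wg show" lists interfaces, peers and last handshakes
wg show
# both must report 1, otherwise the server will not forward peer traffic
sysctl net.ipv4.ip_forward
sysctl net.ipv6.conf.all.forwarding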
If those aren't set to 1, set them in /etc/sysctl.conf and run `sysctl -p; systemctl restart networking`.
# bring the tunnel up at boot; the unit instance reads /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0
Client config, /etc/wireguard/wg0.conf:
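[Interface]
# this file holds the private key: keep it root-only (chmod 600)
PrivateKey = <Client Private Key>
Address = 10.0.0.2/24
# Optional, if you have a DNS server with local names set up at that address (for example dnsmasq)
# wg-quick installs it via resolvconf while the tunnel is up
DNS = 10.0.0.1

[Peer]
PublicKey = <Server Public Key>
Endpoint = <Server Public IP/domain name>:51820
# this will forward all IPv4 traffic through wg0
# put 10.0.0.0/24 if you want only that subnet forwarded
# no IPv6 prefix is listed, so the client's IPv6 traffic still leaves by its normal route
AllowedIPs = 0.0.0.0/0
# Optional, for clients behind NAT: a keepalive every 25 seconds keeps the NAT mapping open
PersistentKeepalive = 25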
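wg-quick up wg0
# "wg status" is not a wg subcommand; "wg show" lists the interface, its peer and the last handshake
wg show
# bring the tunnel up at boot; the unit instance reads /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0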