Once your server is up and running, you can configure a peer. The process is nearly identical to setting up the server—allowing you to easily replicate these steps for adding multiple peers. As always, ensure that all commands are executed as the root user.

Generate keys

Each peer requires a unique public/private key pair to establish its identity and secure its connections, just like the server. Run the following command to create the required files:

(umask 0077; wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey)

Create configuration file

Create a configuration file for the new peer interface. In WireGuard, the configuration file's name determines the interface name; for example, if you create /etc/wireguard/wg0.conf, the interface will be named wg0.

Open your editor and create (or modify) the file (e.g., /etc/wireguard/wg0.conf) with the following content:

[Interface]
Address = 10.201.1.2/24
PrivateKey = CLIENT_PRIVATE_KEY

  • Address: The private network IP assigned to this peer.
  • CLIENT_PRIVATE_KEY: The contents of the file /etc/wireguard/privatekey.

Note that the peer configuration does not require PostUp or PostDown options, as these settings are only needed for routing or NAT operations on a server. A ListenPort might be needed if the peer is acting as a proxy for other peers, but this is uncommon in most setups.

Add Peer

We need the server's SERVER_PUBLIC_KEY and the preshared key (PEER_PSK) provided by your administrator. Add the following peer configuration:

[Peer]
PublicKey = SERVER_PUBLIC_KEY
PresharedKey = PEER_PSK
AllowedIPs = 10.201.1.0/24
Endpoint = 1.1.1.1:51281
PersistentKeepalive = 30

  • PublicKey: Identifies the remote peer and is required to establish the secure connection.
  • PresharedKey: Provides an additional layer of security for this specific connection.
  • AllowedIPs: Specifies which IPs or ranges (e.g., /32, /24, /16) are allowed through this connection, serving as both a routing directive and an access control mechanism. If you want to restrict communication to a single IP, specify that IP with a /32 prefix.
  • Endpoint: Tells this peer how to reach the remote peer, using an IP address or domain name along with the port number.
  • PersistentKeepalive: Keeps the connection active by sending periodic keepalive messages.

Also, retain the contents of /etc/wireguard/publickey as PEER_PUBLIC_KEY to pass to the server when configuring its peer.

Start the WireGuard service

To start this WireGuard peer instance, run:

systemctl start wg-quick@wg0

Be sure to replace wg0 with the WireGuard interface name used in your configuration.
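As an added example that is not part of the original guide, the following Python script audits a wg-quick style configuration like the one above: it parses the [Interface] and [Peer] sections, checks that PublicKey and PresharedKey decode to 32 bytes, flags an AllowedIPs entry of 0.0.0.0/0 or ::/0, and resolves a destination address the way WireGuard's cryptokey routing does, so an address outside AllowedIPs (such as 10.222.2.2) matches no peer and is dropped. The keys in the sample are constructed values, not real ones.

```python
import base64
import ipaddress
SERVER_PUBLIC_KEY = base64.b64encode(bytes(range(32))).decode()  # constructed, not a real key
PEER_PSK = base64.b64encode(bytes([7] * 32)).decode()            # constructed, not a real key
SAMPLE_CONF = f"""[Interface]
Address = 10.201.1.2/24
[Peer]
PublicKey = {SERVER_PUBLIC_KEY}
PresharedKey = {PEER_PSK}
AllowedIPs = 10.201.1.0/24
"""

def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]); every [Peer] section is kept."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            peers.append(current := {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))  # keys end in '='
            current[key] = value
    return interface, peers

def valid_key(value):
    try:  # a WireGuard key is exactly 32 bytes, base64-encoded
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def allowed_nets(peer):
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in peer.get("AllowedIPs", "").split(",") if s.strip()]

def audit_peer(peer):
    """Findings to resolve before trusting this [Peer] block."""
    findings = [f"{f} missing or not a 32-byte base64 key"
                for f in ("PublicKey", "PresharedKey") if not valid_key(peer.get(f, ""))]
    findings += [f"AllowedIPs {n} sends all traffic through this peer"
                 for n in allowed_nets(peer) if n.prefixlen == 0]
    return findings

def peer_for(peers, dst):
    """Cryptokey routing: the longest AllowedIPs prefix match picks the peer, else drop."""
    addr = ipaddress.ip_address(dst)
    matches = [(n.prefixlen, i) for i, p in enumerate(peers)
               for n in allowed_nets(p) if addr in n]
    return peers[max(matches)[1]] if matches else None
```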

A Note on UFW and Routed Traffic When Using a Peer as a Proxy

When using a peer as a proxy to route traffic between two networks, it’s important to be aware of UFW’s default behavior regarding forwarded traffic. Even if basic connectivity is established (evidenced by successful pings), routed connections such as SSH or other services may be blocked if not explicitly allowed.

By default, UFW denies routed (forwarded) traffic. This means that traffic intended to cross between different subnets or interfaces can be dropped, even if the peers themselves are connected.

To address this without compromising overall security, instead of setting UFW’s global forward policy to ACCEPT, you can add specific forwarding rules. For example, if you need to allow traffic from one particular IP (e.g., 10.201.1.1) to another (e.g., 10.222.2.2), you can modify UFW’s configuration as follows:

  1. Edit the UFW before.rules file:

         sudo vi /etc/ufw/before.rules

  2. Add a custom forwarding rule to the ufw-user-forward chain, before the COMMIT line:

         -A ufw-user-forward -s 10.201.1.1 -d 10.222.2.2 -j ACCEPT

  3. Reload UFW:

         sudo ufw reload

This targeted rule will permit the necessary routed traffic between the specified IP addresses, ensuring that only the required traffic is allowed while maintaining a secure firewall posture.

Wrapping Up the Peer Setup

Your peer configuration is now finalized, ensuring that this node only handles the specific traffic intended for it. Once connected, verify that your routing and connectivity work flawlessly, and that persistent keepalive maintains a stable link. With your secure connection established, you’re ready to integrate this peer into your overall VPN environment.

Stay connected and secure!