Refer to this article for a brief overview, prerequisites, and server details. Ensure you run all commands as the root user.

Generate keys

Each server requires a unique public/private key pair to establish identity and secure connections. Run the following commands to create the required files (the umask ensures the key files are created readable by root only):

(umask 0077; wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey)
wg genpsk   # Generates a preshared key for Peer A: an optional symmetric secret mixed into the handshake. It is printed to the terminal only, so save it; generate a separate one for each peer.

Create configuration file

Create a configuration for the new interface. In WireGuard, the configuration file’s name determines the interface name. For example, if you create /etc/wireguard/wg0.conf, the interface will be named wg0.

Open your editor and create or edit the file (e.g., /etc/wireguard/wg0.conf) with the following content:

[Interface]
Address = 10.201.1.1/24
ListenPort = 51281
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -I FORWARD 1 -i %i -j ACCEPT; iptables -t nat -I POSTROUTING 1 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

  • Address: The private (tunnel) address assigned to this server, with the mask of the VPN subnet it routes (here 10.201.1.0/24).
  • ListenPort: The UDP port on which the server listens for incoming connections (the client configuration uses it as the endpoint port).
  • SERVER_PRIVATE_KEY: The contents of the file /etc/wireguard/privatekey. Because the configuration file now holds the private key, keep it readable by root only (mode 0600), just like the key files.
  • PostUp/PostDown: These commands set up and tear down the forwarding and NAT rules when the interface comes up and goes down. %i automatically expands to the interface name (e.g., wg0); replace eth0 with the interface that actually carries your internet connectivity (check with ip route show default).

To allow the server to route traffic between the VPN and the internet, enable IP forwarding. Create or edit a sysctl configuration file at /etc/sysctl.d/10-ip-forward.conf with these lines:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Then, reload the sysctl settings:

sysctl --system

Configure Firewall

Enable the firewall on your server and ensure that both SSH (TCP, typically port 22) and the WireGuard UDP port (51281) are allowed before you enable ufw, otherwise you will lock yourself out of the server. Replace 1.1.1.1 with your server’s public IP address. The PostUp rules in wg0.conf are inserted at the head of the FORWARD chain, ahead of ufw’s own chains, so tunnel traffic is forwarded even though ufw denies forwarding by default.

ufw allow proto tcp from any to 1.1.1.1 port 22
ufw allow proto udp from any to 1.1.1.1 port 51281
ufw enable

Adding Peers

Complete the client’s configuration before adding its [Peer] section on the server, since you will need the client’s tunnel address and public key. Save a copy of the server’s public key (located in /etc/wireguard/publickey and referred to as SERVER_PUBLIC_KEY) to use when setting up clients. Also retain the preshared key generated by wg genpsk (PEER_PSK): it must be configured identically in the server’s [Peer] entry and in the client’s, and each peer should get its own.

Once the peer configuration is ready, edit the /etc/wireguard/wg0.conf file and append the following at the end:

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
PresharedKey = PEER_PSK
AllowedIPs = 10.201.1.2/32

Here, AllowedIPs does two jobs. Outbound, it tells the server to route packets destined for 10.201.1.2 through this peer. Inbound, it is WireGuard’s cryptokey routing check: decrypted packets from this peer whose source address is not within AllowedIPs are dropped. The /32 mask therefore pins this peer to exactly one address; a client that sourced traffic from any other address would have its packets silently discarded.
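The key generation in "Generate keys" and the wg0.conf built up above (the [Interface] section plus this [Peer] entry), as an added example that is not code from the original article or from the WireGuard project. It re-implements in pure Python what wg genkey, wg pubkey and wg genpsk produce (Curve25519 per RFC 7748) so it runs without wireguard-tools, and renders the server configuration from that material. Use the real wireguard-tools on a server; this ladder is not constant-time and exists only to show what the key material is. The client address 10.201.1.2 and the uplink eth0 are taken from the article's sample; the RFC test vectors are the published ones.

```python
"""Added example, not code from the original article: a pure-Python
re-implementation of what `wg genkey`, `wg pubkey` and `wg genpsk` produce
(Curve25519 per RFC 7748), plus a renderer for the wg0.conf shown above.
Not constant-time; use wireguard-tools for real deployments."""
import base64
import os

P = 2**255 - 19       # Curve25519 field prime
A24 = 121665          # (486662 - 2) / 4, Montgomery ladder constant
BASEPOINT_U = (9).to_bytes(32, "little")


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def clamp(secret: bytes) -> bytes:
    """Scalar clamping that `wg genkey` applies to its 32 random bytes."""
    b = bytearray(secret)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def _ladder(k: int, u: int) -> int:
    """RFC 7748 section 5 Montgomery ladder (not constant-time in Python)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def x25519(secret: bytes, point_u: bytes) -> bytes:
    """X25519(k, u): 32-byte scalar and u-coordinate in, 32 bytes out."""
    k = int.from_bytes(clamp(secret), "little")
    u = int.from_bytes(point_u, "little") & ((1 << 255) - 1)
    return _ladder(k, u).to_bytes(32, "little")


def genkey() -> str:
    """Like `wg genkey`: 32 random bytes, clamped, base64-encoded."""
    return b64(clamp(os.urandom(32)))


def pubkey(private_b64: str) -> str:
    """Like `wg pubkey`: public key = X25519(private, 9)."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return b64(x25519(priv, BASEPOINT_U))


def genpsk() -> str:
    """Like `wg genpsk`: 32 random bytes, base64. No clamping: the PSK is a
    symmetric secret mixed into the handshake, not a curve scalar."""
    return b64(os.urandom(32))


def render_server_conf(server_priv: str, client_pub: str, psk: str,
                       address: str = "10.201.1.1/24", port: int = 51281,
                       client_ip: str = "10.201.1.2", uplink: str = "eth0") -> str:
    """The article's wg0.conf ([Interface] plus one [Peer]) with real values.
    Defaults (client 10.201.1.2, uplink eth0) follow the article's sample."""
    nat = f"iptables -t nat -I POSTROUTING 1 -o {uplink} -j MASQUERADE"
    unnat = f"iptables -t nat -D POSTROUTING -o {uplink} -j MASQUERADE"
    return "\n".join([
        "[Interface]",
        f"Address = {address}",
        f"ListenPort = {port}",
        f"PrivateKey = {server_priv}",
        f"PostUp = iptables -I FORWARD 1 -i %i -j ACCEPT; {nat}",
        f"PostDown = iptables -D FORWARD -i %i -j ACCEPT; {unnat}",
        "",
        "[Peer]",
        f"PublicKey = {client_pub}",
        f"PresharedKey = {psk}",
        f"AllowedIPs = {client_ip}/32",   # /32: exactly one address for this peer
        "",
    ])


if __name__ == "__main__":
    server_priv, client_priv, psk = genkey(), genkey(), genpsk()
    print(render_server_conf(server_priv, pubkey(client_priv), psk))
    print("# the client needs:", pubkey(server_priv), "and the same PSK")
```

Running the script prints a complete server configuration for one peer together with the server public key the client side needs; the private keys are generated in memory, so write them out with the same 0600 discipline the article uses for the key files.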

Start the WireGuard service

To start this WireGuard interface, execute:

systemctl start wg-quick@wg0

Be sure to replace wg0 with the actual WireGuard interface name used in your configuration. To have the interface come up at boot as well, enable the unit (systemctl enable wg-quick@wg0).

Verifying Peer Setup on the Server

Once the peer configuration is complete and the service is started, run these checks on the server to confirm the setup is working as expected:

  1. Check the WireGuard status:
    Run the following command to view the interface and its peers, and verify the peer is listed with the correct parameters:

        wg show

    Look for your peer’s public key, allowed IPs, and the latest handshake time. A handshake appears only once the client has actually sent traffic, so no handshake right after startup is normal; no handshake after the client has tried to connect usually means a key, preshared key, endpoint or firewall mismatch.

  2. Test connectivity:
    From the server, ping the peer’s VPN IP address to confirm network connectivity. For example:

        ping 10.201.1.2

    A successful ping indicates that traffic is correctly routed between the server and the peer (the client must be connected and must not block ICMP).

  3. Monitor logs:
    Check the wg-quick unit’s log for any errors or anomalies by executing:

        journalctl -u wg-quick@wg0 -f

    This live log view can help you identify and troubleshoot any issues during the connection. Note that it shows wg-quick’s setup steps and the PostUp/PostDown output; the WireGuard kernel module logs nothing about handshakes by default, so wg show remains the place to look for peer state.

By performing these checks, you can confidently verify that your Wireguard peer is correctly configured and operating as intended.
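The wg show check above, done programmatically, as an added example that is not part of the original article: it parses the tab-separated output of wg show wg0 dump (the format documented in wg(8)) and flags the conditions a practitioner looks for by hand, namely peers that have not completed a recent handshake, peers configured without a preshared key, and peers whose AllowedIPs overlap. The dump text below is constructed for the example; its keys and endpoints are placeholders, not real peers.

```python
"""Added example (not from the original article): parse `wg show wg0 dump`
and flag stale handshakes, missing preshared keys and overlapping AllowedIPs.
SAMPLE_DUMP is constructed for this example; keys and endpoints are fake."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `wg show wg0 dump` (tab-separated, see wg(8)).
# First line: private-key, public-key, listen-port, fwmark.
# Peer lines: public-key, preshared-key, endpoint, allowed-ips,
#             latest-handshake (epoch seconds, 0 = never), rx, tx, keepalive.
SAMPLE_DUMP = (
    "SERVER_PRIVATE_KEY\tSERVER_PUBLIC_KEY\t51281\toff\n"
    "PEER_A_PUBKEY\tPEER_A_PSK\t203.0.113.10:41820\t10.201.1.2/32"
    "\t1700000000\t123456\t654321\toff\n"
    "PEER_B_PUBKEY\t(none)\t(none)\t10.201.1.3/32\t0\t0\t0\toff\n"
    "PEER_C_PUBKEY\tPEER_C_PSK\t203.0.113.11:51820\t10.201.1.2/32,10.201.1.4/32"
    "\t1699999000\t10\t10\t25\n"
)

# WireGuard renews a session after 120 s and rejects it after 180 s without a
# new handshake, so a handshake older than that means no traffic is flowing.
STALE_AFTER = 180


@dataclass
class Peer:
    public_key: str
    has_psk: bool
    endpoint: Optional[str]
    allowed_ips: List[ipaddress.IPv4Network]
    latest_handshake: int
    rx_bytes: int
    tx_bytes: int


def parse_dump(text: str) -> Tuple[int, List[Peer]]:
    """Return (listen_port, peers) from `wg show <iface> dump` output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    listen_port = int(lines[0].split("\t")[2])
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append(Peer(
            public_key=f[0],
            has_psk=f[1] != "(none)",
            endpoint=None if f[2] == "(none)" else f[2],
            allowed_ips=[ipaddress.ip_network(n, strict=False) for n in f[3].split(",")],
            latest_handshake=int(f[4]),
            rx_bytes=int(f[5]),
            tx_bytes=int(f[6]),
        ))
    return listen_port, peers


def stale_peers(peers: List[Peer], now: int, stale_after: int = STALE_AFTER) -> List[str]:
    """Public keys of peers that never handshook or whose last handshake is too old."""
    return [p.public_key for p in peers
            if p.latest_handshake == 0 or now - p.latest_handshake > stale_after]


def overlapping_allowed_ips(peers: List[Peer]) -> List[Tuple[str, str]]:
    """Pairs of peers whose AllowedIPs overlap. WireGuard allows a single owner
    per allowed IP, so an overlap means one peer's route has been replaced."""
    hits = []
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            if any(na.overlaps(nb) for na in a.allowed_ips for nb in b.allowed_ips):
                hits.append((a.public_key, b.public_key))
    return hits


def report(text: str, now: int) -> List[str]:
    """Human-readable findings for one dump; an empty list means all clear."""
    _port, peers = parse_dump(text)
    findings = [f"{k}: no recent handshake" for k in stale_peers(peers, now)]
    findings += [f"{a} and {b}: overlapping AllowedIPs"
                 for a, b in overlapping_allowed_ips(peers)]
    findings += [f"{p.public_key}: no preshared key configured"
                 for p in peers if not p.has_psk]
    return findings


if __name__ == "__main__":
    # On a real server: subprocess.run(["wg", "show", "wg0", "dump"], ...)
    # and pass its stdout with now=int(time.time()).
    for line in report(SAMPLE_DUMP, now=1700000100):
        print(line)
```

On a live server, feed the checker the real output of wg show wg0 dump and the current time; run it from cron or a monitoring agent and alert on any finding. Note that a stale handshake is not necessarily an error for an idle client, which is why the checker reports rather than acts.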

Wrapping Up the Server Setup

Your server configuration is now complete, and your WireGuard server is ready to securely manage and route traffic between your network and the internet. Test the connection from a client to ensure that NAT, IP forwarding, and the firewall rules function as expected. As your network evolves, remember that you can add more peers by appending further [Peer] sections, each with its own key pair, preshared key and unique AllowedIPs.

Happy networking!