HowTo Quickly Setup A VPN Using WireGuard On NST
Overview
This page provides a quick start reference on how to setup a fast, modern, secure VPN tunnel using WireGuard on NST.
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It tends to outperform OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployed. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
WireGuard aims to be as easy to configure and deploy as SSH. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between IP Addresses, just like Mosh. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.
WireGuard Detailed Command-Line Setup
One can follow the detailed setup for a WireGuard VPN on its main site: Quick Start. On this page you will learn the step-by-step procedure for configuring the Server and Client endpoints of the VPN using the command-line.
NST Quick WireGuard VPN Setup
NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation command file. These files are located in directory: "/etc/wireguard".
[root@shopper2 wireguard]# ls -al /etc/wireguard total 28 drwx------ 2 root root 92 Nov 20 08:22 . drwxr-xr-x 229 root root 12288 Nov 20 08:22 .. -rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf -rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys -rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf
Example VPN Setup Steps
In this example we will setup a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a NATed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.
***Note: All WireGuard VPN configuration and command execution requires "root" access. One can "su -" to the "root" user or use the "sudo" command with the "nst" user for configuration and command execution. The "root" user was used for this example VPN setup.
NST Server Side:
- Server Address: "10.55.55.1"
- Host Name: "shopper2"
- Public IP Address: "102.5.221.22" (***Note: Use the command: "getipaddr -f -p" to get your public IP Address)
- WireGuard UDP VPN Listen Port: "51820"
- WireGuard Virtual Interface: "wg0"
- VPN Allowed IP Address: "10.55.55.2/32"
NST Client Side:
- Client Address: "10.55.55.2"
- Host Name: "pktcap28"
- WireGuard Virtual Interface: "wg0"
- VPN Allowed IP Addresses: "10.55.55.0/24"
WireGuard Server Endpoint Setup
Do the following steps on the NST server side (shopper2):
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:
[root@shopper2 ~]# cd /etc/wireguard
2) Copy the Server template file to a "wg0" WireGuard configuration file for this virtual network interface:
[root@shopper2 wireguard]# install -m 600 wg-server.template.conf wg0.conf [root@shopper2 wireguard]# ls -al total 36 drwx------ 2 root root 108 Nov 20 08:46 . drwxr-xr-x 235 root root 16384 Nov 19 08:45 .. -rw------- 1 root root 174 Nov 20 08:50 wg0.conf -rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf -rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys -rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf
[root@shopper2 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.1/24 SaveConfig = true ListenPort = 51820 PrivateKey = -SERVER PRIVATE KEY- [Peer] PublicKey = -CLIENT PUBLIC KEY- AllowedIPs = 10.55.55.2/32
3) Generate the Server side Private / Public WireGuard keys. This will create two (2) Private / Public key file pairs:
[root@shopper2 wireguard]# source ./wg-generate-keys [root@shopper2 wireguard]# ls -al total 44 drwx------ 2 root root 143 Nov 20 08:57 . drwxr-xr-x 235 root root 16384 Nov 19 08:45 .. -rw------- 1 root root 45 Nov 20 08:57 privatekey -rw------- 1 root root 45 Nov 20 08:57 publickey -rw------- 1 root root 174 Nov 20 08:50 wg0.conf -rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf -rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys -rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf
4) Edit the "wg0.conf" configuration file and substitute in the generated Server Private key content for the "-SERVER PRIVATE KEY-" name placeholder.
Before substitution:
[root@shopper2 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.1/24 SaveConfig = true ListenPort = 51820 PrivateKey = -SERVER PRIVATE KEY- [Peer] PublicKey = -CLIENT PUBLIC KEY- AllowedIPs = 10.55.55.2/32
[root@shopper2 wireguard]# cat privatekey UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=
After substitution:
[root@shopper2 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.1/24 SaveConfig = true ListenPort = 51820 PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ= [Peer] PublicKey = -CLIENT PUBLIC KEY- AllowedIPs = 10.55.55.2/32
***Note: We will substitute in the Client public key later once we generate it on the NST client system (See "WireGuard Client Endpoint Setup - Step: 6 Below").
Peer Client Key Sharing:
[root@shopper2 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.1/24 SaveConfig = true ListenPort = 51820 PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ= [Peer] PublicKey = -CLIENT PUBLIC KEY- AllowedIPs = 10.55.55.2/32 10.55.55.3/32
***Note: In this example peers: 10.55.55.2 and 10.55.55.3 with share the same Wireguard key configuration.
WireGuard Client Endpoint Setup
Do the following steps on the NST client side (pktcap28):
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:
[root@pktcap28 ~]# cd /etc/wireguard
2) Copy the Client template file to a "wg0" WireGuard configuration file for this virtual network interface:
[root@pktcap28 wireguard]# install -m 600 wg-client.template.conf wg0.conf [root@pktcap28 wireguard]# ls -al total 32 drwx------ 2 root root 108 Nov 19 11:17 . drwxr-xr-x 225 root root 12288 Nov 19 11:17 .. -rw------- 1 root root 296 Nov 21 07:55 wg0.conf -rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf -rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys -rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf
[root@pktcap28 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.2/32 PrivateKey = -CLIENT PRIVATE KEY- #DNS = 1.1.1.1 #DNS = 8.8.8.8 [Peer] PublicKey = -SERVER PUBLIC KEY- Endpoint = public.ip.of.server:51820 #AllowedIPs = 0.0.0.0/0 #AllowedIPs = 10.55.55.1/32, 10.55.55.2/32 AllowedIPs = 10.55.55.0/24 PersistentKeepalive = 21
3) Generate the Client side Private / Public WireGuard keys. This will create two (2) Private / Public key file pairs:
[root@pktcap28 wireguard]# source ./wg-generate-keys [root@pktcap28 wireguard]# ls -al total 40 drwx------ 2 root root 143 Nov 21 07:58 . drwxr-xr-x 225 root root 12288 Nov 19 11:17 .. -rw------- 1 root root 45 Nov 21 07:58 privatekey -rw------- 1 root root 45 Nov 21 07:58 publickey -rw-r--r-- 1 root root 296 Nov 21 07:55 wg0.conf -rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf -rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys -rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf
4) Edit the "wg0.conf" configuration file and substitute in the generated Client Private key content for the "-CLIENT PRIVATE KEY-" name placeholder.
Before substitution:
[Interface] Address = 10.55.55.2/32 PrivateKey = -CLIENT PRIVATE KEY- #DNS = 1.1.1.1 #DNS = 8.8.8.8 [Peer] PublicKey = -SERVER PUBLIC KEY- Endpoint = public.ip.of.server:51820 #AllowedIPs = 0.0.0.0/0 #AllowedIPs = 10.55.55.1/32, 10.55.55.2/32 AllowedIPs = 10.55.55.0/24 PersistentKeepalive = 21
[root@pktcap28 wireguard]# cat privatekey +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=
After substitution:
[root@pktcap28 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.2/32 PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk= #DNS = 1.1.1.1 #DNS = 8.8.8.8 [Peer] PublicKey = -SERVER PUBLIC KEY- Endpoint = public.ip.of.server:51820 #AllowedIPs = 0.0.0.0/0 #AllowedIPs = 10.55.55.1/32, 10.55.55.2/32 AllowedIPs = 10.55.55.0/24 PersistentKeepalive = 21
5) Now substitute in both the Server side public key: "-SERVER PUBLIC KEY-" and the public IP Address of the Server: "public.ip.of.server" name placeholders.
The "public.ip.of.server" name placeholder can also be a "FQDN". If both the client and server are on the same LAN, this is the IP Address of the server's LAN facing interface and not the WireGuard IP Address. Also update the WireGuard server listening port (Default: 51820) if necessary.
Server Public Key:
[root@shopper2 wireguard]# cat publickey vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=
After Substitution:
[root@pktcap28 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.2/32 PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk= #DNS = 1.1.1.1 #DNS = 8.8.8.8 [Peer] PublicKey = vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s= Endpoint = 102.5.221.22:51820 #AllowedIPs = 0.0.0.0/0 #AllowedIPs = 10.55.55.1/32, 10.55.55.2/32 AllowedIPs = 10.55.55.0/24 PersistentKeepalive = 21
6) Now back on the NST Server, substitute in the Client side public key: "-CLIENT PUBLIC KEY-" name placeholder.
Client Public Key:
[root@pktcap28 wireguard]# cat publickey dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=
Server side "wg0.conf" file content after substitution:
[root@shopper2 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.1/24 SaveConfig = true ListenPort = 51820 PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ= [Peer] PublicKey = dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs= AllowedIPs = 10.55.55.2/32
***Note: At this point all template name placeholders have been filled in.
WireGuard VPN Firewall Rule Changes and IP Forwarding
Depending on how your Firewall Gateway Router is configured on your server side environment, access to UDP port: "51820" on your WireGuard VPN server host needs to be allowed from the Internet facing side. The WireGuard article: Wireguard VPN: Typical Setup covers Firewall rule changes and IP Forwarding that may need to be changed for your environment.
***Note: Typically, a fresh NST install will only require a NATed Forward Port rule on the Gateway Firewall Router to the NST WireGuard VPN server, UDP port: "51820" for this example VPN to be established and work properly.
Bring Up WireGuard VPN
Server Side (Linux)
Use the "wg-quick" command to bring up the WireGuard VPN on the Server side (Linux):
[root@shopper2 ~]# wg-quick up wg0 [#] ip link add wg0 type wireguard [#] wg setconf wg0 /dev/fd/63 [#] ip address add 10.55.55.1/24 dev wg0 [#] ip link set mtu 1420 dev wg0 [#] ip link set wg0 up [root@shopper2 ~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff inet 10.22.22.44/24 brd 10.222.222.255 scope global lan0 valid_lft forever preferred_lft forever inet6 fe80::3285:a9ff:fe44:7e37/64 scope link valid_lft forever preferred_lft forever 3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000 link/none inet 10.55.55.1/24 scope global wg0 valid_lft forever preferred_lft forever [root@shopper2 ~]# route -nv Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.22.22.1 0.0.0.0 UG 0 0 0 lan0 10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0 10.22.22.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0 [root@shopper2 ~]# netstat -uanp | grep 51820 udp 0 0 0.0.0.0:51820 0.0.0.0:* - udp6 0 0 :::51820 :::* -
Server Side - IPv4 Forwarding
To allow client to client access over a WireGuard VPN tunnel enable IPv4 Forwarding:
[root@shopper2 ~]# /sbin/sysctl -w net.ipv4.ip_forward=1 [root@shopper2 ~]# /sbin/sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1
To make the IPv4 Forwarding change permanent add the following line to file: "/etc/sysctl.conf"
net.ipv4.ip_forward=1
To disallow client to client access over a WireGuard VPN tunnel disable IPv4 Forwarding:
[root@shopper2 ~]# /sbin/sysctl -w net.ipv4.ip_forward=0 [root@shopper2 ~]# /sbin/sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 0
To make the IPv4 Forwarding disallow change permanent add the following line to file: "/etc/sysctl.conf"
net.ipv4.ip_forward=0
Client Side (Linux)
Use the "wg-quick" command to bring up the WireGuard VPN on the Client side (Linux):
[root@pktcap28 ~]# wg-quick up wg0 [#] ip link add wg0 type wireguard [#] wg setconf wg0 /dev/fd/63 [#] ip address add 10.55.55.2/32 dev wg0 [#] ip link set mtu 1420 dev wg0 [#] ip link set wg0 up [#] ip route add 10.55.55.0/24 dev wg0 [root@pktcap28 ~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0 valid_lft forever preferred_lft forever inet6 fe80::215:17ff:fed9:d262/64 scope link valid_lft forever preferred_lft forever 3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000 link/none inet 10.55.55.2/32 scope global wg0 valid_lft forever preferred_lft forever [root@pktcap28 ~]# route -nv Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 172.29.1.1 0.0.0.0 UG 0 0 0 lan0 10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0 172.29.1.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0
Client Side (macOS - Using brew)
Use the "wg-quick" command to bring up the WireGuard VPN on the Client side (macOS - Using brew) for the utun2 interface:
iMac27RWH-2020:wireguard rwhalb$ wg-quick up /usr/local/etc/wireguard/utun2.conf [#] wireguard-go utun INFO: (utun2) 2020/12/17 09:50:33 Starting wireguard-go version 0.0.20201118 [+] Interface for utun2 is utun2 [#] wg setconf utun2 /dev/fd/63 [#] ifconfig utun2 inet 10.55.55.101/32 10.55.55.101 alias [#] ifconfig utun2 up [#] route -q -n add -inet 10.55.55.0/24 -interface utun2 [+] Backgrounding route monitor iMac27RWH-2020:wireguard rwhalb$ ifconfig -v utun2 utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420 index 14 eflags=1002080<TXSTART,NOAUTOIPV6LL,ECN_ENABLE> xflags=4<NOAUTONX> inet 10.55.55.101 --> 10.55.55.101 netmask 0xffffffff state availability: 0 (true) scheduler: FQ_CODEL qosmarking enabled: no mode: none low power mode: disabled multi layer packet logging (mpklog): disabled routermode4: disabled routermode6: disabled iMac27RWH-2020:wireguard rwhalb$ sudo wg show utun2 interface: utun2 public key: ZjnnAQ4XqZ3itiUj8iOIR82izJIxroq1HAUloeVikEs= private key: (hidden) listening port: 62149 peer: sQh3WmtzyFuAOzLfKVwonVy1rpQLlnOWCCEIoLAAzy0= endpoint: 136.56.0.244:51823 allowed ips: 10.55.55.0/24 latest handshake: 1 minute, 45 seconds ago transfer: 184 B received, 712 B sent persistent keepalive: every 21 seconds
WireGuard VPN Access
After the WireGuard VPN has been established, we will now show two (2) network commands (i.e., ping and SSH) for exercising the VPN:
1) Ping the Server (10.55.55.1) from the Client (10.55.55.2):
[root@pktcap28 ~]# ping -nv -c 3 10.55.55.1 PING 10.55.55.1 (10.55.55.1) 56(84) bytes of data. 64 bytes from 10.55.55.1: icmp_seq=1 ttl=64 time=41.0 ms 64 bytes from 10.55.55.1: icmp_seq=2 ttl=64 time=38.3 ms 64 bytes from 10.55.55.1: icmp_seq=3 ttl=64 time=37.8 ms --- 10.55.55.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 37.802/39.072/41.085/1.457 ms
2) SSH from Server (10.55.55.1) to the Client (10.55.55.2):
[root@shopper2 ~]# ssh root@10.55.55.2 root@10.55.55.2's password: Activate the web console with: systemctl enable --now cockpit.socket =========================================== = Linux Network Security Toolkit (NST 28) = =========================================== Last login: Wed Nov 21 16:38:18 2018 from 10.55.55.1 [root@pktcap28 ~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0 valid_lft forever preferred_lft forever inet6 fe80::215:17ff:fed9:d262/64 scope link valid_lft forever preferred_lft forever 3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000 link/none inet 10.55.55.2/32 scope global wg0 valid_lft forever preferred_lft forever [root@pktcap28 ~]# exit logout Connection to 10.55.55.2 closed. [root@shopper2 ~]#
WireGuard VPN Status
Server side VPN status using the "wg" command:
[root@shopper2 ~]# wg show wg0 interface: wg0 public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s= private key: (hidden) listening port: 51820 peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs= endpoint: 14.41.111.122:38964 allowed ips: 10.55.55.2/32 latest handshake: 1 minute, 57 seconds ago transfer: 9.59 KiB received, 7.27 KiB sent
Client side VPN status using the "wg" command:
[root@pktcap28 ~]# wg show wg0 interface: wg0 public key: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs= private key: (hidden) listening port: 38964 peer: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s= endpoint: 102.5.221.22:51820 allowed ips: 10.55.55.0/24 latest handshake: 58 seconds ago transfer: 860 B received, 4.92 KiB sent persistent keepalive: every 21 seconds
Tear Down WireGuard VPN
Client side tear down the VPN using the "wg-quick" command:
[root@pktcap28 wireguard]# wg-quick down wg0 [#] ip link delete dev wg0
Server side tear down the VPN using the "wg-quick" command:
[root@shopper2 ~]# wg-quick down wg0 [#] wg showconf wg0 [#] ip link delete dev wg0
WireGuard VPN Automation
The WireGuard package includes a systemd template unit script to automate the starting of the VPN when bringing up an NST system.
On Server side:
[root@shopper2 ~]# systemctl start wg-quick@wg0.service; [root@shopper2 ~]# systemctl enable wg-quick@wg0.service; [root@shopper2 ~]# systemctl status wg-quick@wg0.service;
On Client side:
[root@pktcap28 ~]# systemctl start wg-quick@wg0.service; [root@pktcap28 ~]# systemctl enable wg-quick@wg0.service; [root@pktcap28 ~]# systemctl status wg-quick@wg0.service;
Server With Multiple Clients/Peers
It is possible to have multiple client (peer) connections to the same server interface (wg0 for example). In order to accomplish this, you will need to:
- Create a unique private/public key for each client (peer).
- Add multiple [Peer] sections to the wg0.conf file.
- Make sure that the AllowedIps setting for each peer entry do not overlap.
The following sections provide details on a configuration where the server has an IPv4 address of 10.55.55.1 associated with the wg0 interface and allows 3 clients (10.55.55.10, 10.55.55.11 and 10.55.55.12). Do NOT use these configurations verbatim, they are only examples.
- The EndPoint parameter must be changed from wg.networksecuritytoolkit.org:51820 to the address address associated with your server (this typically involves opening a UDP hole in your firewall).
- It is recommended that you choose a network range other than 10.55.55.0/24 (something different than this public example).
- It is recommended to use a port other than 51820 (something different than this public example).
- It is highly recommended that you generate your own server and client private/public key pairs.
Server Configuration (10.55.55.1)
The following /etc/wireguard/wg0.conf configuration would set the server's IPv4 address to 10.55.55.1 and allow 3 simultaneous clients (10.55.55.10, 10.55.55.11 and 10.55.55.12).
[Interface] Address = 10.55.55.1/24 SaveConfig = true ListenPort = 51820 PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM= [Peer] PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI= AllowedIPs = 10.55.55.10/32 [Peer] PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw= AllowedIPs = 10.55.55.11/32 [Peer] PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8= AllowedIPs = 10.55.55.12/32
Client/Peer Configuration (10.55.55.10)
The following /etc/wireguard/wg0.conf configuration could be used on the 10.55.55.10 client.
[Interface] Address = 10.55.55.10/32 PrivateKey = 0AgVt/rqnZ1sRW9WC3WSGmIL1KNUK8rGDa5z8/kJWF0= [Peer] PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ= Endpoint = wg.networksecuritytoolkit.org:51820 AllowedIPs = 10.55.55.0/24 PersistentKeepalive = 21
Client/Peer Configuration (10.55.55.11)
The following /etc/wireguard/wg0.conf configuration could be used on the 10.55.55.11 client.
[Interface] Address = 10.55.55.11/32 PrivateKey = cAvz+CMRpnZMyo5CmXz1ajmejZWoDgGmiTqihTd8w14= [Peer] PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ= Endpoint = wg.networksecuritytoolkit.org:51820 AllowedIPs = 10.55.55.0/24 PersistentKeepalive = 21
Client/Peer Configuration (10.55.55.12)
The following /etc/wireguard/wg0.conf configuration could be used on the 10.55.55.12 client.
[Interface] Address = 10.55.55.12/32 PrivateKey = UDnwlbOGrNYoWaNP96XrdWDqQRJecKx7u6IXfevrXX8= [Peer] PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ= Endpoint = wg.networksecuritytoolkit.org:51820 AllowedIPs = 10.55.55.0/24 PersistentKeepalive = 21
Manual Wireguard DKMS Build and Install
Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.
Use the following command to build a WireGuard dkms kernel module. This example is for WireGuard version: "0.0.20190123" and kernel: 4.19.16-200.fc28.x86_64.
[root@vortex nst28]# dkms build -m wireguard -v 0.0.20190123; Creating symlink /var/lib/dkms/wireguard/0.0.20190123/source -> /usr/src/wireguard-0.0.20190123 DKMS: add completed. Kernel preparation unnecessary for this kernel. Skipping... Building module: cleaning build area... make -j8 KERNELRELEASE=4.19.16-200.fc28.x86_64 -C /lib/modules/4.19.16-200.fc28.x86_64/build M=/var/lib/dkms/wireguard/0.0.20190123/build.... cleaning build area... DKMS: build completed.
Use the following command to install a WireGuard dkms kernel module:
[root@vortex nst28]# dkms install -m wireguard -v 0.0.20190123; wireguard.ko.xz: Running module version sanity check. - Original module - No original module exists within this kernel - Installation - Installing to /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/ Adding any weak-modules depmod.... DKMS: install completed.
Manual Wireguard DKMS Module Verification
Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.
Use the following commands to verify a WireGuard dkms kernel module was built and installed:
[root@vortex nst28]# dkms status -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64 wireguard, 0.0.20190123, 4.19.16-200.fc28.x86_64, x86_64: installed
--Or--
[root@vortex nst28]# find /lib/modules -name wireguard* /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz
Manual Wireguard DKMS Module Information
Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.
Use the following command to view WireGuard module information:
[root@vortex nst28]# modinfo /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz filename: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz alias: net-pf-16-proto-16-family-wireguard alias: rtnl-link-wireguard version: 0.0.20190123 author: Jason A. Donenfeld <Jason@zx2c4.com> description: WireGuard secure network tunnel license: GPL v2 srcversion: E44DD24D14B1F49C0DD6610 depends: udp_tunnel,ip6_udp_tunnel retpoline: Y name: wireguard vermagic: 4.19.16-200.fc28.x86_64 SMP mod_unload
Manual Wireguard DKMS Module Remove
Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.
Use the following command to remove a wireguard dkms kernel module. This example is for version: "0.0.20190123" and kernel: 4.19.16-200.fc28.x86_64.
[root@vortex nst28]# dkms remove -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64; -------- Uninstall Beginning -------- Module: wireguard Version: 0.0.20190123 Kernel: 4.19.16-200.fc28.x86_64 (x86_64) ------------------------------------- Status: Before uninstall, this module version was ACTIVE on this kernel. Removing any linked weak-modules wireguard.ko.xz: - Uninstallation - Deleting from: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/ rmdir: failed to remove 'kernel/net': Directory not empty - Original module - No original module was found for this module on this kernel. - Use the dkms install command to reinstall any previous module version. depmod.... DKMS: uninstall completed. ------------------------------ Deleting module version: 0.0.20190123 completely from the DKMS tree. ------------------------------ Done.
WireGuard Client Setup Example For Windows
The IVPN site has a nice Windows WireGuard Client Setup Example that can be manually entered.