WireGuard is a modern VPN solution that is much easier to configure than OpenVPN and its likes. In this tutorial, we assume a simple setup where we want to route all of the clients' network traffic through the VPN, exiting through the server.
On the server, install WireGuard and generate its private key:

$ sudo apt install wireguard
$ PRIVATE_KEY=$(wg genkey)
Now we create the configuration file for our tunnel (
$ cat <<EOF | sudo tee /etc/wireguard/wg0.conf
[Interface]
PrivateKey = $PRIVATE_KEY
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = true
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF

The PostUp/PreDown rules NAT the clients' traffic out of eth0, so eth0 must be the server's internet-facing interface; adjust the name if yours differs.
If you have a firewall, you’ll need to open up UDP port 51820 (or whatever is configured as the
Enable IPv4 forwarding, so we can route all the client traffic through the server (and reload
$ echo net.ipv4.ip_forward=1 | sudo tee /etc/sysctl.d/40-wireguard.conf
$ sudo sysctl --system
Enable and start the WireGuard service:
$ sudo systemctl enable --now wg-quick@wg0
Finally, take note of the server public key (it will be a short base64 encoded string):
$ echo $PRIVATE_KEY | wg pubkey
You’ll need it in the next step.
On the client, install WireGuard, generate its key pair, and record the server's public key and address:

$ sudo apt install wireguard
$ PRIVATE_KEY=$(wg genkey)
$ PUBLIC_KEY=$(echo $PRIVATE_KEY | wg pubkey)
$ SERVER_PUBLIC_KEY=6TDw+U2WFhkaKUy/xXrCRtuZvB2m2SFN7URZA5AkGis=
$ SERVER_IP=126.96.36.199
Replace the value of SERVER_PUBLIC_KEY with the public key of your server, and SERVER_IP with the correct IP address of your server.
$ cat <<EOF | sudo tee /etc/wireguard/wg0.conf
[Interface]
PrivateKey = $PRIVATE_KEY
Address = 10.8.0.2/24

[Peer]
PublicKey = $SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = $SERVER_IP:51820
EOF
AllowedIPs = 0.0.0.0/0 will route all traffic through the VPN connection. If you don’t want that, edit the configuration file and set AllowedIPs = 10.8.0.0/24 instead, so that only traffic for the VPN subnet goes through the tunnel.
We need to make the server aware of the peer. The following command should be executed on the server.
$ sudo wg set wg0 peer $PUBLIC_KEY allowed-ips 10.8.0.2
PUBLIC_KEY is the value of the client’s public key (stored in the $PUBLIC_KEY environment variable on the client). /etc/wireguard/wg0.conf will be updated accordingly, and the added peer configuration is made persistent thanks to SaveConfig = true. The configuration file is written the next time the WireGuard interface goes down, so avoid editing it by hand while the interface is up: those edits would be overwritten by the saved state.
It is also useful to have WireGuard on the phone. WireGuard supports both iOS and Android, and the setup should be similar in both cases. Start by installing WireGuard from the Play Store. The next step is to generate the required configuration. It can be done directly on the phone, or by creating a configuration file on your computer and transferring it, which I find simpler.
$ PRIVATE_KEY=$(wg genkey)
$ PUBLIC_KEY=$(echo $PRIVATE_KEY | wg pubkey)
$ SERVER_PUBLIC_KEY=6TDw+U2WFhkaKUy/xXrCRtuZvB2m2SFN7URZA5AkGis=
$ SERVER_IP=188.8.131.52
$ cat <<EOF > wg0.conf
[Interface]
PrivateKey = $PRIVATE_KEY
Address = 10.8.0.3/24

[Peer]
PublicKey = $SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = $SERVER_IP:51820
EOF
Again, make the server aware of the client by running the following command on the server:
$ sudo wg set wg0 peer $PUBLIC_KEY allowed-ips 10.8.0.3
Transfer the configuration file wg0.conf to the phone and load it using the WireGuard app.
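The client and phone steps above are the same procedure repeated with a different tunnel address, so here is one script, added as an example and not part of the original post, that does the repetitive part: it builds a client wg0.conf, prints the matching wg set command for the server, and audits a server config for peers whose AllowedIPs is wider than a single client /32. Keys are passed in as arguments rather than generated, so it runs without WireGuard installed; the function names, the 203.0.113.10 endpoint and the sample keys and config it contains are constructed for the example, and only the server key and the 10.8.0.0/24 layout come from the tutorial.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): helpers for the per-client
# steps of the WireGuard setup above. Names are hypothetical.

# Constructed sample keys: the right shape (43 base64 chars + "="), not real keys.
SAMPLE_CLIENT_KEY=$(printf '%43s=' '' | tr ' ' A)
SAMPLE_SERVER_KEY=6TDw+U2WFhkaKUy/xXrCRtuZvB2m2SFN7URZA5AkGis=   # value from the tutorial

# A WireGuard key is 32 random bytes, base64-encoded: 43 characters plus "=".
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Client tunnel addresses live in 10.8.0.0/24; .1 is the server, .0/.255 are unusable.
is_client_addr() {
    printf '%s\n' "$1" | grep -Eq '^10\.8\.0\.[0-9]{1,3}$' || return 1
    last=${1##*.}
    [ "$last" -ge 2 ] && [ "$last" -le 254 ]
}

# Print a client's wg0.conf. mode "full" routes everything through the tunnel
# (AllowedIPs = 0.0.0.0/0); any other mode routes only the VPN subnet.
# Usage: client_config PRIVATE_KEY ADDRESS SERVER_PUBLIC_KEY SERVER_IP full|lan
client_config() {
    priv=$1 addr=$2 server_pub=$3 endpoint=$4 mode=$5
    is_wg_key "$priv"       || { echo "bad client private key" >&2; return 1; }
    is_wg_key "$server_pub" || { echo "bad server public key" >&2; return 1; }
    is_client_addr "$addr"  || { echo "bad client address: $addr" >&2; return 1; }
    if [ "$mode" = full ]; then allowed=0.0.0.0/0; else allowed=10.8.0.0/24; fi
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\n\n' "$priv" "$addr"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\nEndpoint = %s:51820\n' \
        "$server_pub" "$allowed" "$endpoint"
}

# Print the command to run on the server for this client. On the server side
# AllowedIPs is WireGuard's cryptokey routing table: it must be just this
# client's /32, otherwise the peer would receive (and be allowed to source)
# traffic for other addresses.
server_peer_cmd() {
    is_wg_key "$1" || return 1
    is_client_addr "$2" || return 1
    printf 'sudo wg set wg0 peer %s allowed-ips %s/32\n' "$1" "$2"
}

# Audit a server wg0.conf: report every [Peer] whose AllowedIPs contains
# anything other than a single 10.8.0.x/32. Returns 1 if any peer is too wide.
audit_server_conf() {
    awk '
        /^\[Peer\]/ { in_peer = 1; pub = ""; next }
        /^\[/       { in_peer = 0; next }
        in_peer && /^PublicKey *=/  { sub(/^PublicKey *= */, ""); pub = $0 }
        in_peer && /^AllowedIPs *=/ {
            sub(/^AllowedIPs *= */, "")
            n = split($0, ips, / *, */)
            for (i = 1; i <= n; i++)
                if (ips[i] !~ /^10\.8\.0\.[0-9]+\/32$/) {
                    print "peer " pub ": AllowedIPs too wide: " ips[i]
                    bad = 1
                }
        }
        END { exit bad }
    ' "$1"
}

# Run the audit over a constructed server config with one correct peer and one
# that was (wrongly) given 0.0.0.0/0; returns 1 because of the second peer.
demo_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.1/24
ListenPort = 51820

[Peer]
PublicKey = CLIENT1_PUBKEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = CLIENT2_PUBKEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
EOF
    audit_server_conf "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

Note the asymmetry the script encodes: a client may set AllowedIPs = 0.0.0.0/0 to send everything through the server, but on the server each peer's allowed-ips stays its own /32, which is exactly what the tutorial's wg set commands do.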