WireGuard VPN

p2p tunnel, proxy, iptables & ip forwarding


Initial WireGuard (wg) setup

Install wg on both (or all) peers

On Linux: apt install wireguard; on FreeBSD: pkg install wireguard

Generate keys

on both peers
$ wg genkey | tee privatekey | wg pubkey > publickey
$ cat privatekey && cat publickey

oEQnzQOUa2wIbqBcN/ZhLAwxmUM8Tt8KbMzp2FkWj0Q=
mCjPXru9wbW7++Rjc+5OHSG7JtGF7yCjR7rylvuMw08=

create wg configuration file

$ vi /etc/wireguard/wg0.conf

on the first peer (server, always up)

[Interface]
Address = 10.8.88.13/32
PrivateKey = uPQ[...]iVs=
ListenPort = 4888

[Peer]
PublicKey = hp08[...]Hi9ic=
AllowedIPs = 10.8.88.11/32
PersistentKeepalive = 21

#iphone 12
[Peer]
PublicKey = RtTn[...]/l0=
AllowedIPs = 10.8.88.112/32

#iphone 13
[Peer]
PublicKey = 8d[...]lRQ=
AllowedIPs = 10.8.88.113/32


on the second peer (client, may go offline)

[Interface]
Address = 10.8.88.11/32
PrivateKey = oEQ[...]t8=

[Peer]
PublicKey = zc[...]Hg=
Endpoint = 162.66.99.255:4888
AllowedIPs = 10.8.88.13/24
PersistentKeepalive = 21


Add pass-through (proxy) mode for mobile devices

on the mobile peer (client, may go offline)

[Interface]
Address = 10.8.88.112/32
PrivateKey = ACd[...]u3=
DNS = 8.8.8.8,9.9.9.9

[Peer]
PublicKey = zc[...]Hg=
Endpoint = 162.66.99.255:4888
AllowedIPs = 0.0.0.0/0
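The three configs above rely on two things that wg-quick will not check for you: the file holding PrivateKey must stay unreadable to other users, and AllowedIPs acts as both route and access list (cryptokey routing), so a prefix listed under two peers silently goes to the last one and 0.0.0.0/0 only makes sense on a client. The following lint script is an added example, not part of these notes or of the WireGuard project; the role argument (server|client), the function names and the "43 base64 characters plus =" key check are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes or of the WireGuard project:
# lint a wg0.conf before `wg-quick up`. Assumptions: the file must be mode 600,
# keys are 32 bytes of base64, and the role argument (server|client) is the
# caller's own choice.
# AllowedIPs is both a route and an ACL (cryptokey routing): a peer may only
# send packets whose source is inside its AllowedIPs, and a prefix listed under
# two peers is silently given to the last one parsed.

# 0 if KEY is 43 base64 characters followed by '=' (32 raw bytes).
wg_key_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Print every PrivateKey/PublicKey value in CONF, one per line.
wg_conf_keys() {
    awk '/^[ \t]*(PrivateKey|PublicKey)[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
         }' "$1"
}

# Print every AllowedIPs prefix found under a [Peer] section, one per line.
wg_conf_peer_prefixes() {
    awk '/^[ \t]*\[/ { sect = $0 }
         sect ~ /\[Peer\]/ && /^[ \t]*AllowedIPs[ \t]*=/ {
             sub(/^[^=]*=/, ""); gsub(/[ \t]/, "")
             n = split($0, p, ","); for (i = 1; i <= n; i++) print p[i]
         }' "$1"
}

# Lint CONF for ROLE (server|client). Prints one finding per line and
# returns 1 if anything was found, 0 if the file is clean.
wg_lint_conf() {
    conf=$1; role=${2:-server}; rc=0

    # The file holds PrivateKey, so group/other permission bits must be clear.
    case $(ls -ld "$conf" | cut -c5-10) in
        ------) ;;
        *) echo "perm: $conf is readable by group/other (chmod 600)"; rc=1 ;;
    esac

    for k in $(wg_conf_keys "$conf"); do
        wg_key_ok "$k" || { echo "key: malformed value $k"; rc=1; }
    done

    # Same prefix under two peers: only the last peer ever receives it.
    for dup in $(wg_conf_peer_prefixes "$conf" | sort | uniq -d); do
        echo "allowedips: $dup is listed under more than one [Peer]"; rc=1
    done

    # 0.0.0.0/0 belongs on a client that tunnels everything; on the server it
    # would route all traffic into that one peer and accept any source from it.
    if [ "$role" = server ] && wg_conf_peer_prefixes "$conf" | grep -qx '0.0.0.0/0'; then
        echo "allowedips: 0.0.0.0/0 under a [Peer] in a server config"; rc=1
    fi
    return $rc
}

# Usage: sh wg-lint.sh /etc/wireguard/wg0.conf server
if [ $# -gt 0 ]; then wg_lint_conf "$@"; fi
```

Run it against the server file with role server and against the laptop or phone file with role client; a clean file exits 0, so it fits as a pre-check before systemctl start.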

Enable IP forwarding on the proxy peer

Enable immediately (lost on reboot)

# sysctl -w net.ipv4.ip_forward=1

Persist the setting across reboots (edit /etc/sysctl.conf)

$ grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1

Add iptables PostUp/PostDown rules to the server's wg0.conf (wg-quick runs them when the interface comes up and goes down; eth0 is the server's Internet-facing interface, adjust to match):

[Interface]
Address = 10.8.88.13/32
PrivateKey = uPQ[...]iVs=
PostUp = iptables -I FORWARD 1 -i wg0 -j ACCEPT; iptables -I FORWARD 1 -o wg0 -j ACCEPT; iptables -t nat -I POSTROUTING 1 -s 10.8.88.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.8.88.0/24 -o eth0 -j MASQUERADE
ListenPort = 4888
...

Enable (or just start) the WireGuard service on both sides

# systemctl enable wg-quick@wg0
# systemctl start wg-quick@wg0

Check connection status

$ wg show
interface: wg0
  public key: hp08Y[...]9ic=
  private key: (hidden)
  listening port: 46687

peer: zcT[...]Hg=
  endpoint: 162.66.99.255:4888
  allowed ips: 10.8.88.0/24
  latest handshake: 1 minute, 55 seconds ago
  transfer: 90.95 KiB received, 55.70 KiB sent
  persistent keepalive: every 21 seconds
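The "latest handshake" line above is the quickest health signal a tunnel gives: with PersistentKeepalive = 21 a peer keeps traffic flowing and WireGuard renegotiates roughly every two minutes while data moves, so a handshake that is several minutes old means the peer is offline or its NAT mapping has changed. The script below is an added example, not part of these notes or of the WireGuard project; it uses the real `wg show <interface> latest-handshakes` subcommand (one "public key, unix time" line per peer, 0 for never), and the 180-second threshold and function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes or of the WireGuard project:
# flag peers whose last handshake is stale. `wg show wg0 latest-handshakes`
# prints one "<peer public key><TAB><unix time>" line per peer, with 0 meaning
# no handshake yet. The 180 s default below is an assumption (peers on this
# page keepalive every 21 s, and WireGuard rehandshakes about every 2 minutes
# while traffic flows).

# Read "pubkey<TAB>epoch" lines on stdin; print the peers that have never
# handshaked or whose handshake is older than MAX_AGE seconds relative to NOW.
wg_stale_peers() {
    now=$1; max_age=${2:-180}
    awk -v now="$now" -v max="$max_age" '
        NF >= 2 {
            if ($2 == 0) { print $1 "\tnever"; next }
            age = now - $2
            if (age > max) print $1 "\t" age "s"
        }'
}

# Wrapper for cron or a monitoring check: prints the stale peers and returns 1
# if there are any, 0 when every peer is fresh.
wg_handshakes_ok() {
    stale=$(wg_stale_peers "$@")
    [ -z "$stale" ] || { printf '%s\n' "$stale"; return 1; }
}

# Usage: sh wg-stale.sh wg0 [max-age-seconds]
if [ $# -gt 0 ]; then
    wg show "$1" latest-handshakes | wg_handshakes_ok "$(date +%s)" "${2:-180}"
fi
```

Because the check reads stdin, it can also be pointed at saved output from another host; a non-zero exit is what a cron job or monitoring agent keys on.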