Back in the day when OpenVPN ruled the seas, installing it, securing it and authenticating clients with certificates was a process involving plenty of effort. Now with wireguard the setup is a breeze.
Pretty much install wireguard, generate a key pair and start it up!
It sounds too easy, but it is. But let’s cover a few essentials, so you understand what you need to provide to get it working.
First you need to understand that both parties are peers; there is no difference between a client and a server. They are set up the same way. What you may think of as a server is just a peer that other peers want to talk to.
You need firewall rules.
Yes, you need to be able to configure your firewall to accept traffic and direct it to your wireguard service.
The rules are far more straightforward than those for the likes of IPSec and PPTP VPNs. It’s just one UDP port of your choosing.
If you choose to have your wireguard service on your PC listen on UDP port 51820, you must then open and forward UDP port 51820 on your firewall to point to your PC. At the other end, the other peer will need to do the same with the port of their choosing.
| Peer A    |       | Peer B   |
|-----------|-------|----------|
| 51820/UDP | <-->  | 8172/UDP |
You can use the same port on every peer if you like, but you must use port forwarding or port triggering on your router to direct that UDP traffic to your PC.
There is no real authentication step. You have a key to talk to the remote peer and it has a key to talk to you. These keys are used to encrypt the traffic too. So merely by holding the right key you are authenticated and able to encrypt traffic.
Both parties must generate a key pair. A private key you keep to yourself and a public key you give to the remote peer so they recognise you. That’s it. No user accounts, passwords or certificates.
$ wg genkey | tee private.key | wg pubkey > public.key
This generates two files: private.key (keep it to yourself) and public.key (give it to the remote peer).
You can then use these in your wireguard config file.
After setting this up on a Raspberry Pi I thought I’d make it easier by scripting the process to make wireguard configurations.
You’ll find the scripts here: https://github.com/paulb-opusvl/wireguard-config-builder
Download and extract the zip, or use git to clone it:
$ git clone https://github.com/paulb-opusvl/wireguard-config-builder.git
Create a file called .env in the folder you downloaded the scripts into and change the details to match your setup:
HOST=18.104.22.168 # External Host Name or IP of server
PORT=58120 # UDP Port to listen on
Find your external IP address by visiting https://ifconfig.io. If you use dynamic DNS, set HOST to the dynamic DNS name of your system instead of an address like 22.214.171.124.
Then run the init script:
This creates a file ./conf.d/wg0.conf. Copy this into the folder
Now create a remote client entry using the client script:
$ ./client.sh 100
This creates an entry in the wg0.conf file that allows a client with the unique id of 100 to connect to your peer. It also creates a file you can give to the peer for them to put into their /etc/wireguard/wg0.conf file or import into the wireguard app on their phone.
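As an added example (not code from this post or from the wireguard-config-builder scripts), here is a Python version of what the key-pair commands and the client script do: `wg genkey` is 32 random bytes in base64, `wg pubkey` is X25519 of the private key against the base point 9 (RFC 7748), and a client.sh-style builder that gives client id N the address 192.168.69.N/32, matching the `allowed ips` line in the `wg` output further down. The 192.168.69.0/24 tunnel subnet on the client side, the host and port arguments, and the exact config layout are assumptions, not the project's actual output.

```python
import base64
import os

P = 2**255 - 19  # Curve25519 field prime
A24 = 121665     # (486662 - 2) / 4

def x25519(scalar: bytes, u: int = 9) -> bytes:
    # RFC 7748 Montgomery ladder; u=9 is the base point, so this is what `wg pubkey` computes.
    # The `if swap` branch is not constant-time: fine for teaching, not for real key handling.
    s = bytearray(scalar)
    s[0], s[31] = s[0] & 248, (s[31] & 127) | 64  # scalar clamping
    k = int.from_bytes(s, "little")
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e, da, cb = (aa - bb) % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def genkey() -> str:
    # `wg genkey`: 32 random bytes, base64 encoded (44 characters)
    return base64.b64encode(os.urandom(32)).decode()

def pubkey(private_b64: str) -> str:
    # `wg pubkey`: public key = X25519(private key, base point)
    priv = base64.b64decode(private_b64, validate=True)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return base64.b64encode(x25519(priv)).decode()

def client_configs(server_priv_b64: str, client_id: int, host: str, port: int):
    # Assumed layout mirroring the post's client.sh: client id N gets 192.168.69.N/32.
    # Returns (server-side [Peer] entry for wg0.conf, full client-side wg0.conf).
    client_priv = genkey()
    addr = f"192.168.69.{client_id}/32"
    server_entry = f"[Peer]\nPublicKey = {pubkey(client_priv)}\nAllowedIPs = {addr}\n"
    client_conf = (f"[Interface]\nPrivateKey = {client_priv}\nAddress = {addr}\n\n"
                   f"[Peer]\nPublicKey = {pubkey(server_priv_b64)}\n"
                   f"Endpoint = {host}:{port}\nAllowedIPs = 192.168.69.0/24\n")
    return server_entry, client_conf
```

The x25519 function also accepts another peer's decoded public key as `u`, which is the Diffie-Hellman step the tunnel's encryption keys are derived from.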
Now copy the created config into your wireguard folder, then enable and start the wireguard service:
$ sudo cp ./conf.d/wg0.conf /etc/wireguard/
$ sudo systemctl enable wg-quick@wg0
$ sudo systemctl start wg-quick@wg0
You can see whether wireguard is up and listening using:
$ sudo wg
interface: wg0
  public key: sQY7+fQprF3jsbEKVTe1xH17p4Q69XyVunTWyg9jIgs=
  private key: (hidden)
  listening port: 51820

peer: 7zAX+IyB8gxM/YhyCl6u3NmT5Nz8VLl1K9Px4V9HRkc=
  endpoint: 126.96.36.199:38377
  allowed ips: 192.168.69.100/32
  latest handshake: 1 minute, 19 seconds ago
  transfer: 18.68 MiB received, 190.45 MiB sent