Back in the day when OpenVPN ruled the seas, installing it, securing it and authenticating clients with certificates was a process involving plenty of effort. Now with wireguard the setup is a breeze.

Pretty much install wireguard, generate a key pair and start it up!

It sounds too easy, but it is. But let’s cover a few essentials, so you understand what you need to provide to get it working.

First you need to understand that both parties are peers; there is no difference between a client and a server. They are set up the same way. What you may think of as a server is just a peer that other peers want to talk to.

You need firewall rules.

Yes, you need to be able to configure your firewall to accept traffic and direct it to your wireguard service.

The rules are far more straightforward than those for the likes of IPSec and PPTP VPNs. It’s just one UDP port of your choosing.

If you choose to have your wireguard service on your PC listen on UDP port 51820, you must then open and forward UDP port 51820 on your firewall to point to your PC. At the other end, the other peer will need to do the same with the port of their choosing.

Peer A                             Peer B
51820/UDP  <-- UDP traffic -->  8172/UDP

You can use the same port on every peer if you like, but you must use port forwarding or port triggering on your router to direct the UDP traffic to your PC.

Authentication

There is no separate authentication step. You have a key to talk to the remote peer and it has a key to talk to you, and the same keys are what the traffic encryption is built on. So merely by holding the private key that matches a public key the remote peer has configured, you are authenticated and can exchange encrypted traffic.

Both parties must generate a key pair: a private key you keep to yourself and a public key you give to the remote peer so it recognises you. That’s it. No user accounts, passwords or certificates.

The following command generates two files, private.key and public.key:

$ wg genkey | tee private.key | wg pubkey > public.key

You can then use these in your wireguard config file.

Configuration Builder

After setting this up on a Raspberry Pi I thought I’d make it easier by scripting the process to make wireguard configurations.

You’ll find the scripts here: https://github.com/paulb-opusvl/wireguard-config-builder

Download and extract the zip or use git to download it.

$ git clone git@github.com:paulb-opusvl/wireguard-config-builder.git

Create a file called .env in the folder you downloaded the scripts into and change the details to match your setup.

HOST=123.123.123.123    # External Host Name or IP of server
PORT=58120              # UDP Port to listen on

Find your external IP address by visiting https://ifconfig.io

Or, if you use dynamic DNS, change 123.123.123.123 to the dynamic DNS name of your system.

Then run the init script:

$ ./init.sh

This creates the file ./conf.d/wg0.conf. Copy it into the folder /etc/wireguard.

Now create a remote client entry using the client script:

$ ./client.sh 100

This creates an entry in the wg0.conf file that allows a client with the unique ID of 100 to connect to your peer. It also creates a file you can give to that peer, for them to put into their /etc/wireguard/wg0.conf file or import into the wireguard app on their phone.

Now copy the created config into your wireguard folder and install and start up the wireguard service.

$ sudo cp ./conf.d/wg0.conf /etc/wireguard/
$ sudo systemctl enable wg-quick@wg0
$ sudo systemctl start wg-quick@wg0

You can see if wireguard is listening using:

$ sudo wg
interface: wg0
  public key: sQY7+fQprF3jsbEKVTe1xH17p4Q69XyVunTWyg9jIgs=
  private key: (hidden)
  listening port: 51820

peer: 7zAX+IyB8gxM/YhyCl6u3NmT5Nz8VLl1K9Px4V9HRkc=
  endpoint: 82.25.45.111:38377
  allowed ips: 192.168.69.100/32
  latest handshake: 1 minute, 19 seconds ago
  transfer: 18.68 MiB received, 190.45 MiB sent
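As an added example (not code from the wireguard-config-builder scripts), here is a small Python generator that does what client.sh does for both sides of the link: the [Peer] entry appended to the listening peer's wg0.conf and the full config handed to the client. It assumes the VPN subnet 192.168.69.0/24 seen in the wg output above and that the client ID becomes the last octet of the address; the keys are constructed placeholders, not real key material.

```python
import base64
import ipaddress

# Assumption for this example: the VPN subnet is 192.168.69.0/24 (the range in the
# `wg` output above) and a client's numeric ID becomes the last octet of its address.
SUBNET = ipaddress.ip_network("192.168.69.0/24")

# Constructed sample keys: valid 32-byte base64 strings, NOT real key material and not
# a matching pair. On a real peer: wg genkey | tee private.key | wg pubkey > public.key
CLIENT_PRIV = base64.b64encode(bytes(range(0, 32))).decode()
CLIENT_PUB = base64.b64encode(bytes(range(32, 64))).decode()
SERVER_PUB = base64.b64encode(bytes(range(64, 96))).decode()

def valid_key(key: str) -> bool:
    """True if key is base64 that decodes to exactly 32 bytes (a Curve25519 key)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def vpn_address(client_id: int) -> str:
    """Map a client ID to a host address in SUBNET; reject the network and broadcast slots."""
    if not 1 <= client_id < SUBNET.num_addresses - 1:
        raise ValueError(f"client id {client_id} does not fit in {SUBNET}")
    return str(SUBNET.network_address + client_id)

def server_peer_entry(client_pub: str, client_id: int) -> str:
    """[Peer] block appended to the listening peer's wg0.conf. AllowedIPs is a /32, so
    packets decrypted with this key are only accepted if they carry that source address."""
    if not valid_key(client_pub):
        raise ValueError("client public key is not a valid WireGuard key")
    return f"[Peer]\nPublicKey = {client_pub}\nAllowedIPs = {vpn_address(client_id)}/32\n"

def client_config(client_priv: str, server_pub: str, client_id: int, host: str, port: int) -> str:
    """Complete wg0.conf for the remote peer. Only this side names an Endpoint, because
    only the listening peer had its UDP port opened and forwarded on the firewall."""
    if not (valid_key(client_priv) and valid_key(server_pub)):
        raise ValueError("keys must be valid WireGuard keys")
    return (
        "[Interface]\n"
        f"PrivateKey = {client_priv}\n"
        f"Address = {vpn_address(client_id)}/{SUBNET.prefixlen}\n\n"
        "[Peer]\n"
        f"PublicKey = {server_pub}\n"
        f"AllowedIPs = {SUBNET}\n"        # route the whole VPN subnet via this peer
        f"Endpoint = {host}:{port}\n"
        "PersistentKeepalive = 25\n"      # keep the router's NAT mapping alive
    )
```

Running client_config(CLIENT_PRIV, SERVER_PUB, 100, "123.123.123.123", 58120) yields a file whose AllowedIPs on the server side is exactly the 192.168.69.100/32 shown in the wg output above.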