From the WireGuard project homepage:

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable.

Source: wiki.archlinux.org

Server

Run everything that follows as root.

su

Packages

pacman -S wireguard-tools

 

Keys

cd /etc/wireguard/
umask 077; wg genkey | tee privatekey | wg pubkey > publickey

 

Config (wg0.conf)

Interface

Paste the private key into the config.

cat privatekey
nano wg0.conf
[Interface]
PrivateKey = <Private Key>
Address = 10.0.0.1/24, fd86:ea04:1115::1/64
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = true
Replace eth0 in the PostUp and PostDown lines with the name of the interface that carries your internet uplink. Note that SaveConfig = true makes wg-quick write the running configuration back to wg0.conf whenever the interface is brought down, so any edit you make to the file while the tunnel is up gets overwritten: stop the service before editing it.

 

Peer

  1. Go to the Clients section below first and generate the client's keys and config.

  2. Copy the client's public key and preshared key (the server never needs the client's private key).

    cat /etc/wireguard/clients/phones/pinephone/publickey && cat /etc/wireguard/clients/phones/pinephone/presharedkey
  3. Add the peer to the server config
    nano /etc/wireguard/wg0.conf
    [Peer]
    PublicKey = <client public key>
    PresharedKey = <preshared key>
    AllowedIPs = 10.0.0.2/32, fd86:ea04:1115::2/128
    On the server, AllowedIPs is both the set of source addresses accepted from this key and the routes sent to it, so list only the client's own tunnel addresses (a /32 and a /128). The IPv6 address must be inside the prefix of the server's Address line, fd86:ea04:1115::/64, or IPv6 through the tunnel will not work.

 

Clients

Folder structure

Create a folder per client (laptop, desktop, phones etc.), in whatever layout you prefer.

mkdir -p /etc/wireguard/clients/phones/pinephone/

 

Keys

cd /etc/wireguard/clients/phones/pinephone/
umask 077; wg genkey | tee privatekey | wg pubkey > publickey; wg genpsk > presharedkey
cat privatekey && cat presharedkey && cat /etc/wireguard/publickey
nano pinephone.conf
[Interface]
PrivateKey = <pinephones-privatekey>
Address = 10.0.0.2/24, fd86:ea04:1115::2/64

[Peer]
PublicKey = <server public key>
PresharedKey = <preshared key>
Endpoint = <server public IP or domain>:51820
AllowedIPs = 0.0.0.0/0, ::/0
The preshared key is generated with its own command; piping the (empty) output of wg pubkey into wg genpsk only worked because wg genpsk ignores its input. The client's IPv6 address has to be in the server's prefix, fd86:ea04:1115::/64. AllowedIPs = 0.0.0.0/0, ::/0 on the client routes all of the device's traffic through the tunnel.

Optional
Add a DNS line under [Interface] if the device should resolve names through a resolver of your choice while the tunnel is up, for example one running on the server at 10.0.0.1 or a public resolver; wg-quick applies it with resolvconf and removes it again when the interface goes down. Without it the device keeps its existing resolver, and with a full-tunnel AllowedIPs those queries also travel through the tunnel, so a resolver that is only reachable on the device's local network stops working.
DNS = <dns server>

 

Permissions

Set the right permissions: files 600, directories 700, nothing readable by group or others (the umask 077 above already did this for the files that were generated under it).

chmod -R u=rwX,go= /etc/wireguard/clients/

 

Copy file

Copy your .conf file to your device. It contains the device's private key, so move it over an authenticated channel such as scp and delete it from any intermediate location afterwards. The copy kept under /etc/wireguard/clients/ is only a convenience for regenerating the file or a QR code; the server itself uses nothing but the client's public key and preshared key.

scp pinephone.conf dan@192.168.1.248:~/

 

Generate QR Code

You can also show the config as a QR code and scan it with the WireGuard app on the phone. The code encodes the private key, so display it only on a terminal nobody else can see.

pacman -S qrencode
qrencode -t ansiutf8 < pinephone.conf

 

Back to peer

Return to step 2 of the Peer section above and add this client's public key and preshared key to the server config.

 

More clients

If you need more clients, repeat the Clients process with a new folder and the next free address (10.0.0.3/32 and fd86:ea04:1115::3/128 for the next one), and add its [Peer] block to wg0.conf alongside the others.

Stop the WireGuard interface before editing wg0.conf: with SaveConfig = true, wg-quick writes the running configuration back to the file when the interface goes down and would overwrite your edits.
systemctl stop wg-quick@wg0.service
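The Clients and Peer steps above are one procedure: pick the client's host number, derive its two tunnel addresses, write its .conf, and append a matching [Peer] block on the server. The script below is an added example, not part of the original page or of the WireGuard project. It renders both pieces from key material produced with wg genkey, wg pubkey and wg genpsk exactly as shown above, refuses keys that are not 32 base64-encoded bytes, refuses host numbers outside 2..254, and lists any file under a directory that group or others can read (the check to run after the chmod in the Permissions section). It assumes the page's own ranges, 10.0.0.0/24 and fd86:ea04:1115::/64 with the server at .1 and ::1, and ListenPort 51820; the endpoint name vpn.example.org in the usage comment is a placeholder. PersistentKeepalive = 25 is not in the page's client config and is added because a client behind NAT needs it to stay reachable from the server side.

```shell
#!/bin/sh
# Added example (not from the page or the WireGuard project): render a
# client .conf and the matching server [Peer] stanza from keys made with
# "wg genkey | tee privatekey | wg pubkey > publickey; wg genpsk > presharedkey".
# Assumed: the page's tunnel ranges 10.0.0.0/24 and fd86:ea04:1115::/64,
# the server at .1/::1, ListenPort 51820. Keys, index and endpoint are arguments.
set -eu

# A WireGuard key is 32 bytes in base64: 44 characters, the last one '='.
# Succeeds if $1 looks like one, fails otherwise.
is_wg_key() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    case $key in *=) ;; *) return 1 ;; esac
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Host number inside the /24 and the /64; .1 is the server, so clients use 2..254.
check_index() {
    case $1 in *[!0-9]*|'') return 1 ;; esac
    [ "$1" -ge 2 ] && [ "$1" -le 254 ]
}

# client_conf INDEX CLIENT_PRIVKEY PSK SERVER_PUBKEY ENDPOINT
# Full-tunnel client config on stdout. Index 2 gives 10.0.0.2 and
# fd86:ea04:1115::2, the pinephone's addresses from the page.
client_conf() {
    idx=$1 priv=$2 psk=$3 srvpub=$4 endpoint=$5
    check_index "$idx" || { echo "client_conf: index must be 2..254" >&2; return 1; }
    is_wg_key "$priv" && is_wg_key "$psk" && is_wg_key "$srvpub" ||
        { echo "client_conf: malformed key" >&2; return 1; }
    cat <<EOF
[Interface]
PrivateKey = $priv
Address = 10.0.0.$idx/24, fd86:ea04:1115::$(printf '%x' "$idx")/64

[Peer]
PublicKey = $srvpub
PresharedKey = $psk
Endpoint = $endpoint:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# server_peer INDEX CLIENT_PUBKEY PSK
# The [Peer] block to append to wg0.conf. On the server, AllowedIPs is both
# the accepted source addresses for this key and the routes towards it, so
# it is exactly the client's /32 and /128, never 0.0.0.0/0.
server_peer() {
    idx=$1 pub=$2 psk=$3
    check_index "$idx" || { echo "server_peer: index must be 2..254" >&2; return 1; }
    is_wg_key "$pub" && is_wg_key "$psk" ||
        { echo "server_peer: malformed key" >&2; return 1; }
    cat <<EOF

[Peer]
PublicKey = $pub
PresharedKey = $psk
AllowedIPs = 10.0.0.$idx/32, fd86:ea04:1115::$(printf '%x' "$idx")/128
EOF
}

# loose_perms DIR
# Prints every file under DIR that group or others can read, write or
# execute. Should print nothing for /etc/wireguard after the chmod above.
loose_perms() {
    find "$1" -type f -perm /077
}

# Usage, run inside a client's folder such as /etc/wireguard/clients/phones/pinephone
# (vpn.example.org is a placeholder for your Endpoint):
#   client_conf 2 "$(cat privatekey)" "$(cat presharedkey)" "$(cat /etc/wireguard/publickey)" vpn.example.org > pinephone.conf
#   server_peer 2 "$(cat publickey)" "$(cat presharedkey)" >> /etc/wireguard/wg0.conf
#   loose_perms /etc/wireguard
```

Because the same index drives both the client's Address and the server's AllowedIPs, the two sides cannot drift apart the way an IPv6 prefix copied from a different tutorial can. Append to wg0.conf only while wg-quick@wg0 is stopped, for the SaveConfig reason given above.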

 

Start service

systemctl enable wg-quick@wg0.service && systemctl start wg-quick@wg0.service

 

UFW

ufw allow 51820/udp

 

DDClient - Dynamic DNS

If the server has no static public IP, you need a dynamic DNS name that clients can use as their Endpoint, for example from https://www.noip.com/sign-up.

pacman -S ddclient --noconfirm && nano /etc/ddclient/ddclient.conf

Add the following lines and change login=, password=, and the domain on the last line. Keep the file readable by root only, since it holds the account password in the clear.

For noip
protocol=dyndns2
use=web, if=eth0
server=dynupdate.no-ip.com
login=your-@emailaddress.com
password='your-password'
your-dyndns_domain
sudo crontab -e
#######################DDClient
45 04 * * * /usr/sbin/ddclient --force
##################################

 

IPv4/6 forwarding / client internet access

The FORWARD and MASQUERADE rules in PostUp only see traffic if the kernel forwards packets between interfaces, so enable forwarding now:

sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv6.conf.all.forwarding=1

Make the change persistent across reboots:

nano /etc/sysctl.d/99-vpn.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1