---
title: WireGuard
description: Configuration for WireGuard VPN to safely connect to the local network from the internet
published: true
date: 2025-01-05T00:15:00.505Z
tags:
editor: markdown
dateCreated: 2025-01-02T21:40:36.626Z
---

# WireGuard

## Server Public Key

dcirpeTw5+nAJMsuqmtqIa92N4NFozMiPaIXoj/PbwM=

## Setup

### Installation

```
sudo pacman -S wireguard-tools
```

Inside /etc/wireguard/ generate the private and public keys for the server:

```
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
```

### Setup Client

Each client is allocated its own IP address of the form 10.0.0.X. The client's public key must also be added as a peer to the config file on the server.

Create a config file, on Linux /etc/wireguard/wg0.conf, with the following structure (fill in the client's private key and the server's public address in front of the port):

```
[Interface]
PrivateKey = 
Address = 10.0.0.X/24

[Peer]
PublicKey = dcirpeTw5+nAJMsuqmtqIa92N4NFozMiPaIXoj/PbwM=
Endpoint = :41194
AllowedIPs = 0.0.0.0/0
```

Start the WireGuard client with

```
sudo wg-quick up wg0
```

Terminate the WireGuard client with

```
sudo wg-quick down wg0
```

On Linux the client can be brought up with this alias in the user's .bashrc file; the extra route sends traffic for the server's LAN address through the tunnel:

```
alias vpn='sudo wg-quick up wg0 && sudo ip route add 192.168.1.101 via 10.0.0.1 dev wg0'
```

### Setup Server

1. Create the configuration file /etc/wireguard/wg0.conf with the following contents. The config file needs a new [Peer] section every time a new client is configured.

```
[Interface]
## IP address for VPN ##
Address = 10.0.0.1/24
## VPN server port ##
ListenPort = 41194
## VPN server's private key i.e. /etc/wireguard/privatekey ##
PrivateKey = 
# Firewall settings
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s31f6 -j MASQUERADE

[Peer]
# Public key for Lukas Laptop
PublicKey = ONNwgEwchCb1c2vrBOjIfYP4HuMjpC7AyJkRkEfr8lU=
AllowedIPs = 10.0.0.2/32

[Peer]
# Public key for Lukas Mobile
PublicKey = MEZN0+oKD3cv1uOgpvO4fHarUQKKCAGSx4o/podONh4=
AllowedIPs = 10.0.0.3/32
```

2. Enable IP forwarding for IPv4 and IPv6 by adding these lines to /etc/sysctl.d/10-wireguard.conf

```
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.d/10-wireguard.conf
echo 'net.ipv6.conf.all.forwarding=1' | sudo tee -a /etc/sysctl.d/10-wireguard.conf
```

3. And then reload the changes (needs root)

```
sudo sysctl -p /etc/sysctl.d/10-wireguard.conf
```

4. Enable and start as a systemd service

```
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
```

5. Adding a new peer

To add a new peer, the config file needs to be updated with the peer's public key and a unique AllowedIPs address. Then the WireGuard server needs to be restarted.

```
sudo wg-quick down wg0
sudo wg-quick up wg0
```

### Setup Router

The router was set up with the following port forwarding settings:

- **Service Name:** WireGuard
- **WAN Interface:** default
- **Server IP Address:** 192.168.1.101
- **Protocol:** UDP (WireGuard uses UDP).
- **External Port Start/End:** 41194
- **Internal Port Start/End:** 41194
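The "adding a new peer" step is the one that gets repeated and is easy to get wrong by hand: a mistyped key or a reused AllowedIPs address makes the new (or an old) client silently stop working, because WireGuard keeps only the last peer for a given prefix in its cryptokey routing table. The helper below is an added example, not code from this page; it assumes the wg0.conf layout shown above (server on 10.0.0.1/24, one /32 per peer), and the function names (`add_peer`, `check_config`, `render_client_config`) and the key placeholders in its comments are hypothetical. It only edits the file; bringing the interface up is still done as in step 5.

```shell
#!/usr/bin/env bash
# Added example (not part of the original page): helpers for the "adding a new peer"
# step. They work on a wg0.conf in the layout shown above (Address = 10.0.0.1/24 on
# the server, one /32 per peer) and never touch the running interface themselves.
set -eu

# A WireGuard key is 32 bytes, so its base64 form is 43 characters plus one '='.
# The 43rd character carries only 4 data bits, so it can be one of 16 values only.
wg_key_valid() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Print every /32 address already claimed by a [Peer] in the config file.
claimed_ips() {
  sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*\([0-9.]*\)\/32.*/\1/p' "$1"
}

# Lowest unused host address in 10.0.0.0/24 (10.0.0.1 is the server). Fails if full.
next_free_ip() {
  local used n
  used=$(claimed_ips "$1" | tr '\n' ' ')
  for n in $(seq 2 254); do
    case " $used " in
      *" 10.0.0.$n "*) ;;
      *) printf '10.0.0.%s\n' "$n"; return 0 ;;
    esac
  done
  return 1
}

# Refuse a config in which two peers claim the same AllowedIPs (the earlier peer
# would silently lose its route) or in which a PublicKey is not a valid key.
check_config() {
  local cfg=$1 dup key rc=0
  dup=$(claimed_ips "$cfg" | sort | uniq -d)
  if [ -n "$dup" ]; then
    printf 'duplicate AllowedIPs: %s\n' "$dup" >&2
    rc=1
  fi
  for key in $(sed -n 's/^[[:space:]]*PublicKey[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg"); do
    wg_key_valid "$key" || { printf 'malformed PublicKey: %s\n' "$key" >&2; rc=1; }
  done
  return $rc
}

# [Peer] block in the same shape as the server config above. Args: name pubkey ip
render_peer() {
  printf '\n[Peer]\n# Public key for %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# Matching client config. Args: client_privkey ip server_pubkey endpoint(host:port)
render_client_config() {
  printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\n\n[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\n' \
    "$1" "$2" "$3" "$4"
}

# add_peer NAME PUBKEY CONFIG: validates the key, picks the next free address,
# appends the peer block, re-checks the file and prints the address that was used.
add_peer() {
  local name=$1 pubkey=$2 cfg=$3 ip
  wg_key_valid "$pubkey" || { echo "refusing malformed key for $name" >&2; return 1; }
  ip=$(next_free_ip "$cfg") || { echo "no free address left in 10.0.0.0/24" >&2; return 1; }
  render_peer "$name" "$pubkey" "$ip" >> "$cfg"
  check_config "$cfg"
  printf '%s\n' "$ip"
}

# Usage (as root, with the client's public key pasted from its `wg pubkey` output):
#   ip=$(add_peer "Lukas Tablet" "<client public key>" /etc/wireguard/wg0.conf)
#   render_client_config "<client private key>" "$ip" "$(cat /etc/wireguard/publickey)" "<server host>:41194"
```

After `add_peer` has appended the block, restart the interface as in step 5. If the other clients should keep their sessions, the new peer can instead be loaded into the running interface with `sudo wg syncconf wg0 <(wg-quick strip wg0)`, which applies the file's peer list without tearing wg0 down.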