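# 1 - On the server:
sudo su
apt-get install wireguard resolvconf
# Restrictive umask so the private key file is never world-readable, not even
# for the moment between creation and the chmod below.
umask 077
wg genkey > /etc/wireguard/server_private.key
# Belt and braces in case the file already existed with wider permissions.
chmod go= /etc/wireguard/server_private.key
# Derive the public key from the SAME file the private key was written to
# (the original read private.key while it had written server_private.key).
wg pubkey < /etc/wireguard/server_private.key > /etc/wireguard/public.key
# Print only the public key; it is what gets copied into the client's [Peer].
cat /etc/wireguard/public.key
# No persistent net.ipv4.ip_forward entry in /etc/sysctl.conf: the wg0 config
# in step 3 enables forwarding in PostUp and disables it again in PostDown, so
# a boot-time entry would contradict PostDown and leave forwarding on outside
# the tunnel.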
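# 2 - On the client, same setup:
sudo su
apt-get install wireguard resolvconf
# Restrictive umask so the private key file is never world-readable.
umask 077
# File name matches the one the client's PostUp hook loads in step 4
# (the original generated server_private.key here and never used it).
wg genkey > /etc/wireguard/pibox_private.key
chmod go= /etc/wireguard/pibox_private.key
# Public key derived from the same file; this value goes into the server's [Peer].
wg pubkey < /etc/wireguard/pibox_private.key > /etc/wireguard/public.key
cat /etc/wireguard/public.key
# No sysctl change on the client: it only talks to the server through the
# tunnel and routes traffic for nobody, so net.ipv4.ip_forward stays at 0.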
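# 3 - Back on the server: /etc/wireguard/wg0.conf
# This file holds the private key, so keep it owned by root with mode 0600.
[Interface]
Address = 10.5.5.1/24
ListenPort = 51820
PrivateKey = *** the server's own private key here ***
# enable ip forwarding only while the tunnel is up
PostUp = sysctl -w net.ipv4.ip_forward=1
PostDown = sysctl -w net.ipv4.ip_forward=0

[Peer]
PublicKey = *** the client's public key ***
# /32, not /24: AllowedIPs is both the route to this peer and the source
# address filter for packets it sends. With /24 the server would accept
# packets from this peer carrying any source in 10.5.5.0/24 (including the
# server's own 10.5.5.1), and a second peer could not be added on the same
# prefix.
AllowedIPs = 10.5.5.2/32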
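# 4 - On the client: /etc/wireguard/wg0.conf
[Interface]
Address = 10.5.5.2/24
DNS = 8.8.8.8
# The private key is loaded at PostUp from a root-only file instead of being
# written into this config, so the config file itself carries no secret.
PostUp = wg set %i private-key /etc/wireguard/pibox_private.key
# No "ping" hook: PersistentKeepalive below already initiates the first
# handshake, and a hook that fails (e.g. ping before the handshake completes)
# makes wg-quick treat the bring-up as failed.

[Peer]
PublicKey = *** the server's public key ***
# the server's public IP address
Endpoint = 1.2.3.4:51820
# ensure the full VPN subnet is allowed
AllowedIPs = 10.5.5.0/24
# seconds; keeps the NAT mapping alive and triggers the initial handshake
PersistentKeepalive = 25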
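# 5 On the server
# Inspect the existing rule set first: -A appends, so if a chain already ends
# in a DROP/REJECT rule the new rules would sit behind it and never match
# (use -I in that case).
sudo iptables -L -v -n
# Accept all traffic on the tunnel interface. The per-peer 10.5.5.2 rules of
# the original were shadowed by these two and could never match, so they are
# dropped; the peer's AllowedIPs already pins its source address.
sudo iptables -A INPUT -i wg0 -j ACCEPT
sudo iptables -A OUTPUT -o wg0 -j ACCEPT
# Accept WireGuard handshake/data on the listen port.
sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
# These rules are not persistent; save them (e.g. with iptables-save) or they
# are gone after a reboot.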
# 6 Only on the client
# Show the current rules first; rule order matters because -A appends.
sudo iptables -L -v -n
# Accept all traffic on the tunnel interface (in and out). Not persistent
# across reboots unless saved.
sudo iptables -A INPUT -i wg0 -j ACCEPT
sudo iptables -A OUTPUT -o wg0 -j ACCEPT
# 7 On both the server and the client
# Bring up wg0 from /etc/wireguard/wg0.conf.
wg-quick up wg0
# "wg" with no arguments is the same as "wg show": interface, peers, handshakes.
wg
# Start the tunnel at boot.
systemctl enable wg-quick@wg0
# Check for a recent "latest handshake" on the peer to confirm it is up.
wg show
# 8 Test from client to server
# "user" is a placeholder for an account on the server; the address is the
# server's tunnel address from step 3.
ssh user@10.5.5.1
# 9 Test from server to client
# Same in reverse: the client's tunnel address from step 4.
ssh user@10.5.5.2