WireGuard is a next-gen VPN server that is supposed to be more simple to configure than OpenVPN, while being faster and beter on latency in the tunnel. Currently it is not listed as a stable piece of software, but in its current state it is still useful and useable.
This article was written and tested using Debian 9 on a Vultr VPS, but should work on any deb based distro.
Install WireGuard
First we need to install some pre-reqs: (because wireguard integrates into the kernel we need kernel headers to compile)
apt-get install linux-headers libmnl-dev linux-headers-$(uname -r) build-essential make git
Next we will add the unstable repo and pin the wireguard package from that repo. An alternative to this would be to pull and compile right from the wireguard git repo and compile manually.
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
apt-get update
apt-get install wireguard-dkms wireguard-tools
Enable the wireguard kernel module and verify
modprobe wireguard && lsmod | grep wireguard
Configure WireGuard
First we have to generate a key
wg genkey
Then place the following text into /etc/wireguard/wg0.conf with your favorite $EDITOR
[Interface]
PrivateKey = <PUT HERE THE KEY JUST GENERATED>
Address = 10.0.0.1/24, fd86:ea04:1115::1/64
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = true
Next it would be a good idea to enable packet forwarding (as with any VPN service).
Open this file /etc/sysctl.conf and change the following:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
You can reboot your server or run sysctl -p for these changes to take affect.
Start and enable WireGuard
Now we want WireGuard to start and to start on boot up. We run the following:
wg-quick up wg0
systemctl enable wg-quick@wg0
And that is it server side!
Client Setup
We need to find the public key for the client, below we find it from the private key earlier and then save in the file public
wg pubkey < private > public
cat public
Lastly we configure the server to accept and assign the client: (back on the server)
wg set wg0 peer <CLIENT/PEER PUBLIC KEY> allowed-ips 10.0.0.5,fd86:ea04:1115::5
Make sure you set your config on the client to use the public key from the server from the public file and that your IPs match what you are assigning and what is in the client config.
Troubleshooting Commands
wg show
ifconfig
You can install a client the same way on a Linux PC as above, for Windows I recommend the TunSafe client, though beware it is not opensource.