“Democracy cannot succeed unless those who express their choice are prepared to choose wisely. The real safeguard of democracy, therefore, is education.” - Franklin D. Roosevelt
WireGuard Server Setup
- 1. Install WireGuard on the VM
# Refresh the package index, bring the VM up to date, then install WireGuard
# (this provides the `wg` and `wg-quick` tools used in the steps below).
sudo apt update
sudo apt upgrade
sudo apt install wireguard
- 2. Create the WireGuard server key pair
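sudo -i
cd /etc/wireguard/
# Set a restrictive umask BEFORE creating anything here, so the keys/ and
# clients/ directories themselves (not just the files in them) are root-only.
# In the original order mkdir ran under the default umask and left the
# directories world-listable.
umask 077
mkdir -p clients keys
# Generate the server key pair: the private key is written to
# keys/server_private_key, the derived public key to keys/server_public_key.
wg genkey | tee keys/server_private_key | wg pubkey > keys/server_public_key
# Belt and braces: the private key must never be readable by anyone but root.
chmod 600 keys/server_private_key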
- 3. Configure the WireGuard server (wg0.conf)
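# Generate wg0.conf with the server's private key embedded in it.
# Apply umask 077 again in case this is a fresh root shell: wg0.conf
# contains the private key and must be created 0600, not with the
# default umask. Also verify the key from step 2 actually exists, since
# an empty "PrivateKey =" line would silently produce a broken config.
SERVER_KEY=/etc/wireguard/keys/server_private_key
[ -s "$SERVER_KEY" ] || echo "WARNING: $SERVER_KEY is missing or empty - redo step 2" >&2
umask 077
cat << EOF > /etc/wireguard/wg0.conf
## Set Up WireGuard VPN on Ubuntu By Editing/Creating wg0.conf File ##
[Interface]
## Server tunnel address; clients are handed /32s from 10.0.1.0/24 ##
Address = 10.0.1.1/24
## UDP port the server listens on (must be reachable through any host/cloud firewall) ##
ListenPort = 51820
## Server Private key from step 2 ##
PrivateKey = $(cat "$SERVER_KEY")
EOF
# Explicit mode so the result does not depend on the shell's umask.
chmod 600 /etc/wireguard/wg0.conf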
- 4. Enable IP forwarding on the VM
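# Enable IPv4 forwarding for the running kernel ...
sudo sysctl -w net.ipv4.ip_forward=1
# ... and make it persistent with a sysctl.d drop-in. This replaces the
# manual "uncomment net.ipv4.ip_forward = 1 in /etc/sysctl.conf" step,
# which cannot be scripted or verified; `sysctl --system` loads both
# /etc/sysctl.conf and /etc/sysctl.d/*.conf.
echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-wireguard.conf
sudo sysctl --system
# Confirm the effective value is 1.
sysctl net.ipv4.ip_forward
# Only IPv4 forwarding is enabled here, matching the IPv4-only tunnel
# address in wg0.conf; IPv6 would additionally need
# net.ipv6.conf.all.forwarding = 1.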
- 5. Configure the server firewall (forwarding + NAT) and start wg0
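## Forwarding and NAT rules for the tunnel.
## They are written into wg0.conf as PostUp/PostDown hooks instead of being
## applied with bare `iptables -A`: wg-quick then installs them every time
## wg0 comes up and removes them when it goes down, so they survive a reboot
## and are not duplicated on each restart. `%i` is expanded by wg-quick to
## the interface name (wg0).
##
## The uplink is not necessarily eth0 on an Ubuntu VM (ens3/enp0s3 are
## common); take it from the default route instead of hard-coding it.
WAN_IF=$(ip -4 route show default | awk '{print $5; exit}')
echo "uplink interface: ${WAN_IF:?could not determine the default-route interface}"

sudo tee -a /etc/wireguard/wg0.conf > /dev/null << EOF

## Firewall hooks: forward tunnel traffic and masquerade it out of ${WAN_IF}.
## MASQUERADE is scoped to the tunnel subnet so no other traffic leaving the
## uplink is rewritten. The RELATED,ESTABLISHED rule admits reply traffic back
## into the tunnel when the FORWARD chain's default policy is DROP (e.g. ufw).
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o ${WAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.0.1.0/24 -o ${WAN_IF} -j MASQUERADE
EOF

## No ip6tables rules: wg0 only has an IPv4 address (10.0.1.1/24) and only
## net.ipv4.ip_forward was enabled, so IPv6 FORWARD/NAT rules would have
## nothing to match. If IPv6 inside the tunnel is wanted, add an IPv6
## Address, net.ipv6.conf.all.forwarding=1 and matching ip6tables hooks
## together.
##
## The listen port must also be reachable: allow UDP 51820 in any host
## firewall (e.g. `sudo ufw allow 51820/udp`) and in the cloud security group.

sudo systemctl enable --now wg-quick@wg0
sudo systemctl status wg-quick@wg0 --no-pager
## Shows the interface, its listen port and (later) the registered peers.
sudo wg show wg0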
- 6.Tooling
# qrencode renders a client config as a QR code so it can be scanned with
# the mobile WireGuard app instead of copying the file by hand.
sudo apt install qrencode
WireGuard Client Setup
- 1. Script for creating a WireGuard client
Save the following as /etc/wireguard/create-client.sh and make it executable (`sudo chmod 700 /etc/wireguard/create-client.sh`):
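#!/usr/bin/env bash
# create-client.sh NAME CLIENT_IP SERVER_ENDPOINT
#
# Creates a WireGuard client: generates its key pair, registers it as a peer
# on the running wg0 interface AND appends it to wg0.conf (the original
# `wg set` alone is lost when wg-quick@wg0 restarts), then writes
# clients/NAME.conf and a QR code of it.
#
# Arguments:
#   NAME             client name; restricted to [A-Za-z0-9_.-] because it is
#                    used unquoted-in-spirit as a file name under /etc/wireguard
#   CLIENT_IP        tunnel IPv4 address for the client, e.g. 10.0.1.19
#   SERVER_ENDPOINT  public IP or DNS name of this server
#
# Must run as root. Note that the client's private key, its config and the QR
# PNG all stay under /etc/wireguard (mode 0600): the server holds every
# client's private key. Delete clients/NAME.* once the client has imported
# it if that is not acceptable for your threat model.
set -euo pipefail

readonly WG_DIR=/etc/wireguard
readonly WG_IF=wg0
readonly WG_PORT=51820
readonly CLIENT_DNS=1.1.1.1   # Cloudflare DNS

die() { printf 'create-client: %s\n' "$*" >&2; exit 1; }

# NAME must be a single safe path component: no '/', no leading '.', no
# spaces or shell metacharacters, so it cannot escape /etc/wireguard/.
valid_name() {
  local re='^[A-Za-z0-9][A-Za-z0-9_.-]*$'
  [[ "$1" =~ $re ]]
}

# Dotted-quad IPv4 with every octet in 0-255 (10#$o avoids octal parsing).
valid_ipv4() {
  local o
  [[ "$1" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for o in "${BASH_REMATCH[@]:1}"; do
    (( 10#$o <= 255 )) || return 1
  done
}

main() {
  (( $# == 3 )) || die "usage: $0 NAME CLIENT_IP SERVER_ENDPOINT"
  local name=$1 client_ip=$2 endpoint=$3
  valid_name "$name" || die "invalid client name '$name'"
  valid_ipv4 "$client_ip" || die "invalid client IP '$client_ip'"
  (( EUID == 0 )) || die "must run as root"

  local keys="$WG_DIR/keys" clients="$WG_DIR/clients"
  local priv="$keys/${name}_private_key" pub="$keys/${name}_public_key"
  local conf="$clients/${name}.conf" png="$clients/${name}.png"

  # Refuse to overwrite: re-running with an existing name would silently
  # rotate the client's key and leave the old peer entry orphaned.
  [[ ! -e "$priv" && ! -e "$conf" ]] || die "client '$name' already exists"

  # Refuse an address that is already allocated to another peer. Output is
  # captured first so grep -q's early exit cannot trip pipefail.
  local allocated
  allocated=$(wg show "$WG_IF" allowed-ips)
  if grep -qE -- "(^|[[:space:]])${client_ip//./\\.}/32([[:space:]]|\$)" <<<"$allocated"; then
    die "$client_ip is already assigned to a peer"
  fi

  # Everything created from here on (keys, conf, PNG) holds secrets -> 0600.
  umask 077
  mkdir -p "$keys" "$clients"

  echo "Generating wireguard client keys ..."
  wg genkey | tee "$priv" | wg pubkey > "$pub"

  echo "Registering peer on $WG_IF ..."
  # Live interface now, and wg0.conf so wg-quick re-adds the peer on restart.
  wg set "$WG_IF" peer "$(cat "$pub")" allowed-ips "${client_ip}/32"
  cat >> "$WG_DIR/$WG_IF.conf" << EOF

[Peer]
# ${name}
PublicKey = $(cat "$pub")
AllowedIPs = ${client_ip}/32
EOF

  echo "Generating wireguard client configuration ..."
  # AllowedIPs = 0.0.0.0/0 routes all IPv4 through the tunnel. IPv6 is not
  # covered (the server side has no IPv6 tunnel address), so on a dual-stack
  # network the client's IPv6 traffic bypasses the VPN unless IPv6 is
  # disabled on the client or ::/0 is added here together with server-side
  # IPv6 support.
  cat > "$conf" << EOF
[Interface]
Address = ${client_ip}/32
PrivateKey = $(cat "$priv")
DNS = ${CLIENT_DNS}
[Peer]
PublicKey = $(cat "$keys/server_public_key")
Endpoint = ${endpoint}:${WG_PORT}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
EOF

  echo "Generating QR code for wireguard client configuration ..."
  qrencode -o "$png" -t png < "$conf"
  echo "Client files: $conf and $png (mode 0600; both contain the client's private key)"
}

main "$@"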
- 2. Find the next available client IP
# List the tunnel addresses already allocated to peers, in numeric order, so
# the next client can be given the first unused one (needs root for wg show).
wg show | grep -F 'allowed' | sort -V
Example output (one "allowed ips" line per peer; the next free address here is 10.0.1.19):
peer: 18SQGOXqSAvQuGDeXCtxIhh5r872k4PxcFdhoVE5fQ0=
allowed ips: 10.0.1.11/32
allowed ips: 10.0.1.12/32
allowed ips: 10.0.1.13/32
allowed ips: 10.0.1.14/32
allowed ips: 10.0.1.15/32
allowed ips: 10.0.1.16/32
allowed ips: 10.0.1.17/32
allowed ips: 10.0.1.18/32
- 3. Create the WireGuard client with the next available IP (10.0.1.19 in the example above), replacing SERVER_PUBLIC_IP with your server's public IP or DNS name.
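# Run as root (the script writes under /etc/wireguard and calls `wg set`) and
# by full path: /etc/wireguard is not on PATH, so a bare name is not found.
sudo /etc/wireguard/create-client.sh username 10.0.1.19 SERVER_PUBLIC_IP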
- 4. Download the client configuration QR code (it encodes the client's private key: keep it 0600 and delete it once the client has imported it)
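# -p preserves the 0600 mode the server gave the file; without it the PNG,
# which encodes the client's PRIVATE key, is created locally under your
# default umask (typically 0644). chmod is a safety net for the same reason.
scp -p root@SERVER_PUBLIC_IP:/etc/wireguard/clients/username.png .
chmod 600 username.png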
- 5.WireGuard Android APK