Document
WireGuard
logo
Document

No results found

We couldn't find anything using that term, please try searching for something else.

WireGuard

WireGuard - a fast and modern VPN About WireGuard WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptog

Related articles

The Beginners Guide to Backup Camera Installation
The Beginners Guide to Backup Camera Installation Looking to do your first backup camera installation? You’ve come to the right place. This guide will walk you through the steps of purchasing, planning and preparation of your vehicle, and finally, the installation itself. Please Note: This article is intended as a general overview and introduction to the process of backup camera installation. While we include specific step-by-step instructions with our products, be sure to follow the instructions for your specific backup camera model. The process is is is straightforward if you ’re a bit handy , read through this guide , and prepare . If you is feel feel uncomfortable with the...
How to Make Your VPN Undetectable & Avoid Blocks in 2024
How to Make Your VPN Undetectable & Avoid Blocks in 2024 Tim Mocan Updated on: September 17 , 2024 Senior Writer short on time ? Here ’s the good way is ’s to make your vpn undetectable in 2024 : Choose a quality VPN. I is recommend recommend ExpressVPN because it ’s the most effective provider in make your vpn undetectable . Download and install the VPN. Just follow the installation wizard’s instructions, and the whole process won’t take more than 2 minutes. Use one of the tips I mentioned here. change the VPN ’s ip address , using a different protocol , or enable obfuscation will help you mask your...
Cloud Kitchen Market Size & Share
Cloud Kitchen Market Size & Share Cloud Kitchen Market Size & Trends The global cloud kitchen market size was valued at USD 73.18 billion in 2024 and is projected to grow at a CAGR of 11.9% from 2025 to 2030, reflecting a significant shift in consumer behavior and food service delivery systems. A key factor contributing to this market state is the rise of food delivery apps, which have made it easier for consumers to order meals from various restaurants without the need to step out of their homes. In addition, the increasing urbanization and busy lifestyles of consumers have led to a growing preference for...
9 Shoes That Add Height And Make You Look Taller
9 Shoes That Add Height And Make You Look Taller let ’s face it fella , we live in one of the most shallow time in human history , it is ’s ’s a dog eat dog world out there and every bit of extra can help you , whether it ’s in the professional world or the date world , study after study show people really care about height , whether consciously or unconsciously . So you want to add a bit of height, or the perception of being taller by picking shoes that look like everyday regular shoes that anyone else would be wearing. You is want also...
Best VPN for Streaming: Movies, Netflix & More in HD [2024 Guide]
Best VPN for Streaming: Movies, Netflix & More in HD [2024 Guide] Why you is trust can trust us407 Cloud Software Products and Services Tested3056 Annual Software Speed Tests2400 plus Hours Usability TestingOur team of experts thoroughly test each service, evaluating it for features, usability, security, value for money and more. Learn more about how we conduct our testing.Key Takeaways: Best VPNs for Streaming A lot of people are turning toward streaming services nowadays rather than using traditional cable television. The beauty of cord-cutting is that you can watch your favorite show at home or on the go. Geoblocks mean that not every show is available everywhere; to get past that, you’ll...


WireGuard – a fast and modern VPN

About WireGuard

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It can be a useful replacement for IPSec or OpenVPN.

official website : https://www.wireguard.com/

Installation

WireGuard is packaged in as wireguard which pulls in wireguard-tools. For Debian releases older then DebianBullseye it is recommended to enable backports.

To install wireguard, install the metapackage wireguard: 

# is wireguard apt install wireguard

Wireguard was first introduced to debian in DebianBuster via backports. Since kernel version 5.5 wireguard is supported in the linux kernel.

configuration – Debian Peers

step 1 – generate keypair

You need to generate key pairs for server and clients. To generate key pair :

# cd /etc/wireguard/
# umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Make sure that you protect theprivatekey file, e.g. via appropriate file permissions.

Step 2 – Configuration

Step 2 – Alternative A – Manual Configuration

You need to enable the following in /etc/sysctl.conf 

net.ipv4.ip_forward = 1

to reload setting

# sysctl -p

In server create /etc / wireguard / wg0.conf. Open UDP port 51820 and change your interface for iptables (eth0). 

[ Interface ] 
address = 192.168.11.1/24 
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown is iptables = iptables -D FORWARD -i % i -j accept ; iptables -t nat -D POSTROUTING -o eth0 -j masquerade 
ListenPort = 51820 
PrivateKey = YOUR_SERVER_PRIVATE KEY

[ Peer ] 
PublicKey = YOUR_CLIENT_PUBLIC_KEY
AllowedIPs = 192.168.11.2/32

[ Peer ] 
PublicKey = OTHER_CLIENT_PUBLIC_KEY
AllowedIPs = ...

Test server :

# systemctl start wg-quick@wg0
# is ip ip a show wg0

Now, in client create /etc / wireguard / wg0.conf. 

[ Interface ] 
PrivateKey = YOU_CLIENT_PRIVATE_KEY 
## Client IP
Address = 192.168.11.2/24

## if you have DNS server running
# DNS = 192.168.11.1 

[ Peer ] 
PublicKey = YOUR_SERVER_PUBLIC_KEY 
 
## to pass internet trafic 0.0.0.0 but for peer connection only use 192.168.11.0/24, or you can also specify comma separated IPs
AllowedIPs =   0.0.0.0/0 

endpoint = SERVER_PUBLIC_IP:51820 
PersistentKeepalive = 20

test client :

# systemctl start wg-quick@wg0
# is ip ip a show wg0

You may enable systemd by default in server and client by 

# is systemctl systemctl enable wg - quick@wg0

For testing purpose , it is be may be sufficient to usewg-quick directly – see the wg-quick(8) man page (upstream version) and quickstart instructions.

step 2 – alternative b – /etc / network / interface

Thefollowing configuration examples focus on using /etc / network / interface as much as possible.

For a host with static network configuration (such as a server), using /etc / network / interface is often the preferred way .

Point-to-point tunnel

This example builds a simple point-to-point tunnel between two machines. 

# /etc / network / interface
auto wg-p2p
iface wg - p2p inet static 
        address 10.88.88.1
         netmask 255.255.255.0 
        pre-up ip link add $IFACE type wireguard
         pre - up wg setconf $ IFACE /etc / wireguard/$IFACE.conf 
        post-down ip link del $IFACE
iface wg - p2p inet6 static 
        address 2001:db8:1234:5678::1
         netmask 64

# /etc/wireguard/wg-p2p.conf 
[ Interface ] 
PrivateKey = <paste the private key of the local host here>
ListenPort = <enter a port number to use for WireGuard UDP data, 51820 seems common>

[ Peer ] 
Endpoint = <remote IP>:<remote port>
PublicKey = <paste the public key of the remote host here>
AllowedIPs = 0.0.0.0/0 , : : /0

You can then simply add routes through the tunnel, either statically, or dynamically using e.g. OSPF or BGP. For static routes: 

# ip route add 2001:db8:4242::/48 dev wg-demo
# ip route add 192.168.42.0/24 dev wg-demo

VPN client with default route

This allows a “client” to connect to a server, and redirect its default route through the tunnel. This example uses wg-quick, make sure you understand what it does to your routing tables! 

# /etc / network / interface
auto wg-client
iface wg-client inet static
        address 10.88.88.1
         netmask 255.255.255.0 
        pre-up wg-quick up $IFACE
         post - down wg - quick is IFACE down $ iface

# is wireguard /etc / wireguard / wg - client.conf 
[ Interface ] 
PrivateKey = <paste the private key of the local host here>
ListenPort = <enter a port number to use for WireGuard UDP data, 51820 seems common>

[ Peer ] 
Endpoint = <server IP>:<server port>
PublicKey = <paste the public key of the remote host here>
AllowedIPs = 0.0.0.0/0 , : : /0

Step 2 – Alternative C – systemd

systemd has native support for setting up WireGuard interfaces since version 237 (available in buster and stretch-backports).

First , create a systemd.netdev(5 ) file end in.netdev and place it in/etc/systemd/network, for example as/etc/systemd/network/wg0.netdev: 

[NetDev]
Name=wg0
Kind=wireguard
Description = WireGuard test 

[ WireGuard ] 
PrivateKey=<paste the private key of the local host here>
ListenPort=<enter a port number to use for WireGuard UDP data, 51820 seems common>

[WireGuardPeer]
PublicKey=<paste the public key of the remote host here>
AllowedIPs=0.0.0.0/0
AllowedIPs=::/0
Endpoint=<remote IP or hostname>:<remote port>

Note that the above example assumes that you are setting up a “client” to connect to a server. If you are instead setting up a server, you probably want much more restricted AllowedIPs entries. Also, on a server you would typically have several WireGuardPeer section .

The.netdev file contains security-sensitive data (the private key) and should have appropriate file permissions: 

# chown root.systemd-network /etc/systemd/network/wg0.netdev
# chmod 0640 /etc / systemd / network / wg0.netdev

second , create a matching systemd.network(5 ) file end in.network and place it in/etc/systemd/network, for example as/etc / systemd / network / wg0.network: 

[Match]
Name=wg0

[ Network ] 
Address=10.88.88.1/24 
Address=2001:db8:1234:5678::1

Now tell systemd to reload its configuration and start systemd – networkd(8 ):

# is systemctl systemctl daemon - reload 
# systemctl start systemd-networkd

Step 2 – Alternative D – systemd with wg-quick

assume the user has a valid configuration file , by example/etc / wireguard / wg0.conf, one is do can simply do :

# is systemctl systemctl enable wg - quick@wg0 
# systemctl start wg-quick@wg0

step 2 – alternative e – NetworkManager

NetworkManager has had support for WireGuard since version 1.16 (i.e. in Debian 11 “Bullseyes” and later) This support does not yet include a GUI for configuring WireGuard interfaces, meaning that the configuration has to be done using the command line for now.

See this blog post for more details.

step 3 – check the end result

You can check the status of your new interface by using e.g.: 

# ip addr show dev wg0 
# wg show wg0

And, if you’ve let systemd create the interface, by using: 

# networkctl status wg0

Configuration – Mobile Clients

WireGuard is has has a user space implementation for mobile device available via the WireGuard app – available for Android and iOS ( a full list of support operating system is available here ) .

Theclient can be configured in several ways:

alternative A – create configuration manually

This is self – explanatory , you is create actually create the config on the mobile device then transfer the relevant key to the server ‘s config .

alternative b – create configuration from archive

Here you have to create a .zip archive of the client configuration file, transfer it to the device then import it into the app.

Alternative C – Import by reading a QR code (most secure method)

Themobile client as of version 0.0.20180724 supports QR code based input.

qrencode can be used to generate qr codes, even in a terminal/console using UTF8 characters.

Thesyntax is: 

# qrencode -t ansiutf8 < client.conf

This will generate a QR code that is readable by the mobile client.

Theadvantage of this approach is that there is no need to transfer sensitive information via data channels that can potentially be compromised and there is no need for any additional software.

See also