sudo apt-get update -y && sudo apt-get install -y iptables resolvconf linux-headers-generic wireguard
mkdir /etc/wireguard
wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
cat /etc/wireguard/privatekey
cat /etc/wireguard/publickey
Note both keys down, e.g. in Notepad++; they are needed below.
nano /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.6.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51194
PrivateKey = <server-private-key>
chmod 600 /etc/wireguard/{privatekey,wg0.conf}
wg-quick up wg0
Because of the kernel modules, you need to reboot before starting the service; otherwise it will fail!
-- reconnect via ssh --
systemctl start wg-quick@wg0.service
systemctl enable wg-quick@wg0.service
wg show wg0
Install the Windows WireGuard client
Under Add Tunnel, choose Create a new tunnel.
!!! ATTENTION: KEEP THE GENERATED PRIVATE KEY !!!
[Interface]
PrivateKey = <generated key>
Address = 192.168.6.2/32
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = <domain or ip>:51194
PersistentKeepalive = 15
Finally, add the client to the server:
wg set wg0 peer <client-public-key> allowed-ips 192.168.6.2
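The server and client configuration steps above can be turned into a repeatable script. The following is an added example (not code from the original post): it renders the wg0.conf from the guide and the matching Windows client config, checks that key strings have the shape `wg genkey`/`wg pubkey` produce before they are written, creates the config file with mode 0600 from the start, and adds a peer with an explicit /32. The interface name wg0, the subnet 192.168.6.0/24 and port 51194 come from the guide; the egress interface name and the endpoint hostname are parameters. Nothing touches the system unless `WG_APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not part of the original guide. Assumes the wg tools from the
# guide are installed; key values are passed in as strings from wg genkey/wg pubkey.

# A WireGuard key is 32 bytes, base64-encoded: 44 characters ending in '='.
# The 43rd character carries only 4 payload bits, so only every fourth base64
# symbol is valid there; this rejects keys that were truncated or mistyped.
wg_key_valid() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Server config exactly as in the guide; $1 private key, $2 egress interface, $3 port
render_server_conf() {
    cat <<EOF
[Interface]
Address = 192.168.6.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $2 -j MASQUERADE
ListenPort = $3
PrivateKey = $1
EOF
}

# Client config for the Windows app; $1 client private key, $2 client address,
# $3 server public key, $4 endpoint host (domain or IP)
render_client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2/32

[Peer]
PublicKey = $3
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = $4:51194
PersistentKeepalive = 15
EOF
}

# Write stdin to $1 with mode 0600 from creation, so the private key is never
# world-readable even for the instant between writing and chmod.
write_protected() {
    (umask 077; cat > "$1")
    chmod 600 "$1"
}

# Give a bare client address an explicit /32 so the server only routes that one host.
peer_allowed_ips() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# Add a client peer on the running interface; refuses malformed keys up front.
add_peer() {
    wg_key_valid "$1" || { echo "refusing: malformed peer public key" >&2; return 1; }
    wg set wg0 peer "$1" allowed-ips "$(peer_allowed_ips "$2")"
}

if [ "${WG_APPLY:-0}" = 1 ]; then
    # Usage: WG_APPLY=1 ./wg-setup.sh <egress-interface>
    mkdir -p /etc/wireguard
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
    wg_key_valid "$priv" || exit 1
    printf '%s\n' "$priv" | write_protected /etc/wireguard/privatekey
    printf '%s\n' "$pub"  > /etc/wireguard/publickey
    render_server_conf "$priv" "${1:-eth0}" 51194 | write_protected /etc/wireguard/wg0.conf
    echo "server public key: $pub"
fi
```

Run it once as root with `WG_APPLY=1`, then reboot as the guide says before `systemctl start wg-quick@wg0.service`; afterwards `add_peer <client-public-key> 192.168.6.2` replaces the manual `wg set` line, and `render_client_conf` prints the text to paste into the Windows client.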
# enable ping on client side (for troubleshooting)
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
netsh advfirewall firewall add rule name="ICMP Allow incoming V6 echo request" protocol=icmpv6:8,any dir=in action=allow
# add wireguard udp port: incoming/outgoing
netsh advfirewall firewall add rule name="Wireguard allow 51820 udp" protocol=udp localport=51820 dir=in action=allow
netsh advfirewall firewall add rule name="Wireguard allow 51820 udp" protocol=udp localport=51820 dir=out action=allow
Error Handling:
systemctl start wg-quick@wg0.service
Job for wg-quick@wg0.service failed because the control process exited with error code. See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.
Reboot your server to load the kernel modules.
VPN Forwarding
Step 1: Accept all traffic created by wg0 interface
Allow all traffic on wg0 interface:
iptables -I INPUT 1 -i {interface} -j ACCEPT
iptables -I INPUT 1 -i wg0 -j ACCEPT
Step 2: Configuring FORWARD rules
We must allow for packets being routed through the WireGuard server by setting up the FORWARD rule. The syntax is:
iptables -I FORWARD 1 -i eth0 -o wg0 -j ACCEPT
iptables -I FORWARD 1 -i wg0 -o eth0 -j ACCEPT
Step 3: Open WireGuard UDP port # 51194
Finally, open UDP port # 51194 as follows:
iptables -I INPUT 1 -i eth0 -p udp --dport 51194 -j ACCEPT
(Optional) Command to remove WireGuard iptables rules
We can reverse all of the above by deleting the added iptables rules as follows (the POSTROUTING rule is the one from PostUp, so it is deleted with the same match):
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
iptables -D INPUT -i wg0 -j ACCEPT
iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT
iptables -D INPUT -i eth0 -p udp --dport 51194 -j ACCEPT
Step 5: Turn on IP forwarding on Linux
For IPv4 we set the following Linux kernel variable so that packets arriving on wg0 are passed on to another interface such as eth0 and forwarded accordingly; for IPv6 the matching variable is net.ipv6.conf.all.forwarding:
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
check the status with:
grep forward /etc/sysctl.conf
To make this persistent, edit /etc/sysctl.conf and remove the # in front of net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1:
nano /etc/sysctl.conf
To load the settings that we made to /etc/sysctl.conf file, run the following command:
sudo sysctl -p
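Steps 1 to 5 of the forwarding section are individual iptables and sysctl commands, which stack duplicate rules if run twice (for example after a failed wg-quick start). The following is an added example (not code from the original post) that applies the same rules idempotently using `iptables -C` to test for an existing rule first, mirrors them in a removal function, and checks the kernel forwarding switch. Interface names wg0/eth0, port 51194 and subnet 192.168.6.0/24 are the guide's values and are passed as parameters; the MASQUERADE rule is the guide's PostUp rule narrowed with `-s` to the VPN subnet. With `DRY_RUN=1` every command is printed instead of executed, so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not part of the original guide. Requires root and iptables
# to apply; DRY_RUN=1 only prints the commands.

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Insert a rule at position 1 only if an identical rule is not already present
# (iptables -C returns 0 when the rule exists), so re-runs do not stack duplicates.
# $1 table (filter|nat), $2 chain, remaining args: the match/target specification
ensure_rule() {
    table=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" != 1 ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -I "$chain" 1 "$@"
}

# Delete a rule; silently a no-op if it is not present.
remove_rule() {
    table=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" != 1 ] && ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -D "$chain" "$@"
}

# $1 WireGuard interface, $2 egress interface, $3 listen port, $4 VPN subnet
apply_forwarding_rules() {
    ensure_rule filter INPUT   -i "$1" -j ACCEPT                        # step 1
    ensure_rule filter FORWARD -i "$2" -o "$1" -j ACCEPT                # step 2
    ensure_rule filter FORWARD -i "$1" -o "$2" -j ACCEPT
    ensure_rule filter INPUT   -i "$2" -p udp --dport "$3" -j ACCEPT    # step 3
    # NAT only the VPN subnet, not everything leaving via the egress interface
    ensure_rule nat POSTROUTING -s "$4" -o "$2" -j MASQUERADE
}

remove_forwarding_rules() {
    remove_rule nat POSTROUTING -s "$4" -o "$2" -j MASQUERADE
    remove_rule filter INPUT   -i "$1" -j ACCEPT
    remove_rule filter FORWARD -i "$2" -o "$1" -j ACCEPT
    remove_rule filter FORWARD -i "$1" -o "$2" -j ACCEPT
    remove_rule filter INPUT   -i "$2" -p udp --dport "$3" -j ACCEPT
}

# Step 5 check: returns 0 when the sysctl file given as $1 holds "1".
# Parameterised on the path so it can be tested on a copy; on the server use
# /proc/sys/net/ipv4/ip_forward and /proc/sys/net/ipv6/conf/all/forwarding.
forwarding_enabled() {
    [ "$(tr -d '[:space:]' < "$1")" = 1 ]
}

if [ "${WG_FW_APPLY:-0}" = 1 ]; then
    apply_forwarding_rules wg0 eth0 51194 192.168.6.0/24
    forwarding_enabled /proc/sys/net/ipv4/ip_forward \
        || echo "warning: net.ipv4.ip_forward is 0; run sysctl -w net.ipv4.ip_forward=1" >&2
    forwarding_enabled /proc/sys/net/ipv6/conf/all/forwarding \
        || echo "warning: net.ipv6.conf.all.forwarding is 0" >&2
fi
```

Review the rule set with `DRY_RUN=1 WG_FW_APPLY=1 ./wg-forward.sh`, then run it without `DRY_RUN` as root; iptables rules added this way are still not persistent across reboots, which is why the guide keeps the FORWARD and MASQUERADE rules in PostUp/PostDown of wg0.conf.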