WireGuard server (Debian/Ubuntu; the commands after apt-get assume a root shell):
sudo apt-get update -y && sudo apt-get install -y iptables resolvconf linux-headers-generic wireguard
mkdir -p /etc/wireguard
(umask 077; wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey)
cat /etc/wireguard/privatekey
cat /etc/wireguard/publickey
Note both keys down somewhere safe, e.g. in Notepad++. The umask creates the key files as 0600 from the first byte instead of leaving them world-readable until the chmod below; the private key never leaves the server.
nano /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.6.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51194
PrivateKey = <server-private-key>
chmod 600 /etc/wireguard/{privatekey,wg0.conf}
wg-quick up wg0
Because the wireguard kernel module was just built against the freshly installed headers, the interface may refuse to come up until the server has been rebooted; without the reboot the service start below fails (see Error Handling). Reconnect with PuTTY after the reboot.
systemctl start wg-quick@wg0.service
systemctl enable wg-quick@wg0.service
wg show wg0

Windows WireGuard client:
Install the Windows WireGuard client. Under "Add Tunnel" choose to create a new (empty) tunnel. !!! WARNING: KEEP THE PRIVATE KEY THE CLIENT GENERATES !!! (the GUI fills in its own PrivateKey; do not replace it with the server's key)
[Interface]
PrivateKey = <generated key>
Address = 192.168.6.2/32
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = <domain or ip>:51194
PersistentKeepalive = 15
The two /1 prefixes together cover all of IPv4, so every packet goes through the tunnel; being more specific than the default route, they win over it without the client having to replace it, which is why this pair is commonly used instead of 0.0.0.0/0.
Finally add the client as a peer on the server. Only the client's own /32 is allowed, so one peer cannot send traffic with another peer's tunnel address. With SaveConfig = true the peer is written to wg0.conf when the interface goes down; otherwise add a [Peer] block with PublicKey and AllowedIPs = 192.168.6.2/32 by hand:
wg set wg0 peer <client-public-key> allowed-ips 192.168.6.2/32
# enable ping on the client side (for troubleshooting)
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
netsh advfirewall firewall add rule name="ICMP Allow incoming V6 echo request" protocol=icmpv6:8,any dir=in action=allow
# add wireguard udp port: incoming/outgoing
netsh advfirewall firewall add rule name="Wireguard allow 51820 udp" protocol=udp localport=51820 dir=in action=allow
netsh advfirewall firewall add rule name="Wireguard allow 51820 udp" protocol=udp localport=51820 dir=out action=allow
Note that 51820 is WireGuard's default port, not the 51194 the server above listens on. The client initiates the connection itself (Windows allows outbound traffic by default), so these rules only matter if a ListenPort is set in the client's [Interface], and then the port in the rules must match that value.
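The server and client setup above as one script. This is an added example, not code from the original notes: it generates key pairs with a restrictive umask so the private key is never world-readable, renders the server [Interface], the client config and the server-side [Peer] block from the addresses used in the notes, and checks that a key is well-formed (32 bytes, base64) before it is pasted anywhere. The helper names, the vpn.example.org endpoint, the client1 naming and the WG_BOOTSTRAP guard are this example's own assumptions; the part that writes to /etc/wireguard only runs where wg is installed and WG_BOOTSTRAP=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes). Function names, file names,
# the endpoint host and the WG_BOOTSTRAP guard are assumptions of this example.
set -eu

# A WireGuard key is 32 random bytes, base64-encoded: exactly 44 characters
# that decode to exactly 32 bytes. Anything else was mis-copied.
wg_key_valid() {
    local key="$1" n
    [ "${#key}" -eq 44 ] || return 1
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c) || return 1
    [ "$n" -eq 32 ]
}

# Write <name>.key and <name>.pub into $dir. umask 077 inside the subshell makes
# both files 0600 from creation, instead of chmod-ing them after the fact.
gen_keypair() {
    local dir="$1" name="$2"
    ( umask 077
      wg genkey | tee "$dir/$name.key" | wg pubkey > "$dir/$name.pub" )
}

# Server [Interface] block. %i is replaced by the interface name by wg-quick;
# the egress interface is a parameter so the text also fits ens3, enp1s0, ...
render_server_conf() {
    local privkey="$1" addr="$2" port="$3" egress="$4"
    cat <<EOF
[Interface]
Address = ${addr}
ListenPort = ${port}
PrivateKey = ${privkey}
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${egress} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${egress} -j MASQUERADE
EOF
}

# Full-tunnel client config: 0.0.0.0/1 + 128.0.0.0/1 together cover all of IPv4.
render_client_conf() {
    local privkey="$1" addr="$2" server_pub="$3" endpoint="$4"
    cat <<EOF
[Interface]
PrivateKey = ${privkey}
Address = ${addr}

[Peer]
PublicKey = ${server_pub}
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = ${endpoint}
PersistentKeepalive = 15
EOF
}

# The [Peer] block for one client in the server's wg0.conf. Only that client's
# /32 is allowed, so a peer cannot source packets from another peer's address.
render_server_peer() {
    local client_pub="$1" client_ip="$2"
    cat <<EOF

[Peer]
PublicKey = ${client_pub}
AllowedIPs = ${client_ip}/32
EOF
}

# Bootstrap: runs only on a host that has wg installed and only when asked to,
# so the rendering helpers above can be used (and tested) anywhere.
if command -v wg >/dev/null 2>&1 && [ "${WG_BOOTSTRAP:-0}" = 1 ]; then
    umask 077                      # configs contain private keys: 0600 from creation
    dir=/etc/wireguard
    mkdir -p "$dir"
    gen_keypair "$dir" server
    gen_keypair "$dir" client1
    render_server_conf "$(cat "$dir/server.key")" 192.168.6.1/24 51194 eth0 > "$dir/wg0.conf"
    render_server_peer "$(cat "$dir/client1.pub")" 192.168.6.2 >> "$dir/wg0.conf"
    render_client_conf "$(cat "$dir/client1.key")" 192.168.6.2/32 \
        "$(cat "$dir/server.pub")" vpn.example.org:51194 > "$dir/client1.conf"
    wg_key_valid "$(cat "$dir/server.pub")" && echo "server public key OK"
fi
```

Run it on the server as root with WG_BOOTSTRAP=1; client1.conf can then be copied into the Windows client as a whole, which avoids the "keep the generated private key" pitfall because the key pair for the client is made on the server and the Windows GUI's own key is simply not used.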
Error Handling:
systemctl start wg-quick@wg0.service
Job for wg-quick@wg0.service failed because the control process exited with error code. See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.
reboot your server to load kernel drivers
VPN forwarding:
Step 1: Accept all traffic arriving on the wg0 interface
Allow all traffic on the wg0 interface (syntax: iptables -I INPUT 1 -i {interface} -j ACCEPT):
iptables -I INPUT 1 -i wg0 -j ACCEPT
The rule above accepts packets that arrive on wg0, i.e. traffic from the connected clients.
Step 2: Configuring FORWARD rules
We must allow packets to be routed through the WireGuard server by adding FORWARD rules for both directions. The syntax is:
iptables -I FORWARD 1 -i eth0 -o wg0 -j ACCEPT
iptables -I FORWARD 1 -i wg0 -o eth0 -j ACCEPT
(The PostUp line in wg0.conf above already adds FORWARD -i wg0 -j ACCEPT and the MASQUERADE rule every time the interface comes up; adding them here as well only creates duplicate rules.)
Step 3: Open WireGuard UDP port # 51194
Finally, open UDP port # 51194 as follows:
iptables -I INPUT 1 -i eth0 -p udp --dport 51194 -j ACCEPT
(Optional) Command to remove WireGuard iptables rules
We can reverse all of the above by deleting the added iptables rules. -D only matches a rule that was added with exactly the same arguments, so the MASQUERADE rule is deleted without a -s option, the same way PostDown in wg0.conf does it:
# iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# iptables -D INPUT -i wg0 -j ACCEPT
# iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
# iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT
# iptables -D INPUT -i eth0 -p udp --dport 51194 -j ACCEPT
Step 4: Turn on IP forwarding on Linux
For IPv4, set the following kernel variable so that packets arriving on wg0 can be passed on to another network interface such as eth0 and forwarded accordingly:
sysctl -w net.ipv4.ip_forward=1
For IPv6, use the following sysctl command:
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w only changes the running kernel. To make the setting survive a reboot, check what /etc/sysctl.conf currently contains:
grep forward /etc/sysctl.conf
grep also prints commented-out lines, so a hit does not mean forwarding is enabled persistently. Edit /etc/sysctl.conf and remove the # in front of net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1:
nano /etc/sysctl.conf
To load the settings that we made to /etc/sysctl.conf file, run the following command:
sudo sysctl -p
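The forwarding steps above (firewall rules in Steps 1-3 and sysctl in Step 4) as one checked, repeatable script. This is an added example, not code from the original notes: it tells a commented-out net.ipv4.ip_forward line in sysctl.conf apart from an active one (which a plain grep cannot), compares that with the live value from /proc/sys, and applies the iptables rules only when they are not already present, so running it twice does not stack duplicates. Function names, the WG_APPLY guard and the constructed sample sysctl.conf text are this example's assumptions, and the eth0->wg0 FORWARD rule is deliberately narrower than the one in the notes: it only admits replies to connections the VPN clients opened.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes). Function names, the sample conf
# text, the WG_APPLY guard and the narrowed eth0->wg0 rule are this example's choices.
set -eu

# Persisted value of a sysctl key in a conf file: the last uncommented
# "key = value" line wins; lines starting with # or ; are comments and ignored.
persisted_sysctl() {
    local key="$1" file="$2"
    awk -v key="$key" -F'=' '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) val = v
        }
        END { print (val == "" ? "unset" : val) }' "$file"
}

# Live value straight from /proc/sys (dots become slashes); "unavailable"
# where /proc/sys is not mounted, e.g. inside a build container.
effective_sysctl() {
    local path
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo unavailable; fi
}

# True only when the running kernel AND the persisted config both say 1.
forwarding_ok() {
    [ "$(effective_sysctl "$1")" = 1 ] && [ "$(persisted_sysctl "$1" "$2")" = 1 ]
}

# Insert a rule at position 1 only if an identical rule is not already there
# (-C checks without changing anything). Usage: ipt_ensure <table> <chain> <rule...>
ipt_ensure() {
    local table="$1" chain="$2"
    shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
        || iptables -t "$table" -I "$chain" 1 "$@"
}

# Steps 1-3 from the notes, idempotently. eth0->wg0 is limited to replies of
# connections the clients opened; the notes' rule accepts anything in that direction.
apply_vpn_forwarding() {
    local wg="$1" egress="$2" port="$3"
    ipt_ensure filter INPUT -i "$wg" -j ACCEPT
    ipt_ensure filter INPUT -i "$egress" -p udp --dport "$port" -j ACCEPT
    ipt_ensure filter FORWARD -i "$wg" -o "$egress" -j ACCEPT
    ipt_ensure filter FORWARD -i "$egress" -o "$wg" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt_ensure nat POSTROUTING -o "$egress" -j MASQUERADE
}

# Constructed sample: the stock Ubuntu sysctl.conf lines, still commented out.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1
EOF

# grep "finds" the key here, yet nothing is enabled: the parser says "unset".
echo "grep output:     $(grep forward "$sample_conf" | tr '\n' ' ')"
echo "persisted value: $(persisted_sysctl net.ipv4.ip_forward "$sample_conf")"
echo "live value:      $(effective_sysctl net.ipv4.ip_forward)"
if forwarding_ok net.ipv4.ip_forward "$sample_conf"; then
    echo "forwarding: OK"
else
    echo "forwarding: NOT fully enabled (run sysctl -w and uncomment the line)"
fi

# Only touches the firewall on the server itself, and only when asked to.
if command -v iptables >/dev/null 2>&1 && [ "${WG_APPLY:-0}" = 1 ]; then
    apply_vpn_forwarding wg0 eth0 51194
fi
```

On the server, run it with WG_APPLY=1 after sysctl -p; point persisted_sysctl at /etc/sysctl.conf (or the drop-in under /etc/sysctl.d you used) instead of the sample file to check the real persisted state.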