Billy Bromell

WireGuard Setup


This guide assumes you are setting up a WireGuard client on Linux and that the WireGuard server admin will give you the server address and public key.

Install WireGuard

Install WireGuard on the client.

Generate keys

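On the client, generate a key pair. Running the command in a subshell with umask 077 creates the key files readable only by your user:

(umask 077; wg genkey | tee clientkey.priv | wg pubkey > clientkey.pub)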

Key generation differs on other systems, so you may need to look up the instructions for your OS.

Preshared Keys (Optional)

For enhanced security you can create a preshared key using:

wg genpsk > shared.psk

You will then need to send this along with your public key when requesting access (see below). Public keys can be shared across insecure networks, but a preshared key must be shared in a secure manner, e.g. in person or through a trusted encrypted channel.

You will also need to add the following line below [Peer] in the config (see the Generate config section):

Example preshared key

PresharedKey = XezV652xbAQX7NPIwNLU8ykIzUsIqdcjdP4kUcw8tV0#

Request Access

Send the admin your public key (never share your private key), and they will send you the public key for the server, a tunnel address and an endpoint address to use in the config (see below).

Generate config

Use the snippet below as the template for the config, filling the YOUR_TUNNELADDRESS, SERVER_PUBLICKEY and SERVER_ENDPOINT variables with what is sent to you, and YOUR_PRIVATEKEY with the private key you generated earlier (the string from the file clientkey.priv).

/etc/wireguard/wg0.conf

[Interface]
Address = YOUR_TUNNELADDRESS
PrivateKey = YOUR_PRIVATEKEY

[Peer]
PublicKey = SERVER_PUBLICKEY
Endpoint = SERVER_ENDPOINT
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

AllowedIPs can be changed to specific subnets if you don’t want to route all your traffic through the server.
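
As an added example (not part of the original guide), the script below checks a filled-in config before you bring the tunnel up: the file must not be accessible to group or other, no template placeholder may remain, and each key must look like a 44-character base64 string. The function names check_wg_conf and conf_value are made up for this example, and only the first key of each kind in the file is checked.

```shell
#!/bin/sh
# Added example: check a wg-quick client config before bringing the tunnel up.
# check_wg_conf and conf_value are hypothetical helper names, not WireGuard tools.

# A WireGuard key is 32 bytes in base64: 43 characters followed by "=".
KEY_RE='^[A-Za-z0-9+/]{43}=$'

# Print the value of the first "FIELD = value" line, without any trailing comment.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# Print one line per problem; the return status is the number of problems.
check_wg_conf() {
    conf=$1
    problems=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 99; }

    # The file holds the private key: group and other must have no access.
    if [ "$(ls -lL "$conf" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $conf is accessible to group or other (chmod 600 it)"
        problems=$((problems + 1))
    fi

    # Every placeholder from the template must have been filled in.
    for ph in YOUR_TUNNELADDRESS YOUR_PRIVATEKEY SERVER_PUBLICKEY SERVER_ENDPOINT; do
        if grep -q "$ph" "$conf"; then
            echo "FAIL: placeholder $ph was not replaced"
            problems=$((problems + 1))
        fi
    done

    # Key fields must be well-formed; PresharedKey is optional.
    for field in PrivateKey PublicKey PresharedKey; do
        value=$(conf_value "$conf" "$field")
        if [ -z "$value" ] && [ "$field" = PresharedKey ]; then
            continue
        fi
        if ! printf '%s\n' "$value" | grep -Eq "$KEY_RE"; then
            echo "FAIL: $field is not a 44-character base64 key"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage: sh check.sh /etc/wireguard/wg0.conf
if [ "$#" -gt 0 ]; then check_wg_conf "$1"; fi
```
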

To use the VPN on Linux you can use:

> wg-quick up NAME # connect

> wg-quick down NAME # disconnect

Or, using systemd:

> systemctl start wg-quick@NAME # connect

> systemctl stop wg-quick@NAME # disconnect

Here NAME is the name of the config file /etc/wireguard/NAME.conf (for example wg0).