WireGuard Installation and Configuration Guide

This guide covers the steps required to install and configure WireGuard on both Debian-based and Red Hat-based systems.

Prerequisites

Before starting, ensure you have root or sudo privileges on the system.

Dependencies

For Debian-based Systems (Ubuntu)

sudo apt update
sudo apt install -y make gcc libmnl-dev libelf-dev pkg-config linux-headers-$(uname -r)

For Red Hat-based Systems (Rocky Linux, AlmaLinux)

sudo dnf install -y make gcc libmnl-devel elfutils-libelf-devel pkgconf-pkg-config kernel-headers kernel-devel

Installation

From Source

For both distributions, you can compile WireGuard tools from source:

git clone https://git.zx2c4.com/wireguard-tools.git
cd wireguard-tools/src
make -j$(nproc)   # Compiles the tools using all available CPU cores
sudo make install # Installs the compiled tools

Using Package Manager

Debian-based Systems

sudo apt update
sudo apt install -y wireguard-tools

Red Hat-based Systems

sudo dnf install -y wireguard-tools

Verify the installation:

wg --version

Configuration

Server Configuration

Create a WireGuard configuration file for the server:

sudo nano /etc/wireguard/wg0.conf

Example Configuration

[Interface]
# The private IP address of the server on the VPN
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>

[Peer]
PublicKey = <client_public_key>
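# Tunnel address this client may use as its source; give each client its own /32
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <client2_public_key>
# Second client, with its own tunnel address. Do not put 0.0.0.0/0 here:
# on the server it would route all traffic to this peer. Full-tunnel
# routing is set with AllowedIPs in the client's configuration instead.
AllowedIPs = 10.0.0.3/32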

Enable IP Forwarding

Enable IP forwarding to route traffic through the VPN:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo sysctl -w net.ipv4.ip_forward=1

To make it persistent:

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Start WireGuard

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Client Configuration

Create a configuration file on the client machine:

sudo nano /etc/wireguard/wg0.conf

Example Configuration

[Interface]
# The private IP address of the client on the VPN
Address = 10.0.0.2/24
PrivateKey = <client_private_key>

[Peer]
PublicKey = <server_public_key>
Endpoint = <server_public_ip>:51820
AllowedIPs = 10.0.0.0/24

To route all of the client's traffic through WireGuard, set AllowedIPs in the client's [Peer] section to:

AllowedIPs = 0.0.0.0/0

Start WireGuard on Client

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Verify the Connection

On both the server and the client, check the WireGuard status:

wg show

Best Practices

  1. Use Strong Keys: Always generate fresh keys for new configurations.
  2. Secure the Server: Restrict access to the server using firewall rules.
  3. Monitor Traffic: Regularly check wg show for active connections.
  4. Backup Configurations: Save a backup of your configuration files in a secure location.
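
A check for the server's wg0.conf, as an added example that is not part of the original guide: it flags a configuration file accessible to group or other, and [Peer] entries whose AllowedIPs cover 0.0.0.0/0 or overlap another peer's range. The function names and the sample configuration are constructed for illustration.

```python
import ipaddress
import stat

def peer_allowed_ips(text):
    """Return, for each [Peer] section, the list of its AllowedIPs entries."""
    peers, in_peer = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("["):
            in_peer = line.lower() == "[peer]"
            if in_peer:
                peers.append([])
        elif in_peer and line.lower().startswith("allowedips"):
            value = line.partition("=")[2]  # the key may repeat within a peer
            peers[-1] += [v.strip() for v in value.split(",") if v.strip()]
    return peers

def audit(text, mode):
    """Return findings for a server-side config; mode is the file's st_mode."""
    findings = []
    if stat.S_IMODE(mode) & 0o077:
        findings.append("file holding PrivateKey is accessible to group/other")
    seen = []  # (network, peer number) pairs claimed so far
    for n, entries in enumerate(peer_allowed_ips(text), 1):
        for item in entries:
            net = ipaddress.ip_network(item, strict=False)
            if net.prefixlen == 0:
                findings.append(f"peer {n}: {net} accepts any source address from this peer")
            for other, m in seen:
                if m != n and net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {n}: {net} overlaps peer {m} ({other})")
            seen.append((net, n))
    return findings

# Constructed sample input using the guide's placeholders, not real keys.
SAMPLE = """[Interface]
Address = 10.0.0.1/24
PrivateKey = <server_private_key>
[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <client2_public_key>
AllowedIPs = 0.0.0.0/0
"""

if __name__ == "__main__":
    # 0o644 stands in for os.stat("/etc/wireguard/wg0.conf").st_mode
    print("\n".join(audit(SAMPLE, 0o644)))
```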