WireGuard

Intro to Wireguard
The missing Wireguard documentation

WireGuard topologies
WireGuard beyond basic configuration

Management:

Setup

Generate Keys:

# generate server keys (umask 077 keeps the private key files readable by the owner only)
umask 077
wg genkey | tee server-private.key | wg pubkey > server-public.key
# generate client keys
wg genkey | tee client-private.key | wg pubkey > client-public.key

Example Configs

Route to self and others on the internal network:

AllowedIPs = 10.0.0.1/24

Route to self only:

AllowedIPs = 10.0.0.1/32

Route to the whole internet:

AllowedIPs = 0.0.0.0/0,::/0

Route to self and specific peer:

AllowedIPs = 10.0.0.3/32,10.0.0.4/32

Direct Connect

Client Config:

[Interface]
# Name = "Client 1"  (label only; wg-quick rejects an unknown Name key)
Address = 10.200.100.5/32, fd43:6666:9dc1:70b7::5/128
DNS = 10.200.100.1, fd43:6666:9dc1:70b7::3
PrivateKey = [from key]

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = example.com:51820 #public-server2.example-vpn.dev:51820
PersistentKeepalive = 25
PublicKey = zBFeSr+t+Rw3n9Dh7io+XkDWoBnzDPrWiEwDEl1poxU=

Server Config:

[Interface]
Address = 10.200.100.1/24, fd43:6666:9dc1:70b7::1/64
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; PostUp = iptables -A FORWARD -o %i -j ACCEPT;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = [from key]

# Peer labels are kept as comments; wg-quick rejects an unknown Name key.

#bk201
[Peer]
# Name = bk201
PublicKey = XIfHCt6PgYJbcL7coxVlBTkmP8BGDm4MVhZJOEU/Tzo=
AllowedIPs = 10.200.100.2/32, fd43:6666:9dc1:70b7::2/128 # This denotes the client's IP.

#Android
[Peer]
# Name = Android
PublicKey = s/eJ5huy5FjbCcMQ5+zz+Lw9nSsbcpwpCJ5DiIvC6g4=
AllowedIPs = 10.200.100.3/32, fd43:6666:9dc1:70b7::3/128 # This denotes the client's IP.

#Docker
[Peer]
# Name = Docker
PublicKey = LQOFb+BpnPFotBDGZcDrFtnruBjmZmrDZZLrRI67O0c=
AllowedIPs = 10.200.100.4/32, fd43:6666:9dc1:70b7::4/128 # This denotes the client's IP.

#Windows
[Peer]
PublicKey = 6IQ/3J8hNe2zl74UaLTUZNUcNNh64R7d3m4CS+ncqRo=
AllowedIPs = 10.200.100.5/32, fd43:6666:9dc1:70b7::5/128 # This denotes the client's IP.
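On the server, each peer's AllowedIPs decides which source addresses are accepted from that peer and which destinations are routed to it, so the layout above gives every client exactly one /32 and one /128. The following check is an added example, not part of the original notes: it flags peer entries wider than a single host and ranges that overlap between peers. The sample config and its placeholder keys are constructed, and the function names `parse_peers` and `audit` are hypothetical.

```python
import ipaddress
from itertools import combinations

# Constructed sample in the server layout shown above; keys are placeholders.
SAMPLE = """\
[Interface]
Address = 10.200.100.1/24, fd43:6666:9dc1:70b7::1/64
[Peer]
PublicKey = <peer-a-key>
AllowedIPs = 10.200.100.2/32, fd43:6666:9dc1:70b7::2/128
[Peer]
PublicKey = <peer-b-key>
AllowedIPs = 10.200.100.3/32, fd43:6666:9dc1:70b7::3/128
[Peer]
PublicKey = <peer-c-key>
AllowedIPs = 10.200.100.0/24  # constructed mistake: whole tunnel subnet
"""

def parse_peers(text):
    """Return [(public_key, [networks])] for each [Peer] section."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line.startswith("["):
            current = None
            if line.lower() == "[peer]":
                current = {"key": None, "nets": []}
                peers.append(current)
        elif current is not None and "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            if name.lower() == "publickey":
                current["key"] = value
            elif name.lower() == "allowedips":
                current["nets"] += [ipaddress.ip_network(v.strip(), strict=False)
                                    for v in value.split(",") if v.strip()]
    return [(p["key"], p["nets"]) for p in peers]

def audit(text):
    """Flag entries wider than one host and ranges shared between peers."""
    peers, findings = parse_peers(text), []
    for key, nets in peers:
        findings += [f"{key}: {n} is wider than a single host"
                     for n in nets if n.num_addresses > 1]
    for (k1, n1), (k2, n2) in combinations(peers, 2):
        findings += [f"{k1} {a} overlaps {k2} {b}" for a in n1 for b in n2
                     if a.version == b.version and a.overlaps(b)]
    return findings
```

Run `audit()` on the text of the server config before reloading it; an empty list means every peer owns a distinct single-host range.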

Direct Connect with local IP access

[Interface]
PrivateKey = [from key]
Address = 10.200.100.5/32, fd43:6666:9dc1:70b7::5/128
DNS = 10.200.100.1, fd43:6666:9dc1:70b7::1

[Peer]
PublicKey = zBFeSr+t+Rw3n9Dh7io+XkDWoBnzDPrWiEwDEl1poxU=
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
Endpoint = [SERVER_IP]:51820
PersistentKeepalive = 25

As a Proxy

A WireGuard client that exposes itself as a SOCKS5 proxy or tunnels.

Debugging connection issues

Check interface status:

wg show

View detailed peer information:

wg show all

Enable debug logging:

echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control

Monitor traffic:

tcpdump -i wg0 -n