Quick Tip! Setting up a lightweight Server-Client VPN with wireguard


This blog post has been taken over from my collection of "Today I Learned" articles.

You can easily set up a private network of your devices. This way you can "talk" to your phone, raspberry pi etc. over an encrypted network, with simple IP-addresses.

Firstly, install wireguard on all of your systems. Simply install the wireguard package from your package manager respectively. Check out the official installation guide if you can't find the package. If you're on debian, try this guide. There's also an app for Android, iOS and MacOS.

Every participent (Client and server) needs a key-pair. To generate this, run this command first on the server, and on all clients:

wg genkey | tee wg-private.key | wg pubkey > wg-public.key

It might make sense to do this as root. This way you don't have to type sudo with every command.

Server Configuration

You will need to create a configuration for the server. Save this template at /etc/wireguard/wg0.conf, and replace the fields where needed:

PrivateKey = <Server private key from wg-private.key>
Address = # IP Address of the server. Using this IP Address, you can assign IPs ranging from - to your clients
ListenPort = 51820 # This is the standard port for wireguard

# The following fields will take care of routing
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Laptop
PublicKey = <Public Key of Laptop Client>
AllowedIPs = # The client will be reachable at this address

# Android Phone
PublicKey = <Public Key of Phone Client>
AllowedIPs =

# ...

Then run wg-quick up wg0 to start the wireguard interface with the configuration from /etc/wireguard/wg0.

Setting up clients

Setting up clients is very similar to the server setup process. Generate a keypair on each client, save the following config to /etc/wireguard/wg0.conf and replace the nessessary fields:

PrivateKey = <Client Private Key from wg-private.key>
Address = # The fixed address of the client. Needs to be specified in the server config as well

PublicKey = <Server Public key>
AllowedIPs = # Routes all traffic in this subnet to the server. If you want to tunnel all traffic through the wireguard connection, use here instead
Endpoint = <Public Server IP>:51820
PersistentKeepalive = 25 # Optional. Will ping the server every 25 seconds to remain connected.

On every client, run wg-quick up wg0 to start the interface using the config at /etc/wireguard/wg0.conf.

This whole proccess might be easier on GUIs like Android or MacOS.

Now, try to ping your phone from your laptop:

PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=5382 ms
64 bytes from icmp_seq=2 ttl=64 time=4364 ms


Continue Reading