We have a new VPN at work which works with WireGuard.

There are a lot of guides on the web like :

I’m going to present 2 cases:

  • Home need: I need a VPN access for my phone and laptop in order to access block stuff in some situation. All the traffic goes throught the VPN. It’s the simplest case
  • Work need: I need to access some ip or ip ranges but not all the traffic goes throught the VPN.



  • Install of WireGuard. I’m on debian 10
    • create a /etc/apt/sources.list.d/backport.list
    deb http://deb.debian.org/debian buster-backports main
    • apt update && apt install wireguard
    • reboot. WireGuard consist of a kernel module which need to be loaded by the kernel. And unstable will upgrade you kernel to 4.19. that’s why. On ArchLinux for example you don’t need to reboot.
  • Generate the key pair
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
  • Fill the the file /etc/wireguard/wg0.conf. wg0 is the name of your interface it can be everything like wg10 or even chambery
Address =
ListenPort = 51820
PrivateKey = <my private key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

PublicKey = <client pub key>
AllowedIPs =

Interface means that you listen here. And a Peer means a distant… Peer at the end of the tunnel. You have to declare every peer in your VPN. Which mean that if you deploy wireguard as a VPN concentrator for you company you will need some automation here ! There are some work going on to add dynamic IP to wireguard. Look at the idea here

The PostUp/PostDown are here to NAT the private addresses to the address where the traffic goes (generally, the internet). But in case you just want a tunnel to access internal stuff. You don’t need NAT.

  • Start the service : wg-quick up wg0.
  • Once it works, enable the service in systemd, this way the interface get up when you start the system: systemctl enable wg-quik@wg0


I’m on Arch, so I just have to do pacman -S wireguard. Note that, Since kernel 5.6 (at this time Arch runs on 5.6) integrate WireGuard. So pacman only download the tooling 😏. Pretty neat.

  • Generate a key pair. Same way than on the server :
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Then fill the /etc/wireguard/wg0.conf

PrivateKey = <Client Private Key>
Address =
DNS= # if you have a dns on the server !! if not, server of the machine will be the same as before.

PublicKey = <Client Public Key>
AllowedIPs = # this specific address means all the traffic.
Endpoint= # The ip address of your server. can be an domain.

You can now launch !: wg-quick up wg0

And see status : wg show.

Query (for example) ifconfig.io :

curl https://ifconfig.io

The IP returned should be the one from your distant box endpoint.


At Camptocamp I needed a split tunneling. A VPN where only the traffic for our clients goes through the tunnel, not the whole traffic of my machine, it allow us to have a pretty small machine and bandwidth compared to what it should if all the traffic of all employees goes through it.


The server configuration is the same as above


What we want is to route through some route or ip range. The list of IP addresses I want is on git repo but it does not matter, it could anywhere.

Since AllowedIPs cannot be set via shell script in the wgX.conf, we will need to use PostUp/PreDown to:

  1. Add allowed ips to the peer.
  2. add the route in the routing table of the system. Wireguard doesn’t do this for you.

Set this script where you want, you’ll have to prive a $VPN_ROUTES yourself ! This need modifications.


set -e

# this script expose a variable $VPN_ROUTES with all the endpoint that need
# to be added to route and AllowedIPs. You can curl your IPAM, maintain a list curl a gist on
# github. It's shell you can do whatever you want 😀 !
# input like "join_by , A B C " output "A,B,C"
function join_by { local IFS="$1"; shift; echo "$*"; }

function add_routes() {
    for route in $VPN_ROUTES; do
        echo "ip route add $route"
        ip ro add $route dev $WG_INTERFACE

function up_peer() {
    wg set $WG_INTERFACE peer $WG_PEERPUBKEY allowed-ips $(join_by , $VPN_ROUTES)

Then in /etc/wireguard/wg1.conf

PublicKey = <server pub key>
Endpoint = wg.example.com:12345

PrivateKey = <my private key>
Address =
PostUp = /path/to/my/wireguard/setup/route.sh up wg0 "<server pub key>"

Why does it need to set up the route ? If I set AllowedIPs to it works !

It works because wg-quick will read the AllowedIPs and create the route accordingly. Here we are setting up route via wg which does only takes care of setting up the wireguard interface, not the routing.