My WireGuard Setup
We have a new VPN at work which works with WireGuard. There are a lot of guides on the web, like:

- Wireguard VPN : Typical Setup : The poetry of (in)security
- Getting Started with WireGuard

I'm going to present 2 cases:

- Home need: I need VPN access for my phone and laptop in order to reach blocked stuff in some situations. All the traffic goes through the VPN. It's the simplest case.
- Work need: I need to access some IPs or IP ranges, but not all the traffic goes through the VPN.

Home Server

Install of WireGuard. I'm on Debian 10. Create a /etc/apt/sources.list.d/backport.list containing:

    deb http://deb.debian.org/debian buster-backports main

then:

    apt update && apt install wireguard
    reboot

WireGuard consists of a kernel module which needs to be loaded by the kernel, and the package upgrade (from unstable) pulls your kernel to 4.19; that's why the reboot. On ArchLinux, for example, you don't need to reboot.

Generate the key pair:

    cd /etc/wireguard
    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey

The umask matters: the private key file must be readable by root only.

Fill in the file /etc/wireguard/wg0.conf. wg0 is the name of your interface; it can be anything, like wg10 or even chambery.

    [Interface]
    Address = 10.10.10.1/24
    ListenPort = 51820
    PrivateKey = <my private key>
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    [Peer]
    PublicKey = <client pub key>
    AllowedIPs = 10.10.10.2/32

Interface means that you listen here. And a Peer means a distant... peer at the other end of the tunnel. eth0 in the PostUp/PostDown rules is the server's upstream interface; change it if yours is named differently. The MASQUERADE rule only rewrites the clients' traffic; for the server to forward it at all, IPv4 forwarding must also be enabled (net.ipv4.ip_forward = 1 in sysctl), and UDP port 51820 must be reachable from outside. AllowedIPs on a peer is not just a route: WireGuard also drops any packet arriving from that peer whose source address is outside the listed ranges, so it is the per-peer ingress filter as well.

You have to declare every peer in your VPN. Which means that if you deploy WireGuard as a VPN concentrator for your company, you will need some automation here! There is some work going on to add dynamic IP to WireGuard. Look at the idea here ...
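As an added example (not code from the original post), here is the kind of automation the last paragraph asks for: a small Python generator that produces the key pairs and renders the server wg0.conf plus one client config per peer, covering both cases from the post (home = full tunnel, work = split tunnel). It is in Python rather than shell so it runs anywhere without wg installed: the keys are derived with X25519 as specified in RFC 7748, which is exactly what wg genkey / wg pubkey do, so the output is accepted by wg as-is. The endpoint vpn.example.net, the client names and the 192.168.50.0/24 work range are made up. One design point: the script generates client private keys centrally for brevity; the better practice is to generate each client's key on the client and only ship its public key to the server, so the private key never leaves the device.

```python
"""Added example: generate WireGuard key pairs and render the server and client
configs for the two cases in the post (home = full tunnel, work = split tunnel).
Keys are real Curve25519 keys (RFC 7748), so wg accepts them. Names, endpoint
and the work ranges are made up."""
import base64
import ipaddress
import os
from typing import Dict, List, Tuple

_P = 2 ** 255 - 19


def _x25519(scalar: bytes, u: int) -> int:
    """RFC 7748 Montgomery ladder. The branch on `swap` is not constant-time,
    which is acceptable for a one-off generator run on an admin host."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64        # clamp, exactly as wg genkey does
    n = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3, z3 = (da + cb) ** 2 % _P, x1 * (da - cb) ** 2 % _P
        x2, z2 = aa * bb % _P, e * (aa + 121665 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, _P - 2, _P) % _P


def pubkey(private_key: bytes) -> bytes:
    """The same 32 bytes `wg pubkey` prints for this private key (before base64)."""
    return _x25519(private_key, 9).to_bytes(32, "little")


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def keypair() -> Tuple[str, str]:
    """(private, public) in the base64 form used in wg0.conf."""
    priv = os.urandom(32)
    return b64(priv), b64(pubkey(priv))


def check_allowed_ips(peers: List[Dict]) -> List[str]:
    """Server side, an IP may belong to one peer only: wg silently moves an
    overlapping AllowedIP to whichever peer was configured last. Catch it here."""
    problems, seen = [], []
    for p in peers:
        for cidr in p["allowed"]:
            net = ipaddress.ip_network(cidr)
            for name, other in seen:
                if net.overlaps(other):
                    problems.append(f"{p['name']}: {cidr} overlaps {name}: {other}")
            seen.append((p["name"], net))
    return problems


def server_conf(priv: str, address: str, port: int, peers: List[Dict], upstream: str = "eth0") -> str:
    """The wg0.conf from the post, with one [Peer] block per client."""
    fw = ("iptables -{op} FORWARD -i %i -j ACCEPT; iptables -{op} FORWARD -o %i -j ACCEPT; "
          "iptables -t nat -{op} POSTROUTING -o {up} -j MASQUERADE")
    lines = ["[Interface]", f"Address = {address}", f"ListenPort = {port}", f"PrivateKey = {priv}",
             "PostUp = " + fw.format(op="A", up=upstream), "PostDown = " + fw.format(op="D", up=upstream)]
    for p in peers:
        lines += ["", f"# {p['name']}", "[Peer]", f"PublicKey = {p['pub']}",
                  "AllowedIPs = " + ", ".join(p["allowed"])]
    return "\n".join(lines) + "\n"


def client_conf(priv: str, ip: str, server_pub: str, endpoint: str, allowed: List[str]) -> str:
    """Client side, AllowedIPs decides what is routed into the tunnel:
    0.0.0.0/0, ::/0 = everything (home case); a few ranges = split tunnel (work case)."""
    return "\n".join(["[Interface]", f"Address = {ip}/32", f"PrivateKey = {priv}", "",
                      "[Peer]", f"PublicKey = {server_pub}", f"Endpoint = {endpoint}",
                      "AllowedIPs = " + ", ".join(allowed), "PersistentKeepalive = 25"]) + "\n"


def build(endpoint: str, clients: List[Dict]) -> Dict[str, str]:
    """Return {filename: content} for the server and every client; refuse overlapping peers."""
    s_priv, s_pub = keypair()
    peers, out = [], {}
    for c in clients:
        c_priv, c_pub = keypair()
        peers.append({"name": c["name"], "pub": c_pub, "allowed": [f"{c['ip']}/32"]})
        out[f"{c['name']}.conf"] = client_conf(c_priv, c["ip"], s_pub, endpoint, c["routes"])
    problems = check_allowed_ips(peers)
    if problems:
        raise ValueError("; ".join(problems))
    out["wg0.conf"] = server_conf(s_priv, "10.10.10.1/24", 51820, peers)
    return out


if __name__ == "__main__":
    configs = build("vpn.example.net:51820", [            # made-up endpoint
        {"name": "phone", "ip": "10.10.10.2", "routes": ["0.0.0.0/0", "::/0"]},               # home: full tunnel
        {"name": "laptop", "ip": "10.10.10.3", "routes": ["0.0.0.0/0", "::/0"]},              # home: full tunnel
        {"name": "work", "ip": "10.10.10.4", "routes": ["10.10.10.0/24", "192.168.50.0/24"]},  # work: split, made-up LAN
    ])
    for name, text in configs.items():
        print(f"--- {name}\n{text}")
```

Run it once on the server, copy each <client>.conf to its device (over a secure channel, since it holds a private key) and put wg0.conf in /etc/wireguard/. The overlap check is worth keeping even if you later feed it from an inventory: a duplicated 10.10.10.x silently steals the route from the earlier peer rather than failing loudly.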