$UDP_SERVER_PORT
- The UDP port on which the server listens and to which clients connect (it must be opened in the firewall and/or forwarded through NAT).
$UPLINK_DEV
- The server's outward-facing network interface (the one that carries the public address), used by the MASQUERADE rule so that client traffic leaves the server with the server's address.
$WHITE_IP_OR_DOMAIN_YOUR_SERVER
- Public (white) IP address or domain name of the server to which clients connect to create the tunnel.
192.168.200.XXX
- Addressing inside the tunnel (the gray network). You can change it to your own or leave it as it is; the main thing is that no other network with the same addressing exists on either the server side or the client side, otherwise the tunnel routes collide with the local ones.
PersistentKeepalive
- How often, in seconds, the client sends a keepalive packet to the server when there is no other traffic; it keeps the NAT/firewall mapping alive so the peers do not "lose" each other. WireGuard's own documentation suggests 25; the value of 3 used in the configs below works but is very aggressive.
AllowedIPs
- A list of host or network addresses that are routed through the tunnel; by default wg-quick creates a route for every network listed here. You can list them on multiple lines or separate them with commas. If you don't want wg-quick to create routes according to AllowedIPs, set Table = off in the [Interface] section (usually needed on the client side). Regardless of how many and which routes you add here, do not forget to include the gray network of the tunnel itself. On the server, client addresses are specified with a /32 mask. AllowedIPs is also a source filter (cryptokey routing): a decrypted packet from a peer is accepted only if its source address is inside that peer's AllowedIPs, so a client can never spoof another client's tunnel address.
wg0
- The name of the configuration file (without .conf) is also used by the systemd unit (wg-quick@wg0) and becomes the name of the network interface. You can replace it with any other name convenient for you.
DO NOT use the same private/public key pair for different clients! The server identifies a peer by its public key, so two clients with the same key are one and the same peer to it; the endpoint flips to whichever of them spoke last and only one of them works at a time.
wg genkey | tee privatekey | wg pubkey > publickey
This creates two files with the server's private and public keys. Run it with umask 077 (or chmod 600 the result) so the private key is not world-readable, and keep it out of repositories and shared backups; wg0.conf contains the private key as well and needs the same protection.
Server: /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.200.1/24
PostUp = iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o $UPLINK_DEV -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 192.168.200.0/24 -o $UPLINK_DEV -j MASQUERADE
ListenPort = $UDP_SERVER_PORT
PrivateKey = $SERVER_PRIVATE_KEY
# Client_1
[Peer]
PublicKey = $CLIENT_1_PUBLIC_KEY
AllowedIPs = 192.168.200.2/32
PersistentKeepalive = 3
# Client_2
[Peer]
PublicKey = $CLIENT_2_PUBLIC_KEY
AllowedIPs = 192.168.200.3/32
PersistentKeepalive = 3
wg genkey | tee privatekey | wg pubkey > publickey
This creates two files with the client's private and public keys. Repeat it on every client so that each one has its own pair; only the public key is copied to the server.
Client: /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.200.2/24
PrivateKey = $CLIENT_PRIVATE_KEY
[Peer]
PublicKey = $SERVER_PUBLIC_KEY
AllowedIPs = 192.168.200.0/24
AllowedIPs = XXX.XXX.XXX.XXX/XX
AllowedIPs = YYY.YYY.YYY.YYY/YY
Endpoint = $WHITE_IP_OR_DOMAIN_YOUR_SERVER:$UDP_SERVER_PORT
PersistentKeepalive = 3
systemctl enable --now wg-quick@wg0.service
Run this on both the server and each client. On the server also enable IPv4 forwarding (sysctl -w net.ipv4.ip_forward=1, made persistent in /etc/sysctl.d/), otherwise the MASQUERADE rule has no forwarded packets to work on. wg show then lists each peer; a "latest handshake" line appears for a peer once its client has connected.
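As an added example (not part of the original guide), here is a Python check for the server-side wg0.conf that catches the mistakes called out above: a key pair reused between two clients, a client entry that is not a /32, overlapping AllowedIPs, and a key that was pasted incompletely. The keys are placeholders built from constant bytes and the sample config is constructed for the example; real keys come from wg genkey / wg pubkey.

```python
import base64
import binascii
import ipaddress

def parse_wg_conf(text):
    """Parse a wg-quick config into (interface_dict, [peer_dicts]).
    configparser does not fit because [Peer] repeats; a key repeated inside one
    section (several AllowedIPs lines) is joined with commas, as wg treats it."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "peer":
                section = {}
                peers.append(section)
            elif name == "interface":
                section = interface
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if section is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        section[key] = f"{section[key]},{value}" if key in section else value
    return interface, peers

def valid_key(key):
    """A WireGuard public or private key is exactly 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except binascii.Error:
        return False

def audit_server_conf(text):
    """Return human-readable findings for a server-side wg0.conf (empty = clean)."""
    _, peers = parse_wg_conf(text)
    findings = []
    key_owner = {}   # PublicKey -> number of the first peer that used it
    seen = []        # (peer number, network) pairs already accepted
    for n, peer in enumerate(peers, 1):
        key = peer.get("PublicKey", "")
        if not valid_key(key):
            findings.append(f"peer {n}: PublicKey is not a valid 32-byte key")
        elif key in key_owner:
            # Same key means same identity: the server cannot tell the clients apart.
            findings.append(f"peer {n}: reuses the PublicKey of peer {key_owner[key]}")
        else:
            key_owner[key] = n
        allowed = [a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        if not allowed:
            findings.append(f"peer {n}: no AllowedIPs, nothing this peer sends is accepted")
        for entry in allowed:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"peer {n}: cannot parse AllowedIPs entry {entry!r}")
                continue
            if net.prefixlen != net.max_prefixlen:
                # On the server a client entry is its tunnel address with a /32 mask.
                findings.append(f"peer {n}: {entry} is not a single host (/32) address")
            for other_n, other in seen:
                if net.overlaps(other):
                    findings.append(f"peer {n}: {entry} overlaps {other} of peer {other_n}")
            seen.append((n, net))
    return findings

# Constructed placeholder keys; real ones come from `wg genkey` / `wg pubkey`.
KEY_SERVER = base64.b64encode(bytes([9]) * 32).decode()
KEY_CLIENT_1 = base64.b64encode(bytes([1]) * 32).decode()
KEY_CLIENT_2 = base64.b64encode(bytes([2]) * 32).decode()

# Constructed sample in the layout of the server config above, with three mistakes.
BAD_CONF = f"""
[Interface]
Address = 192.168.200.1/24
ListenPort = 51820
PrivateKey = {KEY_SERVER}
# Client_1
[Peer]
PublicKey = {KEY_CLIENT_1}
AllowedIPs = 192.168.200.2/32
# Client_2: copied Client_1's key pair and used the network mask instead of /32
[Peer]
PublicKey = {KEY_CLIENT_1}
AllowedIPs = 192.168.200.0/24
# Client_3: key pasted incompletely
[Peer]
PublicKey = {KEY_CLIENT_2[:-5]}
AllowedIPs = 192.168.200.4/32
"""

if __name__ == "__main__":
    for finding in audit_server_conf(BAD_CONF):
        print(finding)
```

Run it against your real file with audit_server_conf(open("/etc/wireguard/wg0.conf").read()); an empty list means none of the checks fired. The overlap check is deliberately strict: a server entry wider than /32 is only legitimate for a site-to-site peer that really routes a whole network, and even then it must not overlap the other clients' /32 addresses.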
If you do not want to send all traffic through the tunnel with 0.0.0.0/0 but still want every public (white) address routed through it, add every prefix from the list below to the client's AllowedIPs. Together they cover 0.0.0.0-223.255.255.255 minus the RFC1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), so the local LAN stays reachable directly. Two caveats: wg-quick sets up its routing-loop protection (fwmark plus policy routing rules) only when AllowedIPs contains 0.0.0.0/0, so with this list the server's own public address must not fall into a routed prefix, otherwise the encrypted packets themselves would be sent into the tunnel; exclude it (split the prefix that contains it) or add a host route to it via the uplink. And if your LAN or the server's LAN uses a non-RFC1918 range (for example 100.64.0.0/10), exclude that too.
0.0.0.0/5
8.0.0.0/7
11.0.0.0/8
12.0.0.0/6
16.0.0.0/4
32.0.0.0/3
64.0.0.0/2
128.0.0.0/3
160.0.0.0/5
168.0.0.0/6
172.0.0.0/12
172.32.0.0/11
172.64.0.0/10
172.128.0.0/9
173.0.0.0/8
174.0.0.0/7
176.0.0.0/4
192.0.0.0/9
192.128.0.0/11
192.160.0.0/13
192.169.0.0/16
192.170.0.0/15
192.172.0.0/14
192.176.0.0/12
192.192.0.0/10
193.0.0.0/8
194.0.0.0/7
196.0.0.0/6
200.0.0.0/5
208.0.0.0/4
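The list is the whole unicast IPv4 space 0.0.0.0-223.255.255.255 with the three RFC1918 ranges cut out. As an added example (not part of the original guide), the Python below regenerates exactly these 30 prefixes with the standard-library ipaddress module, lets you cut extra holes (the server's public address, a non-RFC1918 LAN) so the list stays correct for your setup, and checks whether a given destination would be routed into the tunnel. The address 203.0.113.5 used in the usage call is a documentation-range placeholder standing in for the server's public address, not a real host.

```python
import ipaddress

# The unicast IPv4 space, 0.0.0.0 - 223.255.255.255, as the five prefixes that
# cover it (224.0.0.0/3 is multicast/reserved and is left out on purpose).
UNICAST_V4 = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/3", "32.0.0.0/3", "64.0.0.0/2", "128.0.0.0/2", "192.0.0.0/3")]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def exclude_networks(networks, holes):
    """Cut every prefix in `holes` out of `networks`; return the minimal sorted
    list of prefixes covering what is left."""
    remaining = list(networks)
    for hole in holes:
        kept = []
        for net in remaining:
            if net.subnet_of(hole):
                continue                                  # swallowed whole
            if hole.subnet_of(net):
                kept.extend(net.address_exclude(hole))    # split around the hole
            else:
                kept.append(net)
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def public_allowed_ips(extra_holes=()):
    """AllowedIPs lines for 'every public IPv4 address': unicast space minus
    RFC1918 minus any extra prefixes (strings) that must stay off the tunnel,
    e.g. the server's public address or a non-RFC1918 LAN."""
    holes = RFC1918 + [ipaddress.ip_network(h) for h in extra_holes]
    return [f"AllowedIPs = {net}" for net in exclude_networks(UNICAST_V4, holes)]

def routed_via_tunnel(address, lines):
    """Would wg-quick route `address` into the tunnel given these AllowedIPs lines?"""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(line.split("=", 1)[1].strip())
               for line in lines)

if __name__ == "__main__":
    # 203.0.113.5 stands in for the server's public address (documentation range).
    for line in public_allowed_ips(["203.0.113.5/32"]):
        print(line)
    print(routed_via_tunnel("8.8.8.8", public_allowed_ips()))        # True
    print(routed_via_tunnel("192.168.1.10", public_allowed_ips()))   # False
```

Without extra holes the output is the 30 lines above, in the same order. Cutting a single /32 out of 200.0.0.0/5 replaces that one line with 27 (one per prefix length from /6 to /32), which is why a generated list is more practical than hand-editing once you have to exclude the endpoint.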