Wireguard

I have just started using Wireguard and didn't find any clear and concise instructions. There are many pages about Wireguard, just none that clicked for me. These are my notes.

1. Install Wireguard

I am not going to re-write these instructions - they are simple enough.

2. Create Keys

Wireguard authentication is based on public-key cryptography, so you need a private key and a public key for each user. The public keys are distributed to the machines that the user wishes to connect to. Those machines also have a private and a public key. So, on every machine you need to do this:

$ umask 077
$ mkdir ~/.wg
$ cd ~/.wg
$ wg genkey | tee privatekey | wg pubkey > publickey

Now distribute public keys to the machines you would like to connect to. This is simple enough to do - just SSH in and paste the keys into the config files in the steps below.

3. Configure wg-quick - client

Edit /etc/wireguard/wg0.conf (wg0 is the interface name; this file is its config)

[Interface]
# PrivateKey is the contents of ~/.wg/privatekey
PrivateKey = ...
# Address contains CIDR defining how this machine will be addressed
# on the Wireguard network
Address = 10.10.0.2/24

[Peer]
# PublicKey is the public key of the machine you are connecting to
# that you will find in its ~/.wg/publickey
PublicKey = ...
# Endpoint is the host and port of the machine you are connecting to
# (DNS name or IP address is fine)
Endpoint = wg.example.com:51820
# AllowedIPs is a list of the networks that Wireguard will route to over this
# interface:
# - 0.0.0.0/0 = use as default IPv4 route - your typical catch-all VPN server
# - IPv4 and IPv6 are allowed at the same time
# - Can be a comma separated list of CIDRs.
AllowedIPs = 10.10.0.0/24

4. Configure wg-quick - server

Edit /etc/wireguard/wg0.conf (wg0 is the interface name; this file is its config)

[Interface]
# PrivateKey is the contents of ~/.wg/privatekey
PrivateKey = ...
# Address contains CIDR defining how this machine will be addressed
# on the Wireguard network
Address = 10.10.0.1/24
# ListenPort is the UDP port the clients dial into; it must match the
# port in the client's Endpoint (without it wg-quick picks a random port)
ListenPort = 51820

[Peer]
# PublicKey is the public key of the peer connecting to this machine
PublicKey = ...

# Note you don't need to specify Endpoint - the client dials into this server.

# AllowedIPs here is the address (or addresses) this particular peer is
# allowed to use. Wireguard routes packets for these addresses to this peer
# and drops packets arriving from the peer with any other source address,
# so list the peer's own address rather than the whole network.
AllowedIPs = 10.10.0.2/32

5. Run!

On both machines:

$ wg-quick up wg0

6. Add more machines

If you want to add another machine to the network, add a new [Peer] section to the server's config with that machine's public key and its own AllowedIPs.
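A small lint for the server config, written as an added example for these notes (it is not part of WireGuard or wg-quick and uses only the Python standard library): it parses a wg-quick style conf, checks that keys decode to 32 bytes, that a config with no outgoing Endpoint sets a ListenPort, and that no two [Peer] sections claim overlapping AllowedIPs, since the kernel assigns each allowed IP to exactly one peer and a second peer with the same /24 silently takes it from the first. The sample config and its keys are constructed placeholders.

```python
import base64
import ipaddress

def parse_wg_conf(text):
    """Return (interface, peers); hand-rolled because configparser rejects repeated [Peer]."""
    interface, peers, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            current = interface if line.lower() == "[interface]" else {}
            if line.lower() == "[peer]":
                peers.append(current)
        elif line:
            key, _, value = line.partition("=")  # split once: base64 keys end in '='
            current[key.strip()] = value.strip()
    return interface, peers

def valid_key(b64):  # a wg key is 32 raw bytes, base64 encoded
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:
        return False

def lint(text):
    """Return a list of problems; an empty list means the config passed."""
    iface, peers = parse_wg_conf(text)
    problems = []
    if not valid_key(iface.get("PrivateKey", "")):
        problems.append("Interface: PrivateKey is not a 32-byte base64 key")
    if "ListenPort" not in iface and not any("Endpoint" in p for p in peers):
        problems.append("Interface: no ListenPort and no peer has an Endpoint")
    claimed = {}  # network -> index of the peer that owns it
    for i, peer in enumerate(peers):
        if not valid_key(peer.get("PublicKey", "")):
            problems.append(f"Peer {i}: PublicKey is not a 32-byte base64 key")
        for cidr in filter(None, map(str.strip, peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            for other, j in claimed.items():  # the kernel gives each allowed IP to one peer only
                if j != i and net.overlaps(other):
                    problems.append(f"Peer {i}: AllowedIPs {net} overlaps {other} of Peer {j}")
            claimed[net] = i
    return problems

def fake_key(n):  # constructed placeholder (32 repeated bytes), not a real key
    return base64.b64encode(bytes([n]) * 32).decode()

# Constructed sample: the notes' server config with a second [Peer] added and both left at 10.10.0.0/24
SAMPLE_CONF = (f"[Interface]\nPrivateKey = {fake_key(1)}\nAddress = 10.10.0.1/24\nListenPort = 51820\n"
               + "".join(f"[Peer]\nPublicKey = {fake_key(n)}\nAllowedIPs = 10.10.0.0/24\n" for n in (2, 3)))
```

Running lint(SAMPLE_CONF) reports the second peer stealing the /24 from the first; narrowing each peer to its own /32 makes the list empty.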

Mobile phones

If you want to connect from your phone then the instructions are almost the same - the difference being you start by getting it working on a PC, then QR encode the configuration so you can easily import it into the Wireguard app. I did this by creating a wg_phone config with its own set of keys, IP addresses etc, tested it worked on my PC, then displayed the QR code in my terminal like this:

sudo cat /etc/wireguard/wg_phone.conf | qrencode -t ansiutf8

Peers?

OK, so while we may think of Wireguard as having clients and servers in the above docs, really there aren't specific client and server roles, just peers that talk to each other. Any Peer section that has an Endpoint will try to dial to it, so you can create a mesh of machines that dial to each other. Some machines will have a predictable network address that others can dial into, and those will tend to take the role of server. Others, such as laptops or mobile phones, will probably not always be able to open up a port to the world so others can dial in, and these are more likely to be thought of as clients.

References

wg-quick

Mesh networking

wesher is a mesh network manager for Wireguard. If you have a lot of machines to join together it is probably easier than manually handling the key distribution.

Future projects to watch

wg-dynamic is a work in progress at the moment, but will eventually remove the need to pick client addresses ahead of time.