
How to setup WireGuard as an internal VPN

Created: 2025-01-28

This page will describe the setup for one server and one client.

It assumes that you will use UDP port 4242 for WireGuard, 10.42.0.0/24 for the internal IP space, 10.42.0.1 for the server, and 10.42.0.2 for the client. It does not set up internal IPv6.

Installation

Install the userspace WireGuard utilities. On Arch Linux, this is the wireguard-tools package.

Setup the server

On the server, generate its WireGuard keypair:

# cd /etc/wireguard
# umask 077
# wg genkey > privkey
# wg pubkey < privkey > pubkey

On the server, save the following:

/etc/wireguard/wg0.conf
[Interface]
Address = 10.42.0.1/24
SaveConfig = true
ListenPort = 4242
PrivateKey = <contents of /etc/wireguard/privkey>

To allow client-to-client communication inside the tunnel, IP forwarding needs to be enabled on the server.
On the server, save the following:

/etc/sysctl.d/ip-forward.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

The above only takes effect at boot. To enable forwarding at runtime, run on the server:

# sysctl net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1

Start the server:

# systemctl start wg-quick@wg0

Setup the client

On the client, generate the WireGuard keypair:

# cd /etc/wireguard
# umask 077
# wg genkey > privkey
# wg pubkey < privkey > pubkey

On the client, save the following:

/etc/wireguard/wg0.conf
[Interface]
PrivateKey = <contents of /etc/wireguard/privkey>
Address = 10.42.0.2/24

[Peer]
PublicKey = <contents of server's /etc/wireguard/pubkey>
Endpoint = <server ip>:4242
AllowedIPs = 10.42.0.0/24
PersistentKeepalive = 25

Setting PersistentKeepalive = 25 will alleviate potential problems if NAT is involved. For more information, see "Unable to establish a persistent connection behind NAT / firewall".

We need to authorise the client to connect to the server. To do that, run on the server (because the server config sets SaveConfig = true, wg-quick writes this peer back into wg0.conf when the interface is stopped, so it survives restarts):

# wg set wg0 peer <contents of client's /etc/wireguard/pubkey> persistent-keepalive 25 allowed-ips 10.42.0.2/32

Now, start the tunnel on the client:

# systemctl start wg-quick@wg0

Check for connectivity

On the client, try:

$ ping 10.42.0.1

Likewise, on the server:

$ ping 10.42.0.2

If they fail... idk, good luck have fun?
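When the pings fail, `wg show wg0 dump` on the server tells you whether the client ever completed a handshake, which separates a key or AllowedIPs mistake (no handshake at all) from a routing or forwarding problem (handshake fine, no traffic). The following is an added example, not part of the original page: a small check over constructed dump output with placeholder keys, which flags peers that never handshaked or whose last handshake is older than a threshold. With PersistentKeepalive = 25 an idle peer still rekeys roughly every two minutes, so the 180 s threshold used here is an assumption that suits this page's setup.

```shell
# Constructed sample of `wg show wg0 dump` output on the server, with placeholder
# keys. Line 1: interface (private-key public-key listen-port fwmark). Each
# later line is one peer: public-key preshared-key endpoint allowed-ips
# latest-handshake transfer-rx transfer-tx persistent-keepalive. Fields are
# tab separated; latest-handshake is a Unix timestamp, 0 means never.
SAMPLE_DUMP=$(
  printf '%s\t%s\t%s\t%s\n' SERVER_PRIVKEY_PLACEHOLDER SERVER_PUBKEY_PLACEHOLDER 4242 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' CLIENT_PUBKEY_PLACEHOLDER '(none)' \
    203.0.113.7:51820 10.42.0.2/32 1738000000 1500 2200 25
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' OTHER_PUBKEY_PLACEHOLDER '(none)' \
    '(none)' 10.42.0.3/32 0 0 0 off
)

# wg_stale_peers DUMP NOW MAX_AGE
#   DUMP     text of `wg show <iface> dump`
#   NOW      current Unix time (e.g. "$(date +%s)")
#   MAX_AGE  oldest acceptable handshake age in seconds
# Prints "<allowed-ips> <reason>" for every peer that has never handshaked or
# whose last handshake is older than MAX_AGE. Exit status 0 if all peers are
# fresh, 1 otherwise, so it can drive a cron or systemd timer alert.
wg_stale_peers() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="$3" '
        NR == 1 { next }                      # interface line, not a peer
        {
            ips = $4; hs = $5
            if (hs == 0) { print ips " never-handshaked"; bad = 1; next }
            age = now - hs
            if (age > max) { print ips " stale " age "s"; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Live usage on the server (not run here):
#   wg_stale_peers "$(wg show wg0 dump)" "$(date +%s)" 180
```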


The source code to this website is under the MIT license.
Unless otherwise specified, the text and images on this site are under CC BY-SA 4.0.