WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
If you want to use your services at home, wherever you are, the following steps are required.
If you do not have a static IP from your Internet Service Provider (ISP), a Dynamic DNS (DDNS) is required. So you need to create an account with one of the providers listed below:
Install ddclient, then search the configuration file for your chosen provider and enter your credentials there.
pacman -S ddclient
nano /etc/ddclient/ddclient.conf
systemctl enable --now ddclient.service
We will use Wireguard to access your server over the Internet. To do this, you must open a port in your router and forward it to your server.
WireGuard listens on port 51820 by default. If you want to change this, you need to forward the port to your chosen number and adjust the tutorial accordingly.
The example below is based on OPNsense, but it is basically the same for other devices as well.
The example below also uses a different destination port (1212). If you change this as well, you also have to change Endpoint = <server public IP or domain>:1212 in the client configurations:
Do everything with root.
su
pacman -S wireguard-tools
cd /etc/wireguard/
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
Copy and paste the private key under PrivateKey =.
cat privatekey
nano wg0.conf
[Interface]
PrivateKey = <Private Key>
Address = 10.0.0.1/24
ListenPort = 51820
cat /etc/wireguard/clients/phones/pinephone/publickey
cat /etc/wireguard/clients/phones/pinephone/presharedkey
nano /etc/wireguard/wg0.conf
[Peer]
# pinephone
PublicKey = <client public key>
PresharedKey = <preshared key>
AllowedIPs = 10.0.0.2/32
Create a client for each device you want to connect: laptop, desktop, phone and so on.
mkdir -p /etc/wireguard/clients/phones/pinephone/
cd /etc/wireguard/clients/phones/pinephone/
# wg genpsk takes no input, so it is a separate command rather than the last stage of the pipe
umask 077; wg genkey | tee privatekey | wg pubkey > publickey; wg genpsk > presharedkey
cat privatekey && cat /etc/wireguard/publickey && cat presharedkey
nano pinephone.conf
[Interface]
PrivateKey = <pinephones-privatekey>
Address = 10.0.0.2/24

[Peer]
PublicKey = <server public key>
PresharedKey = <preshared key>
Endpoint = <server public IP or domain>:51820
AllowedIPs = 0.0.0.0/0
Optionally, add a DNS entry under [Interface] in the configuration of your client, e.g. if you do not want to use the DNS server of your provider:
DNS = <dns server>
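The key-generation and configuration steps above can be reproduced and checked in code. The following is an added example, not part of this tutorial and not code from the WireGuard project: it implements the same X25519 derivation that `wg pubkey` performs (a pure-Python RFC 7748 Montgomery ladder, verified against the RFC's own test vectors), mimics `wg genkey` / `wg genpsk`, and renders the server [Peer] block and the client configuration in the exact layout used above. The peer name, addresses and endpoint placeholder are the tutorial's; everything else is assumed.

```python
import base64
import os

# Curve25519 parameters from RFC 7748: the field prime and a24 = (A - 2) / 4.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

# RFC 7748 section 6.1 test vectors (Alice and Bob), used by the self-check below.
RFC_ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
RFC_ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
RFC_BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
RFC_BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
RFC_SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def clamp(private: bytes) -> bytes:
    """Scalar clamping from RFC 7748; `wg genkey` emits keys that are already clamped."""
    k = bytearray(private)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(private: bytes, u: bytes) -> bytes:
    """X25519 scalar multiplication (RFC 7748 section 5 Montgomery ladder), pure Python."""
    k = int.from_bytes(clamp(private), "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def rfc7748_selfcheck() -> bool:
    """True if this ladder reproduces the RFC 7748 public keys and shared secret."""
    return (x25519(RFC_ALICE_PRIV, BASEPOINT) == RFC_ALICE_PUB
            and x25519(RFC_BOB_PRIV, BASEPOINT) == RFC_BOB_PUB
            and x25519(RFC_ALICE_PRIV, RFC_BOB_PUB) == RFC_SHARED
            and x25519(RFC_BOB_PRIV, RFC_ALICE_PUB) == RFC_SHARED)


def wg_genkey() -> str:
    """Like `wg genkey`: 32 random, clamped bytes, base64 encoded."""
    return base64.b64encode(clamp(os.urandom(32))).decode()


def wg_genpsk() -> str:
    """Like `wg genpsk`: 32 random bytes, base64 encoded (a symmetric key, so no clamping)."""
    return base64.b64encode(os.urandom(32)).decode()


def wg_pubkey(private_b64: str) -> str:
    """Like `wg pubkey`: derive the base64 public key from a base64 private key."""
    private = base64.b64decode(private_b64)
    if len(private) != 32:
        raise ValueError("a WireGuard key is exactly 32 bytes")
    return base64.b64encode(x25519(private, BASEPOINT)).decode()


def render_client_conf(client_priv: str, server_pub: str, psk: str, address: str,
                       endpoint: str, dns: str = "") -> str:
    """Client side of the tutorial's config: full tunnel (AllowedIPs = 0.0.0.0/0)."""
    lines = ["[Interface]", f"PrivateKey = {client_priv}", f"Address = {address}"]
    if dns:
        lines.append(f"DNS = {dns}")
    lines += ["", "[Peer]", f"PublicKey = {server_pub}", f"PresharedKey = {psk}",
              f"Endpoint = {endpoint}", "AllowedIPs = 0.0.0.0/0"]
    return "\n".join(lines) + "\n"


def render_server_peer(name: str, client_pub: str, psk: str, client_ip: str) -> str:
    """Server side: the [Peer] block appended to wg0.conf, pinned to the client's single IP."""
    return "\n".join(["[Peer]", f"# {name}", f"PublicKey = {client_pub}",
                      f"PresharedKey = {psk}", f"AllowedIPs = {client_ip}/32"]) + "\n"


if __name__ == "__main__":
    assert rfc7748_selfcheck()
    server_priv, client_priv, psk = wg_genkey(), wg_genkey(), wg_genpsk()
    print(render_server_peer("pinephone", wg_pubkey(client_priv), psk, "10.0.0.2"))
    print(render_client_conf(client_priv, wg_pubkey(server_priv), psk, "10.0.0.2/24",
                             "<server public IP or domain>:51820", dns="10.0.0.1"))
```

Feeding a key produced by the real `wg genkey` into `wg_pubkey` gives the same string as `wg pubkey`, which is a handy way to confirm that the PublicKey you pasted into a [Peer] block really belongs to the PrivateKey on the other side. For production keys keep using the `wg` tool; the pure-Python ladder is for understanding and checking, not for speed or side-channel resistance.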
Set the right permissions. A plain chmod -R 600 would also strip the execute bit from the client directories, which makes them non-traversable for anyone but root, so use the X mode: directories become 700 and key files 600.
chmod -R u=rwX,go= /etc/wireguard/clients/
Copy your .conf file to your device.
scp pinephone.conf USER@IP:~/
You can also create a QR code and scan it with the WireGuard app on the phone.
pacman -S qrencode
qrencode -t ansiutf8 < pinephone.conf
If you need more clients, repeat the client steps for each device and add its [Peer] block to the server configuration alongside the others, each with its own address in AllowedIPs.
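AllowedIPs does double duty in WireGuard: it is a routing table (packets for an address go to the one peer whose AllowedIPs contain it, longest prefix winning) and an ingress filter (packets arriving from a peer are dropped unless their source lies in that peer's AllowedIPs). That is why the server lists each client as a /32 while the client lists the server as 0.0.0.0/0, and why copy-pasting a [Peer] block without changing its AllowedIPs silently moves that address to the last peer loaded. The following is an added example, not part of this tutorial, that models the lookup and flags duplicate prefixes; the peer tables are constructed from the addresses used above, and the split-tunnel table is an assumption for contrast.

```python
import ipaddress

# Constructed peer tables mirroring the tutorial: on the server each client gets a /32,
# on the client the server gets 0.0.0.0/0 (full tunnel). The split-tunnel table is assumed.
SERVER_PEERS = {"pinephone": "10.0.0.2/32", "laptop": "10.0.0.3/32"}
FULL_TUNNEL_CLIENT = {"server": "0.0.0.0/0"}
SPLIT_TUNNEL_CLIENT = {"server": "10.0.0.0/24, 192.168.1.0/24"}


def parse_allowed_ips(allowed: str) -> list:
    """Split a comma-separated AllowedIPs value into ip_network objects."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in allowed.split(",") if part.strip()]


def select_peer(peers: dict, destination: str):
    """Cryptokey routing lookup: the peer whose AllowedIPs match by longest prefix, or None.

    None means the kernel has no peer for that address: on the server the packet is
    dropped, on a split-tunnel client it leaves through the normal (untunnelled) route.
    """
    addr = ipaddress.ip_address(destination)
    best_name, best_len = None, -1
    for name, allowed in peers.items():
        for net in parse_allowed_ips(allowed):
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


def duplicate_allowed_ips(peers: dict) -> list:
    """Prefixes assigned to more than one peer; a prefix can belong to only one peer at a time,
    so the peer loaded last takes it over and the earlier peer loses connectivity."""
    owners = {}
    for name, allowed in peers.items():
        for net in parse_allowed_ips(allowed):
            owners.setdefault(str(net), []).append(name)
    return sorted((net, names) for net, names in owners.items() if len(names) > 1)


if __name__ == "__main__":
    print("10.0.0.2 on the server goes to", select_peer(SERVER_PEERS, "10.0.0.2"))
    print("1.1.1.1 on a full-tunnel client goes to", select_peer(FULL_TUNNEL_CLIENT, "1.1.1.1"))
    print("1.1.1.1 on a split-tunnel client goes to", select_peer(SPLIT_TUNNEL_CLIENT, "1.1.1.1"))
    print("duplicates:", duplicate_allowed_ips({**SERVER_PEERS, "copy": "10.0.0.2/32"}))
```

Running `duplicate_allowed_ips` over the [Peer] blocks of wg0.conf before restarting the service catches the copy-paste case; on a live server, `wg show wg0 allowed-ips` lists what the kernel actually ended up with.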
systemctl stop wg-quick@wg0.service
systemctl enable --now wg-quick@wg0.service
The firewall configuration is based on firewalld: create a new zone named wireguard and add the wg0 interface to that zone.
You can check your clients' connections with the command wg on your WireGuard server. You should see:
latest handshake: 1 minute, 52 seconds ago
transfer: 1.22 MiB received, 3.80 MiB sent
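The handshake line is the quickest health signal: a peer that is passing traffic re-handshakes roughly every two minutes, so a handshake that is hours old, or missing entirely, means the client is not talking to the server. The following is an added example, not part of this tutorial, that parses the human-readable `wg show` output into per-peer records and lists the peers that look stale. The sample output is constructed to match the format shown above; the peer names, endpoints and the 180-second threshold are assumptions.

```python
import re

# Constructed sample of `wg show wg0` output (not captured from a real host). The
# handshake and transfer lines follow the format the tutorial shows; the third peer
# has never completed a handshake, so wg prints no "latest handshake" line for it.
SAMPLE_WG_SHOW = """\
interface: wg0
  public key: <server public key>
  private key: (hidden)
  listening port: 51820

peer: <pinephone public key>
  preshared key: (hidden)
  endpoint: 198.51.100.23:41873
  allowed ips: 10.0.0.2/32
  latest handshake: 1 minute, 52 seconds ago
  transfer: 1.22 MiB received, 3.80 MiB sent

peer: <laptop public key>
  preshared key: (hidden)
  endpoint: 203.0.113.7:51820
  allowed ips: 10.0.0.3/32
  latest handshake: 3 hours, 4 minutes, 10 seconds ago
  transfer: 512 B received, 1.02 KiB sent

peer: <desktop public key>
  preshared key: (hidden)
  allowed ips: 10.0.0.4/32
"""

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def handshake_age_seconds(text: str) -> int:
    """Turn '1 minute, 52 seconds ago' into 112 by summing every '<n> <unit>' pair."""
    return sum(int(n) * UNIT_SECONDS[unit]
               for n, unit in re.findall(r"(\d+) (second|minute|hour|day)s?", text))


def parse_wg_show(output: str) -> dict:
    """Map each peer's public key to its endpoint, allowed ips and handshake age (None if never)."""
    peers, current = {}, None
    for line in output.splitlines():
        if line.startswith("peer: "):
            current = line[len("peer: "):].strip()
            peers[current] = {"endpoint": None, "allowed_ips": None, "handshake_age": None}
        elif current and ":" in line:
            key, _, value = line.strip().partition(":")  # first colon only: endpoints contain one too
            value = value.strip()
            if key == "latest handshake":
                peers[current]["handshake_age"] = handshake_age_seconds(value)
            elif key == "allowed ips":
                peers[current]["allowed_ips"] = value
            elif key == "endpoint":
                peers[current]["endpoint"] = value
    return peers


def stale_peers(peers: dict, max_age: int = 180) -> list:
    """Peers that never handshaked or whose last handshake is older than max_age seconds."""
    return sorted(name for name, p in peers.items()
                  if p["handshake_age"] is None or p["handshake_age"] > max_age)


if __name__ == "__main__":
    parsed = parse_wg_show(SAMPLE_WG_SHOW)
    for name, info in parsed.items():
        print(name, info)
    print("stale:", stale_peers(parsed))
```

A peer that is simply idle also stops re-handshaking, so treat "stale" as "worth a look" rather than "broken"; for scripted monitoring prefer `wg show wg0 dump`, whose tab-separated output carries the last-handshake time as a Unix timestamp instead of the prose form parsed here.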
Also check the public IP address of your clients, for example with https://dnsleaktest.com; it should be the IP address of your home. Click the Extended test button to see which DNS server you are using; on an Android device this can differ if DNS is not set on the client side.