Problems encountered when setting up an internet-access server

Quick and easy VPNs with WireGuard

PHPer, 2020-05-06
If a message like the following is shown when the configuration is loaded:

    Warning: `/etc/wireguard/wg0.conf' is world accessible

it means that the configuration file permissions are too broad, which they shouldn't be, as there's a private key in there. This can be fixed with: sudo chmod 600 /etc/wireguard/wg0.conf

Sep 15, 2018 • Tiago Ilieve

WireGuard is the new kid on the block in the world of VPNs. It has been receiving a lot of attention lately, especially after Linus Torvalds himself praised the project last month, resulting in in-depth guides about its characteristics being published. The problem is that practical guides about its setup, including the official one, don't show how quick and easy it is to do that. They are full of lengthy, complex and unneeded commands, when all that is needed is a few simple configuration files.

This guide won't describe how to actually install WireGuard, as this is thoroughly covered by the official documentation for every supported platform. It consists of a loadable kernel module that allows virtual WireGuard network interfaces to be created. Here, an EC2 instance located in Ireland and a virtual machine (based on Vagrant/VirtualBox) in Germany, both running Ubuntu, will be connected.

The first step is to generate a pair of keys for every machine. WireGuard's authentication system doesn't rely on passwords or on certificates that require hard-to-maintain Certification Authorities (CAs). Everything is done using private/public key pairs, much like SSH authentication:

    $ wg genkey | tee privatekey | wg pubkey > publickey
    $ ls -lh
    total 8.0K
    -rw-rw-r-- 1 ubuntu ubuntu 45 Sep 15 14:31 privatekey
    -rw-rw-r-- 1 ubuntu ubuntu 45 Sep 15 14:31 publickey

On the server, the /etc/wireguard/wg0.conf configuration file will look like this:

    [Interface]
    PrivateKey = 4MtNd3vq/Zb5tc8VgoigLyuONWoCQmnzLKFNuSYLiFY=
    Address = 192.168.255.1/24
    ListenPort = 51820
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sysctl net.ipv4.ip_forward=1
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; sysctl net.ipv4.ip_forward=0

    [Peer]
    PublicKey = 0+/w1i901TEFRmEcUECqWab/nwmq0dZLehMzSOKUo04=
    AllowedIPs = 192.168.255.2/32

Here’s an explanation of its fields:

  • PrivateKey is the server's private key. It proves that the server is who it says it is, and the same will be valid for the clients on the other end: each one will be able to validate the identity of the other.
  • Address is the IP and network mask for the VPN network.
  • ListenPort tells on which UDP port the server will listen for connections.
  • PostUp holds the firewall rules and system commands that are needed for the server to act as a gateway, forwarding all network traffic. PostDown will disable them when the VPN is deactivated. eth0 is the name of the main network interface, which can be something different, like ens5, if systemd's Predictable Network Interface Names are being used.
  • PublicKey and AllowedIPs define which peers can connect to this server, through a combination of IPs and key pairs. It's important to notice that the IPs defined here are within the VPN network range. Those are not the actual IPs which the client will use to connect to the server over the internet.

The client will also have a /etc/wireguard/wg0.conf configuration file, but it will be a little bit different:

    [Interface]
    PrivateKey = yDZjYQwYdsgDmySbUcR0X7b+rdwfZ91rFYxz6m/NT08=
    Address = 192.168.255.2/24

    [Peer]
    PublicKey = e1HJ0ed/lUmCDRUGjCwFZ9Qm2Lt14jNE77TKXyIS1yk=
    AllowedIPs = 0.0.0.0/0
    Endpoint = ec2-34-253-52-138.eu-west-1.compute.amazonaws.com:51820

The PrivateKey and Address fields here have the same meaning as on the server. The difference is that the Interface section won't contain the server parts, like the listening port and firewall commands. The Peer section contains the following fields: ...
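As an added example (not code from the original post), the following POSIX shell script assembles the server and client wg0.conf files described above from a few variables and includes a check for the permission problem behind the "world accessible" warning, since the key-generation listing above shows files created group- and world-readable. It writes the files with owner-only permissions from the start, so no chmod fix-up is needed afterwards; it assumes GNU stat (as on Ubuntu), and the key and endpoint arguments are constructed placeholders, not real keys.

```shell
# Added example, not from the original post. Assemble the server and client
# wg0.conf described above and keep them readable by their owner only.
# Assumes GNU stat (Ubuntu); key and endpoint arguments are placeholders.

# Return 0 when group or others have any permission bit on the file, which is
# the condition behind the "world accessible" warning (private key exposed).
wg_conf_world_accessible() {
    mode=$(stat -c '%a' "$1") || return 2    # e.g. 600, 644, 2755
    case "$mode" in
        *00) return 1 ;;   # owner-only (600/700): fine
        *)   return 0 ;;   # some group/other bit set: too broad
    esac
}

# Server config. $1 = path, $2 = server private key, $3 = WAN interface
# (eth0, or ens5 with predictable names), $4 = client public key.
# Runs in a subshell so the umask does not leak into the caller.
write_server_conf() (
    umask 077                  # file is created 0600, no chmod needed afterwards
    cat > "$1" <<EOF
[Interface]
PrivateKey = $2
Address = 192.168.255.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $3 -j MASQUERADE; sysctl net.ipv4.ip_forward=1
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $3 -j MASQUERADE; sysctl net.ipv4.ip_forward=0

[Peer]
PublicKey = $4
AllowedIPs = 192.168.255.2/32
EOF
)

# Client config. $1 = path, $2 = client private key, $3 = server public key,
# $4 = server endpoint host:port. AllowedIPs 0.0.0.0/0 sends all traffic via wg0.
write_client_conf() (
    umask 077
    cat > "$1" <<EOF
[Interface]
PrivateKey = $2
Address = 192.168.255.2/24

[Peer]
PublicKey = $3
AllowedIPs = 0.0.0.0/0
Endpoint = $4
EOF
)
```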

Updated: 2022-07-15 12:21:47