WireGuard

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable.

Generating Keys

The communication protocol and cryptography are different from SSH, but the concepts are the same: both the client and the server generate a public/private key pair, and the public keys are exchanged before any communication takes place.

All traffic to the server is encrypted with the server-public-key and can only be decrypted with the server-private-key. Similarly, all traffic to the client is encrypted with the client-public-key and can only be decrypted with the client-private-key.

The steps for both server and client are similar:

  1. set the umask to 077 so that all the files we're about to create are accessible only to their owner (700, rwx------)
  2. run wg genkey to generate a private key, write it to a file with tee, and pipe the same key into wg pubkey to derive the public key, which is written to a second file

Server

# umask 077
# wg genkey | tee server.key | wg pubkey > server.pub
# cat server.key
<server-private-key>
# cat server.pub
<server-public-key>

Client

# umask 077
# wg genkey | tee client.key | wg pubkey > client.pub
# cat client.key
<client-private-key>
# cat client.pub
<client-public-key>

Server Configuration

[Interface]
PrivateKey = <server-private-key>
Address = 10.0.99.1/24
ListenPort = 51820

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.99.2/32

Client Configuration

[Interface]
PrivateKey = <client-private-key>
Address = 10.0.99.2/32
ListenPort = 51820

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0

Generate PresharedKey (optional)

# wg genpsk
<psk>

Add the same PresharedKey parameter to the [Peer] section of both the server and the client configuration file, so that each side mixes the identical symmetric key into its handshake.

[Peer]
...
PresharedKey = <psk>
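The key-generation and configuration steps above, put together as a small POSIX shell script. This is an added example, not code from the WireGuard project or from this page: it generates a key pair with the same umask/wg pipeline, checks that a key has the expected 32-byte base64 shape before it is written into a config, and renders the server and client files (including the optional PresharedKey). The Endpoint line in the client config is an addition the page does not show; the client needs it to know where to send its first handshake, and <server-ip> is a placeholder.

```shell
#!/bin/sh
# Added example (not from the page): generate WireGuard keys as the page does,
# then render matching server/client configs from those keys.
set -eu

# A WireGuard key is 32 bytes, base64-encoded: 43 base64 chars plus one '='.
# Use this before writing a key into a config to catch a truncated or
# mis-pasted value early instead of at handshake time.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# gen_keypair NAME -> writes NAME.key and NAME.pub, owner-only permissions.
# Requires the `wg` tool from wireguard-tools.
gen_keypair() {
    umask 077
    wg genkey | tee "$1.key" | wg pubkey > "$1.pub"
}

# render_server_conf SERVER_PRIV CLIENT_PUB [PSK]  -> prints the server config
render_server_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = 10.0.99.1/24\nListenPort = 51820\n\n' "$1"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 10.0.99.2/32\n' "$2"
    [ $# -ge 3 ] && printf 'PresharedKey = %s\n' "$3"
    return 0
}

# render_client_conf SERVER_PUB CLIENT_PRIV ENDPOINT [PSK] -> prints the client config
# ENDPOINT is host:port of the server, e.g. <server-ip>:51820 (placeholder).
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = 10.0.99.2/32\n\n' "$2"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s\n' "$1" "$3"
    [ $# -ge 4 ] && printf 'PresharedKey = %s\n' "$4"
    return 0
}

# Stand-alone usage on a host with wireguard-tools installed:
#   gen_keypair server; gen_keypair client; psk=$(wg genpsk)
#   render_server_conf "$(cat server.key)" "$(cat client.pub)" "$psk" > server-wg0.conf
#   render_client_conf "$(cat server.pub)" "$(cat client.key)" '<server-ip>:51820' "$psk" > client-wg0.conf
```

Because the configs are written from the key files rather than copied by hand, the server file never receives the client's private key and vice versa; only the two .pub files need to cross the wire.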