Building an Interface

The next step is to create one virtual network interface per device for WireGuard. This is the equivalent of eth0 or wlan0. However, since traffic is tunneled separately with WireGuard, the system requires one interface for routing. The default for the first interface in WireGuard is wg0 (which we will use for simplicity's sake). If you prefer a different name, this is not a problem as long as you use it consistently.

The interface you created requires a specific IP range. In order to distinguish it from the 192.168.<x>.<y> common on LANs, use IPs from the private network address range 10.0.10.x [7] for wg0, which you then make available to the outside world via masquerading [8]. For the configuration, save Listing 4 (server) and Listing 5 (client) in the /etc/wireguard/wg0.conf file.

[Interface]
Address = 10.0.10.1/24,fd42:42:42::1/64
SaveConfig = true
PrivateKey = <Key from client1.key>
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -j MASQUERADE; iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -F; iptables -t nat -F
PostDown = ip6tables -F; ip6tables -t nat -F
DNS = <IP Address of the WLAN Router>
[Peer]
PublicKey = <Key from client2.pub>
AllowedIPs = 10.0.10.2/32,fd42:42:42::/64

[Interface]
Address = 10.0.10.2/32,fd42:42:42::2/64
PrivateKey = <Key from client2.key>
DNS = 10.0.10.1
[Peer]
PublicKey = <Key from client1.pub>
Endpoint = <beispiel.dyndns.com>:51820
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 20

Be sure to enter the cryptographic keys from the key files. You will also want to tell the server to use the WLAN router as a DNS server using the DNS = [...] line. The WireGuard client, on the other hand, needs to use the DNS = 10.0.10.1 option to query the WireGuard computer as its DNS server. The server configuration includes the same rules for starting up and shutting down the interface.

WireGuard uses port 51820 as the default port. If you want to use a different port, adjust the ListenPort = 51820 line accordingly. You then control the connection setup with the command:

sudo wg-quick up wg0

You can shut down the VPN again by typing:

sudo wg-quick down wg0

The sudo wg command tells WireGuard to display information on the current status (Figure 3). To activate wg0 automatically at system startup time, type the following command on both computers:

sudo systemctl enable wg-quick@wg0

Figure 3: The sudo wg command delivers information and statistics on the status of your WireGuard VPN.

UFW

The easiest way to configure the port sharing settings is via the Uncomplicated Firewall (UFW) iptables front end (Listing 6), which is preinstalled on Ubuntu and included in most distributions' package sources. There is also the Gufw graphical interface. After installation, if necessary, allow port 22/TCP for SSH on both devices and open 51820/UDP or your chosen port (Figure 4).

$ sudo ufw allow 22/tcp
$ sudo ufw allow <51820>/udp  ### Or the port chosen by the system
$ sudo ufw enable
$ sudo ufw status verbose
Status: Active
Logging: on (low)
Default: deny (incoming), allow (outbound), deny (sent)
New profiles: skip
To                         Action      From
--                         ------      ---
22/tcp                     ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)

Figure 4: Using UFW, you can allow access via SSH and open up the port for WireGuard. Setting up the iptables firewall is not absolutely necessary, but it does give the system additional security.

Conclusions

If you have no errors in the configuration, you should be able to ping the other IP address. From our personal experience, we found that configuration errors can happen easily. However, WireGuard can be set up quite quickly with about an hour of concentrated work. You can then extend the configuration to include additional clients, such as Android smartphones, using the same principle.