Build a VPN Tunnel with WireGuard
Building an Interface
The next step is to create one virtual network interface per device for WireGuard. This is the equivalent of eth0
or wlan0
. However, since traffic is tunneled separately with WireGuard, the system requires one interface for routing. The default for the first interface in WireGuard is wg0
(which we will use for simplicity's sake). If you prefer a different name, this is not a problem as long as you use it consistently.
The interface you created requires a specific IP range. In order to distinguish it from the 192.168.<x>.<y> common on LANs, use IPs from the private network address range 10.0.10.x [7] for wg0
, which you then make available to the outside world via masquerading [8]. For the configuration, save Listing 4 (server) and Listing 5 (client) in the /etc/wireguard/wg0.conf
file.
Listing 4
Server Configuration
[Interface] Address = 10.0.10.1/24,fd42:42:42::1/64 SaveConfig = true PrivateKey = <Key from client1.key> ListenPort = 51820 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -j MASQUERADE; iptables -A FORWARD -o wg0 -j ACCEPT PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -A FORWARD -o wg0 -j ACCEPT PostDown = iptables -F; iptables -t nat -F PostDown = ip6tables -F; ip6tables -t nat -F DNS = <IP Address of the WLAN Router> [Peer] PublicKey = <Key from client2.pub> AllowedIPs = 10.0.10.2/32,fd42:42:42::/64
Listing 5
Client Configuration
[Interface] Address = 10.0.10.2/32,fd42:42:42::2/64 PrivateKey = <Key from client2.key> DNS = 10.0.10.1 [Peer] PublicKey = <Key from client1.pub> Endpoint = <beispiel.dyndns.com>:51820 AllowedIPs = 0.0.0.0/0,::/0 PersistentKeepalive = 20
Be sure to enter the cryptographic keys from the key files. You will also want to tell the server to use the WLAN router as a DNS server using the DNS = [...]
line. The WireGuard client, on the other hand, needs to use the DNS = 10.0.10.1
option to query the WireGuard computer as its DNS server. The server configuration includes the same rules for starting up and shutting down the interface.
WireGuard uses port 51820 as the default port. If you want to use a different port, adjust the ListenPort = 51820
line accordingly. You then control the connection setup with the command:
sudo wg-quick up wg0
You can shut down the VPN again by typing:
sudo wg-quick down wg0
The sudo wg
command tells WireGuard to display information on the current status (Figure 3). To activate wg0
automatically at system startup time, type the following command on both computers:
sudo systemctl enable wg-quick@wg0

UFW
The easiest way to configure the port sharing settings is via the Uncomplicated Firewall (UFW) iptables front end (Listing 6), which is preinstalled on Ubuntu and included in most distributions' package sources. There is also the Gufw graphical interface. After installation, if necessary, allow port 22/TCP for SSH on both devices and open 51820/UDP or your chosen port (Figure 4).
Listing 6
Configuring Port Sharing with UFW
$ sudo ufw allow 22/tcp $ sudo ufw allow <51820>/udp ### Or the port chosen by the system $ sudo ufw enable $ sudo ufw status verbose Status: Active Logging: on (low) Default: deny (incoming), allow (outbound), deny (sent) New profiles: skip To Action From -- ------ --- 22/tcp ALLOW IN Anywhere 51820/udp ALLOW IN Anywhere 22/tcp (v6) ALLOW IN Anywhere (v6) 51820/udp (v6) ALLOW IN Anywhere (v6)

Conclusions
If you have no errors in the configuration, you should be able to ping the other IP address. From our personal experience, we found that configuration errors can happen easily. However, WireGuard can be set up quite quickly with about an hour of concentrated work. You can then extend the configuration to include additional clients, such as Android smartphones, using the same principle.
Infos
- WireGuard: https://www.wireguard.com/
- "Linux Torvalds Is Hoping WireGuard Will Be Merged Sooner Rather Than Later" by Michael Larabel, August 3, 2018, https://www.phoronix.com/scan.php?page=news_item&px=Linus-Likes-WireGuard
- ChaCha20: https://cr.yp.to/chacha.html
- Curve25519: https://cr.yp.to/ecdh.html
- Installation: https://www.wireguard.com/install
- DynDNS Service: https://dyndnss.net/eng/
- Private IP addresses: https://en.wikipedia.org/wiki/Private_network
- Masquerading: https://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/ipmasq-background2.1.html
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
News
-
Red Hat Migrates RHEL from Xorg to Wayland
If you've been wondering when Xorg will finally be a thing of the past, wonder no more, as Red Hat has made it clear.
-
PipeWire 1.0 Officially Released
PipeWire was created to take the place of the oft-troubled PulseAudio and has finally reached the 1.0 status as a major update with plenty of improvements and the usual bug fixes.
-
Rocky Linux 9.3 Available for Download
The latest version of the RHEL alternative is now available and brings back cloud and container images for ppc64le along with plenty of new features and fixes.
-
Ubuntu Budgie Shifts How to Tackle Wayland
Ubuntu Budgie has yet to make the switch to Wayland but with a change in approaches, they're finally on track to making it happen.
-
TUXEDO's New Ultraportable Linux Workstation Released
The TUXEDO Pulse 14 blends portability with power, thanks to the AMD Ryzen 7 7840HS CPU.
-
AlmaLinux Will No Longer Be "Just Another RHEL Clone"
With the release of AlmaLinux 9.3, the distribution will be built entirely from upstream sources.
-
elementary OS 8 Has a Big Surprise in Store
When elementary OS 8 finally arrives, it will not only be based on Ubuntu 24.04 but it will also default to Wayland for better performance and security.
-
OpenELA Releases Enterprise Linux Source Code
With Red Hat restricting the source for RHEL, it was only a matter of time before those who depended on that source struck out on their own.
-
StripedFly Malware Hiding in Plain Sight as a Cryptocurrency Miner
A rather deceptive piece of malware has infected 1 million Windows and Linux hosts since 2017.
-
Experimental Wayland Support Planned for Linux Mint 21.3
As with most Linux distributions, the migration to Wayland is in full force. While some distributions have already made the move, Linux Mint has been a bit slower to do so.