Local host parameters:
Remote host (peer) public IP: 1.2.3.4
Local host public IP: 6.7.8.9
Address of (local) WireGuard interface (wg0): 10.10.10.1/32
WireGuard listen port: 51820
Local private key: xxxx
Local public key: yyyy
Remote public key: zzzz
Remote network address: 10.0.0.0/24
Local network address: 192.168.1.0/24
Create the private key:
wg genkey | tee /etc/wireguard/private.key
chmod go= /etc/wireguard/private.key
Create the corresponding public key:
cat /etc/wireguard/private.key | wg pubkey | tee /etc/wireguard/public.key
Create the config file (/etc/wireguard/wg0.conf) with the following content:
[Interface]
Address = 10.10.10.1/32
SaveConfig = true
PostUp = ip rule add table 200 from 6.7.8.9
PostUp = ip route add table 200 default via 6.7.8.9
PreDown = ip rule delete table 200 from 6.7.8.9
PreDown = ip route delete table 200 default via 6.7.8.9
ListenPort = 51820
PrivateKey = xxxx
[Peer]
PublicKey = zzzz
AllowedIPs = 10.0.0.0/24
Endpoint = 1.2.3.4:51820
Add firewall rules to the config file [/etc/nftables.conf] (these can be created on the fly as well, but I prefer a static firewall config).
Forward chain:
iifname "wg0" ip saddr 10.0.0.0/24 ip daddr 192.168.1.0/24 counter packets 0 bytes 0 accept
oifname "wg0" ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 counter packets 0 bytes 0 accept
Postrouting chain:
ip saddr 10.0.0.0/24 ip daddr 192.168.1.0/24 counter packets 0 bytes 0 accept
ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 counter packets 0 bytes 0 accept
Remote host (peer) parameters:
Remote host (peer) public IP: 6.7.8.9
Local host public IP: 1.2.3.4
Address of (local) WireGuard interface (wg0): 10.10.10.2/32
WireGuard listen port: 51820
Local private key: jklm (see key generation above)
Local public key: defg (see key generation above)
Remote public key: yyyy
Remote network address: 192.168.1.0/24
Local network address: 10.0.0.0/24
Create the private key:
wg genkey | tee /etc/wireguard/private.key
chmod go= /etc/wireguard/private.key
Create the corresponding public key:
cat /etc/wireguard/private.key | wg pubkey | tee /etc/wireguard/public.key
Create the WireGuard config file (/etc/wireguard/wg0.conf) on the remote host with the following content (note that AllowedIPs here is the network behind the local host, 192.168.1.0/24, not the remote host's own LAN):
[Interface]
Address = 10.10.10.2/32
SaveConfig = true
PostUp = ip rule add table 200 from 1.2.3.4
PostUp = ip route add table 200 default via 1.2.3.4
PreDown = ip rule delete table 200 from 1.2.3.4
PreDown = ip route delete table 200 default via 1.2.3.4
ListenPort = 51820
PrivateKey = jklm
[Peer]
PublicKey = yyyy
AllowedIPs = 192.168.1.0/24
Endpoint = 6.7.8.9:51820
Add firewall rules to the config file [/etc/nftables.conf] (these can be created on the fly as well, but I prefer a static firewall config).
Forward chain:
iifname "wg0" ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 counter packets 0 bytes 0 accept
oifname "wg0" ip saddr 10.0.0.0/24 ip daddr 192.168.1.0/24 counter packets 0 bytes 0 accept
Postrouting chain:
ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 counter packets 0 bytes 0 accept
ip saddr 10.0.0.0/24 ip daddr 192.168.1.0/24 counter packets 0 bytes 0 accept
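Before starting the service on either end it is worth cross-checking the two configs against each other: each side's AllowedIPs must cover the LAN behind the other side and must never overlap the host's own LAN or tunnel address (otherwise local traffic is pulled into the tunnel), and the Endpoint port must match the other side's ListenPort. The Python script below is an added example, not part of these notes; it embeds constructed copies of the two configs above (placeholder keys) and flags exactly those mistakes.

```python
import ipaddress

# Constructed configs mirroring the two sides described above (placeholder keys, not real ones).
LOCAL_CONF = """[Interface]
Address = 10.10.10.1/32
ListenPort = 51820
PrivateKey = xxxx
[Peer]
PublicKey = zzzz
AllowedIPs = 10.0.0.0/24
Endpoint = 1.2.3.4:51820
"""
REMOTE_CONF = LOCAL_CONF.replace("10.10.10.1/32", "10.10.10.2/32").replace("xxxx", "jklm") \
    .replace("zzzz", "yyyy").replace("10.0.0.0/24", "192.168.1.0/24").replace("1.2.3.4:", "6.7.8.9:")
# The mistake to catch: the remote side lists its *own* LAN as AllowedIPs.
BROKEN_REMOTE_CONF = REMOTE_CONF.replace("AllowedIPs = 192.168.1.0/24", "AllowedIPs = 10.0.0.0/24")

def parse_wg_conf(text):
    """Minimal wg-quick .conf parser -> {section: {key: [values]}} (repeated keys are kept)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            section.setdefault(key, []).append(value)
    return conf

def networks(values):
    """Expand comma-separated Address/AllowedIPs values into ip_network objects."""
    return [ipaddress.ip_network(v.strip(), strict=False) for value in values for v in value.split(",")]

def check_site(conf_text, own_lan, other_lan, other_listen_port):
    """Return a list of problems for one side's wg0.conf (an empty list means it looks sane)."""
    conf = parse_wg_conf(conf_text)
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    own_nets = networks(iface.get("Address", [])) + [ipaddress.ip_network(own_lan)]
    allowed = networks(peer.get("AllowedIPs", []))
    other = ipaddress.ip_network(other_lan)
    problems = []
    if not any(net.version == other.version and other.subnet_of(net) for net in allowed):
        problems.append(f"AllowedIPs does not cover the remote LAN {other}")
    for net in allowed:
        if any(net.overlaps(own) for own in own_nets):
            problems.append(f"AllowedIPs {net} overlaps this host's own address/LAN; local traffic would be routed into the tunnel")
    endpoint = peer.get("Endpoint", [""])[0]
    if endpoint.rsplit(":", 1)[-1] != str(other_listen_port):
        problems.append(f"Endpoint {endpoint!r} does not use the peer's ListenPort {other_listen_port}")
    return problems
```

Run `check_site(REMOTE_CONF, "10.0.0.0/24", "192.168.1.0/24", 51820)` on the remote host's file (and the mirror call on the local one); the BROKEN variant reproduces the own-LAN-as-AllowedIPs error and returns two findings.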
Final steps:
Start the WireGuard service:
systemctl start wg-quick@wg0.service
Check the status:
systemctl status wg-quick@wg0.service
Enable the service at boot:
systemctl enable wg-quick@wg0.service
Ping from both ends to confirm connectivity.
See this DigitalOcean link for further information on how to add IPv6 and for a more in-depth explanation.