====== Wireguard VPN ======
===== Installation =====
Linux: see [[admin:linux:wireguard|Wireguard on Linux]]
===== create keys =====
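  cd /etc/wireguard
  umask 077   # key files created below are readable by the owner only
  # print the private key to the terminal and the public key to stdout:
  wg genkey | tee /dev/tty | wg pubkey
  # or, if you want to output to file:
  wg genkey | tee privkey | wg pubkey > pubkey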
===== config =====
==== Server ====
  [Interface]
  PrivateKey =
  Address = /24
  ListenPort = 5226
  PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
  SaveConfig = true
==== Peer ====
  [Interface]
  Address = /24
  PrivateKey =
  [Peer]
  PublicKey =
  Endpoint = :5226
  AllowedIPs = 0.0.0.0/0
===== add peer =====
  wg set wg0 peer `cat clients/_public.key` allowed-ips /32
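The key creation, peer config and add-peer steps above combined into one script, as an added example that is not part of the original page. The function names, the clients/NAME_private.key and clients/NAME_public.key file layout and the argument order are assumptions; the script also refuses to continue if the private key is readable by group or others.

```shell
#!/bin/sh
# Added example, not from the original page. Hypothetical names: new_peer,
# key_is_private, render_peer_conf and the clients/NAME_*.key file layout.

# True only if FILE is a regular file with no group/other permission bits.
key_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1" | cut -c1-10)" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print a wg-quick peer config that mirrors the "Peer" section above.
# Args: private-key address/cidr server-public-key host:port
render_peer_conf() {
    printf '[Interface]\nAddress = %s\nPrivateKey = %s\n' "$2" "$1"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\n' "$3" "$4"
}

# Create keys and config for one peer, then register it on the server.
# Runs in a subshell so the umask and any exit do not affect the caller.
# Args: name tunnel-ip server-public-key host:port [interface]
new_peer() (
    name=$1 ip=$2 server_pub=$3 endpoint=$4 iface=${5:-wg0}
    umask 077                      # everything created below is owner-only
    mkdir -p clients
    priv="clients/${name}_private.key" pub="clients/${name}_public.key"
    [ -e "$priv" ] && { echo "refusing to overwrite $priv" >&2; exit 1; }
    wg genkey > "$priv"
    wg pubkey < "$priv" > "$pub"
    key_is_private "$priv" || { echo "$priv is readable by others" >&2; exit 1; }
    render_peer_conf "$(cat "$priv")" "$ip/24" "$server_pub" "$endpoint" \
        > "clients/${name}.conf"
    # Same command as in the "add peer" section: the peer may only use its own /32.
    wg set "$iface" peer "$(cat "$pub")" allowed-ips "$ip/32"
)
```

Run new_peer as root from /etc/wireguard on the server; the generated clients/NAME.conf contains the peer's private key and should be handed to the peer over a trusted channel.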
===== Tutorials =====
* [[https://www.reddit.com/r/sysadmin/comments/9dime7/wireguard_vpn_walkthrough/]]
* [[https://www.stavros.io/posts/how-to-configure-wireguard/]]
* [[https://wiki.archlinux.org/index.php/WireGuard|Arch Wiki: Wireguard]]
* [[https://technofaq.org/posts/2017/10/how-to-setup-wireguard-vpn-on-your-debian-gnulinux-server-with-ipv6-support/]]
* [[https://www.linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/]]
===== Public servers =====
* [[https://tunsafe.com/vpn|Tunsafe VPN]]
===== Windows =====
A [[https://lists.zx2c4.com/pipermail/wireguard/2021-August/006887.html|kernel-mode implementation]] has been available since August 2021 and is enabled by default.
===== Tools =====
* [[https://github.com/gravitl/netmaker|Netmaker]] – Wireguard web interface.