⚠️ This configuration may present security issues.
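# Generate the server key pair. Set a restrictive umask first: with the default umask the
# file "privatekey" would be readable by every local user.
umask 077
wg genkey | tee privatekey | wg pubkey > publickey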
/etc/wireguard/wg0.conf
), note that the private key is never transferred to another node:
[Interface]
# Key generated in the previous step. It stays on the server only; the file holding it
# must not be group/world readable (wg-quick warns when the config file is world accessible).
PrivateKey = <server private key>
# Tunnel address of the server and the netmask of the private network
Address = 10.x.y.1/24
# UDP port used for inbound WireGuard connections; open it in the host firewall
ListenPort = 2222
# Repeat the [Peer] section for each connected user/key
[Peer]
# Public key generated by the client; only the public half of the client's key pair is shared
PublicKey = <client public key>
# Addresses this client may use as source inside the tunnel; packets from this peer with any
# other source address are dropped by WireGuard's cryptokey routing
AllowedIPs = 10.x.y.2/32
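# Bring the interface up from /etc/wireguard/wg0.conf (requires root).
wg-quick up wg0
# Apply later edits of the config file to the running interface without tearing it down.
# wg(8) rejects wg-quick-only keys such as Address, so strip them first with "wg-quick strip".
wg syncconf wg0 <(wg-quick strip wg0)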
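# Generate the client key pair. Set a restrictive umask first: with the default umask the
# file "privatekey" would be readable by every local user.
umask 077
wg genkey | tee privatekey | wg pubkey > publickey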
/etc/wireguard/wg0.conf
), note that the private key is never transferred to another node:
[Interface]
# Key generated in the previous step. It stays on the client only; never copy it to the server.
PrivateKey = <client private key>
# Tunnel address of this client and the netmask of the private network
Address = 10.x.y.2/24
[Peer]
# Public key generated by the server
PublicKey = <server public key>
# Public IP address of the server and the UDP port it listens on (its ListenPort)
Endpoint = A.B.C.D:2222
# Destinations routed through the tunnel to the server. The same range also filters inbound
# traffic: packets from the server whose source is outside it are dropped (cryptokey routing).
AllowedIPs = 10.x.y.0/24
# To route all IPv4 traffic through the server, use the following line instead. Note that
# 0.0.0.0/0 does not cover IPv6 (add ::/0 if the tunnel carries IPv6) and that name
# resolution still uses the client's configured resolver unless a DNS = line is set.
# AllowedIPs = 0.0.0.0/0
# Seconds between keepalive packets; keeps the NAT mapping open so the server can reach this client
PersistentKeepalive = 25
# Bring the client tunnel up from /etc/wireguard/wg0.conf (requires root).
# A completed handshake can be checked afterwards with "wg show wg0".
wg-quick up wg0
# Enable IPv4 forwarding on every interface of the host. Takes effect immediately but is not
# persistent across reboot; to persist it, set net.ipv4.ip_forward = 1 in a file under /etc/sysctl.d/.
echo 1 > /proc/sys/net/ipv4/ip_forward
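# Enable IPv4 forwarding (not persistent across reboot; persist via net.ipv4.ip_forward = 1 under /etc/sysctl.d/).
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT only traffic that originates from the VPN subnet when it leaves via the public interface eth1.
# Without -s, MASQUERADE would also rewrite anything else the host happens to forward out of eth1.
/sbin/iptables -t nat -A POSTROUTING -s 10.x.y.0/24 -o eth1 -j MASQUERADE
# Allow replies from the public side back into the tunnel.
/sbin/iptables -A FORWARD -i eth1 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow VPN peers to open connections towards the public side. WireGuard already drops packets
# whose source is outside a peer's AllowedIPs; the -s match is defence in depth.
/sbin/iptables -A FORWARD -i wg0 -o eth1 -s 10.x.y.0/24 -j ACCEPT
# These rules set no FORWARD policy and are lost on reboot: persist them with the distribution's
# iptables-save/iptables-restore mechanism, and consider "iptables -P FORWARD DROP" so that only
# the rules above forward traffic.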
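# Enable IPv4 forwarding (not persistent across reboot; persist via net.ipv4.ip_forward = 1 under /etc/sysctl.d/).
echo 1 > /proc/sys/net/ipv4/ip_forward
# Forward TCP port 8080 arriving on the public interface to the client 10.x.y.2 inside the tunnel.
# PREROUTING and POSTROUTING exist only in the nat table, so -t nat is required; without it
# iptables fails because the filter table has no such chains.
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.x.y.2
# Permit the forwarded connection itself (FORWARD sees the packet after DNAT). Needed whenever the
# FORWARD policy is DROP; the RELATED,ESTABLISHED rule of the NAT setup only covers replies.
/sbin/iptables -A FORWARD -i eth1 -o wg0 -p tcp -d 10.x.y.2 --dport 8080 -j ACCEPT
# Rewrite the source to the server's tunnel address so the client's replies return through the
# server. Limited to the forwarded flow so that other traffic the server forwards into the tunnel
# keeps its real source address. Side effect: the service on 10.x.y.2 sees the server's tunnel
# address, not the original client IP, in its logs.
/sbin/iptables -t nat -A POSTROUTING -o wg0 -p tcp -d 10.x.y.2 --dport 8080 -j MASQUERADE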