Install WireGuard [Server] on Arch Linux
This is a very basic tutorial on how to install WireGuard on Arch Linux and use it as a VPN server, for example to reach your home LAN from remote locations.
Installation
pacman -S wireguard-tools
Configuration
In this tutorial we'll use wg0 as the name for our WireGuard interface. If you already have a WireGuard configuration named wg0, make sure to use another name for this configuration.
Server configuration
Generate server keys
First we need to generate the server's private and public key. The private key goes into the server configuration and never leaves the server; the public key is handed out to the peers.
wg genkey | tee server1-privatekey | wg pubkey > server1-publickey
Print the keys and copy them into the following configuration. Save it as /etc/wireguard/wg0.conf, which is the file that wg-quick@wg0 (used below) reads.
cat server1-privatekey && cat server1-publickey
[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
Address = 10.0.2.1/24
ListenPort = 51820
# IF SERVER IS BEHIND NAT YOU WILL NEED THE FOLLOWING TWO RULES, ASSUMING YOUR ETHERNET ADAPTER IS NAMED "eth0" OTHERWISE CHANGE TO MATCH YOUR NAME
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# Peer1
[Peer]
PublicKey = <PEER1_PUBLIC_KEY>
PresharedKey = <PEER1_PRE-SHARED-KEY_(OPTIONAL)>
AllowedIPs = 10.0.2.2/32
# Peer2
[Peer]
PublicKey = <PEER2_PUBLIC_KEY>
AllowedIPs = 10.0.2.3/32
Peer configuration
Peers need to generate a private and public key as well. Remember that the peers and the server are not supposed to know each other's private keys; only the public keys are exchanged. Generate a private and public key for each peer.
wg genkey | tee peer1-privatekey | wg pubkey > peer1-publickey
Peer1 config
Print the keys and copy them for the following configuration.
cat peer1-privatekey && cat peer1-publickey
[Interface]
PrivateKey = <PEER1_PRIVATE_KEY>
Address = 10.0.2.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
PresharedKey = <PEER1_PRE-SHARED-KEY_(OPTIONAL)>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <SERVER-HOSTNAME-OR-IP>:51820
PersistentKeepalive = 25
Peer2 config
Print the keys and copy them for the following configuration.
cat peer2-privatekey && cat peer2-publickey
[Interface]
PrivateKey = <PEER2_PRIVATE_KEY>
Address = 10.0.2.3/32
DNS = 1.1.1.1
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <SERVER-HOSTNAME-OR-IP>:51820
PersistentKeepalive = 25
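As an added example (not part of the original tutorial), the following POSIX shell script renders the server configuration and the per-peer configurations shown above for any number of peers, following this page's address plan (server 10.0.2.1/24, peer N gets 10.0.2.(N+1)/32) and, going one step further than the text, giving every peer a preshared key. The WAN interface name eth0, the endpoint placeholder and the file names wg0.conf and wg0-peerN.conf are assumptions taken from this page.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: render wg0.conf and one
# wg0-peerN.conf per peer from the address plan above (server 10.0.2.1/24,
# peer N gets 10.0.2.(N+1)/32), giving every peer a preshared key.
# Assumed placeholders: the WAN interface name and the server endpoint.
WAN_IF="${WAN_IF:-eth0}"
SERVER_ENDPOINT="${SERVER_ENDPOINT:-<SERVER-HOSTNAME-OR-IP>}"

# render_server SERVER_PRIVKEY PEER1_PUBKEY:PSK [PEER2_PUBKEY:PSK ...]
# Keys are passed in (base64 never contains ':'), so rendering needs no wg.
render_server() {
    printf '[Interface]\nPrivateKey = %s\nAddress = 10.0.2.1/24\nListenPort = 51820\n' "$1"
    printf 'PostUp = iptables -A FORWARD -i %%i -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
    printf 'PostDown = iptables -D FORWARD -i %%i -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
    shift
    n=0
    for entry in "$@"; do
        n=$((n + 1))
        printf '\n# Peer%d\n[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = 10.0.2.%d/32\n' \
            "$n" "${entry%%:*}" "${entry#*:}" "$((n + 1))"
    done
}

# render_peer N PEER_PRIVKEY SERVER_PUBKEY PSK: full-tunnel client config for peer N.
render_peer() {
    printf '[Interface]\nPrivateKey = %s\nAddress = 10.0.2.%d/32\nDNS = 1.1.1.1\n\n' "$2" "$(($1 + 1))"
    printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = 0.0.0.0/0, ::/0\n' "$3" "$4"
    printf 'Endpoint = %s:51820\nPersistentKeepalive = 25\n' "$SERVER_ENDPOINT"
}

# generate_all N: make fresh keys with wireguard-tools and write wg0.conf plus
# wg0-peer1.conf .. wg0-peerN.conf into the current directory (needs wg on PATH).
generate_all() {
    umask 077                        # key material and configs: owner-readable only
    count=$1
    server_priv=$(wg genkey)
    server_pub=$(printf '%s\n' "$server_priv" | wg pubkey)
    n=0
    while [ "$n" -lt "$count" ]; do
        n=$((n + 1))
        priv=$(wg genkey); pub=$(printf '%s\n' "$priv" | wg pubkey); psk=$(wg genpsk)
        render_peer "$n" "$priv" "$server_pub" "$psk" > "wg0-peer$n.conf"
        set -- "$@" "$pub:$psk"      # collect PUBKEY:PSK pairs for the server side
    done
    shift                            # drop N, leaving only the peer entries
    render_server "$server_priv" "$@" > wg0.conf
}

# Usage: sh wg-gen.sh generate 2   (then copy wg0.conf to /etc/wireguard/)
if [ "${1:-}" = "generate" ]; then generate_all "${2:-2}"; fi
```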
Share config to peers
For a computer, share the respective peer config file with the user, e.g. with magic-wormhole. For a mobile user you might want to use qrencode and let them scan a QR code. cd to the directory containing the peer config files and generate the QR codes.
qrencode -t ansiutf8 < wg0-peer1.conf
qrencode -t ansiutf8 < wg0-peer2.conf
Enable IPv4 forwarding
sysctl -w net.ipv4.ip_forward=1
Make the change permanent by putting the following line into a file under /etc/sysctl.d/ (for example /etc/sysctl.d/99-wireguard.conf; the file name is a suggestion):
net.ipv4.ip_forward = 1
Starting WireGuard
Manually bring up the WireGuard interface and check for any errors.
systemctl start wg-quick@wg0
systemctl status wg-quick@wg0
You may want to bring up the interface automatically at boot as a systemd service.
systemctl enable wg-quick@wg0