This is a companion post to "Install and configure wireguard", with mostly just the necessary commands for a quick and easy WireGuard setup.
See official install documentation for all supported platforms. In short:
Fedora Linux:
sudo dnf install wireguard-tools
Ubuntu Linux:
sudo apt install wireguard
FreeBSD:
sudo pkg install wireguard
OpenBSD:
doas pkg_add wireguard-tools
Go to the wireguard directory and create the keypair:
Fedora, Ubuntu, OpenBSD:
cd /etc/wireguard
FreeBSD:
cd /usr/local/etc/wireguard
Then, on all platforms:
umask 077
wg genkey >private.key
wg pubkey < private.key >public.key
Or do the above with one line:
wg genkey | tee private.key | wg pubkey > public.key
Create a pre-shared key for each peer:
wg genpsk >pre-shared.key
Create the file wg0.conf in the wireguard directory with the following content, substituting your own keys and addresses for the example values:
[Interface]
PrivateKey = qOncWvsVv7hTlgD2d++5Sx1ULjTa7zeKHKbuTl1J6GI=
Address = 10.0.0.1/32
ListenPort = 51820
[Peer]
PublicKey = lmWvq5Gv8ZyV+9ruZF9APjffGEu0uEDJ5kANdeX6UWY=
PreSharedKey = kgC1FhcRNbKj3w5ew33mF5WvIKwMLGY7f5iuy3PBclY=
AllowedIPs = 10.0.0.2/32
Endpoint = 2.2.2.2:51820
On the peer, their configuration should look like this:
[Interface]
PrivateKey = CCfMo0ytoDPCPqxNPWAVAUka+no+c2NwivtBoNd21EM=
Address = 10.0.0.2/32
ListenPort = 51820
[Peer]
PublicKey = q9jepA++1o/7bi2wbQaBOG2KUE8/2cz0i29aiv0MXlA=
PreSharedKey = kgC1FhcRNbKj3w5ew33mF5WvIKwMLGY7f5iuy3PBclY=
AllowedIPs = 10.0.0.1/32
Endpoint = 1.1.1.1:51820
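The umask 077 step only covers files created in that shell session, and wg0.conf holds the private and pre-shared keys as well. As an added example (not from the original post or the WireGuard project), these sh functions list files in the wireguard directory that group or others can access and flag config lines that are not in Key = Value form; the function names and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of wg or wg-quick.

# Print files under DIR that group or others can access; return 1 if any.
wg_audit_perms() {
    loose=$(find "$1" -type f \( -perm -0040 -o -perm -0020 -o -perm -0010 \
        -o -perm -0004 -o -perm -0002 -o -perm -0001 \))
    [ -z "$loose" ] && return 0
    printf '%s\n' "$loose"
    return 1
}

# Print "LINENO: text" for each line of FILE that is not blank, a comment,
# a section header or "Key = Value"; return 1 if any. Only the keys used in
# this guide are listed; extend the list for others (DNS, PersistentKeepalive).
wg_lint_conf() {
    awk '
        { l = tolower($0) }
        l ~ /^[ \t]*(#.*)?$/ { next }
        l ~ /^[ \t]*\[(interface|peer)\][ \t]*$/ { next }
        l ~ /^[ \t]*(privatekey|address|listenport|publickey|presharedkey|allowedips|endpoint)[ \t]*=[ \t]*[^ \t]/ { next }
        { printf "%d: %s\n", NR, $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Constructed sample: a config written under a default umask of 022 with a
# colon typed instead of "=", next to a key file written under umask 077.
make_sample() {
    ( umask 022; printf '%s\n' '[Interface]' 'PrivateKey = PLACEHOLDER' \
        'Address = 10.0.0.1/32' '[Peer]' 'Endpoint: 192.0.2.1:51820' \
        > "$1/wg0.conf" )
    ( umask 077; echo 'PLACEHOLDER' > "$1/private.key" )
}

d=$(mktemp -d)
make_sample "$d"
wg_audit_perms "$d" || echo "tighten with: chmod 600 FILE"
wg_lint_conf "$d/wg0.conf" || echo "fix the lines listed above"
rm -rf "$d"
```

Run it against the real directory with wg_audit_perms /etc/wireguard (or /usr/local/etc/wireguard on FreeBSD) before bringing the interface up.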
To test that it is working:
wg-quick up wg0
See the interface and traffic stats:
wg
Stop wireguard again to prepare for using the startup scripts:
wg-quick down wg0
Enable start at boot and start it again:
Fedora and Ubuntu:
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
FreeBSD:
sudo sysrc wireguard_interfaces="wg0"
sudo sysrc wireguard_enable="YES"
sudo service wireguard start
For OpenBSD, create the file /etc/hostname.wg0 with this content:
inet 10.0.0.1 255.255.255.0 NONE
up
!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
Then start it with sh /etc/netstart wg0
If the wireguard host should function as a router:
Fedora and Ubuntu:
sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
Add this to /etc/sysctl.conf to enable at boot:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
For FreeBSD and OpenBSD:
sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1
Add to /etc/sysctl.conf to make this permanent:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
If configuration is changed, use system scripts to reload configuration on Fedora, Ubuntu and FreeBSD.
On OpenBSD use wg to sync configuration from file:
wg syncconf wg0 /etc/wireguard/wg0.conf