archlinux/notes/wireguard

############
# Key generation
############
for peer in {0..9}
do
    wg genkey | (umask 0077 && tee peer${peer}.key) | wg pubkey > peer${peer}.pub
done

############
# Server configuration
############
/etc/wireguard/wg0.conf
############
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

# substitute eth0 in the following lines to match the Internet-facing interface
# the FORWARD rules will always be needed since traffic needs to be forwarded between the WireGuard
# interface and the other interfaces on the server.
# if the server is behind a router and receives traffic via NAT, specify static routing back to the
# 10.200.200.0/24 subnet, the NAT iptables rules are not needed but the FORWARD rules are needed.
# if the server is behind a router and receives traffic via NAT but one cannot specify static routing back to
# 10.200.200.0/24 subnet, both the NAT and FORWARD iptables rules are needed. 
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# foo
PublicKey = PEER_FOO_PUBLIC_KEY
PresharedKey = PRE-SHARED_KEY
AllowedIPs = 10.200.200.2/32

[Peer]
# bar
PublicKey = PEER_BAR_PUBLIC_KEY
PresharedKey = PRE-SHARED_KEY
AllowedIPs = 10.200.200.3/32

###
# The interface may be brought up using wg-quick up wg0 respectively by starting and potentially enabling the interface via wg-quick@interface.service, e.g. wg-quick@wg0.service. To close the interface use wg-quick down wg0 respectively stop wg-quick@interface.service.
###

############
# Client configuration
############
foo.conf
[Interface]
Address = 10.200.200.2/32
PrivateKey = PEER_FOO_PRIVATE_KEY
DNS = 10.200.200.1

[Peer]
PublicKey = SERVER_PUBLICKEY
PresharedKey = PRE-SHARED_KEY
Endpoint = my.ddns.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
bar.conf
[Interface]
Address = 10.200.200.3/32
PrivateKey = PEER_BAR_PRIVATE_KEY
DNS = 10.200.200.1

[Peer]
PublicKey = SERVER_PUBLICKEY
PresharedKey = PRE-SHARED KEY
Endpoint = my.ddns.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0

###
# Note: Users of NetworkManager, may need to enable the NetworkManager-wait-online.service and users of systemd-networkd may need to enable the systemd-networkd-wait-online.service to wait until devices are network-ready before attempting a WireGuard connection.
###
First commit 2025-11-22 23:15:27 +00:00			`############`
			`# Key generation`
			`############`
			`for peer in {0..9}`
			`do`
			`wg genkey \| (umask 0077 && tee peer${peer}.key) \| wg pubkey > peer${peer}.pub`
			`done`

			`############`
			`# Server configuration`
			`############`
			`/etc/wireguard/wg0.conf`
			`############`
			`[Interface]`
			`Address = 10.200.200.1/24`
			`ListenPort = 51820`
			`PrivateKey = SERVER_PRIVATE_KEY`

			`# substitute eth0 in the following lines to match the Internet-facing interface`
			`# the FORWARD rules will always be needed since traffic needs to be forwarded between the WireGuard`
			`# interface and the other interfaces on the server.`
			`# if the server is behind a router and receives traffic via NAT, specify static routing back to the`
			`# 10.200.200.0/24 subnet, the NAT iptables rules are not needed but the FORWARD rules are needed.`
			`# if the server is behind a router and receives traffic via NAT but one cannot specify static routing back to`
			`# 10.200.200.0/24 subnet, both the NAT and FORWARD iptables rules are needed.`
			`PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE`
			`PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE`

			`[Peer]`
			`# foo`
			`PublicKey = PEER_FOO_PUBLIC_KEY`
			`PresharedKey = PRE-SHARED_KEY`
			`AllowedIPs = 10.200.200.2/32`

			`[Peer]`
			`# bar`
			`PublicKey = PEER_BAR_PUBLIC_KEY`
			`PresharedKey = PRE-SHARED_KEY`
			`AllowedIPs = 10.200.200.3/32`

			`###`
			`# The interface may be brought up using wg-quick up wg0 respectively by starting and potentially enabling the interface via wg-quick@interface.service, e.g. wg-quick@wg0.service. To close the interface use wg-quick down wg0 respectively stop wg-quick@interface.service.`
			`###`

			`############`
			`# Client configuration`
			`############`
			`foo.conf`
			`[Interface]`
			`Address = 10.200.200.2/32`
			`PrivateKey = PEER_FOO_PRIVATE_KEY`
			`DNS = 10.200.200.1`

			`[Peer]`
			`PublicKey = SERVER_PUBLICKEY`
			`PresharedKey = PRE-SHARED_KEY`
			`Endpoint = my.ddns.example.com:51820`
			`AllowedIPs = 0.0.0.0/0, ::/0`
			`bar.conf`
			`[Interface]`
			`Address = 10.200.200.3/32`
			`PrivateKey = PEER_BAR_PRIVATE_KEY`
			`DNS = 10.200.200.1`

			`[Peer]`
			`PublicKey = SERVER_PUBLICKEY`
			`PresharedKey = PRE-SHARED KEY`
			`Endpoint = my.ddns.example.com:51820`
			`AllowedIPs = 0.0.0.0/0, ::/0`

			`###`
			`# Note: Users of NetworkManager, may need to enable the NetworkManager-wait-online.service and users of systemd-networkd may need to enable the systemd-networkd-wait-online.service to wait until devices are network-ready before attempting a WireGuard connection.`
			`###`