WireGuard is a lightweight VPN with extremely simple configuration. Everything below was tested with Ubuntu 18.04 as the server and Android 8.0.0 as the client.
Installation from the official PPA:
apt-add-repository ppa:wireguard/wireguard
apt update
apt install wireguard
Client and server authenticate each other with asymmetric keys (like in SSH). Keys are generated with the management utility wg:
wg genkey
This will be the server auth key (the client auth key can be generated with the same command or in the mobile application; you will need its public part in the config).
Add the configuration file (sudo vim /etc/wireguard/wg0.conf):
[Interface]
Address = 10.9.0.1/24
PrivateKey = <private key generated by wg genkey>
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <public key generated on client (android app)>
AllowedIPs = 10.9.0.2/32
And restrict the file permissions, since the file contains the private key:
chmod 600 /etc/wireguard/wg0.conf
This configuration includes routing internet requests from VPN clients. If you do not need it (communication between server and client is enough), omit the MASQUERADE lines.
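Before starting the interface, the config above can be checked for the mistakes this setup invites: a placeholder left in PrivateKey, permissions wider than 600, and peers whose AllowedIPs collide or reach outside the tunnel subnet. This is an added example, not part of the original note; the function names, the constructed sample config and the rule that server-side peers stay inside the Address subnet are assumptions of the example.

```python
import base64, ipaddress, os, stat

def parse(text):
    """[(section, {key: value})]; [Peer] repeats, so configparser does not fit."""
    sections = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().lower(), {}))
        elif "=" in line and sections:
            key, _, value = line.partition("=")  # first "=" only: keys end in "="
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def is_key(value):
    try:  # WireGuard keys are 32 bytes, base64-encoded
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError
        return False

def audit(text, mode):
    """Findings for a wg-quick config; assumes peers belong in the first Address subnet."""
    findings = [f"mode {mode:o}: private key readable beyond owner"] if mode & 0o077 else []
    sections = parse(text)
    iface = next((kv for name, kv in sections if name == "interface"), {})
    if not is_key(iface.get("privatekey", "")):
        findings.append("PrivateKey missing or still a placeholder")
    addr = iface.get("address", "0.0.0.0/0").split(",")[0].strip()
    subnet = ipaddress.ip_interface(addr).network
    seen = []
    for kv in (kv for name, kv in sections if name == "peer"):
        if not is_key(kv.get("publickey", "")):
            findings.append("Peer PublicKey is not a 32-byte base64 key")
        for cidr in filter(None, map(str.strip, kv.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != subnet.version or not net.subnet_of(subnet):
                findings.append(f"AllowedIPs {net} outside tunnel subnet {subnet}")
            if any(net.overlaps(other) for other in seen):
                findings.append(f"AllowedIPs {net} overlaps an earlier AllowedIPs entry")
            seen.append(net)
    return findings

def audit_file(path):
    with open(path) as fh:
        return audit(fh.read(), stat.S_IMODE(os.stat(path).st_mode))

# Constructed sample: placeholder private key, duplicated peer address, catch-all route.
KEY = base64.b64encode(bytes(range(32))).decode()  # constructed value, not a real key
SAMPLE = ("[Interface]\nAddress = 10.9.0.1/24\nPrivateKey = <private key>\n"
          f"[Peer]\nPublicKey = {KEY}\nAllowedIPs = 10.9.0.2/32\n"
          f"[Peer]\nPublicKey = {KEY}\nAllowedIPs = 10.9.0.2/32, 0.0.0.0/0\n")
```

Calling audit_file("/etc/wireguard/wg0.conf") as root returns an empty list when none of these checks fire; audit(SAMPLE, 0o644) shows each finding on the constructed input.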
Enable the systemd service so it starts at boot:
sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload
Start it manually the first time:
wg-quick up wg0
Enable IP forwarding if you have kept the MASQUERADE lines in the config:
vim /etc/sysctl.conf
net.ipv4.ip_forward=1
Install the application from Play.
Create a configuration from scratch.
wg utility on server and copied from there
(10.9.0.2/32 in this note)
(ifconfig wg0)
Peer section - server config:
(echo <server private key> | wg pubkey)
10.9.0.1 if you do not want to route all traffic via the server, or 0.0.0.0/0 if you want it