WireGuard is a lightweight VPN with an extremely simple configuration. Everything below was tested on Ubuntu 18.04 as the server and Android 8.0.0 as the client.
Server
Install from the official PPA:
apt-add-repository ppa:wireguard/wireguard
apt update
apt install wireguard
Client and server authenticate each other with asymmetric keys (like in SSH). Keys are generated with the management utility wg:
wg genkey
This will be the server's private key (the client's key can be generated with the same command or in the mobile application; only its public part is needed in the server config).
Add the configuration file (sudo vim /etc/wireguard/wg0.conf):
[Interface]
Address = 10.9.0.1/24
PrivateKey = <private key generated by wg genkey>
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <public key generated on client (android app)>
AllowedIPs = 10.9.0.2/32
And restrict the file permissions, since the file contains the private key:
chmod 600 /etc/wireguard/wg0.conf
This configuration also routes internet traffic from VPN clients through the server. If you do not need that (communication between server and client is enough), omit the MASQUERADE rules from PostUp and PostDown.
Enable the service in systemd so it starts at boot:
sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload
Start it manually the first time:
wg-quick up wg0
Enable IP forwarding if you have kept the MASQUERADE rules in the config, by adding the following to /etc/sysctl.conf:
vim /etc/sysctl.conf
net.ipv4.ip_forward=1
Client
Install the WireGuard application from Google Play and create a configuration from scratch.
- Name: anything
- Private key: generate it with the "generate" button, or with the wg utility on the server and copy it from there
- Addresses: the same as the client's [Peer] AllowedIPs entry in the server config (10.9.0.2/32 in this note)
- Listen port: any; you can keep 51820, like the server
- DNS server: any, e.g. Yandex's 77.88.8.8 or Google's 8.8.8.8
- MTU: copy from the server (after starting the WireGuard service, run ifconfig wg0)
Peer section (the server's side):
- Public key: the public part of the server key (you can derive it from the private key with echo <server private key> | wg pubkey)
- Allowed IPs: the server IP 10.9.0.1 if you do not want to route all traffic via the server, or 0.0.0.0/0 if you do
- Endpoint: server_host:server_port (like myhost.com:51820)
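An added example, not from this note: wg_pubkey reproduces in pure Python what `echo <private key> | wg pubkey` does (RFC 7748 X25519 against base point 9), and render_configs assembles the server wg0.conf and the Android client config for the 10.9.0.0/24 layout above so that each file carries only its own private key and the peer's public key. The endpoint, the DNS server and the /32 mask on the client's AllowedIPs are assumptions.

```python
import base64

P = 2**255 - 19  # Curve25519 field prime

def _x25519(k: int, u: int) -> int:
    """RFC 7748 Montgomery ladder: u-coordinate of k times the point with u-coordinate u."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap (a real implementation does this in constant time)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P

def wg_pubkey(private_b64: str) -> str:
    """Same operation as `wg pubkey`: base64 private key -> clamp -> times base point 9 -> base64."""
    priv = bytearray(base64.b64decode(private_b64))
    if len(priv) != 32:
        raise ValueError("WireGuard keys are 32 bytes")
    priv[0] &= 248                       # scalar clamping per RFC 7748
    priv[31] = (priv[31] & 127) | 64
    pub = _x25519(int.from_bytes(priv, "little"), 9)
    return base64.b64encode(pub.to_bytes(32, "little")).decode()

def render_configs(server_priv: str, client_priv: str, endpoint: str = "myhost.com:51820",
                   route_all: bool = False) -> tuple:
    """Server wg0.conf and client config for the note's layout (endpoint/DNS are assumed
    values); a private key never leaves its own side's file."""
    server_pub, client_pub = wg_pubkey(server_priv), wg_pubkey(client_priv)
    server = (f"[Interface]\nAddress = 10.9.0.1/24\nPrivateKey = {server_priv}\nListenPort = 51820\n\n"
              f"[Peer]\nPublicKey = {client_pub}\nAllowedIPs = 10.9.0.2/32\n")
    client = (f"[Interface]\nAddress = 10.9.0.2/32\nPrivateKey = {client_priv}\nDNS = 8.8.8.8\n\n"
              f"[Peer]\nPublicKey = {server_pub}\nEndpoint = {endpoint}\n"
              f"AllowedIPs = {'0.0.0.0/0' if route_all else '10.9.0.1/32'}\n")
    return server, client
```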