Reference: https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
- Choose an IPv4 and/or IPv6 network address
  - IPv6 network choice algorithm (derives an `fd..::/64` ULA prefix from the current time and the machine id):
    ```sh
    cat <(date +%s%N) /var/lib/dbus/machine-id | tr -d '\n' | sha1sum | sed -E 's/^.+([0-9a-f]{10}) .*$/fd\1/;s/..../&:/g;s|$|:/64|'
    ```
- Set up a Wireguard connection profile on both the server and client
- Exchange public keys
- Add each other as a peer
- Activate the connection using `nmtui` or `nmcli` on both machines
- Use `wg` to check connection status
- Generate private/public key pair:
  ```sh
  umask 077  # the private key must not be readable by other users
  wg genkey > /etc/wireguard/private.key
  wg pubkey < /etc/wireguard/private.key > /etc/wireguard/public.key
  ```
- Use `nmtui` to add a Wireguard connection profile
- Set `firewalld` zone using `nmcli`:
  ```sh
  nmcli connection modify <CONNECTION_NAME> connection.zone <ZONE>
  ```
-
- Are all the keys correct?
- Have you opened Wireguard's port (default `51820/tcp`) on the server's firewall?
  - firewalld:
    ```sh
    sudo firewall-cmd [--zone=ZONE] --add-service=wireguard
    sudo firewall-cmd --runtime-to-permanent
    ```
- If the server is behind a NAT, is port forwarding enabled on the gateway?
- Are the chosen Wireguard network addresses themselves included in `AllowedIPs`?
- Have you enabled intra-zone forwarding? Or have you added appropriate inter-zone forwarding rules?
- Have you added the appropriate return routes on connected hosts? Or have you set up your routing daemons correctly?
- If you are using OSPF as your routing protocol, have you added its multicast addresses (`224.0.0.5`, `224.0.0.6`, `ff02::5`, `ff02::6`) to `AllowedIPs`?
- It may be useful to set `Interface.Table = off` (equivalent to unchecking "Add peer routes" in NetworkManager) and let your routing daemon add routes (reference)
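The `AllowedIPs`, OSPF multicast and `Interface.Table` items in the checklist above can be checked mechanically against a wg-quick style config. The script below is an added example, not part of these notes or of any WireGuard or NetworkManager tooling; it embeds a constructed sample config (placeholder values, keys omitted) and reports which items fail.

```python
import ipaddress

OSPF_MULTICAST = ["224.0.0.5", "224.0.0.6", "ff02::5", "ff02::6"]  # groups named in the checklist

def parse_wg_config(text):
    """Parse a wg-quick style config into (Interface addresses, Table value, per-peer AllowedIPs)."""
    section, addresses, table, peers = None, [], None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append([])
            continue
        key, _, value = line.partition("=")
        key, values = key.strip().lower(), [v.strip() for v in value.split(",")]
        if section == "interface" and key == "address":
            addresses += [ipaddress.ip_interface(v) for v in values]
        elif section == "interface" and key == "table":
            table = values[0].lower()
        elif section == "peer" and key == "allowedips":
            peers[-1] += [ipaddress.ip_network(v, strict=False) for v in values]
    return addresses, table, peers

def check_allowed_ips(text, ospf=False):
    """Return checklist findings for the config; an empty list means every item passes."""
    addresses, table, peers = parse_wg_config(text)
    allowed = [net for peer in peers for net in peer]  # union over all peers
    findings = []
    for iface in addresses:  # the tunnel network itself must be routed via some peer
        if not any(iface.network.overlaps(net) for net in allowed):  # mixed IP versions never overlap
            findings.append(f"WireGuard network {iface.network} is not in any peer's AllowedIPs")
    if ospf:
        for group in OSPF_MULTICAST:
            if not any(ipaddress.ip_address(group) in net for net in allowed):
                findings.append(f"OSPF multicast {group} is not in any peer's AllowedIPs")
        if table != "off":
            findings.append("Interface.Table is not 'off'; peer routes will be added alongside OSPF's")
    return findings

# Constructed client config (not from the page): only the server's IPv4 address and one OSPF group allowed, Table at default
SAMPLE_CONFIG = """\
[Interface]
Address = 10.8.0.2/24, fd0d:86fa:c3bc::2/64

[Peer]
AllowedIPs = 10.8.0.1/32, 224.0.0.5/32
Endpoint = wg.example.invalid:51820
"""
```

Running `check_allowed_ips(SAMPLE_CONFIG, ospf=True)` on the sample reports the missing IPv6 tunnel network, three missing OSPF groups and the default `Table`; widening `AllowedIPs` and setting `Table = off` clears every finding.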