Using Wireguard

recently I was visiting my family to celebrate easter, but wanted to be able to have access to my NAS server at home. I had heard about WireGuard before, but never actually looked into it, so I did.

to interface with wireguard interfaces, we use wg(8) and ip(8).

we start off by creating the interfaces;

PRIVKEY="`wg genkey`"
PUBKEY="`echo $PRIVKEY | wg pubkey`"

# we set the server ip to, and the client ip to

# the wg tool requires the private key to be read from a file

ip link add dev $INTERFACE type wireguard
ip addr add dev $INTERFACE $ADDRESS
wg set $INTERFACE listen-port $LISTEN_PORT private-key $PRIVKEYPATH

we do this on both the client-, and server-side.

then we set up the server to accept connections from the client.

wg set $INTERFACE peer "$CLIENT_PUBKEY" allowed-ips

and the reverse on the client side, with the additional endpoint argument.

wg set $INTERFACE peer "$SERVER_PUBKEY" allowed-ips endpoint $SERVER_HOST:$LISTEN_PORT

then on both sides, we bring the interfaces up.

ip link set up dev $INTERFACE

now we can confirm that it works by having the server and client ping eachother.

# ping the server from the client side
ping -c4

# ping the client from the server side
ping -c4

in order to avoid using all of these flags for each client being connected, wg allows for the reading of config files via the setconf argument. in order to get the config of the already established interface we've set up, we do;

wg showconf $INTERFACE | tee WireGuard.conf
ListenPort = 51820
PrivateKey = ABase64RepresentationOfYourPrivateKeyThatShouldBeKeptSecret=

PublicKey = ABase64RepresentationOfYourPublicKeyThatYouCanShareFreely=
AllowedIPs =

now for the future we can load the config by running wg setconf $INTERFACE WireGuard.conf.

as you can see, wireguard doesn't have a clear distinction between server and client, and therefore you can have multiple "server" nodes connected together.


as we can see; the pubkey is a 44 character base64 string, which makes it visually unaesthetic. in order to counter this, we can use a vanity address generator such as warner/wireguard-vanity-address, axllent/wireguard-vanity-keygen, or even just running wg genkey and checking pubkey by pumping it into wg pubkey (though this will have significant overhead.)

if you're connecting with a device like a smartphone, we can generate a QR code with qrencode like so;

qrencode -t $OUTPUT_TYPE <my_wireguard.conf