Wireguard

Client Configuration

Set a stricter umask before generating a private and public key (you can use chmod after generation, too):

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Sample client configuration in /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = privateKeyOfClient
Address = 10.0.0.4/24
DNS = 9.9.9.9
#ListenPort = 51820

[Peer]
PublicKey = publicKeyOfServer
AllowedIPs = 0.0.0.0/0
Endpoint = 185.207.105.60:51820
PersistentKeepalive = 25
  • Address: address of the client in the VPN network with correct subnet!
  • DNS: DNS server for client while tunnel is active.
  • AllowedIPs: IPs to which the client is allowed to connect to. 0.0.0.0/0 means everything is routed through the tunnel.
  • Endpoint: IP:PORT of the wireguard server.
  • PersistentKeepalive: Send the sever a keepalive every 25s to keep the connection up. Especially useful if the client is behind a NAT.

You must have some resolvconf installed. If using systemd-resolved for DNS on Arch Linux, install systemd-resolvconf, otherwise the package openresolv.

Enable on Boot

The client can be enabled by default on boot with:

systemctl enable wg-quick@wg0.service