
Setting up a Standalone S2S VPN with WireGuard

Getting WG status

wg show

Starting/Stopping WG

wg-quick up wgx

wg-quick down wgx

Installing WG

apt install wireguard-tools

Requires Linux kernel 5.6 or newer (WireGuard is part of the mainline kernel from 5.6; older kernels need the out-of-tree module in addition to wireguard-tools).

Generating Keys

Each side needs its own key pair; never copy one private key to both hosts. The command below prints the new private key followed by the derived public key (bash process substitution). If you redirect the private key to a file, run it with umask 077 so the file is not world-readable.

wg genkey | tee >(wg pubkey)

For post-quantum hardening you can additionally generate a preshared key. It is mixed into the handshake, so an attacker who later breaks the Curve25519 exchange still needs the PSK. It must be identical on both sides and is configured per peer, i.e. in the [Peer] section of each config.

wg genpsk

Configuration

"Server" config

/etc/wireguard/wgx.conf
[Interface]
Address = 10.99.x.1/30               # tunnel address of this side
ListenPort = 31037                   # UDP port to listen on; allow it on the host firewall
PrivateKey = 6GcJf56i5dY30t7tyuGExlJFl/vkiYcyfvDrTJoevWg=   # example key, generate your own with wg genkey

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT     # runs on tunnel up, e.g. firewall config; %i is the interface name. Site-to-site traffic must be forwarded in both directions.
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT

[Peer]
#Name = XY
PublicKey = KSODnmNkJG+ASAirrpmZJhEHwnCNoa7fIhvBS/txJQY=
# PresharedKey = <psk>               # optional; a per-peer setting, so it belongs here and not in [Interface]. Must match the other side.
AllowedIPs = 192.168.11.0/24         # subnets behind the client that are routed into the tunnel and accepted from it. Add 10.99.x.2/32 if the client's tunnel address itself should be reachable.

"Client" conf

/etc/wireguard/wgx.conf
[Interface]
Address = 10.99.x.2/30
#ListenPort = 51820                  # without ListenPort a random port is used; fine for a client behind NAT that only initiates
PrivateKey = qEX8Ag5QmckFHRGX8Cg308N1XXzfp3VXE2MKYPlA2Eo=   # example key, generate your own with wg genkey

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT

[Peer]
PublicKey = 28b1ickTXZiU5XtZbsj6YJuzhkcJXrNP145C3MGBQS0=
#PresharedKey = <psk>                # optional; belongs in [Peer], not [Interface]. Must match the server's entry for this peer.
AllowedIPs = 0.0.0.0/0               # routes everything through the tunnel (full tunnel). For a site-to-site or split tunnel list only the server-side subnets plus the tunnel net, e.g. 10.99.x.0/30.
Endpoint = 130.83.6.100:31037        # public address and ListenPort of the server; this side initiates. Endpoint can be set on both sides if both are reachable.
PersistentKeepalive = 25             # send a keepalive every 25s so NAT mappings stay open
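As an added check (example code written for this page, not part of the original or of the WireGuard project), the following Python script parses a wg-quick file the way wg-quick does (strips # comments, one [Interface], repeated [Peer] sections) and flags mistakes that are easy to make in configs like the ones above: a PresharedKey placed in [Interface] instead of [Peer], where wg setconf does not accept it; a PostUp FORWARD rule that only matches -i %i; AllowedIPs = 0.0.0.0/0 on a peer meant for site-to-site; malformed keys or networks; and overlapping AllowedIPs across peers. The two sample configs and the keys embedded in it are constructed for the demo and must not be reused.

```python
"""Static sanity checks for a wg-quick configuration before 'wg-quick up'.

Added example, not part of the original page or of WireGuard. Assumes a plain
wg-quick file; the sample configs and keys below are constructed for the demo.
"""
import base64
import ipaddress
import re

PSK_DEMO = "A" * 43 + "="  # constructed: well-formed 32-byte key, not a real PSK

# Constructed: PresharedKey in the wrong section, one-way FORWARD rule, full tunnel.
BAD_CONF = f"""
[Interface]
Address = 10.99.1.2/30
PrivateKey = qEX8Ag5QmckFHRGX8Cg308N1XXzfp3VXE2MKYPlA2Eo=
PresharedKey = {PSK_DEMO}            # wrong section; wg setconf does not accept it here
PostUp = iptables -A FORWARD -i %i -j ACCEPT

[Peer]
PublicKey = 28b1ickTXZiU5XtZbsj6YJuzhkcJXrNP145C3MGBQS0=
AllowedIPs = 0.0.0.0/0
Endpoint = 130.83.6.100:31037
"""

# Constructed: the same tunnel written as a proper site-to-site config.
GOOD_CONF = f"""
[Interface]
Address = 10.99.1.2/30
PrivateKey = qEX8Ag5QmckFHRGX8Cg308N1XXzfp3VXE2MKYPlA2Eo=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT

[Peer]
PublicKey = 28b1ickTXZiU5XtZbsj6YJuzhkcJXrNP145C3MGBQS0=
PresharedKey = {PSK_DEMO}
AllowedIPs = 192.168.10.0/24, 10.99.1.0/30   # remote LAN plus the tunnel /30
Endpoint = 130.83.6.100:31037
"""

KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")  # 32 bytes in base64: 44 chars ending in '='


def is_wg_key(value):
    """True if value is a well-formed WireGuard key (private, public or preshared)."""
    return bool(KEY_RE.match(value)) and len(base64.b64decode(value)) == 32


def parse_wg_conf(text):
    """Return (interface, peers); keys lowercased, values kept as lists (wg-quick allows repeats)."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments the way wg-quick does
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key.lower(), []).append(value)
    return interface, peers


def check_conf(text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    iface, peers = parse_wg_conf(text)
    for required in ("privatekey", "address"):
        if required not in iface:
            findings.append(f"[Interface] missing {required}")
    if "presharedkey" in iface:
        findings.append("[Interface] PresharedKey is a per-peer setting and belongs in [Peer]")
    postup = " ".join(iface.get("postup", []))
    if "FORWARD" in postup and "-i %i" in postup and "-o %i" not in postup:
        findings.append("PostUp accepts FORWARD only for -i %i; add an -o %i rule or replies "
                        "into the tunnel are dropped under a DROP policy")
    seen = []  # (peer tag, network) already routed, for overlap checks across peers
    for n, peer in enumerate(peers, 1):
        tag = f"[Peer #{n}]"
        for key in ("publickey", "allowedips"):
            if key not in peer:
                findings.append(f"{tag} missing {key}")
        for key in ("publickey", "presharedkey"):
            if any(not is_wg_key(v) for v in peer.get(key, [])):
                findings.append(f"{tag} {key} is not a 32-byte base64 key")
        for entry in ",".join(peer.get("allowedips", [])).split(","):
            entry = entry.strip()
            if not entry:
                continue
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"{tag} AllowedIPs {entry!r} is not a valid network")
                continue
            if net.prefixlen == 0:
                findings.append(f"{tag} AllowedIPs {entry} is a full tunnel, not a site-to-site route")
            for other_tag, other in seen:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"{tag} AllowedIPs {entry} overlaps {other} of {other_tag}")
            seen.append((tag, net))
    return findings


if __name__ == "__main__":
    for name, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(name, check_conf(conf) or ["ok"])
```

Run it against the real file with `check_conf(open("/etc/wireguard/wgx.conf").read())` before `wg-quick up`; the parser raises on unknown sections or lines without `=`, which is also what wg setconf would refuse.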

Starting WG

wg-quick up wgx

Starting WG at boot

systemctl enable wg-quick@wgx

Routing

:!: Don't forget the firewall rules! For LAN traffic to cross the tunnel, the gateway on each side needs IP forwarding enabled (net.ipv4.ip_forward = 1, made persistent via sysctl) and a FORWARD chain that accepts traffic both entering and leaving the WireGuard interface; the PostUp lines above add those accept rules. On the server the UDP ListenPort must be reachable from the client, so allow it in INPUT. Finally, hosts in each LAN need a route for the remote subnet pointing at their local WireGuard gateway, unless that gateway is already their default route.

/app/www/public/data/pages/knowledge_base/useful_software/s2svpn_wg.txt · Last modified: 2024/11/21 17:40 by julian.lemmerich