Install on ubuntu 18.04:
    sudo add-apt-repository ppa:wireguard/wireguard
    sudo apt-get update
    sudo apt-get install wireguard
Create keys for server in /etc/wireguard:
    umask 077; wg genkey | tee privatekey | wg pubkey > publickey
To use this box as jumpbox to the LAN:
    sysctl -w net.ipv4.ip_forward=1
To survive reboots, create /etc/sysctl.d/50-forward.conf:
    net.ipv4.ip_forward = 1
Create the server configuration in /etc/wireguard/wg0.conf:
    [Interface]
    Address = 10.0.0.1/24
    ListenPort = 51820
    PrivateKey = contents_of_private_key
When using the box to forward traffic to LAN, add to the [Interface] section in wg0.conf:
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Make sure to replace eth0 with the appropriate network adapter.
Add “peers” (clients)
You should have each client generate its own secrets and just share with you the public key.
You should assign an IP for each client in the range you defined for the server (e.g. 10.0.0.1/24 in this example).
    [Peer]
    PublicKey = public_key_generated_on_client
    AllowedIPs = 10.0.0.2/32
Start the interface and enable it at boot:
    systemctl start wg-quick@wg0
    systemctl enable wg-quick@wg0
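As an added example (not part of the original notes), the following Python script assembles the wg0.conf described above from a list of peers and rejects the mistakes that are easy to make by hand: a malformed key, a client address outside the server's subnet or equal to the server's own address, and duplicate addresses or public keys. The two keys in it are constructed placeholders in the right format, not real keys; the function names are my own.

```python
import base64
import ipaddress

# Constructed placeholder keys (32 fixed bytes, base64): valid in format only, never use them.
SERVER_PRIVATE_KEY = base64.b64encode(bytes([1]) * 32).decode()
CLIENT_PUBLIC_KEY = base64.b64encode(bytes([2]) * 32).decode()


def valid_key(key):
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def render_wg0(server_cidr, listen_port, private_key, peers, lan_iface="eth0"):
    """Build wg0.conf text for the jumpbox layout described above.

    peers is a list of (client_public_key, client_ip). Each client gets a /32
    AllowedIPs entry, which must be unique and inside the server's subnet; the
    server's own address and malformed keys are rejected with ValueError.
    """
    server = ipaddress.ip_interface(server_cidr)
    if not valid_key(private_key):
        raise ValueError("server PrivateKey is not a 32-byte base64 key")
    lines = ["[Interface]", f"Address = {server_cidr}",
             f"ListenPort = {listen_port}", f"PrivateKey = {private_key}",
             f"PostUp = iptables -A FORWARD -i %i -j ACCEPT; "
             f"iptables -t nat -A POSTROUTING -o {lan_iface} -j MASQUERADE",
             f"PostDown = iptables -D FORWARD -i %i -j ACCEPT; "
             f"iptables -t nat -D POSTROUTING -o {lan_iface} -j MASQUERADE"]
    seen_ips, seen_keys = set(), set()
    for pub, ip in peers:
        addr = ipaddress.ip_address(ip)
        if not valid_key(pub):
            raise ValueError(f"peer {ip}: PublicKey is not a 32-byte base64 key")
        if addr not in server.network or addr == server.ip:
            raise ValueError(f"peer {ip}: address not usable in {server.network}")
        if addr in seen_ips or pub in seen_keys:
            raise ValueError(f"peer {ip}: duplicate address or public key")
        seen_ips.add(addr)
        seen_keys.add(pub)
        lines += ["", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {addr}/32"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_wg0("10.0.0.1/24", 51820, SERVER_PRIVATE_KEY,
                     [(CLIENT_PUBLIC_KEY, "10.0.0.2")]))
```

Write the output to /etc/wireguard/wg0.conf with mode 600, since it contains the server's private key.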
When you are using WireGuard as a jumpbox to access resources that are not public (e.g. an AWS VPC), you may need to use the DNS resolver of the private network.
For example, to access resources in an AWS VPC by their DNS names.
Install unbound DNS server in the wireguard jumpbox
    sudo apt-get install unbound
Modify the configuration to forward name resolution of amazonaws.com names to the VPC DNS resolver. Create a file amazonaws.conf in /etc/unbound/unbound.conf.d:
    server:
        interface: 10.0.0.1
        access-control: 0.0.0.0/0 allow
    forward-zone:
        name: amazonaws.com
        forward-addr: 169.254.169.253
    forward-zone:
        name: "."
        forward-addr: 126.96.36.199
        forward-addr: 188.8.131.52
In this case the DNS server will only listen on the wg0 adapter (10.0.0.1) and will forward everything except *.amazonaws.com to the Google DNS servers.
Now modify the WireGuard configuration on your “local machine” so the client uses unbound as its DNS resolver while connected to the VPN:
    [Interface]
    DNS = 10.0.0.1