Today I spent some time setting up a Wireguard VPN on a Linode VPS.
Overall the process is not too complicated, but a few things confused me at first. I started with the guide on the Linode website, but then switched over to this excellent article: How to setup a VPN server using WireGuard (with NAT and IPv6).
My biggest confusion was about the distinction between the private IP assigned to the server/client within the VPN and the externally visible IP of the server (the client does not need a public IP). Importantly, the `Address` in the `[Interface]` section of the config refers to the VPN-internal private IP. This can be anything you want, as long as it's a valid IP on a subnet that isn't already in use for anything else.
My final server config (`/etc/wireguard/wg0.conf`) to enable forwarding all traffic through the server looked like this:

```ini
[Interface]
Address = 192.168.37.1/32
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <removed>

[Peer]
PublicKey = <removed>
AllowedIPs = 192.168.37.2/32
```
Similarly, on the client:
```ini
[Interface]
Address = 192.168.37.2/32
ListenPort = 57841
PrivateKey = <removed>

[Peer]
PublicKey = <removed>
Endpoint = <removed>:51820
AllowedIPs = 0.0.0.0/0,::/0
```
The only place where you need the public IP of your server is this `Endpoint` in the client config!
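As an added check (an example script, not from the original post or either guide), the snippet below parses a server/client config pair built on the same layout as the two configs above and verifies the cross-references that caused the confusion: the server's `[Peer] AllowedIPs` must name the client's `Address`, the client's `Endpoint` port must equal the server's `ListenPort`, and both internal addresses must sit in the same subnet. The two embedded configs are constructed samples; the keys are placeholders and 203.0.113.10 stands in for the server's public IP.

```shell
#!/bin/sh
# Added example: cross-check a WireGuard server/client config pair.
# The two configs below are constructed samples (same layout as the post's);
# keys are placeholders and 203.0.113.10 stands in for the server's public IP.

SERVER_CONF='[Interface]
Address = 192.168.37.1/32
ListenPort = 51820
PrivateKey = <removed>

[Peer]
PublicKey = <removed>
AllowedIPs = 192.168.37.2/32'

CLIENT_CONF='[Interface]
Address = 192.168.37.2/32
ListenPort = 57841
PrivateKey = <removed>

[Peer]
PublicKey = <removed>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0,::/0'

# wg_get SECTION KEY CONFIG: print the value of KEY inside [SECTION]
wg_get() {
    printf '%s\n' "$3" | awk -v sec="[$1]" -v key="$2" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec { k = $0; sub(/[ \t]*=.*/, "", k)
                 if (k == key) { sub(/^[^=]*=[ \t]*/, ""); print; exit } }'
}

# wg_check_pair SERVER_CONF CLIENT_CONF: print "ok", or the problems and return 1
wg_check_pair() {
    srv_addr=$(wg_get Interface Address "$1" | cut -d/ -f1)   # VPN-internal IP
    cli_addr=$(wg_get Interface Address "$2" | cut -d/ -f1)
    srv_port=$(wg_get Interface ListenPort "$1")
    srv_allowed=$(wg_get Peer AllowedIPs "$1" | cut -d/ -f1)  # client's internal IP
    endpoint=$(wg_get Peer Endpoint "$2")                     # public IP:port
    ep_port=${endpoint##*:}
    problems=""
    [ "$srv_allowed" = "$cli_addr" ] || problems="$problems server AllowedIPs differs from client Address;"
    [ "$ep_port" = "$srv_port" ] || problems="$problems Endpoint port differs from ListenPort;"
    [ "${srv_addr%.*}" = "${cli_addr%.*}" ] || problems="$problems Addresses are not in the same /24;"
    if [ -n "$problems" ]; then printf '%s\n' "$problems"; return 1; fi
    echo ok
}
```

The script only inspects the config files, not kernel state: the `PostUp` rules above forward client traffic only once IP forwarding is enabled (`net.ipv4.ip_forward=1`, and `net.ipv6.conf.all.forwarding=1` for the ip6tables rules).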
Also, the private IP you pick in the `Address` field should match what the