Server Configuration Details

The wireguard-install script creates several configuration files on the server to ensure WireGuard runs correctly. Understanding these files can be helpful for troubleshooting or manual adjustments.

Main Parameter File

This file stores the choices you made during the interactive installation process. It serves as the single source of truth for the script when it's run again for management tasks.

  • Location: /etc/wireguard/params

Contents

SERVER_PUB_IP=...       # Server's public IP address
SERVER_PUB_NIC=...      # Public network interface (e.g., eth0)
SERVER_WG_NIC=...       # WireGuard interface name (e.g., wg0)
SERVER_WG_IPV4=...      # Server's internal VPN IPv4 address
SERVER_WG_IPV6=...      # Server's internal VPN IPv6 address
SERVER_PORT=...         # WireGuard listening port
SERVER_PRIV_KEY=...     # Server's private key
SERVER_PUB_KEY=...      # Server's public key
CLIENT_DNS_1=...        # Primary DNS for clients
CLIENT_DNS_2=...        # Secondary DNS for clients
ALLOWED_IPS=...         # AllowedIPs mask for clients

WireGuard Server Configuration

This is the core configuration file for the WireGuard interface itself. It's read by the wg-quick utility to bring the VPN interface up.

  • Location: /etc/wireguard/wg0.conf (or a similar name if you chose a different interface name)

Contents

The file is structured into sections:

  • [Interface]: Defines the server-side of the VPN tunnel.
  • [Peer]: Each client has its own [Peer] block defining its public key and allowed IPs within the tunnel.

# Server Interface Configuration
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>

# Firewall and routing rules executed when the interface is brought up/down
PostUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT
PostUp = iptables -I FORWARD -i eth0 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

### Client client1
[Peer]
PublicKey = <CLIENT1_PUBLIC_KEY>
PresharedKey = <CLIENT1_PRESHARED_KEY>
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128

### Client client2
[Peer]
PublicKey = <CLIENT2_PUBLIC_KEY>
PresharedKey = <CLIENT2_PRESHARED_KEY>
AllowedIPs = 10.66.66.3/32,fd42:42:42::3/128

Note: The PostUp and PostDown commands will differ if your system uses firewalld instead of iptables.
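A small audit script for the wg0.conf layout shown above, added here as an example (it is not part of wireguard-install): it lists AllowedIPs claimed by two peers, peers missing a PresharedKey, PostUp rules with no matching PostDown, and reports whether the file, which holds PrivateKey, is readable only by its owner. It assumes GNU stat and the script's "### Client NAME" comments and "Key = value" spacing; the sample config it writes is constructed.

```shell
# Audit a wg0.conf laid out like the example above (added sample code, not
# from wireguard-install). Assumes GNU stat and the script's "### Client NAME"
# comments and "Key = value" spacing. Usage: source it, then run each check.

# AllowedIPs entries claimed by more than one [Peer]; WireGuard's cryptokey
# routing lets only one peer own an address, so the other client is cut off.
dup_allowed_ips() {
  sed -n 's/^AllowedIPs *= *//p' "$1" | tr ',' '\n' | sort | uniq -d
}

# Client names whose [Peer] block lacks the PresharedKey the script always sets.
peers_without_psk() {
  awk '/^### Client /{if(name!="" && !psk)print name; name=$3; psk=0}
       /^PresharedKey *=/{psk=1}
       END{if(name!="" && !psk)print name}' "$1"
}

# PostUp rules whose -D mirror is absent from PostDown (rule lingers after down).
postup_without_postdown() {
  sed -n 's/^PostUp *= *//p' "$1" | while IFS= read -r rule; do
    down=$(printf '%s' "$rule" | sed 's/ -[IA] / -D /')
    grep -qxF "PostDown = $down" "$1" || printf '%s\n' "$rule"
  done
}

# True only if the file (it holds PrivateKey) is unreadable by group and others.
mode_is_private() { [ "$(stat -c '%a' "$1")" = "600" ]; }

# Constructed sample with three deliberate defects; prints the temp file path.
write_sample_conf() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
PostUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
### Client client1
[Peer]
PublicKey = <CLIENT1_PUBLIC_KEY>
PresharedKey = <CLIENT1_PRESHARED_KEY>
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
### Client client2
[Peer]
PublicKey = <CLIENT2_PUBLIC_KEY>
AllowedIPs = 10.66.66.2/32,fd42:42:42::3/128
EOF
  printf '%s\n' "$f"
}
```

Point the three list functions at /etc/wireguard/wg0.conf; every line they print is a finding, and mode_is_private exits non-zero when the file is too permissive.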

IP Forwarding Configuration

For the server to act as a gateway and route traffic from VPN clients to the internet, IP forwarding must be enabled. The script creates a sysctl configuration file to make this change persistent across reboots.

  • Location: /etc/sysctl.d/wg.conf

Contents

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

This configuration is applied automatically by systemd-sysctl on boot, or manually by running sysctl --system.