# Automated Wireguard Setup

Before we start, you will need a Debian or Ubuntu VPS (you can get one on DigitalOcean, for example; the server used below is a Debian 10 droplet). If you prefer to use your own self-hosted server, make sure the UDP port WireGuard will listen on (the install script asks for it; it is 52225 in the example below) is forwarded by your router to the server, so that the public IP reaches the server and not just the router. WireGuard does not use ports 80 or 443. Once that's done, SSH into your server. You can use DuckDNS to get a free domain name:

![](0.png)

```
[ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf]
→ ssh root@ech4.duckdns.org
The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established.
ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts.
Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
```

Only answer `yes` to that prompt after comparing the fingerprint with the one shown in your provider's web console (or with `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` run from that console): a blindly accepted host key is exactly what makes a first-connection man-in-the-middle possible.
## **Initial Setup**

First update the system and install curl (the example server is Debian; the same commands work on Ubuntu):

```
root@debian-s-1vcpu-1gb-lon1-01:~# apt update -y && apt upgrade -y
root@debian-s-1vcpu-1gb-lon1-01:~# apt install curl -y
```

Then get angristan's script and run it. It runs as root and configures the firewall, sysctl and the WireGuard interface for you, so read through it once before executing it:

```
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh
```

Then just hit enter at everything (the defaults pick a random listening port, which is the port you need to forward if the server sits behind a NAT):

![](1.png)

![](2.png)

The script writes the client config to the /root/ folder (keys and the endpoint address are redacted in this listing):

```
root@wired:~# cat /root/wg0-client-nowhere.conf
[Interface]
PrivateKey = sIanEImIYOURKEY9ec1ttVFU=
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 176.103.130.130,176.103.130.131

[Peer]
PublicKey = uA+TgpwXFYWZjYOURKEYWqF0cC0M=
PresharedKey = FpWeYyYOURKEY8feFjN4EUzvg=
Endpoint = 278.276.383.1:52225
AllowedIPs = 0.0.0.0/0,::/0
```

Copy this file to the client over a channel you trust (scp through the SSH session you just verified, not a pastebin): whoever has it holds the client's private key and the preshared key and can connect as that peer.

## **Setting up a client**

First install wireguard-tools on the client. On Debian 10 (buster) the packages come from buster-backports:

```
echo "deb http://deb.debian.org/debian/ buster-backports main" | \
  sudo tee /etc/apt/sources.list.d/buster-backports.list
sudo apt update
sudo apt install -t buster-backports wireguard-dkms wireguard-tools
```

On a more recent distribution (kernel 5.6 and later ship WireGuard in-tree), wireguard-tools plus resolvconf (which wg-quick uses to apply the DNS= line) is enough:

```
[ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
→ sudo apt install wireguard-tools resolvconf -y

[ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
→ which wg-quick
/usr/bin/wg-quick
```

Save the client config locally as /etc/wireguard/wg0.conf and make it readable by root only, since it holds the private key:

```
sudo nano /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/wg0.conf
```

Then just run wg-quick to launch WireGuard, and wg to check the status:

```
[ 192.168.100.1/24 ] [ /dev/pts/11 ] [~]
→ wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.66.66.2/32 dev wg0
[#] ip -6 address add fd42:42:42::2/128 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

[ 192.168.100.1/24 ] [ /dev/pts/11 ] [~]
→ sudo wg
interface: wg0
  public key: Zhjn3QNON+LYOURKEYU0bjyE=
  private key: (hidden)
  listening port: 42771
  fwmark: 0xca6c

peer: uA+TgpwXFYWZjYOURKEYqF0cC0M=
  preshared key: (hidden)
  endpoint: 278.276.383.1:52225
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 4 seconds ago
  transfer: 4.26 KiB received, 6.11 KiB sent
```

A recent "latest handshake" is what tells you the tunnel is really up: without one, everything is still routed into wg0 (because AllowedIPs covers 0.0.0.0/0) and silently dropped. You can check your public IP with the following command; it should now return the VPS address:

```
[ 192.168.100.1/24 ] [ /dev/pts/11 ] [~]
→ curl ifconfig.me
278.276.383.1
```

## **Advanced Usage**

You can use the following command to start WireGuard when the system boots:

```
systemctl enable --now wg-quick@wg0
```

Once WireGuard is active, you won't be able to reach the other local subnets anymore:

```
→ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3070ms
```

As you can see, with the WireGuard connection up I cannot reach my home router:

![](3.png)

The reason is visible in the wg-quick output above: it sends everything through routing table 51820 (whose only route is a default via wg0) and consults the main table first but with `suppress_prefixlength 0`, meaning only main-table routes more specific than a default route still count. The client's own 10.0.0.0/16 stays reachable through its connected route, but 192.168.0.0/24 used to be reached through the default gateway 10.0.0.1, and that default route is now ignored. So to fix this, I add a route for that subnet through the home router manually:

```
[ 10.66.66.2/32 ] [ /dev/pts/25 ] [~]
→ sudo ip route add 192.168.0.0/24 via 10.0.0.1 dev eth0

[ 10.66.66.2/32 ] [ /dev/pts/25 ] [~]
→ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=63 time=3.42 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=63 time=5.03 ms
^C
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 3.419/4.222/5.025/0.803 ms

[ 10.66.66.2/32 ] [ /dev/pts/25 ] [~]
→ sudo ip route del 192.168.0.0/24 via 10.0.0.1 dev eth0

[ 10.66.66.2/32 ] [ /dev/pts/25 ] [~]
→ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4077ms
```

If you need to access local networks (like 192.168.0.0/24 or 10.2.0.0/16) while keeping the WireGuard connection up, make those routes part of the client config with the PostUp and PostDown parameters, so wg-quick adds them after the interface comes up and removes them when it goes down:

```
[ 10.66.66.2/32 ] [ /dev/pts/25 ] [~]
→ sudo vim /etc/wireguard/wg0.conf

[Interface]
PrivateKey = AAAA=
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 1.1.1.1, 1.0.0.1
PostUp = ip route add 192.168.0.0/24 via 10.0.0.1 dev eth0 ; ip route add 10.0.0.0/24 dev eth0
PostDown = ip route del 192.168.0.0/24 via 10.0.0.1 dev eth0 ; ip route del 10.0.0.0/24 dev eth0

[Peer]
PublicKey = BBBBBB=
PresharedKey = CCCCCC=
Endpoint = 78.x.x.x:57692
AllowedIPs = 0.0.0.0/0, ::/0
:wq
```

Hosts in those subnets are then reached directly over eth0, outside the tunnel, so keep the list to networks you actually trust.

With this configuration you can even use local DNS servers. For example I have two Pi-holes at **192.168.0.198** and **192.168.0.199**; thanks to the route rules I can reach them, so I can use them like so:

```
[ 10.66.66.2/32 ] [ /dev/pts/25 ] [~]
→ sudo vim /etc/wireguard/wg0.conf
[...]
DNS = 192.168.0.199,192.168.0.198
[...]
:wq
```

Note: that solution isn't the best, because the Pi-holes forward your queries to their upstream resolvers from your home connection, so your DNS traffic reveals your real location even though everything else exits at the VPS. You can see it on DNSLeakTest [here](https://www.dnsleaktest.com/results.html). Instead I recommend choosing public DNS server IPs by location on public-dns.info [here](https://public-dns.info/#countries): simply pick two DNS servers in the same country as your VPS, so that the queries travel inside the tunnel and appear to come from there.
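Two things in the section above are easy to get subtly wrong by hand: the contents of wg0.conf (a placeholder key left in, world-readable permissions, a LAN resolver behind a full tunnel) and the list of local subnets that must stay off the tunnel. The following is an added example, not code from this post or from angristan's script: it sanity-checks a wg-quick client config, and, as an alternative to the PostUp/PostDown routes, carves the local subnets out of AllowedIPs so that wg-quick never installs a tunnel route for them in the first place. The sample config, the all-"A" keys (correct length only, not a real key pair) and the 203.0.113.10 endpoint are constructed for the demo; the function names are this example's own.

```python
"""Sanity-check a wg-quick client config and, as an alternative to the PostUp/PostDown
routes above, carve the LAN subnets out of AllowedIPs.  Added example for this post, not
code from the page or from angristan's script; it cannot verify PublicKey is your server's."""
import base64
import binascii
import ipaddress


def parse_conf(text):
    """Minimal INI parser for wg-quick files: list of (section, {key: value})."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1], current))
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def is_wg_key(value):
    """WireGuard keys are exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def check_conf(text, mode=None):
    """Return a list of problems; pass os.stat(path).st_mode as mode to check permissions too."""
    problems, tunnelled, dns = [], False, []
    if mode is not None and mode & 0o077:
        problems.append("file is group/world readable: chmod 600 it, it holds the private key")
    for section, keys in parse_conf(text):
        expected = ["PrivateKey"] if section == "Interface" else ["PublicKey"]
        if "PresharedKey" in keys:
            expected.append("PresharedKey")
        for key in expected:
            if not is_wg_key(keys.get(key, "")):
                problems.append(f"{section} {key} is missing or not a 32-byte base64 key")
        if section == "Interface":
            dns += [d.strip() for d in keys.get("DNS", "").split(",") if d.strip()]
        elif section == "Peer":
            try:
                nets = [ipaddress.ip_network(n.strip()) for n in keys.get("AllowedIPs", "").split(",") if n.strip()]
            except ValueError:
                problems.append("Peer AllowedIPs contains something that is not a CIDR")
                nets = []
            # probe with an arbitrary public address: does the tunnel carry Internet traffic?
            tunnelled = tunnelled or any(ipaddress.ip_address("1.1.1.1") in n for n in nets)
    for d in dns:
        try:
            private = ipaddress.ip_address(d).is_private
        except ValueError:
            continue  # wg-quick also accepts search domains on the DNS= line
        if tunnelled and private:  # the Pi-hole case discussed in the post
            problems.append(f"DNS {d} is a LAN resolver: its upstream queries leave from your real IP")
    return problems


def allowed_ips_excluding(local_subnets, base=("0.0.0.0/0", "::/0")):
    """Full-tunnel AllowedIPs minus local_subnets: wg-quick installs one route per
    entry, so a subnet left out keeps its LAN route and needs no PostUp hook."""
    nets = [ipaddress.ip_network(b) for b in base]
    for sub in map(ipaddress.ip_network, local_subnets):
        kept = []
        for net in nets:
            if net.version != sub.version or not net.overlaps(sub):
                kept.append(net)
            elif sub.subnet_of(net):
                kept.extend(net.address_exclude(sub))  # a net lying inside sub is simply not kept
        nets = kept
    out = []
    for version in (4, 6):  # collapse_addresses refuses mixed address families
        out.extend(ipaddress.collapse_addresses([n for n in nets if n.version == version]))
    return out


def rewrite_allowed_ips(text, local_subnets):
    """Replace the AllowedIPs line(s) with the carved list (meant for full-tunnel peers)."""
    carved = "AllowedIPs = " + ",".join(map(str, allowed_ips_excluding(local_subnets)))
    lines = [carved if ln.split("=")[0].strip() == "AllowedIPs" else ln for ln in text.splitlines()]
    return "\n".join(lines) + "\n"


# Constructed sample in the shape of the wg0-client-*.conf the script writes: the keys have
# the right length only, 203.0.113.10 is a documentation address, DNS is the LAN Pi-holes.
ZERO_KEY = "A" * 43 + "="
SAMPLE_CONF = f"""[Interface]
PrivateKey = {ZERO_KEY}
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 192.168.0.199,192.168.0.198
[Peer]
PublicKey = {ZERO_KEY}
PresharedKey = {ZERO_KEY}
Endpoint = 203.0.113.10:52225
AllowedIPs = 0.0.0.0/0,::/0
"""
```

Run `check_conf` on the file (with `os.stat(path).st_mode` as the second argument) before `wg-quick up`; on the sample it reports the two Pi-hole resolvers, and on the page's placeholder keys it reports both keys as invalid. `rewrite_allowed_ips(SAMPLE_CONF, ["192.168.0.0/24", "10.0.0.0/16"])` replaces `0.0.0.0/0` with 38 prefixes that together cover everything except those two subnets (and keeps `::/0`); with that list wg-quick installs plain routes instead of the fwmark/table 51820 setup, the LAN keeps its normal routes, and the PostUp/PostDown lines can go. The trust caveat is the same either way: the excluded hosts are reached in the clear.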
Then restart WireGuard to reload the configuration (wg-quick only reads the file at `up`; note the PostDown hook running on the way down and PostUp on the way up):

```
[ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
→ sudo wg-quick down wg0
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] resolvconf -d tun.wg0 -f
[#] nft -f /dev/fd/63
[#] ip route del 192.168.0.0/24 via 10.0.0.1 dev eth0 ; ip route del 10.0.0.0/24 dev eth0

[ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
→ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.66.66.2/32 dev wg0
[#] ip -6 address add fd42:42:42::2/128 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
[#] ip route add 192.168.0.0/24 via 10.0.0.1 dev eth0 ; ip route add 10.0.0.0/24 dev eth0
```

You can also do it with systemctl directly (polkit asks for your password when you are not root):

```
[ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
→ systemctl stop wg-quick@wg0
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to stop 'wg-quick@wg0.service'.
Authenticating as: nothing,,, (nothing)
Password:
==== AUTHENTICATION COMPLETE ===

[ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
→ systemctl start wg-quick@wg0
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to start 'wg-quick@wg0.service'.
Authenticating as: nothing,,, (nothing)
Password:
==== AUTHENTICATION COMPLETE ===

[ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
→ systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
     Active: active (exited) since Fri 2021-06-11 19:12:53 CEST; 1s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 3988248 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 3988248 (code=exited, status=0/SUCCESS)
        CPU: 143ms
```

`active (exited)` is the normal state here: the unit is a oneshot that only ran wg-quick, so it says nothing about whether the peer is actually answering. Use `wg` and look at the latest handshake for that.

You can also add a zshrc / bashrc function that toggles the tunnel and prints the resulting public IP (here the server is nicknamed Temple):

```
[ 10.66.66.2/32 ] [ /dev/pts/16 ] [blog/servers/wireguard_auto]
→ vim ~/.zshrc
[...]
temple(){
    GREEN="\033[0;32m"
    RED="\033[0;31m"
    ORANGE="\033[0;33m"
    NC="\033[0m"
    # test for the interface itself instead of grepping "wg0" out of `ip a`,
    # which would also match unrelated names such as wg01
    if ! ip link show dev wg0 > /dev/null 2>&1; then
        echo -en "${GREEN}[+]${NC} WireGuard is ${RED}DOWN${NC}, ${ORANGE}connecting to Temple...${GREEN}\n\n"
        sudo wg-quick up wg0
        echo -en "\n${GREEN}[+]${NC} your public ip is : ${GREEN} $(curl -s ifconfig.me) ${NC}\n"
    else
        echo -en "${GREEN}[+]${NC} WireGuard is ${GREEN}UP, ${ORANGE}disconnecting from Temple...${RED}\n\n"
        sudo wg-quick down wg0
        echo -en "\n${GREEN}[+]${NC} your public ip is : ${ORANGE} $(curl -s ifconfig.me) ${NC}\n"
    fi
}
[...]
:wq
```