# Setting up Wireguard

## Steps
### Step 1: Install the dependencies
Here you will be needing to install the packages that wireguard needs to work.

```bash
## Debian or Ubuntu
sudo apt install wireguard

## RHEL-based
sudo dnf install wireguard-tools
```

### Step 2: Setup wireguard interface configs
This step requires you to do multiple things:  
1. Generate a private & public key for both the server and client
2. Create a wireguard interface config for both the server & client
	- In this step you will need to choose an IP for both server and client (the usual choice is on a subnet included in 10.0.0.0/8 (ex: 10.200.1.x/24)).

#### A: Create Pub & Priv keys (server & client)
Here we will generate a private and public key for both the server & client.
```bash
## Much of this will be inline commands with pipes, but feel free to seperate them if you feel you need to.
### Generate pub and priv key for server
wg genkey | tee wg0-server-privkey | wg pubkey > wg0-server-pubkey

### Generate pub and priv key for first client
wg genkey | tee wg0-client-privkey | wg pubkey > wg0-client-pubkey

## This is the networks you want your client to have access to (configured in the client's wg0.conf)
networks=10.200.1.0/24,192.168.1.0/24

## This is just my example IPs for a basic setup, you can use your own (it won't matter as long as they are valid addresses)
### The server IP needs to be one that will be on the network 10.200.1.0/24 (with the /24 at the end signifying the subnet mask)
server_ip=10.200.1.1/24

### While you can just use 10.200.1.0/24 on the AllowedIPs, it will cause issues when you are wanting to setup more peers/clients to use that interface.
### to be able to provide VPN connections for multiple clients you will need to scope it down to a specific IP using the /32 netmask
### otherwise all connections will have issues when you try to reload the wg interface config (as it will try to forward all traffic accross all peers)
client_ip=10.200.1.2

masquerade_interface=eno1 # You will need to find out what interface you want/need to use (just look it up with "ip address" or "ifconfig" (whatever your util is))

### This will actually generate the config using bash, but feel free to do it manually (for your choice of IPs you will need to make sure you are consistant between the server and client peer configs)
cat > wg0-server.conf <<EOF
[Interface]
Address = $server_ip
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $masquerade_interface -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $masquerade_interface -j MASQUERADE
## This can be any port, this is just the standard port that most choose when using wireguard
ListenPort = 51820
PrivateKey = $(<wg0-server-privkey)

[peer]
# This needs to be pubkey/public key of the peer
PublicKey = $(<wg0-client-pubkey)
AllowedIPs = $client_ip/32
# This will just have the server ping the client every x seconds to make sure the connection stays alive (since it's using UDP a stateless protocol)
PersistentKeepalive = 24
EOF

: "
Note:
You can configure MULTIPLE peers when creating the server config (to allow it to provide multiple clients VPN services off the same port). 

But when doing so you will need to setup the AllowedIPs of each peer to be a single ip (EX: 10.200.1.x/32) , or else it will confuse wg. To do this you just need to setup an additional peer section with the new peers pubkey and ip.
"

cat > wg0-client.conf <<EOF
[Interface]
Address = $client_ip/24
PrivateKey = $(<wg0-client-privkey)

[peer]
# This needs to be pubkey/public key of the server
PublicKey = $(<wg0-server-pubkey)
### This is where you configure what networks you want your wireguard interface to access on the other end (if the masquerading interface has access to them)
AllowedIPs = $networks 
# This will just have the server ping the server every x seconds to make sure the connection stays alive (since it's using UDP a stateless protocol)
PersistentKeepalive = 24
EOF
```

### Step 3: Configure server to allow interface masquerading
By default most systems don't allow for programs to setup interface masquerading. So you need to change a config in /etc/sysctl.conf to allow for forwarding/masquerading.

In the config file you will either need to add or uncomment the following line to allow for wireguard to masquerade as another interface (giving you access to the network it is connected to).

	net.ipv4.ip_forward=1
	
Afterwards you will likely need to load the change into your system.

```bash
## Can also use "sudo sysctl --system" to just have it reload all configs
sudo sysctl --load=/etc/sysctl.conf

# or just manually set it

sudo sysctl net.ipv4.ip_forward=1
```


### Step 4: Setup persistant service on server (or client)
Here is where you will setup a service to make sure your wg iterface will be restarted/started after boot or reboot.

```bash
# Systemd as init system
## Replace wg# with the wg interface you named/created in step 2
systemctl enable wg-quick@wg#
```

Note: For a distro using another init system (initrc, openrc, sysvinit, etc) you will need to either implement it as an ifup/ifdown script, network-script, or some other method.


### Step 4: Deploy on client and server
This is simple. You just have to put the config we generated in step 2 in the /etc/wireguard directory as wg#.conf (with # being the wireguard interface number (can be anything)) on both the server and client.


### Step 5: Setup port forwarding on router/gateway
For this step you just need to get on your router and port-forward a port on the router to the port configured on your server. I cannot provide the specific how-to for that since I cannot account for all the different devices that you may be using.

### Step 6: Test work
Now all you have to do is test your config work. 

Just go ahead issue this command on your server and client (while off your home network)

```bash
sudo wg-quick up wg#
```

After this you should see packets/traffic (transfer) when running "wg" to see how much data has been transferred to & from the interface. If you experience any issues you can send me an email and I can see if I can troubleshoot with you.