Difference between revisions of "Wireguard"

From UVOO Tech Wiki
Latest revision as of 16:52, 17 January 2021

Simple example of setting up Wireguard on two hosts (extend the same pattern for more hosts)

host1 and host2

apt install wireguard wireguard-tools
cd /etc/wireguard/
wg genkey | tee key.sec | wg pubkey > key.pub
cat key.sec
cat key.pub

Use key.sec and key.pub in the configs on each host: each host's own key.sec goes into its [Interface] PrivateKey, and the other host's key.pub goes into the [Peer] PublicKey. Run wg genpsk on one host only and copy the same value into the [Peer] section on both hosts.

host1 /etc/wireguard/wg0.conf (wg0 will be the interface name shown by "ip a")

[Interface]
Address = 10.254.1.1/24
ListenPort = 123  # Please change; host2's Endpoint must use this port
PrivateKey = <base64 encoded key.sec>  # wg genkey (host1's own key.sec)


[Peer]
PublicKey = <base64 encoded key>  # wg pubkey (host2's key.pub)
PresharedKey = <base64 encoded key>  # wg genpsk (same value on both hosts)
AllowedIPs = 10.254.1.0/24
Endpoint = <reachable_ip>:123  # host2's reachable address and host2's ListenPort
PersistentKeepalive = 25

host2 /etc/wireguard/wg0.conf (wg0 will be the interface name shown by "ip a")

[Interface]
Address = 10.254.1.2/24
ListenPort = 123  # Please change; host1's Endpoint must use this port
PrivateKey = <base64 encoded key>  # wg genkey (host2's own key.sec)


[Peer]
PublicKey = <base64 encoded key>  # wg pubkey (host1's key.pub)
PresharedKey = <base64 encoded key>  # wg genpsk (same value on both hosts)
AllowedIPs = 10.254.1.0/24
Endpoint = <reachable_ip>:123  # host1's reachable address and host1's ListenPort
PersistentKeepalive = 25

Do on both host1 and host2

wg-quick up wg0
wg show

Test on both host1 and host2

ping -c4 10.254.1.1
ping -c4 10.254.1.2
tcpdump -npi wg0
tcpdump -npi <endpoint interface> port 123

Traffic for 10.254.1.0/24 should go through wg0, and on the endpoint interface you should see UDP port 123 carrying the encapsulated (encrypted) packets.

Down/remove interface

wg-quick down wg0

Routing/Firewall

UDP port 123 must be open in the firewall. You can route traffic into the tunnel as wanted by adjusting AllowedIPs. Modify firewall rules as needed.

Notes

# echo <base64 private key> | wg pubkey
# wg genkey | tee key.sec | wg pubkey > key.pub

Possibly useful wg0.conf options

SaveConfig = true  # wg-quick rewrites wg0.conf from the running interface on "wg-quick down", so hand-written comments in the file are lost

Refs