@brennanMKE
Created April 4, 2025 20:26
Tailscale and WireGuard

(via ChatGPT)

🔧 Overview: Platform Features Supporting WireGuard & Tailscale

Modern OSes like macOS, Linux, Windows, and iOS have built-in support for networking features that make tools like WireGuard and Tailscale work smoothly:

💡 Core Platform Features Used

| Feature | Description | Used By |
|---|---|---|
| TUN/TAP Interfaces | Virtual network interfaces used to send/receive encrypted packets | WireGuard & Tailscale |
| Kernel Networking Stack | Handles IP routing, NAT traversal, and packet filtering | WireGuard (kernel module), Tailscale (user-space) |
| UDP Sockets | Used to send encrypted WireGuard packets | Both |
| Multicast DNS (mDNS) & UPnP/NAT-PMP | Helps local device discovery and NAT traversal | Tailscale |
| System Keychain/Secrets | Used to securely store private keys and credentials | Tailscale clients on macOS/iOS |
| LaunchAgents / Daemons | Background service support on macOS | Tailscale client |

🔒 WireGuard vs Tailscale

| Feature | WireGuard | Tailscale |
|---|---|---|
| Peer-to-peer VPN | ✅ | ✅ |
| Encryption | ✅ (ChaCha20, Curve25519) | ✅ (via WireGuard) |
| Key Management | ❌ Manual | ✅ Automatic |
| NAT Traversal | ❌ Needs config | ✅ Built-in with DERP/STUN |
| Device Discovery | ❌ | ✅ MagicDNS, etc. |
| Access Control | ❌ | ✅ ACLs, admin panel |
| Source | Fully open source | Mostly open source with closed coordination backend |

👣 Step-by-Step: Manually Setting Up WireGuard Between Two Devices

Let’s create a simple peer-to-peer WireGuard VPN between two devices, say your MacBook and a remote Linux server.

⚠️ This is a manual setup for learning; Tailscale automates this for you.

🧰 Prerequisites

  • WireGuard installed on both devices
  • SSH access to your remote server
  • A public IP or port-forwarded address for the server

🔑 Step 1: Install WireGuard

On macOS:

brew install wireguard-tools

On Linux:

sudo apt install wireguard

πŸ” Step 2: Generate Key Pairs

On each device (MacBook and Server):

wg genkey | tee privatekey | wg pubkey > publickey

You’ll now have:

  • privatekey
  • publickey

πŸ“ Step 3: Create Config Files

Let’s say:

Device Internal VPN IP Public IP
MacBook 10.0.0.2 (dynamic)
Server 10.0.0.1 203.0.113.1

📄 On the MacBook (/usr/local/etc/wg0.conf or wherever your wg-quick expects):

[Interface]
PrivateKey = <MacBook_Private_Key>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <Server_Public_Key>
Endpoint = 203.0.113.1:51820
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25

📄 On the Server (/etc/wireguard/wg0.conf):

[Interface]
PrivateKey = <Server_Private_Key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <MacBook_Public_Key>
AllowedIPs = 10.0.0.2/32

🔄 Step 4: Start the WireGuard Interface

On the Linux server:

sudo wg-quick up wg0

On macOS:

sudo wg-quick up wg0

✅ You can now ping 10.0.0.1 from your MacBook and 10.0.0.2 from the server.


✅ Step 5: Test & Use

Try:

ping 10.0.0.1

Or SSH to the server via its VPN IP (10.0.0.1).

🎉 You now have a working private VPN between two devices.
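Before running Step 4, a practitioner usually wants a pre-flight check on what Steps 2 and 3 produced. The script below is an added example, not part of the gist: it writes both wg0.conf files from the Step 3 table, keeps them owner-readable only (the private key is inside), and lints them for the things wg-quick would otherwise reject or silently accept. The names macbook.conf, server.conf, valid_key, render_conf and lint_conf are this example's own, and DUMMY_KEY is a constructed placeholder with the shape of a `wg genkey` output, not a real key.

```shell
#!/usr/bin/env bash
# Added example, not from the gist: render the two wg0.conf files from the
# Step 3 table and lint them before `wg-quick up`. DUMMY_KEY is a constructed
# placeholder (32 zero bytes, base64) that only has the shape `wg genkey` prints.
set -eu
cd "$(mktemp -d)"
DUMMY_KEY=$(head -c 32 /dev/zero | base64)   # 43 x 'A' followed by '='
# A WireGuard key is 32 bytes: 44 base64 chars ending in one '=', and the 43rd
# char carries 4 data bits plus 2 zero bits, so only every 4th alphabet char is
# canonical there. `wg` rejects anything else; catch it before wg-quick does.
valid_key() {
  [ "${#1}" -eq 44 ] && printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# render_conf macbook|server PRIVKEY PEER_PUBKEY  -> writes ROLE.conf, mode 0600
render_conf() (
  role=$1 priv=$2 peerpub=$3 out="$1.conf"
  valid_key "$priv" && valid_key "$peerpub" || { echo "$role: malformed key" >&2; exit 1; }
  umask 077   # a private key lives in this file; subshell body keeps the umask local
  if [ "$role" = macbook ]; then
    printf '[Interface]\nPrivateKey = %s\nAddress = 10.0.0.2/24\nDNS = 1.1.1.1\n\n' "$priv"
    printf '[Peer]\nPublicKey = %s\nEndpoint = 203.0.113.1:51820\n' "$peerpub"
    printf 'AllowedIPs = 10.0.0.1/32\nPersistentKeepalive = 25\n'
  else
    printf '[Interface]\nPrivateKey = %s\nAddress = 10.0.0.1/24\nListenPort = 51820\n\n' "$priv"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 10.0.0.2/32\n' "$peerpub"
  fi > "$out"
)

# lint_conf FILE -> 0 when the file is safe to hand to wg-quick, else 1 and a reason
lint_conf() {
  f=$1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD/macOS
  [ "$mode" = 600 ] || { echo "$f: mode $mode lets other users read the private key" >&2; return 1; }
  valid_key "$(sed -n 's/^PrivateKey *= *//p' "$f")" || { echo "$f: bad PrivateKey" >&2; return 1; }
  # Cryptokey routing: AllowedIPs is also the source filter for that peer, so in
  # this point-to-point setup each side should list exactly the other's /32.
  sed -n 's/^AllowedIPs *= *//p' "$f" | tr ',' '\n' | while read -r net; do
    case $net in */32) ;; *) echo "$f: AllowedIPs $net is wider than one host" >&2; exit 1;; esac
  done || return 1
  # A side with neither an Endpoint (it dials out) nor a ListenPort (it waits)
  # can never complete a handshake, the usual cause of "ping just hangs".
  grep -q '^Endpoint' "$f" || grep -q '^ListenPort' "$f" || { echo "$f: no Endpoint or ListenPort" >&2; return 1; }
}

# Each side gets its own private key and the other side's public key.
render_conf macbook "$DUMMY_KEY" "$DUMMY_KEY"
render_conf server  "$DUMMY_KEY" "$DUMMY_KEY"
lint_conf macbook.conf && lint_conf server.conf && echo "both configs pass lint"
```

On a real host, run lint_conf against /etc/wireguard/wg0.conf after substituting the keys from Step 2. An AllowedIPs wider than /32 is legitimate when you intend to route more than the single peer, which this two-device setup does not.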


💡 Bonus: Why Use Tailscale?

Tailscale:

  • Automates everything above
  • Sets up a mesh network (all devices connect directly or relay if needed)
  • Adds security, identity (SSO), and DNS without you needing to touch config files
  • Great for teams, personal use, or remote IoT devices

You can still use WireGuard manually if you want full control, especially for self-hosted setups or learning purposes.
