Created
June 22, 2025 18:20
Wireguard self-hosted VPN config for both IPv4 and IPv6
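# WireGuard client config (full tunnel, IPv4 and IPv6).
# Run on the client machine with wg-quick from wireguard-tools:
#   sudo wg-quick up ./foo.conf
# This file holds the client's private key: keep it readable by its owner only
# (wg-quick warns when a config file is world accessible).

[Interface]
# Tunnel addresses of this client. They must match the AllowedIPs entry for
# this peer in the server config.
Address = 10.200.200.2/32, fd42:42:42::2/128
# CHANGEME: Set client private key here
PrivateKey = clientprivatekey
# Google DNS. Every lookup made while the tunnel is up goes to this
# third-party resolver; swap in a resolver you trust if that matters to you.
DNS = 8.8.8.8
DNS = 2001:4860:4860::8888

[Peer]
# CHANGEME: Set server public key here
PublicKey = serverpublickey
# CHANGEME: Replace serveripv6 with the server's address.
# An IPv6 address must be wrapped in square brackets, as shown here;
# an IPv4 address is written without brackets.
Endpoint = [serveripv6]:51820
# Send all IPv4 and IPv6 traffic through the tunnel (full-tunnel VPN).
AllowedIPs = 0.0.0.0/0, ::/0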
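# WireGuard server config (IPv4 and IPv6, NAT to the internet).
# Place in /etc/wireguard/wg0.conf
# This file holds the server's private key: keep it readable by root only
# (wg-quick warns when a config file is world accessible).
# Install wireguard-tools
# Then start with:
#   sudo wg-quick up wg0
# You can also set up a service with systemd
#   systemctl enable wg-quick@wg0.service
#   systemctl start wg-quick@wg0.service
# Generate Wireguard keypairs with:
#   wg genkey | (umask 0077 && tee peer_A.key) | wg pubkey > peer_A.pub
# Do this once for the server pair, and once for each client pair.
# peer_A.key is the private key and stays on the machine that owns it;
# only the .pub value is copied into the other side's config.

[Interface]
Address = 10.200.200.1/24, fd42:42:42::1/64
ListenPort = 51820
# CHANGEME: Set server private key here
PrivateKey = serverprivatekey
# wg-quick replaces %i with the interface name (wg0 for this file).
# CHANGEME: eth0 is assumed to be the server's outbound interface; adjust the
# MASQUERADE rules if yours has a different name.
# NOTE(review): "-o %i -j ACCEPT" accepts every packet forwarded into the
# tunnel, not only replies to traffic the peers started. If peers should not be
# reachable from other networks, limit that rule with
# "-m conntrack --ctstate RELATED,ESTABLISHED" (and mirror it in PostDown).
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Turn on packet forwarding for IPv6 and IPv4. PostDown below removes the
# firewall rules but does not switch forwarding off again.
PostUp = echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
PostUp = echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
# Remove exactly the rules that PostUp added.
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# One [Peer] section per client. AllowedIPs lists the only tunnel addresses
# the server accepts from that client, so give every client its own /32 and
# /128 and never reuse them.
[Peer]
# foo
# CHANGEME: Set client public key here
PublicKey = clientpublickey
AllowedIPs = 10.200.200.2/32, fd42:42:42::2/128

[Peer]
# bar
# CHANGEME: Set client2 public key here
PublicKey = client2publickey
AllowedIPs = 10.200.200.3/32, fd42:42:42::3/128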