There are plenty of guides on how to set up WireGuard; this is mine. It aims to be quick and easy to set up, and is specifically for the “road warrior” scenario for my phone when I’m out on the move.

I’ve also noticed that some guides make it overly complicated to configure the WireGuard app, when it’s easy using a QR code generated right from the command line using qrencode.

Pre-requisites

Install the following pre-requisites:

sudo apt update
sudo apt install -y wireguard qrencode

Generate your server (gateway) keys

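# Generate the private key; tee's stdout is discarded so the key is not echoed to the terminal
wg genkey | sudo tee /etc/wireguard/private.key > /dev/null
# Remove all group/other permissions from the private key
sudo chmod go= /etc/wireguard/private.key
# Derive the public key from the private key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key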

Generate your server configuration

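# umask 077 keeps wg0.conf (which embeds the private key) readable by root only.
# eth0 is assumed to be the Internet-facing interface; adjust it below if yours differs.
sudo su -c 'umask 077; cat <<EOF > /etc/wireguard/wg0.conf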
[Interface]
PrivateKey = `cat /etc/wireguard/private.key`
Address = 10.32.0.1/24
ListenPort = 51820
SaveConfig = true
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF'

Start the WireGuard server

sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service

Once started, check the status.

sudo systemctl status wg-quick@wg0.service

Generate client (peer) keys and configuration

The bash script below generates client keys and a configuration that routes all traffic over the WireGuard tunnel. The configuration is piped to qrencode to generate a QR code that you can use to configure your phone.

# Careful: Don't do this on a shared system
export PEER_PRIVATE_KEY=$(wg genkey)
export PEER_PUBLIC_KEY=$(echo "$PEER_PRIVATE_KEY" | wg pubkey)
# Attempt to get the public-facing address of the gateway
export ENDPOINT_IP=$(curl -s https://ipinfo.io/ip)

# Register the peer on the server with its tunnel address
sudo wg set wg0 peer "$PEER_PUBLIC_KEY" allowed-ips 10.32.0.2/32

cat <<EOF | qrencode -t utf8
[Interface]
PrivateKey = $PEER_PRIVATE_KEY
DNS = 1.1.1.1
Address = 10.32.0.2/32

[Peer]
PublicKey = `sudo cat /etc/wireguard/public.key`
AllowedIPs = 0.0.0.0/0
Endpoint = $ENDPOINT_IP:51820
EOF

unset PEER_PRIVATE_KEY

After the above has finished executing, a QR code will be output in your console, ready to scan.
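
The script above always assigns 10.32.0.2/32, so a second peer needs a different address. The following is an added example (not part of the original guide) that picks the lowest unused address in 10.32.0.0/24 from the output of `wg show wg0 allowed-ips`. The function names `next_peer_ip` and `sample_peers` are hypothetical, and the sample peer list is constructed.

```shell
#!/bin/sh
# Added example: choose the next free tunnel address for a new peer.
# Assumes the 10.32.0.0/24 subnet with the server on .1, as on this page.

# next_peer_ip reads `wg show wg0 allowed-ips` output on stdin, one peer per line:
#   <peer public key><TAB><allowed-ip> [<allowed-ip> ...]   (or "(none)")
# It prints the lowest free 10.32.0.x/32, or returns 1 if the subnet is full.
next_peer_ip() {
    prefix="10.32.0"
    used=" 1 "                      # .1 is the server's own address
    tab=$(printf '\t')
    while IFS="$tab" read -r key ips; do
        for ip in $ips; do
            case "$ip" in
                "$prefix".*/32)
                    host=${ip#"$prefix".}
                    used="$used${host%/32} "
                    ;;
            esac
        done
    done
    host=2
    while [ "$host" -le 254 ]; do
        case "$used" in
            *" $host "*) ;;         # already allocated to a peer
            *) printf '%s.%s/32\n' "$prefix" "$host"; return 0 ;;
        esac
        host=$((host + 1))
    done
    return 1
}

# Constructed sample of `wg show wg0 allowed-ips` output (keys are placeholders).
sample_peers() {
    printf 'PLACEHOLDER_KEY_PHONE=\t10.32.0.2/32\n'
    printf 'PLACEHOLDER_KEY_LAPTOP=\t10.32.0.3/32 10.32.0.5/32\n'
    printf 'PLACEHOLDER_KEY_UNUSED=\t(none)\n'
}

# On the gateway: PEER_IP=$(sudo wg show wg0 allowed-ips | next_peer_ip)
sample_peers | next_peer_ip
```

Use the returned value in place of 10.32.0.2/32 in both the `wg set` command and the client's `Address` line.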

WireGuard quick reference commands

Below are some quick reference commands to help manage WireGuard.

Show status

sudo wg

Remove a specific peer

sudo wg set wg0 peer "$PEER_PUBLIC_KEY" remove

Remove all peers

sudo wg show wg0 peers | while read -r line; do sudo wg set wg0 peer "$line" remove; done 

Restart WireGuard service

sudo systemctl restart wg-quick@wg0.service