Skip to content

WireGuard VPN

Server setup

To use the VPN feature you need a running Wireguard server to connect to.

The installation instructions are best covered on the official Wireguard website: https://www.wireguard.com/install/.

Next steps are covered in their quickstart guide: https://www.wireguard.com/quickstart/.

Terminology

While Wireguard uses peers in their terminology, we will refer to the UZG device as peer and to the Wireguard server as server.

Keys

Private/Public key-pair

Peer authentication is achieved using a private/public key-pair. To generate the keys you can use the built-in wg command:

$ mkdir wg-keys
$ cd wg-keys
$ umask 077
$ wg genkey | tee privatekey | wg pubkey > publickey
This will create two files with private and public key respectively. You can use those later in the configuration process.

Each peer (and server) should have a unique key-pair. Private keys should only ever be known to the "owner" of the key-pair, wheras public key can be shared with other peers or servers.

Pre-shared key

Optionally, you can add another layer of cryptographic protection to your VPN with the PreSharedKey. It adds a layer of symmetric-key cryptography to the traffic between specific peers.

You can generate the key using the wg command:

$ wg genpsk > psk

Config generator

There is also a handy config generator website: https://www.wireguardconfig.com/. Make sure to note the Random seed so you can replicate the configuration and keys if needed.

Wireguard peer configuration

WireGuard Interface Settings

  • IP address of the local interface

    This is the local peer IP address of the WireGuard interface. It should match AllowedIPs section in server config.

  • Local Subnet

    The subnet for the local peer IP address. If unsure, a safe bet would be 255.255.255.0.

  • Local port

    Port number of the local interface, normally 33333.

  • Local Gateway

    A gateway to use on the VPN interface. It can be either the Wireguard server IP (see Example) or 0.0.0.0.

  • Private key of the local interface

    The private key of the local peer. (see Private/Public key-pair)

  • Address of the endpoint peer

    Address of the WG server

  • Public key of the endpoint peer

    The public key of the WG server. (see Private/Public key-pair)

  • Port of the endpoint peer

    Port of the WG server, normally 51820

  • Allowed IPs

    A comma separated list of the IPs allowed to connect to this device via WG

  • Allowed Subnet

    A comma separated list of the subnets allowed to connect to this device via WG

  • Make default

    Use this as the default Wireguard configuration.

  • Pre-shared key

    Optional key to encrypt traffic between peers (see Pre-shared key). Leave blank if unused.

Example

Demo data

Please generate new keys and use appropriate IP ranges for use in real life scenarios! (see Private/Public key-pair)

Server Peer
Public IP 1.2.3.4 *.*.*.*
Wireguard IP 10.100.0.1 10.100.0.2
Private key Server+PrivateKey= Peer+PrivateKey=
Public key Server+PublicKey= Peer+PublicKey=
Port 51820 33333

Server config

An example entry of the /etc/wg0.conf:

[Interface]
Address = 10.100.0.1/24
ListenPort = 51820
PrivateKey = Server+PrivateKey=

[Peer]
PublicKey = Peer+PublicKey=
AllowedIPs = 10.100.0.2/32

Peer config
IP address of the local interface: 10.100.0.2
Local Subnet: 255.255.255.0
Local port: 33333
Local Gateway: 10.100.0.1
Private key of the local interface: Peer+PrivateKey=
Address of the endpoint peer: 1.2.3.4
Public key of the endpoint peer: Server+PublicKey=
Port of the endpoint peer: 51820
Allowed IPs: 0.0.0.0
Allowed Subnet: 0.0.0.0