Quick and simple VPN using Wireguard

February 10, 2018 — Asem Arafa

OpenVPN has been my go-to solution for years now, whether for work as a tunnel to the servers I manage or personally to mask my traffic when I am connected to insecure networks.

My real issue with it was mainly the performance: the connection always suffers from latency, even with thorough tuning.
But since OpenVPN was for me the easiest to set up and cross-platform, I never searched for alternatives.

Until I stumbled upon WireGuard, which made news recently because of its upcoming integration with systemd, so I decided to give it a try.


WireGuard's main advantage is its simplicity and minimal code base: at the time of writing this post, the whole project has less than 4000 lines of code.
It is installed as a kernel module and can be configured using the tools from the iproute package and the included WireGuard scripts.

So now I will demonstrate how simply you can set up a VPN server that routes all traffic from a connected client.

Both my server and client are running Arch Linux, but the tools I use should work on any modern Linux distro.

Installation

For Arch Linux, WireGuard is already in the main repos, so you can install it directly.

 $ sudo pacman -Sy wireguard-dkms wireguard-tools

Ubuntu users can install it using this PPA:

 $ sudo add-apt-repository ppa:wireguard/wireguard
 $ sudo apt-get update
 $ sudo apt-get install wireguard-dkms wireguard-tools

Configuration

WireGuard authentication works like SSH: both the server and the client need to exchange public keys to establish an encrypted connection.
So you need to run the following command on both machines, the server and the client.

 $ wg genkey | tee privatekey | wg pubkey > publickey

Now you need to write the configuration files for both server and client.
In the example below, I use the network 10.1.1.0/24 as the internal VPN network range and port 5656 as the UDP port that the server will listen on.

Server

 $ cat /etc/wireguard/wg0server.conf
 [Interface]
 Address = 10.1.1.1/24
 PostUp = firewall-cmd --add-masquerade --permanent ; firewall-cmd --reload 
 PostDown = firewall-cmd --remove-masquerade --permanent ; firewall-cmd --reload 
 ListenPort = 5656
 PrivateKey = [Server private key in plain text]
 [Peer]
 PublicKey = [Client public key in plain text]
 AllowedIPs = 10.1.1.2/32

Then you can start the server by simply enabling and starting the systemd service, like so:

 $ sudo systemctl enable wg-quick@wg0server.service
 $ sudo systemctl start wg-quick@wg0server.service

Firewalld

You need to add a WireGuard service to the firewalld configuration; as per my example above, the server listens on UDP port 5656.

To add a service to firewalld, write the following XML file:

 # cat  /etc/firewalld/services/wireguard.xml 
 <?xml version="1.0" encoding="utf-8"?>
 <service>
   <short>Wireguard</short>
   <port protocol="udp" port="5656"/>
 </service>

Then add it to your zone and reload:

 # firewall-cmd --add-service=wireguard --permanent
 # firewall-cmd --reload 

If your default firewalld zone is restrictive, like DROP, you might need to add the WireGuard interface to another zone and allow traffic from the VPN range:

 # firewall-cmd --permanent --zone=internal --add-interface=wg0server
 # firewall-cmd --zone=internal --permanent  --add-rich-rule='rule family="ipv4" source address="10.1.1.0/24" accept'
 # firewall-cmd --reload 

Client

 $ cat /etc/wireguard/wg0.conf
 [Interface]
 Address = 10.1.1.2/32
 PrivateKey = [Client private key in plain text]
 DNS = 10.1.1.1
 [Peer]
 PublicKey = [Server public key in plain text]
 AllowedIPs = 0.0.0.0/0
 Endpoint = [Server internet facing IP]:5656
 PersistentKeepalive = 25

That's it; you can now start your client using

 # wg-quick up wg0 
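The server config and the firewalld service above have to agree on the UDP port, and on the server side AllowedIPs is not only a route but also the source filter for that peer (WireGuard's cryptokey routing), so a peer given anything wider than its own /32 inside the VPN range could send packets as another VPN address. The following checker, an added example and not part of the original post or of the WireGuard tools, parses constructed copies of the page's server config and wireguard.xml (placeholder keys) and reports both problems.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copies of the page's server config and firewalld service (placeholder keys).
SERVER_CONF = """[Interface]
Address = 10.1.1.1/24
ListenPort = 5656
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.1.1.2/32
"""
WIREGUARD_XML = """<?xml version="1.0" encoding="utf-8"?>
<service><short>Wireguard</short><port protocol="udp" port="5656"/></service>"""

def parse_wg(text):
    """Split a wg-quick config into the [Interface] dict and a list of [Peer] dicts."""
    sections, current = [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
    iface = next(body for name, body in sections if name == "Interface")
    return iface, [body for name, body in sections if name == "Peer"]

def check_server(conf_text, firewalld_xml):
    """Return findings: firewalld port mismatch, or a peer allowed to source more than one VPN address."""
    iface, peers = parse_wg(conf_text)
    findings = []
    vpn_net = ipaddress.ip_interface(iface["Address"]).network
    # The firewalld service must open exactly the UDP port WireGuard listens on.
    opened = {(p.get("protocol"), p.get("port"))
              for p in ET.fromstring(firewalld_xml.encode()).iter("port")}
    if ("udp", iface.get("ListenPort")) not in opened:
        findings.append("ListenPort %s is not opened as UDP by the firewalld service" % iface.get("ListenPort"))
    for peer in peers:
        for cidr in peer.get("AllowedIPs", "").split(","):
            allowed = ipaddress.ip_network(cidr.strip(), strict=False)
            # Anything wider than a single address inside the VPN range lets this peer
            # send packets with another VPN address as source.
            if allowed.prefixlen != allowed.max_prefixlen or not allowed.subnet_of(vpn_net):
                findings.append("peer %s may send from %s, not a single VPN address"
                                % (peer["PublicKey"][:12], allowed))
    return findings

if __name__ == "__main__":
    print(check_server(SERVER_CONF, WIREGUARD_XML) or "server config and firewalld service are consistent")
```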

Conclusion

I have been using WireGuard for a while now, and I can see it replacing OpenVPN very soon.

It is supported on OpenWRT, which I use for my home router, and support is coming to NetworkManager, so expect even easier client setup soon.

Android support is coming too: there is an app already in the Play Store, but for now you need a custom ROM which has the WireGuard module enabled.

To learn more about WireGuard, I suggest heading to the official website and checking the presentations.


Tags: wireguard, openvpn, vpn, firewalld, archlinux, systemd