Wireguard

Created on 2021-01-18T23:00:45-06:00


Generating key pairs

umask 077 # all new files are owner rw, group and others no permission
wg genkey | tee private.key | wg pubkey > public.key

AllowedIPs

Controls which source IPs a peer is allowed to send packets from through the VPN (and, for outbound traffic, which destination IPs are routed to that peer).

If your WireGuard network uses 192.168.1.0/24 as its subnet, you would use 192.168.1.0/24 as the AllowedIPs value to allow all other WireGuard hosts to talk.

If you have a network behind the VPN server you would want to include that in addition to the wireguard subnet.

Example: 192.168.1.0/24, 192.168.2.0/24

0.0.0.0/0 allows all IPv4 traffic, ::/0 allows all IPv6 traffic.
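An added example (not from this card) modelling how WireGuard's cryptokey routing uses the AllowedIPs table in both directions: longest-prefix match picks the peer for outbound packets, and a decrypted inbound packet is accepted only if its source IP maps back to the peer whose key authenticated it. Peer keys here are constructed placeholders; the subnets mirror the examples above.

```python
import ipaddress

# Constructed peer table (placeholder keys, not real WireGuard public keys):
# a peer on the wireguard subnet, a peer that also fronts a LAN behind it,
# and a gateway peer with the catch-all routes.
PEERS = {
    "PEER_A_PUBKEY": ["192.168.1.2/32"],
    "PEER_B_PUBKEY": ["192.168.1.3/32", "192.168.2.0/24"],
    "PEER_GW_PUBKEY": ["0.0.0.0/0", "::/0"],
}


def build_table(peers):
    """Flatten peers into (network, peer) rows, most specific prefix first.
    As in wg, each network belongs to exactly one peer: assigning the same
    AllowedIPs entry to a later peer takes it away from the earlier one."""
    owner = {}
    for peer, nets in peers.items():
        for n in nets:
            owner[ipaddress.ip_network(n, strict=False)] = peer
    return sorted(owner.items(), key=lambda kv: (kv[0].version, -kv[0].prefixlen))


def route_outbound(table, dst):
    """Which peer does a packet to dst get encrypted for? None means wg drops it."""
    ip = ipaddress.ip_address(dst)
    for net, peer in table:
        if net.version == ip.version and ip in net:
            return peer
    return None


def accept_inbound(table, peer, src):
    """Cryptokey routing check on a decrypted packet from `peer`: the source
    address must route back to that same peer, otherwise the packet is dropped.
    This is what stops one peer from spoofing another peer's tunnel address."""
    return route_outbound(table, src) == peer


if __name__ == "__main__":
    table = build_table(PEERS)
    for net, peer in table:
        print(f"{str(net):>18} -> {peer}")
    print("to 192.168.2.50:", route_outbound(table, "192.168.2.50"))
    print("A sending as 192.168.1.3 accepted?",
          accept_inbound(table, "PEER_A_PUBKEY", "192.168.1.3"))
```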

Creating devices manually

ip link add dev wg0 type wireguard
ip address add dev wg0 192.168.2.1/24
<< configure the device >>
ip link set up dev wg0

Configuring the device

Choose one:

wg setconf wg0 myconfig.conf
wg set wg0 listen-port 51820 private-key /path/to/private-key peer ABCDEF... allowed-ips 192.168.88.0/24 endpoint 209.202.254.14:8172