Setting up WireGuard on Ubuntu

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and supercomputers alike, fit for many different circumstances. Initially released for the Linux kernel, it plans to be cross-platform and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
https://www.wireguard.com/

Installation steps

Env: Ubuntu 18.04 64-bit / Debian 9 sid

// Ubuntu
add-apt-repository ppa:wireguard/wireguard
apt-get update
apt-get install wireguard
 
// Debian 9
Install linux-headers first (Hetzner VPS issue)

apt install linux-headers-$(uname -r)

echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list

printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable

apt update
apt install wireguard

Generate the public and private keys

(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)

wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey

Edit the wg0.conf file

## On a Vultr server, replace eth0 with ens3 in the PostUp/PostDown rules below
# Edit wg0.conf
nano /etc/wireguard/wg0.conf

[Interface]
PrivateKey = YOUR_PRIVATE_KEY
ListenPort = 993 # UDP
Address = 192.168.2.1/24, fd86:ea04:1115::1/128

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# With SaveConfig = true, wg-quick writes the running state back to this file
# when the interface goes down, so edit the file only while wg0 is down.
SaveConfig = true

[Peer] ## Generate from Android or other device
PublicKey = PUBLIC_KEY_ON_ANDROID
AllowedIPs = 192.168.2.2/32, fd86:ea04:1115::2/128

Save and fire it up!

wg-quick down wg0
wg-quick up wg0

Make it auto start on boot

systemctl enable wg-quick@wg0.service

Enable IP forwarding

nano /etc/sysctl.conf 

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

//Save
sysctl -p 
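
Three server-side settings from the steps above are easy to get wrong: the mode of wg0.conf (it holds the private key), the outbound interface named in the MASQUERADE rules (eth0 vs ens3), and the forwarding sysctls. The script below is an added example, not part of the original guide, that checks all three; NET_DIR, PROC_DIR and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-flight check for the server-side wg0.conf.
# NET_DIR, PROC_DIR and the function names are assumptions of this example;
# the two directories default to the real kernel paths.
NET_DIR="${NET_DIR:-/sys/class/net}"
PROC_DIR="${PROC_DIR:-/proc/sys}"

# Print every outbound interface named by "-o <iface>" in PostUp/PostDown.
egress_ifaces() {
    grep -E '^[[:space:]]*Post(Up|Down)[[:space:]]*=' "$1" |
        grep -oE -- '-o[[:space:]]+[A-Za-z0-9_.-]+' |
        awk '{print $2}' | sort -u
}

# Print one line per problem found; exit status 0 only when there are none.
check_conf() {
    conf="$1"; problems=0
    # The file holds PrivateKey, so group and other must have no access.
    mode=$(stat -c '%a' "$conf")
    case "$mode" in
        0|*00) ;;
        *) echo "mode $mode: private key readable beyond the owner"
           problems=$((problems + 1)) ;;
    esac
    # A MASQUERADE rule bound to a missing interface never matches any packet.
    for iface in $(egress_ifaces "$conf"); do
        if [ ! -e "$NET_DIR/$iface" ]; then
            echo "interface $iface not present on this host"
            problems=$((problems + 1))
        fi
    done
    # With forwarding off, the kernel will not route between wg0 and the uplink.
    for key in net/ipv4/ip_forward net/ipv6/conf/all/forwarding; do
        if [ "$(cat "$PROC_DIR/$key" 2>/dev/null)" != "1" ]; then
            echo "forwarding disabled: $key"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Check a config only when a path is given on the command line.
if [ "$#" -gt 0 ]; then check_conf "$1"; fi
```

Run it as root with /etc/wireguard/wg0.conf as the argument before wg-quick up wg0.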

Client config

[Interface]
PrivateKey = <Output of privatekey file that contains your private key>
Address = 192.168.2.2/32, fd86:ea04:1115::2/128
DNS = 192.168.2.1
MTU = 1360
 
[Peer]
PublicKey = <Server's public key from *wg show* command on server>
Endpoint = <Linux server's Public IP>:993
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25