Your guide helped me to finally configure WireGuard without an issue, except I needed to upgrade my Kernel from 5.4.* to 5.7.*, which was not obvious from the beginning. Now I need to teach WG to mimic http/s traffic, because my mobile carrier doesn't like any traffic except http/s. Keep filming more videos, dude.
@@christianlempa At the very basic, yes. Unfortunately, unlike OpenVPN, WireGuard is not deigned to obfuscate traffic and fool DPI, it's a known limitation www.wireguard.com/known-limitations/. I need some workaround to achieve it, most likely with some third party tool. It'll be grade if you make a video about this topic sometime in the future
Be aware that Wireguard is UDP only. This can be a pretty big limitation if you are planning to use this over public networks like hotels, or public hotspots, since UDP can be simply blocked there and you will not be able to connect to your server (e.g. I can't connect to my home PC when I'm on my mobile hotspot, UDP gets blocked somewhere on the way to my router). Setting wireguard with TCP wrapping is a pain in the butt, and I wish Wireguard devs wouldn't be so stubborn and just supported both TCP and UDP out of the box for the users' convenience (I really don't buy their argument about performance, it is UDP or nothing, and I would agree on lower performance with TCP if the alternative is "nothing").
@@novianindy887 2 layers of TCP is not really useful and can lead to performance loss. VPNs generally should be UDP except in circumstances when UDP is blocked and you're forced to use TCP.
WOW! The video was great. I understood completely the structure of how to configure. Thank you for that. What I didn't see in your video that would apply to my case is: a) If one peer connected to the server can ping or connect to another peer connected to the same server, and b) If the server can ping the client and connect for example through VNC to the client. Thanks!
Whilst setting this up it is worth noting on the server side the iptables mentions "eth0" - however on virtual machines this can be enp0s3 or on new ubuntu servers eno1 - or another number depending on the number of interfaces you have. Hope this saves others time :-)
Excellent tutorial, very clear and concise. I went along and it worked perfectly. Did the setup in my Proxmox virtual environment. Now need to experiment further. Thank you!
"I think, that is not too complicated..." You know what is not too complicated? My thinking processes. As for THIS... Аnyway, great video, sir! My tunnel works as swiss watch now! Subscribed.
probably one of the best videos on this topic even though wireguard has changed slightly it does take longer than 18 minutes to setup the first time LOL :XD
Could you please help me , I need to set it up on my vps and synology nas so that I might setup a plex server accessible outside my home network as my isp blocks all ports and ip is dynamic with double NAT thanks
This is not a port, this is the subnet mask, which defines how large the network is. A subnetmask of 8 means the network contains all IP addresses from: 10.0.0.1 to 10.255.255.254 and a subnetmask of 32 means only 1 IP address. If I would change the command at11:30 to 10.0.0.2/8 that would mean to allow all IP addresses between 10.0.0.1 to 10.255.255.254. If you want to learn more about this, just search for "subnetting", you should find some tutorials about it. I hope that helped you :)
Good day Christian, Was thinking if you can consider doing a video on Wireguard Docker Site-to-Site, specifically Home Server to VPS always-on Wireguard Tunnel ? Many Thanks in advance.
Does this even support layer 2 tunnels like openvpn? I don't think so... Does it support that the traffic cannot even be decrypted later on with the key like ipsec does? I don't think so...
What is first time wg genkey and private public key create where is location first time created desktop and /etc where can created you am confusing. You are explean all method
Very well explained. I’m a newbie , Wondering how to implement this approach for 2 IPPBX one in LAN the other one in the cloud . Server at cloud same IPPBx ? Client at premises ? Any hint ?
Hi Christian, love your tutorials these are very helpful. I'm wondering, is it gonna work if I set up tunel like in your video to connect remotely to my PC with ubuntu from different network? The problem is that my router changing the IP, it's not static. If you have any tip, please share :)
Thanks for this video it is really helpful. I learned that tunnel must be started after each system start. Could you please guide me how to start tunnel automatically? Thanks!
Hello, do you happen to have any videos about setting up WireGuard on TrueNAS? Because I really need some step by step guide on how to do that. Please and thank you. :)
Kudos.. Could you possibly do a video about Wireguard with udp hole punching... Or recommend a working open source VPN that implements udp hole punching
how can i configure the server so it forwards all incoming request on wg0 to all the connected peers in the same subnet of that interface? that's so i can have communication between every peer within 10.0.0.X
For me, this works and packets can be traced but it blocks the internet connection on my client VM (server is physical machine and can access internet fine). How to fix this?
Well configuring the interface my server suddenly shutdown then had a weird garbled graphic on reboot. I've tried setting this up already but as soon as I activated the client my terminal to ubuntu server suddenly disconnects and I cannot connect to any websites. What am I doing wrong? And now my server PC just shuts down while adding the wg0.config. I obviously cannot install this properly as my PC just shutdown again while editing the wg0.conf file.
Hi, I installed wireguard on 2 servers and the conf file setup is quite simple. That being said, I cannot ping from master to peer or peer to master using the interface I setup. I used a 10.X.X.X like your example What should I be looking at on the physical server that may not be configured correctly? I also shutdown the firewall and still the ping failed
hi i am using mikrotik to mikrotik wireguard tunnel but when my client side mikrotik reboot due to any reason my tunnels can reconnect automaticly i need to change public key and re submit in server side to reconnect my tunnel again Please help me in this regard . am also using change mss rule in mangle /ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \ protocol=tcp tcp-flags=syn
You forgot the part where you put the allowed peers in the server configuration, so that when you reboot the server the peers can connect again. The way you showed, the peer entries in the server are only temporary and are lost after a reboot.
Hi vielen Dank für das Video! Ich beiße mir leider seit gestern die Zähne daran aus :) Ich habe in einem Rechenzentrum einen Wireguard server in Openstack Ubuntu, der über eine Floating IP erreichbar ist. Zu hause habe ich einen mac, mit dem ich zum Server einen Tunnel aufbauen möchte. Die Verbindung scheint zustande zu kommen, der Handshake wird angezeigt. Ich kann aber weder Server noch Client Pingen (ICMP ist in Security Group freigegeben). Auf dem wg0 Server Int kommt scheinbar nichts an. Hast Du eine Idee, was es noch sein könnte? An meiner Fritzbox muss ich nichts freieben, da die Verbindung zustande kommt, oder?
Danke! Wegen dem Fehler bin ich leider nicht sicher. Solange der Handshake funktioniert sollte der Tunnel stehen. Eventuell ist hier was mit dem Routing nicht korrekt.
Forgive me, I have tried what you have in this episode, and I have no doubt that you are doing what is correct, it just isn't as easy for me. I am running pclinuxos 2022 MATE, could I trouble you for a link to a step by step guide for this system?
im looking for a way to host my gameserver with a tunnel/proxy, only got dslite (no public ipv4) ssh tunnl (only works with tcp and wrapping udp to tcp -> latency) i try it now with this.
At 5:53 while you are creating the rules in /etc/wireguard/wg0.conf file.... the eth0 should correspond to anyones adapter? For instance someone else should put there enp2s0 if that is his adapter giving him connection to net or eth0 is the name of the virtual adapter upon which wireguard will run? What if the server's adapter is also setup on eth0? Shouldn t be a conflict there? Also if the client OS is windows, the client gui also has an add a wireguard file option. Nothing else to generate those keys to put it back on the server side ... so is this situation viable only when both server and client using Linux OS? PS PIvpn has a scrip which makes the process wayyyyyyyyyyyyyyyy more easy than all this procedure. And the server generates everything. Client only imports the key and connect and thats it. Thank you
Thank you a lot for great tutorial I watched it and did as you said and was able to run it on my linux client but no success on windows Would you plz created another tutorial for windows clients and a bit of help about the dns settings and what should we do to get dns requests straight from von server
Thank you for such an amazing video! It really made it a lot easier to set things up. However, I have an issue. Everything is working just as it does for you in the video, only I cannot seem to be able to ping neither the server nor any other IP addresses. I have tried a few things, but cannot figure it out. Do you maybe have any ideas? Thank you in advance!
Thank you ☺️, check if you have set up the IPtable rules correctly and if set up the IP addresses. Hard to tell without checking your config, so if you have still issues, why not join our discord and share your config, that will help a lot 😊
@@christianlempa Thank you so much for such a quick response! I will check the IPtable rules first and if that does not help, then I will certainly have to join Discord 😁
very powerful, i need one hand. i have a remote camera rear a snat unreachable ip, have installed a server on gcp and client on raspberry. from my pc i reach raspberry. but i want to make a routing to reach a camera subnet directly, how make this routing? very tnx
Excellent tutorial, Danke. The second time I generated pub/privatekey for the client and tried to run this command "sudo vim /etc/wireguard/wg0.conf" to be able to write the next configuration, it pop up the old vim file where I wrote things about server, so there is where I lost the track. Help plz.
Everything was going good until the last part. Setting up forwarding. It seems to revert back to 0 and not allow up forwarding. Any ideas as to why? How can I make this change persistent?
I know this is old, but I've been stuck on setting up wireguard forever and this is the only video that worked for me. Never delete this!!
Important to also "sudo ufw allow 51820/udp" on server machine otherwise no connection. Awesome tutorial thanks saved me a lot of time
Can I just even a little under 3ish years this is is the best wireguard setup video. Simple, short, straight to the point and still works.
thank you so much :)
Thank you very much. The narration is technical and simple, the details are well explained, the practical demonstration is extremely useful.
Thank you! 😉
2 years later and you still saving lifes! 🥰
I really like your voice, so germanish
Haha thanks man 🇩🇪😎
This video deserves more views.
Excellent walkthrough.
Thank you so much! And yes, I agree with you :D
Thank you, for your help. My mini-project at my university is done thanks to you :)
Even better than the official wireguard tutorial. Viel'n Dank, Kumpel!
Your guide helped me to finally configure WireGuard without an issue, except I needed to upgrade my Kernel from 5.4.* to 5.7.*, which was not obvious from the beginning. Now I need to teach WG to mimic http/s traffic, because my mobile carrier doesn't like any traffic except http/s. Keep filming more videos, dude.
Thank you! That's pretty interesting, I suppose you needed to change the WG port to 443 or did you need to make any additional changes?
@@christianlempa At the very basic, yes. Unfortunately, unlike OpenVPN, WireGuard is not deigned to obfuscate traffic and fool DPI, it's a known limitation www.wireguard.com/known-limitations/. I need some workaround to achieve it, most likely with some third party tool.
It'll be grade if you make a video about this topic sometime in the future
@@user-yt9he6ud5r thanks for sharing this. I'll have a look into that because that's a topic I'm also interested in a lot!
Be aware that Wireguard is UDP only. This can be a pretty big limitation if you are planning to use this over public networks like hotels, or public hotspots, since UDP can be simply blocked there and you will not be able to connect to your server (e.g. I can't connect to my home PC when I'm on my mobile hotspot, UDP gets blocked somewhere on the way to my router). Setting wireguard with TCP wrapping is a pain in the butt, and I wish Wireguard devs wouldn't be so stubborn and just supported both TCP and UDP out of the box for the users' convenience (I really don't buy their argument about performance, it is UDP or nothing, and I would agree on lower performance with TCP if the alternative is "nothing").
Fair point! But watch my newest video, that is the solution to this: th-cam.com/video/Kzyolu9yn0E/w-d-xo.html
if it's UDP it means it's possible for packet loss to happen without retransmitting it??
@@novianindy887 2 layers of TCP is not really useful and can lead to performance loss. VPNs generally should be UDP except in circumstances when UDP is blocked and you're forced to use TCP.
Who blocks udp? That would break so many applications, like anything that streams video
Saved the day ! Changing "FORWARD -i %i" to "FORWARD -i wg0" solved problem with no LAN and internet access. THANKS !
you're welcome friend :)
WOW! The video was great. I understood completely the structure of how to configure. Thank you for that. What I didn't see in your video that would apply to my case is: a) If one peer connected to the server can ping or connect to another peer connected to the same server, and b) If the server can ping the client and connect for example through VNC to the client. Thanks!
Thank you so much! :)
Thank you! The best installation guide on WG ever..
Loved this very much! A network pro!
This video has clearly explained what I have researched for a long time. I have made some dollars as well from a client. Thank you, Christian.
Thanks! Glad it helped you 👍
Whilst setting this up it is worth noting on the server side the iptables mentions "eth0" - however on virtual machines this can be enp0s3 or on new ubuntu servers eno1 - or another number depending on the number of interfaces you have. Hope this saves others time :-)
thanks for highlighting this! 😉
Thank you so much, I was so lost configuring the client and it was so easy following your tutorial. Definitely suscribed!
Glad it helped!
Now all i need is a video explaining how to assign a free public IP on my server to the client that is connecting and im golden.
Christian! Thank you very much for your video! I could set up wireguard between routerOS and Ubuntu only after watching that :)
Thank you very much, this saved me from madness
Glad it helped!
Excellent tutorial, very clear and concise. I went along and it worked perfectly. Did the setup in my Proxmox virtual environment. Now need to experiment further. Thank you!
Thank you so much! :) Keep on experimenting :D
Very clear and complete tutorial, thanks.
Glad it was helpful!
Thank you!! That ipv4 forward thing was exactly what I needed. Finally I can use WG instead of OpenVPN! :)
Thank you soo much.
This helped me a lot.
Keep this good work up!
Thank you! :)
"I think, that is not too complicated..."
You know what is not too complicated? My thinking processes. As for THIS...
Аnyway, great video, sir! My tunnel works as swiss watch now! Subscribed.
Great to hear I could help you and it's working! 😋
Great explanation, thank you
probably one of the best videos on this topic even though wireguard has changed slightly it does take longer than 18 minutes to setup the first time LOL :XD
Thank you so much :D
Another great video from you ! Well explained, thank you for this !
Thank you mate! :)
excellent.
Doing this using docker compose, I want that video which will be helpful for docker fans!
I saw you found it already 😊 cheers!
This is a great video ... explained perfectly
Thanks 😊
Thank you so much, after look your video i already tried success
Thank you for this video. I will try on RHEL8 now.
Nice! You're welcome ;)
Great stuff, thanks a lot
Nice video. Saludos desde Perú.
Thank you man!
very quality lession, keep up hardwork, i'm in :D
Thanks, will do!
Thanks - an excellent guide.
Great video bro, thanks
Gran video bro, gracias.
from Syria ,
best require
Excellent tutorial, thanks
You're welcome
waw an fantastic thanks for your effort
So nice of you
thanks a lot !
Thank you. Very good Video. It was very helpful
I'm glad it helped 😊
im having trouble to run openvpn as so this is perfect alternative for that..
how nicely put tutorial. Thanks. Subscribed.
Thanks ;)
Excellent video!
Thank you very much!
I have followed your tuto, but at the end, I SSH is not responding...
Big thankss for this tutorial 👍👍👍
Thank you! ☺️
Man you rally made my day!
I had been struggling with openvpn for a while...
But with your video i could set up wireguard in no time. Thanks!!!
Thanks man 😊, I'm glad it helped you!
very nice tutorial ... TY :)
Glad it was helpful!
please explain if there is differencies in configuring the wireguard server on centos
awesome
very good
Thank you! Cheers!
Good video my friend! You saved us, i wish god can pay you, cause i can't!💪
Thank you!
BIG THANX ❤
You're welcome 😀
You are created double file /etc/wg0.conf i dont understand help me
Could you please help me , I need to set it up on my vps and synology nas so that I might setup a plex server accessible outside my home network as my isp blocks all ports and ip is dynamic with double NAT
thanks
Thanks!
11:30 Why it is port 32 in the end, instead of port 8 as shown at 8:05?
This is not a port, this is the subnet mask, which defines how large the network is. A subnetmask of 8 means the network contains all IP addresses from: 10.0.0.1 to 10.255.255.254 and a subnetmask of 32 means only 1 IP address. If I would change the command at11:30 to 10.0.0.2/8 that would mean to allow all IP addresses between 10.0.0.1 to 10.255.255.254. If you want to learn more about this, just search for "subnetting", you should find some tutorials about it. I hope that helped you :)
@@christianlempa Thank you for explaining this. Very informative and helpful!
What app did you use to run the servers? Beside the WireGuard
You are created two file wgo.conf in wireguard how reaply me
Good day Christian,
Was thinking if you can consider doing a video on Wireguard Docker Site-to-Site, specifically Home Server to VPS always-on Wireguard Tunnel ?
Many Thanks in advance.
Does this even support layer 2 tunnels like openvpn? I don't think so... Does it support that the traffic cannot even be decrypted later on with the key like ipsec does? I don't think so...
It definitely did not hold that ip_forward setting after a reboot. This is confusing.
What is first time wg genkey and private public key create where is location first time created desktop and /etc where can created you am confusing. You are explean all method
what is terminal of at 2.20. i didnt understand
Very well explained. I’m a newbie , Wondering how to implement this approach for 2 IPPBX one in LAN the other one in the cloud . Server at cloud same IPPBx ? Client at premises ? Any hint ?
Thanks! It should work well with any Protocol, so give it a try 😁
what does the net.ipv4.ip_forward do?
this enables the packet forwarding feature in Linux, basically what a router does :)
Hi Christian, love your tutorials these are very helpful.
I'm wondering, is it gonna work if I set up tunel like in your video to connect remotely to my PC with ubuntu from different network?
The problem is that my router changing the IP, it's not static.
If you have any tip, please share :)
Thanks for this video it is really helpful. I learned that tunnel must be started after each system start. Could you please guide me how to start tunnel automatically? Thanks!
I'm glad it helps you :) Sure you can simply add the wg0 interface to systemd: sudo systemctl enable --now wg-quick@wg0.service
Ty
Hello, do you happen to have any videos about setting up WireGuard on TrueNAS? Because I really need some step by step guide on how to do that. Please and thank you. :)
Need a install vid on Arch Arm Wireguard client.
I don’t use Arch btw
Kudos..
Could you possibly do a video about Wireguard with udp hole punching...
Or recommend a working open source VPN that implements udp hole punching
Thanks for the good suggestion. I just solved this with DNAT rules and Keep-Alive packets, but I'll have look into this
"etc/wireguard/wg0.conf" E212: Can't open file for writing bro i am getting this error
will also all of my Ipv6 traffic be routed through this vpn tunnel? or is in this configuration an ipv6 leak possible?
You can also configure IPv6 addresses in the config files.
how can i configure the server so it forwards all incoming request on wg0 to all the connected peers in the same subnet of that interface? that's so i can have communication between every peer within 10.0.0.X
For me, this works and packets can be traced but it blocks the internet connection on my client VM (server is physical machine and can access internet fine). How to fix this?
Well configuring the interface my server suddenly shutdown then had a weird garbled graphic on reboot. I've tried setting this up already but as soon as I activated the client my terminal to ubuntu server suddenly disconnects and I cannot connect to any websites. What am I doing wrong? And now my server PC just shuts down while adding the wg0.config. I obviously cannot install this properly as my PC just shutdown again while editing the wg0.conf file.
good, as you can add PresharedKey to peer, by command
Hi, I installed wireguard on 2 servers and the conf file setup is quite simple.
That being said, I cannot ping from master to peer or peer to master using the interface I setup. I used a 10.X.X.X like your example
What should I be looking at on the physical server that may not be configured correctly?
I also shutdown the firewall and still the ping failed
hi i am using mikrotik to mikrotik wireguard tunnel but when my client side mikrotik reboot due to any reason my tunnels can reconnect automaticly i need to change public key and re submit in server side to reconnect my tunnel again Please help me in this regard .
am also using change mss rule in mangle
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn
You forgot the part where you put the allowed peers in the server configuration, so that when you reboot the server the peers can connect again.
The way you showed, the peer entries in the server are only temporary and are lost after a reboot.
Thx for letting me know!
How do I do that
Man this works on android windows but doesn't seems to work on linux for me
@15:00
Can't I just edit the "ip_forward" file and change the value to from 0 to 1?
hi there, can you give examples how can i access internet via browsers ? it gives me "dns probe finished bad config", thx
How can i create a QR code ?
Any pdf all the steps please share
Hi vielen Dank für das Video!
Ich beiße mir leider seit gestern die Zähne daran aus :)
Ich habe in einem Rechenzentrum einen Wireguard server in Openstack Ubuntu, der über eine Floating IP erreichbar ist. Zu hause habe ich einen mac, mit dem ich zum Server einen Tunnel aufbauen möchte. Die Verbindung scheint zustande zu kommen, der Handshake wird angezeigt. Ich kann aber weder Server noch Client Pingen (ICMP ist in Security Group freigegeben). Auf dem wg0 Server Int kommt scheinbar nichts an. Hast Du eine Idee, was es noch sein könnte? An meiner Fritzbox muss ich nichts freieben, da die Verbindung zustande kommt, oder?
Danke! Wegen dem Fehler bin ich leider nicht sicher. Solange der Handshake funktioniert sollte der Tunnel stehen. Eventuell ist hier was mit dem Routing nicht korrekt.
Forgive me, I have tried what you have in this episode, and I have no doubt that you are doing what is correct, it just isn't as easy for me. I am running pclinuxos 2022 MATE, could I trouble you for a link to a step by step guide for this system?
Hi all, How do I achieve the reverse? eg: all requests from server should be forwarded to the client and client will act as the proxy.
im looking for a way to host my gameserver with a tunnel/proxy, only got dslite (no public ipv4) ssh tunnl (only works with tcp and wrapping udp to tcp -> latency) i try it now with this.
Not sure if that's a solution for that
At 5:53 while you are creating the rules in /etc/wireguard/wg0.conf file.... the eth0 should correspond to anyones adapter?
For instance someone else should put there enp2s0 if that is his adapter giving him connection to net or eth0 is the name of the virtual adapter upon which wireguard will run? What if the server's adapter is also setup on eth0?
Shouldn t be a conflict there?
Also if the client OS is windows, the client gui also has an add a wireguard file option. Nothing else to generate those keys to put it back on the server side ... so is this situation viable only when both server and client using Linux OS?
PS PIvpn has a scrip which makes the process wayyyyyyyyyyyyyyyy more easy than all this procedure. And the server generates everything. Client only imports the key and connect and thats it.
Thank you
Thank you a lot for great tutorial
I watched it and did as you said and was able to run it on my linux client but no success on windows
Would you plz created another tutorial for windows clients and a bit of help about the dns settings and what should we do to get dns requests straight from von server
Thanks for the reply :) Yea may be a good idea, let me do a quick video about it soon!
Thank you for such an amazing video! It really made it a lot easier to set things up. However, I have an issue. Everything is working just as it does for you in the video, only I cannot seem to be able to ping neither the server nor any other IP addresses. I have tried a few things, but cannot figure it out. Do you maybe have any ideas? Thank you in advance!
The handshake works, but not ping
Thank you ☺️, check if you have set up the IPtable rules correctly and if set up the IP addresses. Hard to tell without checking your config, so if you have still issues, why not join our discord and share your config, that will help a lot 😊
@@christianlempa Thank you so much for such a quick response! I will check the IPtable rules first and if that does not help, then I will certainly have to join Discord 😁
very powerful, i need one hand. i have a remote camera rear a snat unreachable ip, have installed a server on gcp and client on raspberry. from my pc i reach raspberry. but i want to make a routing to reach a camera subnet directly, how make this routing? very tnx
Excellent tutorial, Danke. The second time I generated pub/privatekey for the client and tried to run this command "sudo vim /etc/wireguard/wg0.conf" to be able to write the next configuration, it pop up the old vim file where I wrote things about server, so there is where I lost the track. Help plz.
Np mate! Have you checked out our Discord for help?
Hey thanks for your videos ! :)
Where can i find the top menu on your windows where displayed cpu informations .. ??
It's a rainmeter plugin you can find on my github dotfiles repository
@@christianlempa Ok thanks
Everything was going good until the last part. Setting up forwarding. It seems to revert back to 0 and not allow up forwarding. Any ideas as to why? How can I make this change persistent?
Thanks for giving me a heads up. You need to make the changes persistent in the: /etc/sysctl.conf file. For some reason I forgot it in this video :/