Hosting
Configure WireGuard without NAT
In this setup, we will configure WireGuard without NAT, giving your user a publicly routable IP. This is useful if you want to host at home but you have a dynamic IP or your ISP blocks lots of ports.
The wg-tools package is required for the wg command used to generate the keys, but you can remove it once the tunnel is set up.
First, generate 2 keypairs:
wg genkey | tee privatekey_server | wg pubkey > pubkey_server
wg genkey | tee privatekey_client | wg pubkey > pubkey_client
Now, configure /etc/hostname.wg0. Replace server_privatekey with the contents of privatekey_server, peer_pubkey with the contents of pubkey_client, and ip_for_client with the public IP address for the client. server_mac_address should be replaced with the MAC address of the server's network interface (em0, vio0, etc.). unused_private_ip can be replaced with 172.16.10.1.
# /etc/hostname.wg0
wgkey server_privatekey
wgpeer peer_pubkey wgaip ip_for_client/32
wgport 51820
inet unused_private_ip 255.255.255.255
up
!arp -s ip_for_client server_mac_address pub
!route change ip_for_client unused_private_ip
The user should be given the endpoint (domain or IP of the server), their public IP address, the port, the server's public key and the client's private key. That should be enough to set up the tunnel on their end. You can also give it to them in the standard WireGuard configuration file syntax shown below.
[Interface]
PrivateKey = client private key
Address = client address

[Peer]
PublicKey = server public key
Endpoint = server ip:port
AllowedIPs = 0.0.0.0/0
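As an added example (not part of the original page), a small POSIX sh script that renders both halves of this setup from one set of variables, with format checks on the keys, IP and MAC, so that the client IP used in wgaip, arp, route and the client's Address cannot disagree and a pasted key that is not a WireGuard key is caught early. The keys are passed in (generate them with wg genkey as above); the /32 on the client Address, the 172.16.10.1 default, and the function and argument names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original page: render /etc/hostname.wg0 and
# the matching client .conf from the same inputs so the server side (wgaip,
# arp, route) and client side (Address) always name the same public IP.
set -eu

# WireGuard keys are 32 bytes base64-encoded: 43 chars plus one '=' (format check only).
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}
is_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# render_server SERVER_PRIVKEY CLIENT_PUBKEY CLIENT_PUBLIC_IP SERVER_MAC [UNUSED_PRIVATE_IP] [PORT]
# Output belongs in /etc/hostname.wg0; it holds the private key, so keep that file root-only (mode 0640).
render_server() {
    is_wg_key "$1" && is_wg_key "$2" && is_ipv4 "$3" && is_mac "$4" || return 1
    priv=${5:-172.16.10.1}; port=${6:-51820}
    cat <<EOF
# /etc/hostname.wg0
wgkey $1
wgpeer $2 wgaip $3/32
wgport $port
inet $priv 255.255.255.255
up
!arp -s $3 $4 pub
!route change $3 $priv
EOF
}

# render_client CLIENT_PRIVKEY SERVER_PUBKEY CLIENT_PUBLIC_IP ENDPOINT_HOST [PORT]
# Same client IP as wgaip above: the server only accepts tunnel packets sourced from it.
render_client() {
    is_wg_key "$1" && is_wg_key "$2" && is_ipv4 "$3" || return 1
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $3/32

[Peer]
PublicKey = $2
Endpoint = $4:${5:-51820}
AllowedIPs = 0.0.0.0/0
EOF
}
```

Call render_server and render_client with the values from the key files and your client's public IP; each returns non-zero and prints nothing if an input is malformed.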