You read my last post about StrongSwan and thought it was too complicated? I understand. WireGuard is the revolutionary, simple VPN solution that often proves faster and integrates better with modern operating systems like ChromeOS.
While I found my specialized IPsec connection to be slightly faster, WireGuard excels in ease of setup and client usability: the tunnel automatically resumes after sleep/suspend without manual intervention.
1. Server Setup and Key Generation
The WireGuard implementation under Linux is robust and straightforward.
Installation and Key Generation
# Install wireguard on your server / host
apt-get install wireguard
# Create a private and public key pair using secure umask settings
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
Initial Configuration (wg0.conf)
I define the server's interface, assign an internal network, and set up the necessary firewall rules for NAT (Network Address Translation). The PostUp/PostDown rules add and remove these firewall rules when the interface comes up or goes down.
# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = -- put the created private key here --
Address = 10.7.0.1/24
ListenPort = 51820
# PostUp/PostDown automate NAT and routing when the interface comes up/down
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens7 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens7 -j MASQUERADE
Note: The egress interface (ens7 in this example) should be replaced with your host's public-facing NIC name.
Enabling the Service
Don’t forget to enable IP Forwarding in the kernel and enable the systemd service for automatic startup after boot.
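# Enable IP Forwarding (runtime only; also set net.ipv4.ip_forward=1 in
# /etc/sysctl.conf or a file under /etc/sysctl.d/ so it persists across reboots)
sysctl -w net.ipv4.ip_forward=1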
# Enable systemd service for automatic start
systemctl enable wg-quick@wg0
2. Client Setup (ChromeOS)
WireGuard integrates natively with ChromeOS through a dedicated application. This simplifies the client configuration significantly.
Client Key Generation and Peer Setup
- Install WireGuard on the ChromeOS device and create a new tunnel configuration.
- Generate Keys: Click the key icon in the ChromeOS dialog to generate a secure private/public key pair for the client.
- Client Settings: Set the client's internal IP (10.7.0.2/32) and the desired DNS server.
- Peer Setup: Enter the Server's Public Key, the Endpoint (Server IP:Port), and Allowed IPs as 0.0.0.0/0 to route all traffic through the tunnel (Full-Tunnel VPN).
Server Peer Integration
The client's public key must be added to the server's wg0.conf file, along with its assigned internal IP address.
# /etc/wireguard/wg0.conf (Server Peer)
[Peer]
PublicKey = --public key of the client--
AllowedIPs = 10.7.0.2/32
The tunnel must be restarted for the changes to take effect:
# Stop and restart the tunnel
root@vpn1:~# wg-quick down wg0
root@vpn1:~# wg-quick up wg0
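A check for the server-side wg0.conf that can be run before the restart, added here as an example (not code from the original post): it flags a PrivateKey left as a placeholder, malformed keys, and peer AllowedIPs that fall outside the tunnel network or overlap another peer, for instance the client-side 0.0.0.0/0 pasted into the server's [Peer] block. The function names and the sample config are constructed, and a single IPv4 Address on the interface is assumed.

```python
import base64, binascii, ipaddress

# Constructed sample: the post's server config plus a second, misconfigured peer.
SAMPLE = """\
[Interface]
PrivateKey = --placeholder--
Address = 10.7.0.1/24
[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 10.7.0.2/32
[Peer]
PublicKey = not-a-key
AllowedIPs = 0.0.0.0/0
"""

def parse(text):  # [Peer] sections repeat, so configparser does not fit
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in "="
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def valid_key(value):  # WireGuard keys are 32 bytes, base64-encoded
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def audit(text):  # assumption: one IPv4 Address on the interface, as in this post
    findings, seen, sections = [], [], parse(text)
    iface = next((kv for name, kv in sections if name == "interface"), {})
    subnet = ipaddress.ip_interface(iface.get("address", "0.0.0.0/32")).network
    if not valid_key(iface.get("privatekey", "")):
        findings.append("interface: PrivateKey missing or still a placeholder")
    for i, kv in enumerate((kv for n, kv in sections if n == "peer"), 1):
        if not valid_key(kv.get("publickey", "")):
            findings.append(f"peer {i}: PublicKey is not a 32-byte base64 key")
        for item in filter(None, (s.strip() for s in kv.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(item, strict=False)
            if net.version != subnet.version or not net.subnet_of(subnet):
                findings.append(f"peer {i}: AllowedIPs {net} is outside {subnet}")
            if any(net.version == o.version and net.overlaps(o) for o in seen):
                findings.append(f"peer {i}: AllowedIPs {net} overlaps an earlier peer")
            seen.append(net)
    return findings
```

Call `audit(open("/etc/wireguard/wg0.conf").read())` as root; an empty list means none of these checks fired.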
3. Verification
The wg show command verifies the successful key exchange and data transfer, confirming the tunnel is up and running.
root@vpn1:~# wg show
interface: wg0
public key: --server-publickey--
private key: (hidden)
listening port: 51820
peer: --client-publickey--
endpoint: xxx.xx.59.15x:46589
allowed ips: 10.7.0.2/32
latest handshake: 3 seconds ago
transfer: 7.02 KiB received, 12.07 KiB sent
This simple setup successfully provides a reliable, persistent VPN connection for the ChromeOS client.