How to get arch install wireguard working? Follow these 5 easy steps for a quick VPN setup now.

This guide outlines the steps to install and configure WireGuard on Arch Linux.

Installation

Install the necessary packages using pacman:

sudo pacman -S wireguard-tools

The wireguard-tools package includes wg and wg-quick. The WireGuard kernel module is typically included in the standard Linux kernel on Arch Linux (linux or linux-lts).

Configuration

WireGuard configurations are typically stored in /etc/wireguard/. Each interface will have its own configuration file, for example, .

1. Generate Key Pairs

Generate a private key and its corresponding public key for each peer (server and client).

wg genkey  tee privatekey  wg pubkey > publickey

Important: Keep your private key secure. The public key can be shared.

2. Create Configuration File

Create a configuration file, for example /etc/wireguard/*.

Server Example (/etc/wireguard/* on the server):

[Interface]
Address = 10.0.0.1/24
# Optional: Add IPv6 address, e.g., Address = fd86:ea04:1111::1/64
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# Optional: Commands to run after interface is up/down

# PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o <eth0> -j MASQUERADE
# PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o <eth0> -j MASQUERADE
[Peer]
# Client 1
PublicKey = <CLIENT_1_PUBLIC_KEY>

AllowedIPs = 10.0.0.2/32
# Optional: Add IPv6 address, e.g., AllowedIPs = 10.0.0.2/32, fd86:ea04:1111::2/128

Replace <SERVER_PRIVATE_KEY> and <CLIENT_1_PUBLIC_KEY> with the actual keys. Adjust <eth0> in PostUp/PostDown to your server's public network interface if you want to enable NAT for clients.

Client Example (/etc/wireguard/* on the client):

[Interface]
Address = 10.0.0.2/24

# Optional: Add IPv6 address, e.g., Address = fd86:ea04:1111::2/64
PrivateKey = <CLIENT_PRIVATE_KEY>
# Optional: Specify DNS servers for the 加速器 connection
# DNS = 1.1.1.1, 1.0.0.1
[Peer]

# Server
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_IP_OR_HOSTNAME>:51820
AllowedIPs = 0.0.0.0/0, ::/0
# Optional: For split tunneling, change AllowedIPs (e.g., 10.0.0.0/24)

# Optional: Keepalive to maintain connection through NAT
# PersistentKeepalive = 25

Replace <CLIENT_PRIVATE_KEY>, <SERVER_PUBLIC_KEY>, and <SERVER_IP_OR_HOSTNAME> with the appropriate values.

3. Set Permissions

Secure your configuration file and private keys:

sudo chmod 600 /etc/wireguard/*
# If private keys are stored separately:

# sudo chmod 600 /etc/wireguard/privatekey

Managing the WireGuard Interface

Use wg-quick to manage WireGuard interfaces. It integrates with systemd.

Start the Interface

sudo wg-quick up wg0

Stop the Interface

sudo wg-quick down wg0

Enable at Boot

To start the wg0 interface automatically on boot:

sudo systemctl enable wg-quick@*

Start Service Immediately (without reboot)

sudo systemctl start wg-quick@*

Check Service Status

sudo systemctl status wg-quick@*

Verification

After starting the interface, you can check its status and configuration:

sudo wg show

This command will display current interface information, peer details, and latest handshake times.

You can also check if the network interface has been created:

ip addr show wg0

Test connectivity by pinging the IP address of another peer within the WireGuard network.

Firewall Configuration

Ensure your firewall allows UDP traffic on the ListenPort you specified (e.g., 51820) on the server.

Example using iptables:

sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT

Example using ufw:

sudo ufw allow 51820/udp

Remember to save your firewall rules if necessary (e.g., using iptables-persistent or ufw enable).