What Are the Benefits of WireGuard Arch Linux? Enjoy a Faster and More Secure VPN Connection.

Installation

Install the necessary WireGuard tools package:

sudo pacman -S wireguard-tools

Key Generation

WireGuard uses public-key cryptography. Each peer (server and client) needs its own private and public key pair. Keys are typically stored in /etc/wireguard/.

First, create the directory and set appropriate permissions:

sudo mkdir -p /etc/wireguard

sudo chmod 700 /etc/wireguard

cd /etc/wireguard

Generate a private key and its corresponding public key:

wg genkey | sudo tee <PRIVATE_KEY_FILE> | wg pubkey | sudo tee <PUBLIC_KEY_FILE>

Replace <PRIVATE_KEY_FILE> and <PUBLIC_KEY_FILE> with appropriate names for your server (e.g., server_*, server_*) and each client (e.g., client1_*, client1_*). You will need to securely transfer the client's public key to the server and the server's public key to the client.

Server Configuration

Create a configuration file for the WireGuard interface on the server, for example, /etc/wireguard/*.

[Interface]

Address = 10.0.0.1/24 # VPN IP address and subnet for the server

SaveConfig = true

ListenPort = 51820 # Port WireGuard will listen on (UDP)

PrivateKey = <SERVER_PRIVATE_KEY_CONTENT>

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o <PUBLIC_NETWORK_INTERFACE> -j MASQUERADE

PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o <PUBLIC_NETWORK_INTERFACE> -j MASQUERADE

[Peer] # Client 1 configuration

PublicKey = <CLIENT1_PUBLIC_KEY_CONTENT>

AllowedIPs = 10.0.0.2/32 # VPN IP address assigned to this client

# Add more [Peer] sections for additional clients

#[Peer] # Client 2 configuration

#PublicKey = <CLIENT2_PUBLIC_KEY_CONTENT>

#AllowedIPs = 10.0.0.3/32

Important:

  • Replace <SERVER_PRIVATE_KEY_CONTENT> with the actual content of the server's private key file.
  • Replace <CLIENT1_PUBLIC_KEY_CONTENT> with the content of Client 1's public key file.
  • Replace <PUBLIC_NETWORK_INTERFACE> with your server's public-facing network interface (e.g., eth0, enp3s0). The %i in PostUp/PostDown refers to the WireGuard interface (wg0).

Enable IP forwarding on the server:

sudo sysctl -w **_forward=1

To make this change persistent across reboots, uncomment or add the following line in /etc/sysctl.d/* (or create the file):

**_forward=1

Then apply the changes:

sudo sysctl --system

Client Configuration

Create a configuration file on the client machine, for example, /etc/wireguard/*.

[Interface]

Address = 10.0.0.2/32 # VPN IP address for this client (must be unique and in AllowedIPs on server)

PrivateKey = <CLIENT_PRIVATE_KEY_CONTENT>

DNS = 1.1.1.1, 1.0.0.1 # Optional: DNS servers to use when the VPN is active

[Peer] # Server configuration

PublicKey = <SERVER_PUBLIC_KEY_CONTENT>

AllowedIPs = 0.0.0.0/0 # Route all traffic through the VPN. For split-tunneling, specify subnets (e.g., 10.0.0.0/24, 192.168.1.0/24)

Endpoint = <SERVER_PUBLIC_IP_OR_HOSTNAME>:51820

PersistentKeepalive = 25 # Optional: helps maintain connection through NAT/firewalls by sending periodic keepalive packets

Important:

  • Replace <CLIENT_PRIVATE_KEY_CONTENT> with the content of this client's private key file.
  • Replace <SERVER_PUBLIC_KEY_CONTENT> with the content of the server's public key file.
  • Replace <SERVER_PUBLIC_IP_OR_HOSTNAME> with the server's actual public IP address or a DNS resolvable hostname.
  • The Address for the client (e.g., 10.0.0.2/32) must match one of the AllowedIPs configured for this peer on the server.
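
A consistency check for the rule in the last bullet, as an added example that is not part of the original article: it parses a server and a client configuration and reports a client Address that falls outside its peer's AllowedIPs, as well as AllowedIPs that overlap between server peers. The function names, the sample configs and the placeholder keys are constructed for illustration.

```python
import ipaddress

# Constructed sample configs; the key values are placeholders, not real keys.
SERVER = """[Interface]
Address = 10.0.0.1/24
[Peer] # Client 1
PublicKey = CLIENT1_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.0.0.2/32
[Peer] # Client 2
PublicKey = CLIENT2_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.0.0.3/32
"""
CLIENT1 = "[Interface]\nAddress = 10.0.0.2/32 # unique per client\n"

def parse_wg_conf(text):
    """Parse wg-quick style text into a list of (section, {key: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, inline too
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            sections[-1][1][key.strip()] = value.strip()
    return sections

def nets(value):
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]

def check_pair(server_text, client_text, client_pubkey):
    """Return a list of mismatches between a server and one client config."""
    problems, claimed, mine = [], [], []
    peers = [kv for name, kv in parse_wg_conf(server_text) if name == "Peer"]
    for kv in peers:
        own = nets(kv.get("AllowedIPs", ""))
        # A prefix listed under two peers makes routing to them ambiguous.
        problems += [f"AllowedIPs overlap: {n} and {o}"
                     for n in own for o in claimed if n.overlaps(o)]
        claimed += own
        if kv.get("PublicKey") == client_pubkey:
            mine += own
    if not mine:
        problems.append("server has no [Peer] entry for this client's public key")
    c_if = next((kv for name, kv in parse_wg_conf(client_text) if name == "Interface"), {})
    addrs = [ipaddress.ip_interface(a.strip()).ip
             for a in c_if.get("Address", "").split(",") if a.strip()]
    for ip in addrs:
        if mine and not any(ip in n for n in mine):
            problems.append(f"client Address {ip} is outside the server's AllowedIPs for it")
    return problems
```

Calling check_pair(SERVER, CLIENT1, "CLIENT1_PUBLIC_KEY_PLACEHOLDER=") returns an empty list for the sample pair; any returned string names a mismatch to fix before bringing the interface up.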

Managing the WireGuard Interface

You can manage WireGuard interfaces using the wg-quick utility.

To bring up an interface (e.g., wg0 based on /etc/wireguard/*):

sudo wg-quick up wg0

To bring down an interface:

sudo wg-quick down wg0

To enable the WireGuard interface to start automatically at boot using systemd:

sudo systemctl enable wg-quick@wg0

To start the service immediately after enabling:

sudo systemctl start wg-quick@wg0

To check the status of the service:

sudo systemctl status wg-quick@wg0

To view logs for the service:

journalctl -u wg-quick@wg0

Verification and Status

Once the interface is up on both the server and client, you can check its status and peer information:

sudo wg show

This command displays the current configuration, public keys, listening ports, peer endpoints, allowed IPs, latest handshake times, and data transfer statistics for all active WireGuard interfaces. A recent "latest handshake" indicates a successful connection.

You should also be able to ping the server's VPN IP (e.g., ping 10.0.0.1 from the client) and the client's VPN IP from the server (e.g., ping 10.0.0.2 from the server).
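
The "latest handshake" check can be scripted against the tab-separated output of `sudo wg show wg0 dump`. The following is an added example, not part of the original article: the sample dump and its placeholder keys are constructed, and the 180-second threshold and the function name are assumptions.

```python
import time

# Constructed sample of `sudo wg show wg0 dump` (tab-separated). Line 1 is the
# interface: private-key, public-key, listen-port, fwmark. Keys are placeholders.
SAMPLE = "\n".join([
    "SERVER_PRIVATE_KEY_PLACEHOLDER=\tSERVER_PUBLIC_KEY_PLACEHOLDER=\t51820\toff",
    "CLIENT1_PUBLIC_KEY_PLACEHOLDER=\t(none)\t203.0.113.7:40112\t10.0.0.2/32\t1700000000\t9120\t15344\toff",
    "CLIENT2_PUBLIC_KEY_PLACEHOLDER=\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff",
])

PEER_FIELDS = ("public_key", "preshared_key", "endpoint", "allowed_ips",
               "latest_handshake", "transfer_rx", "transfer_tx", "keepalive")

def peer_status(dump, now=None, max_age=180):
    """Return {public_key: {...}} with a handshake verdict for every peer.

    max_age is an assumed threshold in seconds, not a value from the article.
    """
    now = time.time() if now is None else now
    report = {}
    for line in dump.splitlines()[1:]:      # skip line 1: it holds the private key
        fields = line.split("\t")
        if len(fields) != len(PEER_FIELDS):
            raise ValueError("not a peer line from 'wg show <interface> dump'")
        peer = dict(zip(PEER_FIELDS, fields))
        last = int(peer["latest_handshake"])
        if last == 0:
            verdict = "never"               # no handshake completed with this peer
        elif now - last > max_age:
            verdict = "stale"               # connected earlier, not handshaking now
        else:
            verdict = "ok"
        report[peer["public_key"]] = {
            "verdict": verdict,
            "endpoint": peer["endpoint"],
            "allowed_ips": peer["allowed_ips"],
            "age_seconds": None if last == 0 else int(now - last),
        }
    return report
```

The dump's first line contains the interface private key, so the function drops it and the raw output should not be written to logs or tickets.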
