Here are my notes from when I installed it a couple of years ago. There is no quick-and-easy way to get this running. You need to understand how a VPN works in order to understand what the various parts below mean. Running on FBSD 11.3 presently:
|# pkg search wireguard
|# pkg install ...
|# cd /usr/local/etc/wireguard
|# umask 077
|# wg genkey > server-private.key
|# wg pubkey < server-private.key > server-public.key
|# wg genkey > client0-private.key
|# wg pubkey < client0-private.key > client0-public.key
|# wg genpsk > client0.psk // .psk = pre-shared key
each additional client computer needs its own keys
|# wg genkey > client1-private.key
|# wg pubkey < client1-private.key > client1-public.key
|# wg genpsk > client1.psk
|# touch wg0.conf
|# touch client0.conf
// the 'server' end of the tunnel can see lots of peers (clients)
|# ee wg0.conf
# server
[Interface]
Address = 10.14.28.1/24 #, fc00:23:5::1/64, inside tunnel
ListenPort = 1500
PrivateKey = < server private key>
DNS = 10.0.1.1
# client0
[Peer]
PublicKey = < client0 public key >
PresharedKey = < client0 pre-shared key >
AllowedIPs = 10.14.28.2/32 #, fc00:23:5::2/128, inside tunnel, clients may not share AllowedIPs
# client1
#[Peer]
#PublicKey = < client1 public key >
#PresharedKey = < client1 pre-shared key >
#AllowedIPs = 10.14.28.3/32 #, fc00:23:5::3/128, inside tunnel, clients may not share AllowedIPs
# -EOF-
the server side...
|# sysrc gateway_enable="YES" // rc.conf variable is gateway_enable; rc.d/routing turns forwarding on at boot
-or-
|# sysctl net.inet.ip.forwarding=1 // takes effect now but is lost at reboot
|# ee /etc/sysctl.conf // forwarding is a runtime sysctl, so it persists from sysctl.conf, not loader.conf
net.inet.ip.forwarding=1
# -EOF-
|# sysrc wireguard_enable=YES
|# sysrc wireguard_interfaces=wg0
be sure the /etc/pf.conf NAT covers all interfaces
|# service wireguard start
check on the wireguard daemon
|# netstat -4rn
|# top
|# ps -auxc
|# sockstat -4l
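The note about pf.conf above only says the NAT must cover the tunnel; as an added example (not from the original notes) here is a minimal /etc/pf.conf for the server that NATs the tunnel subnet from wg0.conf out the external interface and passes the handshake port. The names em0 and wg0 are assumptions: check with ifconfig which interface faces the internet and under which name the tunnel actually came up, and set ext_if and wg_if to match.

```pf
# /etc/pf.conf excerpt for the WireGuard server (added example, not from the
# original notes).  ext_if and wg_if are assumptions; confirm both with ifconfig.
ext_if  = "em0"
wg_if   = "wg0"
wg_net  = "10.14.28.0/24"       # matches Address in wg0.conf
wg_port = "1500"                # matches ListenPort in wg0.conf

set skip on lo0
scrub in all

# Tunnel clients leave through the outside interface using its address.
nat on $ext_if inet from $wg_net to any -> ($ext_if)

block in log all
pass out quick all keep state

# Encrypted WireGuard packets arriving on the outside interface.
pass in quick on $ext_if inet proto udp from any to ($ext_if) port $wg_port keep state
# Decrypted client traffic arriving from inside the tunnel.
pass in quick on $wg_if inet from $wg_net to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; a typo in the nat line leaves clients able to reach the server but nothing beyond it.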
on the client side...
// the client end of the tunnel can only see one peer (server)
|# ee client0.conf
# client0
[Interface]
PrivateKey = < client0 private key >
Address = 10.14.28.2/24 #, fc00:23:5::2/64
# server
[Peer]
PublicKey = < server public key >
PresharedKey = < client0 pre-shared key > # same value the server has for this peer; set on both sides or on neither, or the handshake never completes
Endpoint = 10.0.0.133:1500 # FQDN:1500
AllowedIPs = 0.0.0.0/0 #, ::/0, all traffic thru the tunnel
# -EOF-
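Two mistakes in these configs fail quietly: a prefix listed under AllowedIPs for more than one peer (the cryptokey routing table holds each prefix for exactly one peer, so the last peer configured takes it), and a PresharedKey present on only one side (every handshake then fails without a useful error). The script below is an added example, not part of the original notes: it parses a constructed server/client pair (placeholder strings stand in for real base64 keys, and the client's PresharedKey is deliberately commented out, as in the notes above) and reports both problems, and also checks that the client's tunnel address is actually routed to it by the server.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity checks for a wg0.conf /
# client0.conf pair before 'service wireguard start'.  Both configs below are
# constructed stand-ins with placeholder strings where real base64 keys go.

SERVER_CONF='# server
[Interface]
Address = 10.14.28.1/24
ListenPort = 1500
PrivateKey = SERVER_PRIVATE_KEY
# client0
[Peer]
PublicKey = CLIENT0_PUBLIC_KEY
PresharedKey = CLIENT0_PSK
AllowedIPs = 10.14.28.2/32
# client1 (copy-paste slip: re-uses the client0 address)
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY
PresharedKey = CLIENT1_PSK
AllowedIPs = 10.14.28.2/32, fc00:23:5::3/128
'

CLIENT_CONF='# client0
[Interface]
PrivateKey = CLIENT0_PRIVATE_KEY
Address = 10.14.28.2/24
[Peer]
PublicKey = SERVER_PUBLIC_KEY
# PresharedKey = CLIENT0_PSK
Endpoint = 10.0.0.133:1500
AllowedIPs = 0.0.0.0/0
'

# Drop "# ..." comments (wg and wg-quick ignore them the same way).  KEY = VALUE
# lines are split at the first '=' so the '=' padding of base64 keys survives.
strip_comments() { printf '%s\n' "$1" | sed 's/#.*//'; }

# Print KEY from the [Interface] section of a config (empty if absent).
interface_value() {  # $1=config text  $2=key name
    strip_comments "$1" | awk -v key="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ /\[Interface\]/); next }
        insec && index($0, "=") {
            i = index($0, "="); k = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (k == key) print val
        }'
}

# Print KEY from the [Peer] section whose PublicKey is PUBKEY (empty if absent).
peer_value() {  # $1=config text  $2=PublicKey  $3=key name
    strip_comments "$1" | awk -v want="$2" -v key="$3" '
        function flush(  k2) {
            if (v["PublicKey"] == want && (key in v)) print v[key]
            for (k2 in v) delete v[k2]
        }
        /^[ \t]*\[/ { flush(); next }
        index($0, "=") {
            i = index($0, "="); k = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", val)
            v[k] = val
        }
        END { flush() }'
}

# Print every AllowedIPs prefix that appears under more than one [Peer].  The
# cryptokey routing table maps each prefix to exactly one peer, so a shared
# prefix is silently handed to whichever peer was configured last.
dup_allowed_ips() {  # $1=config text
    strip_comments "$1" | awk '
        index($0, "=") {
            i = index($0, "="); k = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]/, "", k)
            if (k != "AllowedIPs") next
            n = split(val, a, ",")
            for (j = 1; j <= n; j++) { gsub(/[ \t]/, "", a[j]); if (a[j] != "") print a[j] }
        }' | sort | uniq -d
}

# 0 when the server's PresharedKey for this client and the client's own
# PresharedKey agree (both set and equal, or both absent); 1 otherwise.
# A PSK present on one side only makes every handshake fail.
check_psk() {  # $1=server conf  $2=client conf  $3=client pubkey  $4=server pubkey
    [ "$(peer_value "$1" "$3" PresharedKey)" = "$(peer_value "$2" "$4" PresharedKey)" ]
}

# 0 when the client's first tunnel address is listed as a /32 in the server's
# AllowedIPs for that peer; otherwise the server drops the client's packets.
check_client_addr() {  # $1=server conf  $2=client conf  $3=client pubkey
    host=$(interface_value "$2" Address | sed 's/,.*//; s#/.*##')
    peer_value "$1" "$3" AllowedIPs | tr ',' '\n' | tr -d ' ' | grep -qxF "$host/32"
}

# Report on the constructed pair.
dups=$(dup_allowed_ips "$SERVER_CONF")
[ -n "$dups" ] && echo "shared AllowedIPs across peers: $dups"
check_psk "$SERVER_CONF" "$CLIENT_CONF" CLIENT0_PUBLIC_KEY SERVER_PUBLIC_KEY \
    || echo "PresharedKey differs between server and client0"
check_client_addr "$SERVER_CONF" "$CLIENT_CONF" CLIENT0_PUBLIC_KEY \
    && echo "client0 address is routed by the server"
```

To run it against the real files, replace the two embedded strings with `SERVER_CONF=$(cat /usr/local/etc/wireguard/wg0.conf)` and the client file, and pass the real client public key (the contents of client0-public.key) in place of CLIENT0_PUBLIC_KEY.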
the client computer will need a 'client' which talks to the wireguard server.
fetch from
https://tunsafe.com/
TunSafe-1.4-x64.zip // the windows client is in here
TunSafe-TAP-9.21.2.exe // windows interface
I found these sites very helpful:
<https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/>
<https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-android/>