How to add a new Wireguard user

In this post I will show you how to create new users for your Wireguard VPN instance.

For this operation to be possible you will need to have root access to your server. If you don't know how to gain that, please follow our guide.

Generate Wireguard client keys

After logging in to the SSH console you need to create the keys for the new user. Wireguard uses these keys to identify peers and authenticate them:

docker run --rm cmulk/wireguard-docker:buster genkeys

This will print 2 keys: a public and a private one:

-e Private Key: 8JlkyYRuR/OdFlBOUDVfM+DknvUUsjtnduNoEeqsLWA=
-e Public Key: KglpBFVBdJhCIkrs8ZK/EZhkSkslz873CroBAEsg/2I=

You have to copy both of them so we can go ahead with our next step (omit the "-e Private Key:" and "-e Public Key:" prefixes; only the base64 strings are the keys).

Configure the server and add the new user

Now that we have our keys it is time to edit the main configuration file for Wireguard by running:

nano /etc/wireguard/wg0.conf

nano is a console editor and it will let you modify the file which looks something like this when being edited:

[Interface]
Address = 192.168.20.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 5555
PrivateKey = 6IrKiXy2jdMxu9MQwh5Tl+EqxltMWPQvPv9at5YOrlQ=

[Peer]
PublicKey = hgx2jsPIsp6E2cltv1BIgf+YHQVBuazsvt6XuceHTXk=
AllowedIPs = 192.168.20.2/32

We can see there are 2 sections here:

  1. Interface
  2. Peer

The Interface part is about the server and the Peer is actually the first client that is allowed to connect. You can see that the first peer has a PublicKey (like the one you just generated) and an AllowedIPs param. We will need to replicate that and create a new Peer so the new config will look like this:

[Interface]
Address = 192.168.20.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 5555
PrivateKey = 6IrKiXy2jdMxu9MQwh5Tl+EqxltMWPQvPv9at5YOrlQ=

[Peer]
PublicKey = hgx2jsPIsp6E2cltv1BIgf+YHQVBuazsvt6XuceHTXk=
AllowedIPs = 192.168.20.2/32

[Peer]
PublicKey = KglpBFVBdJhCIkrs8ZK/EZhkSkslz873CroBAEsg/2I=
AllowedIPs = 192.168.20.3/32

Look carefully and take note that I added a new Peer with the public key we just generated above and I also incremented the AllowedIPs from 192.168.20.2/32 to 192.168.20.3/32 to avoid any IP space collisions.

You can save the file by pressing CTRL+X and typing y when prompted to save the changes.

Following this change you need to restart the Wireguard instance. Two things to keep in mind: the command below restarts every container on the host, not only the Wireguard one, and because the config has SaveConfig = true, wg-quick writes the running configuration back to wg0.conf when the interface goes down, so check after the restart that your new Peer block is still in the file:

docker restart $(docker ps -aq)

Create the client config file

There's one more step and that is to create the new client config that the new member should use to connect. For this let's create a copy of the original client.config file and edit the Interface part. The Peer, in this case, is the server so that section needs to stay the same:

[Interface]
Address = 192.168.20.3/24
PrivateKey = 8JlkyYRuR/OdFlBOUDVfM+DknvUUsjtnduNoEeqsLWA=
ListenPort = 0 

[Peer]
PublicKey = g4gaGC/F2Fz3E2cH7Ek1ZQTRTEHosZQ4oEOzpf6e/y0=
Endpoint = 165.227.147.194:58281
AllowedIPs = 0.0.0.0/0,::/0 #makes sure ALL traffic routed through VPN
PersistentKeepalive = 25

What I edited here is the Interface Address, set to the one we allocated to our new user (192.168.20.3), and the PrivateKey, which I replaced with the private key we generated above: 8JlkyYRuR/OdFlBOUDVfM+DknvUUsjtnduNoEeqsLWA= . Everything else stayed the same.
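The two manual edits above (appending a [Peer] to the server's wg0.conf and writing the matching client config) are easy to get wrong by hand, typically by reusing an AllowedIPs address or pasting a key twice. The following script is an added example, not code from the original post or from the wireguard-docker image: it parses a wg0.conf-style text, allocates the lowest free address in the Interface subnet, refuses a public key that is already a peer, appends the new Peer block, and renders the client config in the same shape as the one shown above. The sample server config, the server private key placeholder, the endpoint 203.0.113.10:5555 and the client private key value are constructed for the example; the client public key is the one generated in the post.

```python
"""Add a WireGuard peer to a wg0.conf text and render the matching client config.

Added example (not the post's own code). It automates the manual edit described
in the post and adds the two checks the manual procedure leaves to the reader:
no AllowedIPs collision and no duplicate public key.
"""
import ipaddress
import re

# Constructed sample server config, mirroring the layout shown in the post.
# The PrivateKey is a placeholder, not a real key.
SAMPLE_SERVER_CONF = """[Interface]
Address = 192.168.20.1/24
SaveConfig = true
ListenPort = 5555
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=

[Peer]
PublicKey = hgx2jsPIsp6E2cltv1BIgf+YHQVBuazsvt6XuceHTXk=
AllowedIPs = 192.168.20.2/32
"""


def parse_conf(text):
    """Return a list of (section_name, {key: value}) in file order.

    Repeated sections (several [Peer] blocks) stay separate entries, and
    trailing '#' comments are stripped from values.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"\[(\w+)\]", line)
        if match:
            current = (match.group(1), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        # Split on the first '=' only: base64 keys end with '=' padding.
        key, value = (part.strip() for part in line.split("=", 1))
        current[1][key] = value
    return sections


def next_free_address(sections):
    """Lowest host address in the Interface subnet not used by the server or a peer."""
    interface = next(body for name, body in sections if name == "Interface")
    server_iface = ipaddress.ip_interface(interface["Address"])
    used = {server_iface.ip}
    for name, body in sections:
        if name != "Peer":
            continue
        for cidr in body.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if cidr:
                used.add(ipaddress.ip_interface(cidr).ip)
    for host in server_iface.network.hosts():
        if host not in used:
            return host
    raise RuntimeError(f"no free address left in {server_iface.network}")


def add_peer(server_conf, client_public_key):
    """Return (updated server conf text, allocated client address)."""
    sections = parse_conf(server_conf)
    for name, body in sections:
        if name == "Peer" and body.get("PublicKey") == client_public_key:
            raise ValueError("that public key is already configured as a peer")
    address = next_free_address(sections)
    block = f"\n[Peer]\nPublicKey = {client_public_key}\nAllowedIPs = {address}/32\n"
    return server_conf.rstrip("\n") + "\n" + block, address


def render_client_conf(address, client_private_key, server_public_key, endpoint,
                       prefixlen=24):
    """Render the client-side config in the shape shown in the post."""
    return (
        "[Interface]\n"
        f"Address = {address}/{prefixlen}\n"
        f"PrivateKey = {client_private_key}\n"
        "ListenPort = 0\n"
        "\n"
        "[Peer]\n"
        f"PublicKey = {server_public_key}\n"
        f"Endpoint = {endpoint}\n"
        "AllowedIPs = 0.0.0.0/0,::/0\n"
        "PersistentKeepalive = 25\n"
    )


if __name__ == "__main__":
    # Client public key from the post; the other values are constructed.
    new_conf, addr = add_peer(SAMPLE_SERVER_CONF,
                              "KglpBFVBdJhCIkrs8ZK/EZhkSkslz873CroBAEsg/2I=")
    print(new_conf)
    print(render_client_conf(addr, "CLIENT_PRIVATE_KEY_PLACEHOLDER=",
                             "SERVER_PUBLIC_KEY_PLACEHOLDER=", "203.0.113.10:5555"))
```

The script deliberately never writes the file itself: run it, inspect the printed server config, then replace wg0.conf while the interface is down so that SaveConfig does not overwrite the change. The client private key should be passed in from the genkeys output rather than stored anywhere on the server.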

That's it! I know it is a bit difficult and we're working on automating this process in the future.