Setup WireGuard Client using systemd

Installation

Install:

openresolv wireguard-tools

Uninstall systemd-resolvconf if it exists, since it can cause a DNS leak.

Configuration

  1. Install the config file to the WireGuard configuration directory on your Linux client: sudo install -o root -g root -m 600 <username>.conf /etc/wireguard/wg0.conf

  2. Start the WireGuard VPN: sudo systemctl start wg-quick@wg0

  3. Check that it started properly: sudo systemctl status wg-quick@wg0

  4. Verify the connection to the AlgoVPN: sudo wg

  5. See that your client is using the IP address of your AlgoVPN: curl ipv4.icanhazip.com

  6. Optionally configure the connection to come up at boot time: sudo systemctl enable wg-quick@wg0

Use openresolv

To configure NetworkManager to use openresolv, set main.rc-manager=resolvconf with a configuration file in /etc/NetworkManager/conf.d/:

/etc/NetworkManager/conf.d/rc-manager.conf

[main]
rc-manager=resolvconf

Adding a killswitch

  1. Open the WireGuard config file with any text editor: sudo nano /etc/wireguard/wg0.conf

  2. Add the following two lines to the [Interface] section:

PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

  3. Here is how the WireGuard config file should look afterwards:

[Interface]
PrivateKey = abcdefghijklmnopqrstuvwxyz0123456789=
Address = 172.x.y.z/32
DNS = 172.16.0.1
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = JPT1veXLmasj2uQDstX24mpR7VWD+GmV8JDkidkz91Q=
Endpoint = us-tx1.wg.ivpn.net:2049
AllowedIPs = 0.0.0.0/0

Testing

One way to test a down tunnel is to delete the IP address from the WireGuard network interface from a terminal: sudo ip a del [IP address] dev [interface]

In this example, remove 172.x.y.z from the wg0 interface:

sudo ip a del 172.x.y.z/32 dev wg0

The PostUp iptables rule from step 2 above restricts all traffic to the tunnel, so every attempt to send traffic outside it now fails. To recover gracefully, you will likely have to use the wg-quick command to take the connection down and then bring it back up.
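An added check, not part of these notes or the linked sources, that ties the kill-switch rules above to the test in this section: it looks for the REJECT rule that PostUp inserts, keyed on the fwmark that wg-quick assigns to the interface. Assumed inputs are the text of `iptables -S OUTPUT` (or `ip6tables -S OUTPUT`) and of `wg show wg0 fwmark`; the sample rule listing is constructed.

```shell
# has_killswitch_rule RULES IFACE MARK
# Returns 0 when RULES (output of `iptables -S OUTPUT`) contains the
# kill-switch rule for IFACE with fwmark MARK, 1 otherwise.
has_killswitch_rule() {
  rules=$1; iface=$2; mark=$3
  # wg-quick only sets a fwmark when it manages the default route
  # (AllowedIPs = 0.0.0.0/0). With "off" the PostUp line has nothing to
  # match on, so treat that as "no kill switch".
  [ "$mark" != "off" ] || return 1
  printf '%s\n' "$rules" | grep -q -- \
    "^-A OUTPUT ! -o $iface -m mark ! --mark $mark -m addrtype ! --dst-type LOCAL -j REJECT"
}

# check_live [IFACE]
# Queries the running system (needs root) and checks both IPv4 and IPv6.
check_live() {
  iface=${1:-wg0}
  mark=$(wg show "$iface" fwmark) || return 1
  if has_killswitch_rule "$(iptables -S OUTPUT)" "$iface" "$mark" &&
     has_killswitch_rule "$(ip6tables -S OUTPUT)" "$iface" "$mark"; then
    echo "kill switch active on $iface (fwmark $mark)"
  else
    echo "kill switch MISSING on $iface (fwmark $mark)" >&2
    return 1
  fi
}

# Constructed sample of `iptables -S OUTPUT` after PostUp ran; the mark
# value is a made-up example of what `wg show wg0 fwmark` prints.
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT ! -o wg0 -m mark ! --mark 0xca6c -m addrtype ! --dst-type LOCAL -j REJECT --reject-with icmp-port-unreachable'

# Stand-alone use against the real host: sh check.sh --live wg0
if [ "${1:-}" = "--live" ]; then check_live "${2:-wg0}"; fi
```

Run check_live after step 3 and again after the ip a del test above; the rule must still be listed while the tunnel is down, otherwise traffic can leave the host unprotected.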

IP Masquerade (PiVPN Server)

Add these lines to the config file under the Address line. They create iptables rules when you connect to WireGuard and masquerade your IP address. NOTE: you might need to change eth0 to the network interface of your device, but since you are using a Raspberry Pi it is most likely eth0.

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Sources:

https://github.com/trailofbits/algo/blob/master/docs/client-linux-wireguard.md

https://www.ivpn.net/knowledgebase/linux/linux-wireguard-kill-switch/

https://www.reddit.com/r/WireGuard/comments/awudup/how_to_exclude_local_network_packets_from/

https://www.wundertech.net/setup-wireguard-on-a-raspberry-pi-vpn-setup-tutorial/