Short version: One interface, named peers, least-privilege routes. Keep logs, rotate keys quarterly, and block everything you don’t route.
1) Install
sudo apt update && sudo apt install -y wireguard
# or
sudo dnf install -y wireguard-tools
2) Keys
umask 077
wg genkey | tee /etc/wireguard/server.key | wg pubkey > /etc/wireguard/server.pub
wg genkey | tee ~/client.key | wg pubkey > ~/client.pub
3) Server config (/etc/wireguard/wg0.conf)
[Interface]
Address = 10.20.0.1/24
ListenPort = 51820
PrivateKey = (contents of server.key)
# IP forwarding
PostUp = sysctl -w net.ipv4.ip_forward=1
# Dedicated nftables table so PostDown removes exactly what PostUp added
# (nft delete rule needs a rule handle, not a rule spec, so deleting by table is reliable)
PostUp = nft add table inet wg0; nft add chain inet wg0 forward '{ type filter hook forward priority 0; }'
PostUp = nft add rule inet wg0 forward iifname "wg0" accept
PostDown = nft delete table inet wg0
[Peer]
# Kevin laptop
PublicKey = (contents of client.pub)
AllowedIPs = 10.20.0.10/32
# Optional: also route a specific subnet to this peer
# AllowedIPs = 10.20.0.10/32,10.30.0.0/24
4) Client config
[Interface]
Address = 10.20.0.10/32
PrivateKey = (contents of client.key)
DNS = 1.1.1.1
[Peer]
PublicKey = (contents of server.pub)
Endpoint = vpn.example.com:51820
AllowedIPs = 10.20.0.0/24,10.30.0.0/24
PersistentKeepalive = 25
5) Start & enable
sudo systemctl enable --now wg-quick@wg0
6) Logging & hygiene
- Log the output of wg show daily (peers seen, handshakes).
- Rotate keys every 90 days; remove stale peers.
- Expose UDP/51820 from trusted sources only (or via port-knocking/ACL).
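As an added example (not part of the original guide), a Python script that turns the daily output of wg show wg0 dump into one log line per peer and flags peers overdue for removal under the 90-day cadence above, plus any peer holding a catch-all AllowedIPs route; the dump text, peer names and timestamps are constructed placeholders.

```python
import ipaddress

STALE_DAYS = 90  # matches the 90-day rotate/remove cadence in the guide above

def parse_dump(dump_text):
    """Parse `wg show <iface> dump` (tab-separated) into peer dicts; line 1 is the interface itself."""
    peers = []
    for line in dump_text.splitlines()[1:]:
        pub, _psk, endpoint, allowed, handshake, rx, tx, _keepalive = line.split("\t")
        peers.append({
            "public_key": pub,
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": [ipaddress.ip_network(a) for a in allowed.split(",") if a != "(none)"],
            "latest_handshake": int(handshake),  # unix seconds; 0 means never
            "rx_bytes": int(rx), "tx_bytes": int(tx),
        })
    return peers

def audit(dump_text, now, stale_days=STALE_DAYS):
    """Return (public_key, reason) findings: stale peers and peers with a catch-all route."""
    findings = []
    for p in parse_dump(dump_text):
        age = None if p["latest_handshake"] == 0 else now - p["latest_handshake"]
        if age is None:
            findings.append((p["public_key"], "never handshaked"))
        elif age > stale_days * 86400:
            findings.append((p["public_key"], f"last handshake {age // 86400} days ago"))
        for net in p["allowed_ips"]:
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 server-side: this key may source any address
                findings.append((p["public_key"], f"catch-all AllowedIPs {net}"))
    return findings

def daily_lines(dump_text, now):
    """One log line per peer for the daily record (endpoint, handshake age, byte counters)."""
    out = []
    for p in parse_dump(dump_text):
        hs = "never" if p["latest_handshake"] == 0 else f"{(now - p['latest_handshake']) // 3600}h ago"
        out.append(f"peer={p['public_key']} endpoint={p['endpoint']} handshake={hs} rx={p['rx_bytes']} tx={p['tx_bytes']}")
    return out

# Constructed sample dump; keys and endpoints are placeholders, not real WireGuard values.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "SERVER_PRIVKEY\tSERVER_PUBKEY\t51820\toff",
    f"KEVIN_LAPTOP_PUB\t(none)\t203.0.113.7:41234\t10.20.0.10/32\t{NOW - 3600}\t123456\t654321\t25",
    "OLD_CONTRACTOR_PUB\t(none)\t(none)\t10.20.0.11/32\t0\t0\t0\toff",
    f"SITE_ROUTER_PUB\t(none)\t198.51.100.9:51820\t10.20.0.12/32,10.30.0.0/24\t{NOW - 100 * 86400}\t10\t10\toff",
    f"MISCONFIGURED_PUB\t(none)\t192.0.2.5:4000\t0.0.0.0/0\t{NOW - 60}\t5\t5\toff",
])
```

On a live host, feed it the output of sudo wg show wg0 dump in place of SAMPLE_DUMP and int(time.time()) in place of NOW, then append daily_lines() to your log and act on audit() findings.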
Security gaps in Linux and cloud systems risk downtime, data compromise, lost business — and compliance failures.
With 20+ years’ experience and active UK Security Check (SC) clearance, I harden Linux and cloud platforms for government, corporate, and academic sectors — ensuring secure, compliant, and resilient infrastructure.