WireGuard is a modern VPN protocol that offers high performance, a small codebase, and modern cryptography. This article walks through a complete WireGuard VPN server setup on Linux.
Introduction to WireGuard
Advantages of WireGuard:
- High performance: faster than OpenVPN and IPsec
- Minimal codebase: only ~4,000 lines of code (vs. 100,000+ for OpenVPN)
- Modern cryptography: ChaCha20, Curve25519, BLAKE2s, SipHash24
- Easy setup: simple configuration
- Good roaming: stays connected when you change networks
- Cross-platform: supports Linux, Windows, macOS, iOS, Android
Installing WireGuard
Ubuntu/Debian
```bash
# Update and install
sudo apt update
sudo apt install -y wireguard wireguard-tools

# Verify
wg --version
```
Fedora/RHEL/CentOS
```bash
# Fedora
sudo dnf install -y wireguard-tools

# RHEL/CentOS (use EPEL)
sudo yum install -y epel-release
sudo yum install -y wireguard-tools
```
Arch Linux
```bash
sudo pacman -S wireguard-tools
```
WireGuard Server Configuration
1. Generate a Key Pair
```bash
# Create a directory for the keys
sudo mkdir -p /etc/wireguard/keys
sudo chmod 700 /etc/wireguard/keys

# Generate the private key and derive the public key from it.
# Run as root with umask 077: a non-root shell cannot cd into the 700 directory,
# and the private key file must never be world-readable.
sudo sh -c 'umask 077; cd /etc/wireguard/keys && wg genkey | tee privatekey | wg pubkey > publickey'

# Check the keys
sudo cat /etc/wireguard/keys/privatekey
sudo cat /etc/wireguard/keys/publickey
```
2. Set Up the Network Interface
```bash
# Check the server's IP
ip addr show

# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1

# Make it permanent
sudo nano /etc/sysctl.conf
```
Add:
```
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
```
Apply:
```bash
sudo sysctl -p
```
3. Create the Server Configuration
```bash
sudo nano /etc/wireguard/wg0.conf
```
```ini
[Interface]
# Server private key
PrivateKey = SERVER_PRIVATE_KEY
# IP address for the WireGuard interface
Address = 10.200.200.1/24
# Listen port
ListenPort = 51820
# PostUp and PostDown rules for NAT
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# DNS that wg-quick applies to this server host while the tunnel is up (optional;
# it needs resolvconf on the server, and each client sets its own DNS in its config)
DNS = 8.8.8.8, 8.8.4.4

[Peer]
# Client 1 public key
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 10.200.200.2/32
# Keepalive (optional, for NAT traversal). This is a per-peer option: placing it
# under [Interface] makes wg-quick reject the whole file
PersistentKeepalive = 25

[Peer]
# Client 2 public key
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 10.200.200.3/32
PersistentKeepalive = 25
```
Replace the placeholders with actual values:
- SERVER_PRIVATE_KEY: the contents of /etc/wireguard/keys/privatekey
- CLIENT1_PUBLIC_KEY: the client's public key (generated later)
- eth0: your server's network interface (the one shown by ip addr show above)
Because this file contains the server's private key, keep it readable by root only (mode 600).
4. Start WireGuard
```bash
# Enable the wg-quick service
sudo systemctl enable wg-quick@wg0

# Start WireGuard
sudo systemctl start wg-quick@wg0

# Check status
sudo systemctl status wg-quick@wg0

# Verify the interface
sudo wg show
ip addr show wg0
```
5. Configure the Firewall
```bash
# Allow the WireGuard port
sudo ufw allow 51820/udp

# Or with iptables
sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT

# Enable the firewall if it is not enabled yet
sudo ufw enable
```
WireGuard Client Setup
Generate Client Keys
```bash
# Generate a key pair for the client.
# Ideally generate it on the client device itself so its private key never leaves
# that device; it is shown here on the server for simplicity.
sudo sh -c 'umask 077; cd /etc/wireguard/keys && wg genkey | tee client1-privatekey | wg pubkey > client1-publickey'

# Note the public key; it has to be added to the server config
sudo cat /etc/wireguard/keys/client1-publickey
```
Add the Client to the Server
Edit /etc/wireguard/wg0.conf and add a new peer:
```bash
sudo nano /etc/wireguard/wg0.conf
```
Add at the end:
```ini
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.200.200.4/32
```
Replace CLIENT_PUBLIC_KEY with the client's public key. Each peer needs its own AllowedIPs address; do not reuse one that is already assigned.
Reload WireGuard (a restart briefly drops every active tunnel):
```bash
sudo systemctl restart wg-quick@wg0
```
Client Configuration File
Create the configuration file for the client:
```bash
sudo nano /etc/wireguard/client1.conf
```
```ini
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.200.200.4/32
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```
Replace the placeholders:
- CLIENT_PRIVATE_KEY: the client's private key
- SERVER_PUBLIC_KEY: the server's public key (sudo cat /etc/wireguard/keys/publickey)
- SERVER_PUBLIC_IP: the server's public IP or domain name
This file contains the client's private key: transfer it to the client over a secure channel and keep it readable only by root (mode 600) there.
Installing the Client on Different Platforms
Linux Client
```bash
# Install WireGuard (same as on the server)
sudo apt install -y wireguard wireguard-tools

# Copy the config to /etc/wireguard/
sudo cp client1.conf /etc/wireguard/

# Enable and start
sudo systemctl enable wg-quick@client1
sudo systemctl start wg-quick@client1

# Verify
sudo wg show
ip addr show
```
Windows Client
- Download the installer from https://www.wireguard.com/install/
- Install WireGuard
- Click "Add Tunnel" → "Add empty tunnel"
- Paste the contents of client1.conf
- Click "Activate"
macOS Client
- Install from the App Store or https://www.wireguard.com/install/
- Click "Add empty tunnel"
- Paste the configuration
- Click "Activate"
Android/iOS Client
- Install the app from the Play Store/App Store
- Scan a QR code or import from a file
- Tap to connect
Advanced Configuration
Split Tunneling (Route Only Specific Networks)
To send only specific traffic through the VPN, restrict AllowedIPs in the client's [Peer] section to those networks (AllowedIPs decides which destinations are routed into the tunnel, so everything else keeps using the normal route):
```ini
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:51820
AllowedIPs = 192.168.1.0/24, 10.0.0.0/8
```
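As an added example (not from the original article), here is a small Python linter for wg-quick config files covering the two mistakes that are easy to make in the hand-edited server config above and in AllowedIPs-based split tunneling: a peer-only option such as PersistentKeepalive placed under [Interface], which makes wg-quick reject the whole file, and AllowedIPs that overlap between peers. The sample config embedded at the end is constructed with placeholder keys.

```python
# Added example, not from the original article: a linter for wg-quick config files.
# It flags peer-only options under [Interface] (wg-quick then rejects the whole file)
# and AllowedIPs that overlap between peers: AllowedIPs is also the inbound source
# filter, so a broader prefix lets one peer send packets as another peer's address.
import ipaddress

PEER_ONLY = {"PublicKey", "PresharedKey", "AllowedIPs", "Endpoint", "PersistentKeepalive"}

def parse_wg_conf(text):
    """Return (interface_options, [peer_options, ...]) as dicts; '#' starts a comment."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers

def lint(text):
    """Return a list of problem strings; an empty list means the file looks sane."""
    interface, peers = parse_wg_conf(text)
    problems = [f"[Interface] has peer-only option {k}" for k in interface if k in PEER_ONLY]
    seen = []  # (network, index of the peer that owns it)
    for i, peer in enumerate(peers):
        cidrs = [c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()]
        for net in (ipaddress.ip_network(c, strict=False) for c in cidrs):
            for other, j in seen:
                if other.version == net.version and other.overlaps(net):
                    problems.append(f"peer {i} AllowedIPs {net} overlaps peer {j} {other}")
            seen.append((net, i))
    return problems

# Constructed sample: the article's server layout with placeholder keys, plus the
# misplaced PersistentKeepalive and a /24 that overlaps the first peer's /32.
SAMPLE = """[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.200.200.1/24
ListenPort = 51820
PersistentKeepalive = 25
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 10.200.200.2/32
[Peer]
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 10.200.200.0/24, 192.168.1.0/24
"""
```

Run lint() on /etc/wireguard/wg0.conf before each restart; on the sample it reports the misplaced option and the overlap, and an empty list on a clean file.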
Setup for Multiple Clients
A script to automate client setup:
```bash
#!/bin/bash
# add-client.sh: create a key pair for a new client, register it as a peer
# on the server and write the matching client config file.
set -eu
umask 077   # keys and configs are created readable by root only
CLIENT_NAME=${1:-}
SERVER_IP=$(curl -s ifconfig.me)
WG_DIR="/etc/wireguard"
if [ -z "$CLIENT_NAME" ]; then
    echo "Usage: $0 <client-name>"
    exit 1
fi
# Generate keys
CLIENT_PRIVATE=$(wg genkey)
CLIENT_PUBLIC=$(echo "$CLIENT_PRIVATE" | wg pubkey)
SERVER_PUBLIC=$(cat "$WG_DIR/keys/publickey")
# Find the next available IP (last octet of the last AllowedIPs entry + 1; .2 if none)
LAST_IP=$(grep AllowedIPs "$WG_DIR/wg0.conf" | tail -1 | cut -d'.' -f4 | cut -d'/' -f1)
NEXT_IP=$(( ${LAST_IP:-1} + 1 ))
# Add the client to the server config
cat >> "$WG_DIR/wg0.conf" <<EOF

[Peer]
PublicKey = $CLIENT_PUBLIC
AllowedIPs = 10.200.200.$NEXT_IP/32
EOF
# Write the client config (same layout as client1.conf above)
cat > "$WG_DIR/$CLIENT_NAME.conf" <<EOF
[Interface]
PrivateKey = $CLIENT_PRIVATE
Address = 10.200.200.$NEXT_IP/32
DNS = 8.8.8.8, 8.8.4.4
[Peer]
PublicKey = $SERVER_PUBLIC
Endpoint = $SERVER_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
# Load the new peer into the running interface without dropping existing tunnels
wg syncconf wg0 <(wg-quick strip wg0)
echo "Client config written to $WG_DIR/$CLIENT_NAME.conf"
```
Written by
Hendra Wijaya