Client Setup

Linux

Prerequisites

sudo apt install wireguard-tools curl python3

On RHEL/Fedora:

sudo dnf install wireguard-tools curl python3

Run

chmod +x setupclient.sh
sudo ./setupclient.sh

What It Does

1. Checks that wg, curl, and python3 are in PATH; requires root.
2. If /etc/wireguard/wg0.conf already exists → runs wg-quick up wg0 and exits.
3. Generates keypair: wg genkey → private key; echo privkey | wg pubkey → public key.
4. Registers with the server:

   curl -sk -X POST \
     -H "Content-Type: application/json" \
     -H "X-Auth-Token: <token>" \
     -d '{"public_key": "<pubkey>"}' \
     https://<SERVER_IP>/addnewpeer
5. Parses the JSON response with python3. Validates status == "ok".
6. Replaces <PASTE_YOUR_PRIVATE_KEY_HERE> with the private key → writes /etc/wireguard/wg0.conf (mode 600).
7. Runs wg-quick up wg0 and enables systemctl enable wg-quick@wg0.

Generated Config Structure

[Interface]
PrivateKey = <client-private-key>
Address = 10.13.26.X/32
DNS = 172.29.144.30
 
[Peer]
PublicKey = <server-public-key>
Endpoint = <SERVER_IP>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

AllowedIPs = 0.0.0.0/0 routes all traffic through the VPN. DNS queries go to Pi-hole at 172.29.144.30.

Manage the Tunnel

sudo wg show wg0
sudo wg-quick down wg0
sudo wg-quick up wg0

Windows

Prerequisites

• Windows 10/11, PowerShell 5.1+, Administrator privileges
• WireGuard for Windows — auto-installed via winget if not present

Run

Open PowerShell as Administrator:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
.\setupclient.ps1

-Scope Process limits the policy change to the current session only.

SSL Certificate Note

The server uses a self-signed certificate. The script handles this automatically:

• PS 7+: uses -SkipCertificateCheck on Invoke-RestMethod
• PS 5.1: sets [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

What It Does

1. Checks for C:\Program Files\WireGuard\wg.exe; if absent, installs via:

   winget install -e --id WireGuard.WireGuard --silent
2. If C:\ProgramData\WireGuard\wg0.conf exists → reinstalls tunnel service and exits.
3. Generates keypair with wg.exe genkey and wg.exe pubkey.
4. Posts to the registration endpoint via Invoke-RestMethod.
5. Replaces <PASTE_YOUR_PRIVATE_KEY_HERE> → writes C:\ProgramData\WireGuard\wg0.conf.
6. Sets NTFS ACLs to SYSTEM:(F) and Administrators:(F) via icacls.
7. Installs the tunnel service with wireguard.exe /installtunnelservice <configpath>.
8. Starts the service and opens the WireGuard GUI.

Manage the Tunnel

Use the WireGuard GUI, or PowerShell as Administrator:

Stop-Service  "WireGuardTunnel`$wg0"
Start-Service "WireGuardTunnel`$wg0"
Get-Service   "WireGuardTunnel`$wg0"