WireGuard Cheatsheet

Windows

Start or Stop WireGuard Tunnel on Windows

To start a WireGuard tunnel, go to the start menu and type services.msc. Click “Yes” to any security warning. Scroll down to the bottom and you will see the available WireGuard tunnels. Right-click and select Start or Stop, as appropriate.

To manually start or stop the service from an administrative command line, enter:

C:\>net stop WireGuardTunnel$london
The WireGuard Tunnel: london service is stopping.
The WireGuard Tunnel: london service was stopped successfully.

C:\>net start WireGuardTunnel$london
The WireGuard Tunnel: london service is starting..
The WireGuard Tunnel: london service was started successfully.

Install or Remove a WireGuard Tunnel on Windows

From an Administrative command prompt enter the following:

C:\>wireguard /installtunnelservice {full-path-to-config-file}\{interface}.conf

C:\>wireguard /uninstalltunnelservice {interface}

There is no text returned for successfully installing or removing the service.

Linux

Installing

# Install WireGuard and resolvconf (needed for DNS to work properly)
sudo apt install wireguard resolvconf

Starting and Stopping WireGuard Tunnel on Linux

sudo wg-quick up {interface}

sudo wg-quick down {interface}

Enabling WireGuard on Startup with systemd

sudo systemctl enable wg-quick@{interface}.service
sudo systemctl start wg-quick@{interface}.service

Subnet Routing

PostUp=iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown=iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Also be sure to configure AllowedIPs on each client for the host doing the routing, so that it includes the subnet being routed, for example 10.0.0.0/24.

PublicKey = +xISS...
PresharedKey = HdMrT...
Endpoint = 18.xx.yy.zz:ppppp
AllowedIPs = 10.0.0.1/32, 10.0.0.0/24

Bridging

PostUp=iptables -A FORWARD -i wlan0 -o korea -j ACCEPT; iptables -A FORWARD -i korea -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o korea -j MASQUERADE
PostDown=iptables -D FORWARD -i wlan0 -o korea -j ACCEPT; iptables -D FORWARD -i korea -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o korea -j MASQUERADE

On each client add 0.0.0.0/0 to the AllowedIPs for the bridge host.
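
PostDown is meant to undo what PostUp did: a PostDown that appends (-A) instead of deleting (-D) leaves the forwarding and NAT rules in place after the tunnel goes down and adds a duplicate on every cycle. The following is an added example, not part of the original cheatsheet: a small Python check that every iptables rule added in PostUp has a matching -D in PostDown. The sample configs and the function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample wg-quick configs (interface names and rules are illustrative).
GOOD = """[Interface]
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
"""
BAD = """[Interface]
PostUp = iptables -A FORWARD -i wlan0 -o korea -j ACCEPT
PostDown = iptables -A FORWARD -i wlan0 -o korea -j ACCEPT
"""

def hook_commands(conf, key):
    """Return the iptables commands of every `key = ...` line as token lists."""
    cmds = []
    for line in conf.splitlines():
        m = re.match(rf"\s*{key}\s*=\s*(.*)", line, re.IGNORECASE)
        if m:
            for part in m.group(1).split(";"):
                tokens = shlex.split(part)
                if tokens and tokens[0] in ("iptables", "ip6tables"):
                    cmds.append(tokens)
    return cmds

def normalise(tokens):
    """Split a command into (action, rule); rule drops -A/-I/-D (-I rule numbers not handled)."""
    action = next((t for t in tokens if t in ("-A", "-I", "-D")), None)
    rule = tuple(t for t in tokens if t not in ("-A", "-I", "-D"))
    return action, rule

def unbalanced_rules(conf):
    """List rules that PostDown adds, and rules PostUp adds that PostDown never deletes."""
    added, deleted, problems = set(), set(), []
    for tokens in hook_commands(conf, "PostUp"):
        action, rule = normalise(tokens)
        if action in ("-A", "-I"):
            added.add(rule)
    for tokens in hook_commands(conf, "PostDown"):
        action, rule = normalise(tokens)
        if action == "-D":
            deleted.add(rule)
        elif action in ("-A", "-I"):
            problems.append("PostDown adds a rule: " + " ".join(tokens))
    for rule in sorted(added - deleted):
        problems.append("never deleted: " + " ".join(rule))
    return problems
```

Call unbalanced_rules() with the text of a config file such as /etc/wireguard/{interface}.conf; an empty list means every added rule is removed again on shutdown.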

Statistics

wg

These commands apply to both Windows and Linux

wg

wg show all transfer
wg show {interface} transfer
wg show all dump