How to Install and Configure Wireguard VPN Server on Arch Linux

Wireguard is a modern and fast VPN software that supports IPv4 and IPv6 connections. It is faster and simpler compared to other VPN software like IPSec and OpenVPN. It is cross-platform and can be installed on all major operating systems including Linux, macOS, Windows, BSD, and Android. It is a point-to-point VPN server and you can easily deploy it on small devices to high-end servers.

In this post, we will show you how to install Wireguard VPN server on Arch Linux.

Step 1 – Configure Repository

By default, the default repository is outdated in Arch Linux, so you will need to modify the default mirror list. You can do it by editing the mirrorlist configuration file:

nano  /etc/pacman.d/mirrorlist

Remove all lines and add the following lines:

## Score: 0.7, United States
Server = http://mirror.us.leaseweb.net/archlinux/$repo/os/$arch
## Score: 0.8, United States
Server = http://lug.mtu.edu/archlinux/$repo/os/$arch
Server = http://mirror.nl.leaseweb.net/archlinux/$repo/os/$arch
## Score: 0.9, United Kingdom
Server = http://mirror.bytemark.co.uk/archlinux/$repo/os/$arch
## Score: 1.5, United Kingdom
Server = http://mirrors.manchester.m247.com/arch-linux/$repo/os/$arch
Server = http://archlinux.dcc.fc.up.pt/$repo/os/$arch
## Score: 6.6, United States
Server = http://mirror.cs.pitt.edu/archlinux/$repo/os/$arch
## Score: 6.7, United States
Server = http://mirrors.acm.wpi.edu/archlinux/$repo/os/$arch
## Score: 6.8, United States
Server = http://ftp.osuosl.org/pub/archlinux/$repo/os/$arch
## Score: 7.1, India
Server = http://mirror.cse.iitk.ac.in/archlinux/$repo/os/$arch
## Score: 10.1, United States
Server = http://mirrors.xmission.com/archlinux/$repo/os/$arch

Save and close the file, then update all the package indexes with the following command:

pacman -Syu

Step 2 – Install Wireguard VPN

Wireguard provides a script that allows you to install it on your system easily.

First, download the Wireguard installation script using the following command:

pacman -S curl
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh

Next, set executable permissions on the downloaded script:

chmod +x wireguard-install.sh

Next, run the installation script using the following command:

./wireguard-install.sh

Answer all the questions as shown below:

Welcome to the WireGuard installer!
The git repository is available at: https://github.com/angristan/wireguard-install

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

IPv4 or IPv6 public address: server-ip
Public interface: ens3
WireGuard interface name: wg0
Server's WireGuard IPv4: 10.66.66.1
Server's WireGuard IPv6: fd42:42:42::1
Server's WireGuard port [1-65535]: 54781
First DNS resolver to use for the clients: 94.140.14.14
Second DNS resolver to use for the clients (optional): 94.140.15.15

Okay, that was all I needed. We are ready to setup your WireGuard server now.
You will be able to generate a client at the end of the installation.

Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash and can't exceed 15 chars.


Client name: vpn_client
Client's WireGuard IPv4: 10.66.66.2
Client's WireGuard IPv6: fd42:42:42::2
Unable to retrieve current interface configuration: Protocol not supported

Here is your client config file as a QR Code:
It is also available in /root/wg0-client-vpn_client.conf
If you want to add more clients, you simply need to run this script another time!

WARNING: WireGuard does not seem to be running.
You can check if WireGuard is running with: systemctl status wg-quick@wg0
If you get something like "Cannot find device wg0", please reboot!

Once the installation is complete, restart your system to apply the changes:

reboot

Step 3 – Verify Wireguard VPN

Next, check the status of Wireguard using the following command:

systemctl status wg-quick@wg0

You will get the following output:

● [email protected] - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/usr/lib/systemd/system/[email protected]; enabled; preset: disabled)
     Active: active (exited) since Fri 2022-10-28 11:04:25 UTC; 3min 13s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 249 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 249 (code=exited, status=0/SUCCESS)
        CPU: 73ms

Oct 28 11:04:24 archlinux systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Oct 28 11:04:24 archlinux wg-quick[249]: [#] ip link add wg0 type wireguard
Oct 28 11:04:25 archlinux wg-quick[249]: [#] wg setconf wg0 /dev/fd/63
Oct 28 11:04:25 archlinux wg-quick[249]: [#] ip -4 address add 10.66.66.1/24 dev wg0
Oct 28 11:04:25 archlinux wg-quick[249]: [#] ip -6 address add fd42:42:42::1/64 dev wg0
Oct 28 11:04:25 archlinux wg-quick[249]: [#] ip link set mtu 1420 up dev wg0
Oct 28 11:04:25 archlinux wg-quick[249]: [#] iptables -A FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t >
Oct 28 11:04:25 archlinux systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

Wireguard VPN creates a new network interface named wg0 on your system. You can check it with the following command:

ip a

You will get the following output:

4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.66.66.1/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fd42:42:42::1/64 scope global 
       valid_lft forever preferred_lft forever

Wireguard also generates a client configuration file at /root/wg0-client-vpn_client.conf.

Step 4 – Configure Wireguard Client

Next, you will need to install the Wireguard client package on the client machine. You can install it using the following command:

pacman -S wireguard-tools

After the installation, copy the client configuration file from the Wireguard server machine to the client machine:

scp root@server-ip:/root/wg0-client-vpn_client.conf /etc/wireguard/wg0.conf

Next, start the Wireguard client with the following command:

systemctl start wg-quick@wg0

Step 5 – Verify Wireguard VPN Connection

Next, go back to your server machine and run the following command to check the client-server connection:

wg

You should see the following output:

interface: wg0
  public key: v2N2x3+NE2ZhyMmrJToNchobiFQzrRmDN7xbjt06Ziw=
  private key: (hidden)
  listening port: 54781

peer: OydUu+4sdDV2R+H7Ng1l5J7PTIq/cD/GbMdZ3kwNjig=
  preshared key: (hidden)
  endpoint: 209.23.10.169:35718
  allowed ips: 10.66.66.2/32, fd42:42:42::2/128
  latest handshake: 1 minute, 53 seconds ago
  transfer: 148 B received, 380 B sent

Conclusion

In this post, we explained how to install the Wireguard VPN server on Arch Linux. We also installed and configured the Wireguard client to connect to the server machine. You can now use the Wireguard VPN server to hide your identity. Try Wireguard VPN on dedicated hosts from Atlantic.Net!