VPN
VPN technologies — WireGuard, IPsec/IKEv2, and OpenVPN tunnel configuration.
WireGuard Key Management
Generate a private key — set a restrictive umask first so the file is never created world-readable, even briefly
(umask 077; wg genkey > /etc/wireguard/private.key)
chmod 600 /etc/wireguard/private.key
Derive the public key from the private key
wg pubkey < /etc/wireguard/private.key > /etc/wireguard/public.key
Generate a preshared key — mixed into the handshake as an extra symmetric secret, so the session keys stay secure even if the Curve25519 exchange is someday broken (post-quantum hedge); it must be identical on both peers
wg genpsk > /etc/wireguard/preshared.key
Generate private and public keys in one pipeline — no temp files, and the private key is never echoed to the terminal
(umask 077; wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key)
WireGuard Configuration
Minimal server config — /etc/wireguard/wg0.conf. If clients send all their traffic through it (AllowedIPs = 0.0.0.0/0 on the client), the server additionally needs IP forwarding enabled and NAT or a return route for 10.100.0.0/24; neither is shown here
[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
Address = 10.100.0.1/24
ListenPort = 51820
[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
AllowedIPs = 10.100.0.2/32    # source addresses accepted from this peer — also acts as the cryptokey routing table
Minimal client config — route all traffic through the tunnel (both IPv4 and IPv6; listing only 0.0.0.0/0 lets IPv6 traffic bypass the tunnel)
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.100.0.2/24
DNS = 10.50.1.50
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25    # only needed when this peer sits behind NAT/stateful firewall and must keep the mapping alive
WireGuard Interface Control
Bring the tunnel up using wg-quick (reads /etc/wireguard/wg0.conf)
sudo wg-quick up wg0
Bring the tunnel down cleanly
sudo wg-quick down wg0
Enable WireGuard at boot via systemd
sudo systemctl enable --now wg-quick@wg0
WireGuard Status & Troubleshooting
Show all interfaces, peers, transfer stats, and last handshake
sudo wg show
Show a specific interface with endpoint and allowed IPs
sudo wg show wg0
Show only the latest handshake timestamps (unix epoch; 0 = never). Handshakes renew roughly every 2 minutes while traffic flows, so a timestamp older than ~3 minutes on a peer that should be sending is a dead or unreachable peer; an idle peer without PersistentKeepalive simply stops handshaking
sudo wg show wg0 latest-handshakes
Show transfer counters per peer — useful for verifying traffic flow
sudo wg show wg0 transfer
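The handshake check above is easy to do by eye for one peer and tedious for fifty. The script below is an added example, not part of the original cheat sheet: it parses the exact line format `wg show <iface> latest-handshakes` prints (public key, tab, epoch of last handshake, with 0 meaning never) and reports every peer whose handshake is older than a threshold. The peer keys and timestamps in the sample are constructed placeholders so the script runs offline; the `stale_peers` function name and the 180-second default are the author's choices, not anything WireGuard defines.

```shell
#!/usr/bin/env bash
# Added example: flag WireGuard peers whose last handshake is stale.
# Input is the output of `wg show <iface> latest-handshakes`, one peer per line:
#   <peer-public-key><TAB><unix-epoch-of-last-handshake>     (0 = never handshaked)
# WireGuard re-handshakes about every 2 minutes while traffic flows, so ~180 s
# is a reasonable "this peer is gone" threshold.

# stale_peers THRESHOLD_SECONDS NOW_EPOCH  < handshake-lines
# Prints "<pubkey> never" or "<pubkey> <age>s" for each stale peer, nothing otherwise.
stale_peers() {
    threshold="$1"
    now="$2"
    # default IFS splits on the tab that wg uses between key and timestamp
    while read -r peer ts; do
        [ -n "$peer" ] || continue
        if [ "$ts" -eq 0 ]; then
            printf '%s never\n' "$peer"
            continue
        fi
        age=$(( now - ts ))
        if [ "$age" -gt "$threshold" ]; then
            printf '%s %ss\n' "$peer" "$age"
        fi
    done
}

# Constructed sample (placeholder keys, not real ones): fixed "now" so the
# result is reproducible. Peer A handshaked 45 s ago, peer B 900 s ago,
# peer C never.
SAMPLE_NOW=1700000000
SAMPLE_HANDSHAKES=$(printf '%s\t%s\n' \
    'PEER_A_PUBLIC_KEY_PLACEHOLDER=' "$((SAMPLE_NOW - 45))" \
    'PEER_B_PUBLIC_KEY_PLACEHOLDER=' "$((SAMPLE_NOW - 900))" \
    'PEER_C_PUBLIC_KEY_PLACEHOLDER=' 0)

# Runs the check over the constructed sample with a 180 s threshold.
sample_stale() {
    printf '%s\n' "$SAMPLE_HANDSHAKES" | stale_peers 180 "$SAMPLE_NOW"
}

# Live use on a real host (needs root and a running interface):
#   sudo wg show wg0 latest-handshakes | stale_peers 180 "$(date +%s)"
sample_stale
```

Wire it into a cron job or a monitoring check and alert on any output; a peer reported as `never` with a non-zero receive counter in `wg show wg0 transfer` usually means the preshared key or public key on one side does not match the other.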
WireGuard Peer Management
Add a peer to a running interface without restarting
sudo wg set wg0 peer <CLIENT_PUBLIC_KEY> allowed-ips 10.100.0.3/32
Remove a peer from a running interface
sudo wg set wg0 peer <CLIENT_PUBLIC_KEY> remove
Save the running config back to the conf file (preserves hot changes)
sudo wg-quick save wg0
Tunnel Verification
Confirm the WireGuard interface has an IP and is UP
ip addr show wg0
Check that routes are installed through the tunnel
ip route show dev wg0
Ping through the tunnel to verify end-to-end connectivity
ping -c 3 10.100.0.1
Trace the path to confirm traffic actually traverses the tunnel
traceroute -i wg0 10.100.0.1
Verify the server is actually listening on UDP 51820. Note that WireGuard never answers unauthenticated packets, so an external port scan shows nothing even when it is up — check the listening socket locally instead
ss -ulnp 'sport = :51820'
IPsec (strongSwan) — the ipsec command is the legacy stroke interface driven by ipsec.conf; newer deployments use swanctl and swanctl.conf instead
Check strongSwan service status
sudo systemctl status strongswan-starter
List all established IPsec SAs — shows encryption algo, SPI, and lifetime
sudo ipsec statusall
Bring up a specific connection defined in ipsec.conf
sudo ipsec up site-to-site
Tear down a specific connection
sudo ipsec down site-to-site
Reload connection definitions after editing ipsec.conf — established tunnels whose definition did not change stay up
sudo ipsec update
OpenVPN
Connect using a client config file — runs in foreground for debugging
sudo openvpn --config /etc/openvpn/client/corporate.conf
Start OpenVPN as a systemd service (config name becomes the unit suffix)
sudo systemctl start openvpn-client@corporate
Check the tunnel interface is up and has an assigned IP
ip addr show tun0
View the OpenVPN log for handshake and auth issues
journalctl -u openvpn-client@corporate --since "10 minutes ago" --no-pager
Test connectivity through the OpenVPN tunnel
ping -I tun0 -c 3 10.8.0.1