
How to Set Up a VPN Server with WireGuard on Linux

Editor: Hendra Wijaya
Updated: 3 February 2026
Reading time: 4 minutes

WireGuard is a modern VPN protocol that offers high performance, a simple codebase, and modern cryptography. This article covers the complete setup of a WireGuard VPN server on Linux.

Introduction to WireGuard

Advantages of WireGuard:

  • High performance: Faster than OpenVPN and IPsec
  • Minimal codebase: Only ~4,000 lines of code (vs 100,000+ for OpenVPN)
  • Modern cryptography: ChaCha20, Curve25519, BLAKE2s, SipHash24
  • Easy setup: Simple configuration
  • Good roaming: Stays connected when switching networks
  • Cross-platform: Supports Linux, Windows, macOS, iOS, Android

Installing WireGuard

Ubuntu/Debian

# Update and install
sudo apt update
sudo apt install -y wireguard wireguard-tools

# Verify
wg --version

Fedora/RHEL/CentOS

# Fedora
sudo dnf install -y wireguard-tools

# RHEL/CentOS (use EPEL)
sudo yum install -y epel-release
sudo yum install -y wireguard-tools

Arch Linux

sudo pacman -S wireguard-tools

WireGuard Server Configuration

1. Generate Key Pair

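# Create a directory for the keys
sudo mkdir -p /etc/wireguard/keys
sudo chmod 700 /etc/wireguard/keys

# Generate the private key and derive the public key from it
# (full paths are used because the directory is accessible to root only)
wg genkey | sudo tee /etc/wireguard/keys/privatekey | wg pubkey | sudo tee /etc/wireguard/keys/publickey
sudo chmod 600 /etc/wireguard/keys/privatekey

# Check the keys
sudo cat /etc/wireguard/keys/privatekey
sudo cat /etc/wireguard/keys/publickey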

2. Set Up the Network Interface

# Check the server's IP addresses
ip addr show

# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1

# Make the change permanent: edit
sudo nano /etc/sysctl.conf

# Add:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

# Apply
sudo sysctl -p

3. Create the Server Configuration

sudo nano /etc/wireguard/wg0.conf

[Interface]
# Server private key
PrivateKey = SERVER_PRIVATE_KEY

# IP address for the WireGuard interface
Address = 10.200.200.1/24

# Listen port
ListenPort = 51820

# PostUp and PostDown rules for NAT
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# DNS is applied by wg-quick to the host it runs on, not pushed to clients,
# so it is set in each client's config rather than here
# DNS = 8.8.8.8, 8.8.4.4

# Keepalive (optional, for NAT traversal); this is a [Peer] setting
# PersistentKeepalive = 25

[Peer]
# Client 1 public key
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 10.200.200.2/32

[Peer]
# Client 2 public key
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 10.200.200.3/32

Replace the placeholders with actual values:

  • SERVER_PRIVATE_KEY: The contents of the file /etc/wireguard/keys/privatekey
  • CLIENT1_PUBLIC_KEY: The client's public key (generated later)
  • eth0: Replace with your server's network interface
4. Start WireGuard

# Enable wg-quick service
sudo systemctl enable wg-quick@wg0

# Start WireGuard
sudo systemctl start wg-quick@wg0

# Check status
sudo systemctl status wg-quick@wg0

# Verify the interface
sudo wg show
ip addr show wg0

5. Configure the Firewall

# Allow WireGuard port
sudo ufw allow 51820/udp

# Or with iptables
sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT

# Enable the firewall if it is not enabled yet
# (on a remote server, allow your SSH port first)
sudo ufw enable
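
The checks below are an added example, not part of the original article: a shell function that audits a wg0.conf like the one in step 3 before the service is started, flagging loose file permissions, template placeholders left in place, and an address assigned to two peers. The function name audit_wg_conf and the sample config are constructed for illustration, and GNU stat is assumed.

```shell
# audit_wg_conf FILE prints one line per finding and returns the count.
audit_wg_conf() {
    conf=$1
    findings=0

    # The file embeds the server private key, so group/other need no access.
    mode=$(stat -c '%a' "$conf")
    case $mode in
        [0-7]00) ;;
        *) echo "PERM: mode $mode on $conf (expected 600)"
           findings=$((findings + 1)) ;;
    esac

    # Template placeholders such as SERVER_PRIVATE_KEY must be replaced.
    if grep -Eq '^[[:space:]]*(Private|Public)Key[[:space:]]*=[[:space:]]*[A-Z0-9_]+_KEY[[:space:]]*$' "$conf"; then
        echo "PLACEHOLDER: a *_KEY placeholder is still present"
        findings=$((findings + 1))
    fi

    # An address listed under two peers is routed to only one of them.
    dups=$(awk -F= '/^[ \t]*AllowedIPs/ {
               gsub(/[ \t]/, "", $2)
               n = split($2, ip, ",")
               for (i = 1; i <= n; i++) print ip[i]
           }' "$conf" | sort | uniq -d)
    for ip in $dups; do
        echo "DUPLICATE: $ip is listed under more than one peer"
        findings=$((findings + 1))
    done
    return "$findings"
}

# Constructed sample: world-readable, placeholders, one reused address.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 10.200.200.2/32
[Peer]
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 10.200.200.2/32
EOF
chmod 644 "$sample"
audit_wg_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```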

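Setting Up a WireGuard Client

Generate Client Keys

# Generate a key pair for the client
# (full paths are used because the directory is accessible to root only)
wg genkey | sudo tee /etc/wireguard/keys/client1-privatekey | wg pubkey | sudo tee /etc/wireguard/keys/client1-publickey
sudo chmod 600 /etc/wireguard/keys/client1-privatekey

# Note the public key so it can be added to the server config
sudo cat /etc/wireguard/keys/client1-publickey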

Add the Client to the Server

Edit /etc/wireguard/wg0.conf and add a new peer:

sudo nano /etc/wireguard/wg0.conf

Append at the end:

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.200.200.4/32

Replace CLIENT_PUBLIC_KEY with the client's public key.

Reload WireGuard:

sudo systemctl restart wg-quick@wg0

Client Configuration File

Create a configuration file for the client:

sudo nano /etc/wireguard/client1.conf

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.200.200.4/32
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Replace the placeholders:

  • CLIENT_PRIVATE_KEY: The client's private key
  • SERVER_PUBLIC_KEY: The server's public key (sudo cat /etc/wireguard/keys/publickey)
  • SERVER_PUBLIC_IP: The server's public IP or domain

Installing the Client on Different Platforms

Linux Client

# Install WireGuard (same as on the server)
sudo apt install -y wireguard wireguard-tools

# Copy the config to /etc/wireguard/
sudo cp client1.conf /etc/wireguard/

# Enable and start
sudo systemctl enable wg-quick@client1
sudo systemctl start wg-quick@client1

# Verify
sudo wg show
ip addr show

Windows Client

  1. Download the installer from https://www.wireguard.com/install/
  2. Install WireGuard
  3. Click “Add Tunnel” → “Add empty tunnel”
  4. Fill it in with the client1.conf configuration
  5. Click “Activate”

macOS Client

  1. Install from the App Store or https://www.wireguard.com/install/
  2. Click “Add empty tunnel”
  3. Fill in the configuration
  4. Click “Activate”

Android/iOS Client

  1. Install the app from the Play Store/App Store
  2. Scan the QR code or import from a file
  3. Tap to connect

Advanced Configuration

Split Tunneling (Route Only Specific Traffic)

To route only specific traffic through the VPN:

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:51820
AllowedIPs = 192.168.1.0/24, 10.0.0.0/8

Setup for Multiple Clients

A script to automate client setup:

#!/bin/bash
# add-client.sh

CLIENT_NAME=$1
SERVER_IP=$(curl -s ifconfig.me)
WG_DIR="/etc/wireguard"

if [ -z "$CLIENT_NAME" ]; then
    echo "Usage: $0 <client_name>"
    exit 1
fi

# Generate keys
CLIENT_PRIVATE=$(wg genkey)
CLIENT_PUBLIC=$(echo "$CLIENT_PRIVATE" | wg pubkey)
SERVER_PUBLIC=$(cat "$WG_DIR/keys/publickey")

# Find next available IP (last octet of the last AllowedIPs entry, plus one)
LAST_IP=$(grep AllowedIPs "$WG_DIR/wg0.conf" | tail -1 | cut -d'.' -f4 | cut -d'/' -f1)
NEXT_IP=$((LAST_IP + 1))

# Add client to server config
cat >> "$WG_DIR/wg0.conf" <<EOF

[Peer]
PublicKey = $CLIENT_PUBLIC
AllowedIPs = 10.200.200.$NEXT_IP/32
EOF
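
The `tail -1` lookup in the script above assumes peers are always appended in ascending order; when they are not, it can hand out an address that is already in use or run past .254. As an added example (not part of the original script), the hypothetical helper next_free_host below picks the lowest unused host address instead, with the script's logic kept as naive_next_host for comparison; the sample config is constructed.

```shell
# naive_next_host CONF: the article's logic (last AllowedIPs entry + 1).
naive_next_host() {
    last=$(grep AllowedIPs "$1" | tail -1 | cut -d'.' -f4 | cut -d'/' -f1)
    echo $((last + 1))
}

# next_free_host CONF PREFIX: lowest unused last octet in 2..254, taking
# every Address and AllowedIPs entry under PREFIX (e.g. 10.200.200) as used.
next_free_host() {
    conf=$1
    prefix=$2
    used=$(awk -F= -v p="$prefix." '
        /^[ \t]*(Address|AllowedIPs)/ {
            gsub(/[ \t]/, "", $2)
            n = split($2, cidr, ",")
            for (i = 1; i <= n; i++) {
                split(cidr[i], part, "/")
                if (index(part[1], p) == 1)
                    print substr(part[1], length(p) + 1)
            }
        }' "$conf" | tr '\n' ' ')
    host=2
    while [ "$host" -le 254 ]; do
        case " $used" in
            *" $host "*) host=$((host + 1)) ;;
            *) echo "$host"; return 0 ;;
        esac
    done
    echo "no free address left in $prefix.0/24" >&2
    return 1
}

# Constructed sample: peers were added out of order (.2, .4, then .3).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
Address = 10.200.200.1/24
[Peer]
AllowedIPs = 10.200.200.2/32
[Peer]
AllowedIPs = 10.200.200.4/32
[Peer]
AllowedIPs = 10.200.200.3/32
EOF
echo "article logic: .$(naive_next_host "$sample") (already used by a peer)"
echo "first free:    .$(next_free_host "$sample" 10.200.200)"
rm -f "$sample"
```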