Configuring Wireguard

squirrelito · December 6, 2025, 4:53pm

I’ve been having a hard time setting up a proper server-client wireguard relationship between my rpi (server) and latop (client). The code blocks below are the relevant snippets in the respective configuration.nixs of each machine.

Server Configuration

networking = {
  # Static IP
  interfaces.end0 = {
    ipv4.addresses = [{
      address = "10.0.0.250"; # out of DHCP range?
        prefixLength = 24;
    }];
  };
  defaultGateway = {
    address = "10.0.0.1";
    interface = "end0";
  };

  # Wireguard
  nat = {
    enable = true;
    externalInterface = "end0";
    internalInterfaces = [ "wg0" ];
  };
  firewall = {
    allowedUDPPorts = [
      config.networking.wireguard.interfaces.wg0.listenPort
    ];
  };

  wireguard.interfaces = {
    wg0 = {
      ips = [ "10.100.0.1/24" ];

      listenPort = 51820;

      # Is this correctly written? How do I know?
      postSetup = ''
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o end0 -j MASQUERADE
        '';
      postShutdown = ''
        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o end0 -j MASQUERADE
        '';

      privateKey = <server private key>;

      peers = [
        {
          publicKey = "OqPhSy3YCj7FlLtr2zLjdbgEZpsrgVA0Y2JRl6MaYEg=";
          allowedIPs = [ "10.100.0.2/24" ];
        }
      ];
    };
  };
};

Client Configuration

networking = {
  firewall = {
    allowedUDPPorts = [
      config.networking.wireguard.interfaces.wg0.listenPort
    ];
  };
  wireguard.interfaces = {
    wg0 = {
      ips = [ "10.100.0.2/24" ];
      listenPort = 51820;

      privateKey = <client private key>;

      peers = [
        { # server
          publicKey = "j+YYOIFh//kqu8Gt6QwcU7nB3TV+IeoBYO8F8R1QkkE=";

          allowedIPs = [ "0.0.0.0/0" ]; # forward all the traffic via VPN

          # Set this to the server IP and port.
          endpoint = "10.100.0.1:51820";

          persistentKeepalive = 25; # important to keep NAT tables alive
        }
      ];
    };
  };
};

Currently, with these configurations the the output of sudo wg show for each machine is:

interface: wg0
  public key: j+YYOIFh//kqu8Gt6QwcU7nB3TV+IeoBYO8F8R1QkkE=
  private key: (hidden)
  listening port: 51820

interface: wg0
  public key: OqPhSy3YCj7FlLtr2zLjdbgEZpsrgVA0Y2JRl6MaYEg=
  private key: (hidden)
  listening port: 51820

peer: j+YYOIFh//kqu8Gt6QwcU7nB3TV+IeoBYO8F8R1QkkE=
  endpoint: 10.100.0.1:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 14.74 KiB sent
  persistent keepalive: every 25 seconds

Both machines have the wireguard systemd service enabled without an issue, so if they’re both working, I’m not sure why they aren’t connecting to each other.

My overall intention is to have the IP address of my server be 10.0.0.250, and then have the IP address of its wireguard network be 10.100.0.1 and for it to give 10.100.0.2 to my laptop as a client. Any help would be very much appreciated, thank you.

firecat53 · December 6, 2025, 5:45pm

Since you’re routing all traffic through the server, does the server have ip forwarding enabled? net.ipv4.ip_forward=1 if I remember right.