Point to Point Example

This setup gives each client a private network connection to the server while preventing clients on that network from communicating with one another. DNS and any traffic not addressed to the private network leave through the client's normal network stack rather than the tunnel.

This creates a /24 network shared by all machines, while only allowing point-to-point communication from each client to the server: the server lists each client as a single /32 in AllowedIPs, and each client lists only the server's /32.

Server

0600 root root /etc/wireguard/server.conf
[Interface]
Address = 172.31.255.254/24
SaveConfig = False
ListenPort = 51820
PrivateKey = {SERVER PRIVATE KEY}

# Client #1
[Peer]
PublicKey = {CLIENT PUBLIC KEY}
AllowedIPs = 172.31.255.250/32

...
Enable the tunnel at boot and bring it up now for testing (enable on its own only registers the unit for the next boot).
systemctl enable --now wg-quick@server

Clients

0600 root root /etc/wireguard/client.conf
[Interface]
Address = 172.31.255.250/24
PrivateKey = {CLIENT PRIVATE KEY}
SaveConfig = False

# WireGuard server
[Peer]
PublicKey = {SERVER PUBLIC KEY}
Endpoint = {SERVER PUBLIC IP}:51820
AllowedIPs = 172.31.255.254/32

Warning

Windows clients do not use the SaveConfig option. Remove this line if configuring a Windows client.

Enable the tunnel at boot and bring it up now for testing.
systemctl enable --now wg-quick@client
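The isolation in this design is not a firewall rule but the AllowedIPs entries: the server accepts each client only as a bare /32, and each client routes only the server's /32 into the tunnel, so everything else (DNS included) stays on the host's own network stack. The Python below is an added example, not code from the original page or from the WireGuard project: it renders the server and client configurations in the layout shown above and checks those invariants before the files are installed. The client list, the placeholder keys and the deliberately broken variants are constructed for illustration; the configuration parser is a minimal one written here because configparser merges repeated [Peer] sections.

```python
import ipaddress

# Constructed values matching the page's layout; keys are placeholders like the page's.
SUBNET = ipaddress.ip_network("172.31.255.0/24")
SERVER_ADDR = ipaddress.ip_address("172.31.255.254")
LISTEN_PORT = 51820


def render_server(server_priv, clients):
    """Hub config: one [Peer] per client, each pinned to a single /32."""
    lines = ["[Interface]", f"Address = {SERVER_ADDR}/{SUBNET.prefixlen}",
             "SaveConfig = False", f"ListenPort = {LISTEN_PORT}",
             f"PrivateKey = {server_priv}"]
    for name, pub, ip in clients:
        lines += ["", f"# {name}", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {ip}/32"]
    return "\n".join(lines) + "\n"


def render_client(client_priv, ip, server_pub, server_host, windows=False):
    """Spoke config: routes only the server's /32 through the tunnel."""
    lines = ["[Interface]", f"Address = {ip}/{SUBNET.prefixlen}", f"PrivateKey = {client_priv}"]
    if not windows:  # the Windows client does not use SaveConfig (see the Warning above)
        lines.append("SaveConfig = False")
    lines += ["", "# WireGuard server", "[Peer]", f"PublicKey = {server_pub}",
              f"Endpoint = {server_host}:{LISTEN_PORT}", f"AllowedIPs = {SERVER_ADDR}/32"]
    return "\n".join(lines) + "\n"


def parse(text):
    """Tiny INI reader returning [(section, {key: value}), ...]. It keeps every
    repeated [Peer] section, which configparser would merge into one."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key.lower()] = value  # wg treats keys case-insensitively
    return sections


def peers(text):
    return [body for section, body in parse(text) if section == "peer"]


def check_server(text):
    """Problems that would let a client reach more than the server. Empty list = isolated."""
    problems, seen = [], set()
    for body in peers(text):
        if "allowedips" not in body:
            problems.append("peer without AllowedIPs can send nothing through the tunnel")
            continue
        for cidr in body["allowedips"].split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net.prefixlen != 32:
                problems.append(f"{net}: wider than /32, this peer may source other clients' addresses")
            elif not net.subnet_of(SUBNET):
                problems.append(f"{net}: outside {SUBNET}")
            elif net.network_address == SERVER_ADDR:
                problems.append(f"{net}: a client must not claim the server's own address")
            if net in seen:
                problems.append(f"{net}: listed for two peers; wg silently moves it to the last one")
            seen.add(net)
    return problems


def check_client(text):
    """A client may route only the server's /32; anything wider would pull DNS or
    general traffic into the tunnel, which this design deliberately avoids."""
    problems = []
    want = {ipaddress.ip_network(f"{SERVER_ADDR}/32")}
    for body in peers(text):
        allowed = {ipaddress.ip_network(c.strip(), strict=False)
                   for c in body.get("allowedips", "").split(",") if c.strip()}
        if allowed != want:
            problems.append(f"AllowedIPs {sorted(map(str, allowed))} is not only {SERVER_ADDR}/32")
        if "endpoint" not in body:
            problems.append("no Endpoint: the client cannot initiate the tunnel")
    return problems


# Constructed sample: two clients; the second (.100) is the address the Testing section pings.
CLIENTS = [("Client #1", "{CLIENT 1 PUBLIC KEY}", "172.31.255.250"),
           ("Client #2", "{CLIENT 2 PUBLIC KEY}", "172.31.255.100")]
SERVER_CONF = render_server("{SERVER PRIVATE KEY}", CLIENTS)
CLIENT_CONF = render_client("{CLIENT PRIVATE KEY}", "172.31.255.250",
                            "{SERVER PUBLIC KEY}", "{SERVER PUBLIC IP}")
# Deliberately broken variants (constructed) that the checks should reject.
WIDE_PEER_CONF = SERVER_CONF.replace("172.31.255.100/32", "172.31.255.0/24")
DUP_PEER_CONF = SERVER_CONF.replace("172.31.255.100/32", "172.31.255.250/32")
FULL_TUNNEL_CLIENT = CLIENT_CONF.replace("172.31.255.254/32", "0.0.0.0/0")

if __name__ == "__main__":
    print(SERVER_CONF)
    print(CLIENT_CONF)
    for label, conf, check in [("server", SERVER_CONF, check_server),
                               ("wide peer", WIDE_PEER_CONF, check_server),
                               ("duplicate peer", DUP_PEER_CONF, check_server),
                               ("client", CLIENT_CONF, check_client),
                               ("full tunnel client", FULL_TUNNEL_CLIENT, check_client)]:
        print(label, "->", check(conf) or "ok")
```

The two checks are worth running whenever a peer is added: a /24 instead of a /32 on the server side lets that peer source packets as any client address, and a duplicated /32 is not rejected by wg, which quietly reassigns the address to whichever peer appears last.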

Testing

Show server network status and ping a client.
wg
ping 172.31.255.250
Show client network status and ping the server. Pinging other clients should fail, since the client routes only the server's /32 through the tunnel.
wg
ping 172.31.255.254
ping 172.31.255.100