
# Wireguard Tunneling

#### **1. Overview** <a href="#id-1.-overview" id="id-1.-overview"></a>

This document outlines the process of setting up a WireGuard VPN between a local machine and an AWS EC2 instance in split-tunnel mode, where only specific traffic is routed through the tunnel. General internet traffic is not routed through the VPN; only traffic destined for the VPN network (and, through it, the EC2 instance) is.

***

#### **2. Prerequisites** <a href="#id-2.-prerequisites" id="id-2.-prerequisites"></a>

**2.1. AWS EC2 Instance**

* A running **AWS EC2 instance** with:
  * **Public IP** (`13.233.64.77` in this example)
  * **Private IP** (`172.31.13.140` in this example)
  * **WireGuard installed** (`sudo apt install wireguard`)

**2.2. Local Machine**

* A **local machine** with a public IP (`183.87.214.118` in this example).
* **WireGuard installed** on the local machine (`sudo apt install wireguard`).

***

#### **3. WireGuard VPN Configuration** <a href="#id-3.-wireguard-vpn-configuration" id="id-3.-wireguard-vpn-configuration"></a>

**3.1. Server (EC2) Configuration**

1. **Install WireGuard** on the EC2 instance:

   ```
   sudo apt update
   sudo apt install wireguard
   ```
2. **Generate Server Keys**:

   ```
   wg genkey | tee server_private_key | wg pubkey > server_public_key
   ```
3. **Configure WireGuard** on the EC2 instance by creating the configuration file (`/etc/wireguard/wg0.conf`):

   ```
   [Interface]
   Address = 10.0.0.1/24               # Server VPN IP
   ListenPort = 51820                  # WireGuard port
   PrivateKey = <server_private_key>   # Use the generated server private key

   [Peer]
   PublicKey = <client_public_key>     # Client's public key
   AllowedIPs = 10.0.0.2/32            # Client's VPN IP
   ```

   The file contains the private key, so restrict it to root (`sudo chmod 600 /etc/wireguard/wg0.conf`).
4. **Enable IP Forwarding on the EC2 instance**:

   ```
   sudo sysctl -w net.ipv4.ip_forward=1
   sudo sysctl -p
   ```

   `sysctl -w` takes effect immediately; `sysctl -p` only reloads `/etc/sysctl.conf`, so add `net.ipv4.ip_forward=1` to that file if forwarding should survive a reboot.
5. **Set up NAT for internet access** (not needed for the split-tunnel routing in this document, where the client's internet traffic never enters the tunnel, but required if clients should reach the internet through the EC2 instance):

   ```
   sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   sudo iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
   sudo iptables -A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
   ```

   New connections are forwarded from `wg0` out of `eth0`, and only replies to them are forwarded back in; this is the direction that matters when the `FORWARD` chain's default policy is `DROP`. Replace `eth0` with the instance's primary interface name (see `ip link`) if it differs.
6. **Persist iptables rules**:

   ```
   sudo apt install iptables-persistent
   sudo netfilter-persistent save
   ```
7. **Start WireGuard on the EC2 instance**:

   ```
   sudo wg-quick up wg0
   ```

***

**3.2. Client (Local Machine) Configuration**

1. **Generate Client Keys**:

   ```
   wg genkey | tee client_private_key | wg pubkey > client_public_key
   ```
2. **Configure WireGuard on the Local Machine** by creating the configuration file (`/etc/wireguard/wg0.conf`):

   ```
   [Interface]
   Address = 10.0.0.2/24               # Client VPN IP
   PrivateKey = <client_private_key>   # Use the generated client private key
   DNS = 8.8.8.8                       # DNS server (optional)

   [Peer]
   PublicKey = <server_public_key>     # Server's public key
   Endpoint = 13.233.64.77:51820       # EC2 server's public IP and WireGuard port
   AllowedIPs = 10.0.0.0/24            # Only route traffic to the VPN subnet (no full tunnel)
   PersistentKeepalive = 25
   ```

   As on the server, restrict the file to root (`sudo chmod 600 /etc/wireguard/wg0.conf`).
   * `AllowedIPs = 10.0.0.0/24`: only traffic for the VPN subnet (the tunnel addresses, including the server's `10.0.0.1`) goes through the VPN; `wg-quick` installs a route for this prefix only, and WireGuard's cryptokey routing discards anything else sent to `wg0`. **Internet traffic will bypass the VPN.** The EC2 instance's VPC private address (`172.31.13.140`) is not inside this prefix, so reaching it through the tunnel would require adding its network to `AllowedIPs` as well.
3. **Start WireGuard on the Local Machine**:

   ```
   sudo wg-quick up wg0
   ```

***

#### **4. Verifying the Configuration** <a href="#id-4.-verifying-the-configuration" id="id-4.-verifying-the-configuration"></a>

**4.1. On the EC2 Server (AWS)**

1. **Check the status of WireGuard** (peer, latest handshake and transfer counters):

   ```
   sudo wg show
   ```
2. **Ensure IP forwarding is working** by running:

   ```
   sudo sysctl net.ipv4.ip_forward
   ```

   This should return `net.ipv4.ip_forward = 1`.
3. **Check the NAT and routing rules**:

   ```
   sudo iptables -t nat -L
   ```

   Ensure that the `MASQUERADE` rule for the outbound interface (`eth0`) is present in the `POSTROUTING` chain.

***

**4.2. On the Local Machine**

1. **Verify VPN connection** by testing connectivity to the VPN server's tunnel IP from the local machine:

   ```
   ping 10.0.0.1
   ```
2. **Verify that internet traffic is bypassing the VPN** by testing general internet access:

   ```
   ping google.com   # Should use the local machine's regular internet connection
   ```

   `ping` only proves reachability; `ip route get <address>` shows which interface a given destination would actually use, and for an internet address it should not be `wg0`.
3. **Check the routing table** to verify that only the VPN network traffic goes through the VPN tunnel:

   ```
   ip route
   ```

   Expected output (abbreviated):

   ```
   10.0.0.0/24 dev wg0          # VPN traffic routes via wg0
   default via <gateway_ip>     # Default traffic goes via the normal interface
   ```
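The routing decision these checks confirm can also be computed offline from the client configuration. The script below is an added example, not part of the original page: it parses `AllowedIPs` from a constructed copy of the client `wg0.conf` above (placeholder keys) and reports, for the server's tunnel IP, the server's VPC private IP and an internet address, whether the client would send the packet into `wg0` or leave it on the default route.

```python
import ipaddress

# Constructed copy of the split-tunnel client wg0.conf from this page
# (placeholder keys; only the AllowedIPs line matters for routing).
CLIENT_CONF = """\
[Interface]
Address = 10.0.0.2/24                # Client VPN IP
PrivateKey = <client_private_key>

[Peer]
PublicKey = <server_public_key>
Endpoint = 13.233.64.77:51820
AllowedIPs = 10.0.0.0/24             # Only route traffic to the VPN subnet
PersistentKeepalive = 25
"""

def parse_allowed_ips(conf_text):
    """Collect every network listed in the AllowedIPs of every [Peer].
    Inline '#' comments are stripped as wg(8) does; comma-separated
    values yield one network per entry."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            nets.extend(ipaddress.ip_network(v.strip(), strict=False)
                        for v in value.split(",") if v.strip())
    return nets

def tunnelled(dest, nets):
    """True if dest falls inside some AllowedIPs prefix: wg-quick installs
    exactly these prefixes as routes to wg0, and WireGuard's cryptokey
    routing drops packets for any other destination anyway."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in nets)

def route_report(conf_text, destinations):
    """Map each destination to the interface the client would use."""
    nets = parse_allowed_ips(conf_text)
    return {d: ("wg0" if tunnelled(d, nets) else "default") for d in destinations}

if __name__ == "__main__":
    report = route_report(CLIENT_CONF, ["10.0.0.1", "172.31.13.140", "8.8.8.8"])
    for dest, via in report.items():
        print(f"{dest:>15} -> {via}")
```

With the page's configuration only `10.0.0.1` is reported as `wg0`; `172.31.13.140` stays on the default route until its prefix is added to `AllowedIPs`.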

***

#### **5. Troubleshooting** <a href="#id-5.-troubleshooting" id="id-5.-troubleshooting"></a>

**5.1. No Internet on Client**

* Ensure that the EC2 instance has IP forwarding enabled and `iptables` NAT rules are configured correctly.
* Check the security group of the EC2 instance to ensure it allows UDP traffic on port 51820 and outbound traffic on port 80 (for internet access).

**5.2. VPN Connection Not Established**

* Ensure that the public keys on the server and client match.
* Verify the WireGuard service is running on both the server and client.
* Check for firewall rules or network issues that may be blocking the connection.

***

#### **6. Optional: Additional Configuration** <a href="#id-6.-optional-additional-configuration" id="id-6.-optional-additional-configuration"></a>

**6.1. Use a Custom DNS Server**

If you'd like to ensure that the client always uses a specific DNS server when connected to the VPN, add the following to the `[Interface]` section of the client configuration:

```
DNS = 8.8.8.8 # Google's DNS (or your preferred DNS)
```

With `AllowedIPs = 10.0.0.0/24`, queries to this resolver leave over the normal interface rather than the tunnel; only a resolver inside the VPN subnet would be reached through `wg0`.

***

**6.2. Use Policy-Based Routing**

If you need even more control over which traffic goes through the VPN, you can use **policy-based routing** (using `ip rule`) on the local machine. This method allows routing specific applications or destinations through the VPN while other traffic remains on the default route. Any destination steered into `wg0` this way must still be covered by the peer's `AllowedIPs`, since WireGuard drops packets for destinations outside those prefixes.

***

#### **7. Conclusion** <a href="#id-7.-conclusion" id="id-7.-conclusion"></a>

This setup provides a **WireGuard VPN** that routes **only specific traffic** (i.e., traffic destined for the VPN network) through the VPN tunnel, while all other traffic (including internet access) bypasses the VPN. This selective routing keeps the tunnel limited to the traffic that needs it.

