Additional Configuration Options for WireGuard

WireGuard has a few useful options that are not obvious and take some digging to find. They are handled by wg-quick, the helper that brings the interface up, rather than by the wg tool itself. Here are some options you can add to your WireGuard configuration file.

PostUp and PostDown

You can use PostUp and PostDown in your WireGuard configuration file to run commands when the interface is brought up or taken down. One of the most common use cases is iptables rules that should exist only while the tunnel is up:

[Interface]
PrivateKey = *
Address = 10.1.0.1/32
ListenPort = 51820

PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PostDown = iptables -F FORWARD; iptables -t nat -F POSTROUTING

Once the WireGuard interface is up, PostUp adds the two FORWARD chain rules and a POSTROUTING rule in the nat table for masquerading. When the interface is brought down, PostDown flushes the whole FORWARD chain and the whole nat POSTROUTING chain, which removes every rule in them, including any that other services added.

DNS

If you are forwarding internet traffic through the WireGuard interface, you will also need somewhere to resolve hostnames. The DNS option sets the DNS server used while the tunnel is up.

[Interface]
PrivateKey = *
Address = 10.1.0.1/32
ListenPort = 51820
DNS = 8.8.8.8

All hostnames and domains will now be resolved through Google's DNS server. If you cannot reach websites after activating the VPN tunnel, this setting is a likely culprit.

MTU

You can also set the MTU of the WireGuard interface here. This is essential if TCP-based services such as FTP, HTTP, or DNS are not working through the tunnel. Place it under [Interface]:

[Interface]
PrivateKey = *
Address = 10.1.0.1/32
ListenPort = 51820
MTU = 1300

Restart the WireGuard tunnel for the change to take effect, then check the MTU with ip addr or ip link to make sure the value is correct.
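As an added example (not from the original post or from the WireGuard project), the script below reads a wg-quick [Interface] block like the ones above, derives a PostDown that deletes exactly the rules PostUp appended instead of flushing whole chains, and warns about a missing teardown or an MTU outside the range a 1500-byte uplink can carry. The sample config, the 1280 to 1440 MTU bounds and the warning texts are constructed for this example.

```python
import re

# Constructed wg-quick [Interface] block modelled on the post's examples (the key is a placeholder).
SAMPLE_CONF = """\
[Interface]
PrivateKey = *
Address = 10.1.0.1/32
ListenPort = 51820
MTU = 1300
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -F FORWARD; iptables -t nat -F POSTROUTING
"""

def parse_interface(text):
    """Collect [Interface] keys as {key: [values]}; PostUp/PostDown may repeat."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # wg-quick treats '#' as a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Interface" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts.setdefault(key, []).append(value)
    return opts

def derive_postdown(postup):
    """Mirror each 'iptables ... -A CHAIN ...' as '-D CHAIN ...' so teardown deletes
    only the rules PostUp appended and leaves the rest of the chain untouched."""
    cmds = [c.strip() for c in postup.split(";") if c.strip()]
    return "; ".join(re.sub(r"(\s)-A(\s)", r"\1-D\2", c) for c in cmds)

def lint(text):
    """Return warnings about rule teardown and MTU in a wg-quick config."""
    opts, warnings = parse_interface(text), []
    if opts.get("PostUp") and not opts.get("PostDown"):
        warnings.append("PostUp adds firewall rules but no PostDown removes them")
    for cmd in opts.get("PostDown", []):
        if re.search(r"\s-F(\s|;|$)", cmd):
            warnings.append("PostDown flushes a whole chain (-F): rules other services added go too")
    # Heuristic bounds (assumption): 1280 is the IPv6 minimum; 1500 minus 60 bytes of
    # IPv4/UDP/WireGuard overhead is 1440, the most a 1500-byte uplink can carry.
    mtu = int(opts.get("MTU", ["1420"])[0])       # 1420 is wg-quick's default behind a 1500-byte link
    if not 1280 <= mtu <= 1440:
        warnings.append(f"MTU {mtu} is outside the 1280-1440 range expected behind a 1500-byte link")
    return warnings
```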