iOS

WireGuard Client: iOS

In this tutorial, we setup a WireGuard client on iOS (iPhone, for example). Before following this tutorial, you should already have a WireGuard server running. Install the WireGuard app for iOS.

Get the Server Public Key

From the server, print the server’s public key. We’ll need this soon

$ sudo wg show wg0
interface: wg0
  public key: 2efuG9OYmMPQpbkJ8CVxGlvQflY6p1u+o4wjcgGII0A=
  private key: (hidden)
  listening port: 51820

Create Client Keys

Create private and public keys for the WireGuard client. Protect the private key with a file mode creation mask.

$ (umask 077 && wg genkey > wg-private-client.key)
$ wg pubkey < wg-private-client.key > wg-public-client.key

Print the client private key.

$ cat wg-private-client.key
oBkgA+KZU6mWY5p7d0PEWxnYkihBw9TmHZXEYnQkz3g=

Create the Client WireGuard Config

Create the WireGuard client config file at ~/wg-client.conf. (Use a command like nano ~/wg-client.conf.) Notice the syntax of the client config is the same as the server config.

# define the local WireGuard interface (client)
[Interface]

# contents of wg-private-client.key
PrivateKey = oBkgA+KZU6mWY5p7d0PEWxnYkihBw9TmHZXEYnQkz3g=

# the IP address of this client on the WireGuard network
Address=10.0.2.2/32

# define the remote WireGuard interface (server)
[Peer]

# from `sudo wg show wg0`
PublicKey = 2efuG9OYmMPQpbkJ8CVxGlvQflY6p1u+o4wjcgGII0A=

# the IP address of the server on the WireGuard network 
AllowedIPs = 10.0.2.1/32

# public IP address and port of the WireGuard server
Endpoint = 35.36.37.38:51820

Configure the Server

Print the client public key.

$ cat wg-public-client.key
IVZrsrnY/9jzgdGdOdkKonwfCs2ZcopM9xC1OizE6Wo=

Edit the WireGuard service config file at /etc/wireguard/wg0.conf. (Use a command like sudo nano /etc/wireguard/wg0.conf.) Add a [Peer] section to the bottom.

# define the remote WireGuard interface (client)
[Peer]

# contents of wg-public-client.key
PublicKey = IVZrsrnY/9jzgdGdOdkKonwfCs2ZcopM9xC1OizE6Wo=

# the IP address of the client on the WireGuard network
AllowedIPs = 10.0.2.2/32

Apply the server config change.

$ sudo wg syncconf wg0 /etc/wireguard/wg0.conf

Add the Config to the iOS Device

The client config file is on the server. The easy way to copy that config to the client is via QR code. Install qrencode on the WireGuard server.

$ sudo apt install qrencode --assume-yes
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libqrencode4
The following NEW packages will be installed:
  libqrencode4 qrencode
...
Setting up qrencode (4.0.2-1) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10+rpi1) ...

Print the QR code in the server terminal.

$ qrencode --read-from=wg-client.conf --type=UTF8 --level=M
█████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████
████ ▄▄▄▄▄ █▄▀▄█ ▀▄ █ ▀  █▀▄   ▀ █▄█▀█ ▄█▄▄█ █▄▀ ▄▄ ██ ▄▄▄▄▄ ████
████ █   █ █▄█▄  █▄▄█▄▄█▄█  ▀▄▄ █▄ ▄ ▀███ ▀ ▄▀▄ █ ▄ ██ █   █ ████
████ █▄▄▄█ █▀ ▄█▄▄▄▀▀▀▄█▄▀ ▄   ▄▄▄ ▄▄▄▄▀██ ▀██ ▄█ ▀▄██ █▄▄▄█ ████
████▄▄▄▄▄▄▄█▄▀ ▀ ▀ █ █ ▀ █ ▀ █ █▄█ ▀ ▀ █ ▀ █ ▀ ▀ █▄█ █▄▄▄▄▄▄▄████
████ ▀▄▀██▄ ▀ ▄ █▄▄█▄▀▄███████▄▄  ▄▀ ▀██▄ █▀ ██▀ ▀███▀█▄▀█▄▀▄████
█████ ▀▀█▄▄▀▄▀▄▄▀  ▄ ▀█▄▀ ▄▄▄ ▄█▄ ▀██ ▀▄ ▀▄▄▀█▀▄ ▄▀█ █▄█▄▄██▄████
████▀   █ ▄██ ▄▀█▄  ▀█▀█  ▄█▄██▄▄▀█▀▄▀██▄▀▄▀▄▀█▀  ▄ █ ▄▄  █ ▄████
████ ▀▄▀▄▄▄▀▀█▀█  ▀ ▄ ▀█▀▄ █▄▄▄ ▄▀▄ ▀  ▀ ▀█▄█▄  ▀ ▄▀▄ ▄▄▀ █▀ ████
████ ▀▄▀  ▄ ▀▄▄▄▀▄ ▀█▀▀▀▄█▀█▄ ▀▀▄▀██▄█▄ ▄▀█▀▄▀▄█▄▀▄ █▀▄█▄██▀▄████
████ █▀ ▀ ▄▀ ▄▄▄█ ▄█ ▄   █▀▄▄▀▄ █▄██  ▄  ▄▄█ █▀▄ ▀██ ▀▀▄▀▄▄▀▄████
████ ▀▀ ▀▀▄██▀ ▄ ▄█▄▀▄  █   ▄█▄▀▄▀█ ▄▀▄▄▄█▄▀█ ▄█▄ █ █ ██▄▄▀ ▄████
████▀   ▄▀▄▀▄█▄███▄ █▄█▀ ▄ █▀█▄▀▀█ ▄ ▄▀▄  █▄ █▄▀ ███▄█ █ ▀█▀ ████
████ █▀▀██▄▄▄█▄▄ ▄▀█▄█▄▄ ▄█▄███  ▀█▀▀ █▀ ▀▄▀  ██▄▄█▀▄ █▀▄▄▄  ████
████▄█ ▄ ▄▄▄ ▄▄▄█▄▄ █▀▀▀▀▄ ▄▄  ▄▄▄ █▀ ▄▄ ██▄▄ █▄▄ █▄ ▄▄▄  ▄▄ ████
████▄▀█▀ █▄█  ▄▄▄▄ ▄ ███▀ ▄▀█  █▄█ █▄█▄ ▄▀▄▀  ▄ ▀▀▄▄ █▄█   ▀▀████
████      ▄▄  ▄▀   ████ ▄▄▀▀▄█ ▄▄ ▄▀▀▄███▄▀ ▄█▀▄ █▄█  ▄▄▄██▄▄████
████ █ █ █▄▄█ ██ ▀▄ ▀█ ▄█    █ ██▀▄   ██▀█▄▀▄▀█ ▄ █▄  ▄▀██▀█ ████
█████▀▀▄▀▄▄ █  ▀▀ ▀▀  ▀██▄█ ▀█▄▀▄▀ █ ▄▀▄▄▄▀█ ▀█▀▄██▀ █    ▄▄█████
████▀ ▄▀▀▀▄▀▀▀█▀ ▀▄██▀▄▄█ ▄▄█▄ ▄  ██▄ ██▄▀▄█▄ ██  █▄▄█▄▄▄▄ ▄▄████
████▀▄▀▀▀▄▄▄ █▀   ▀ ▀ █ ▄  ▀ ▄█ ▄█ █▄ ▄▄   █▄▄▀ ██▄  ▄▀▄█▄█▀▄████
████▀▄█ ██▄█▄▄█▄▀   ▄██ █▀▄ ██▀ ▄▀▄▀  █ ▄▄  ▄ █▀▄▄▄ █▄ ▀██ █▄████
████▄▄▀▀█▀▄▀▄ ▄ ▀ █▄ ▀█ █▄█▄█▄▀ ▄█ ▀ ██▀▀▄▀▄ ▀  ██▀▀ █ ▀█▀▄█▄████
████▀██▄▀▀▄ ▄▄█ ▀█▀▄ █▄▀█ ███▄▄ ▄▄▄▄ ▀▄▄ █▄█  ▄█ ▀█   █▀█ █▄▀████
████ ▀ ▀▀▄▄█▀█▄█  ▄█▄▀ █▄▀█ ▀█▄▀  ▀▄  ▀ ▀▄▀▄▀ █▄▀▀▀▄▄█  ▀▀▄▄ ████
██████████▄█ ██▄▀▄▄ ▀▀ ▄▀▀▀██▄ ▄▄▄ █▄▄ ▄▄▀█▀▄▀█  █▄▄ ▄▄▄ █▄▄ ████
████ ▄▄▄▄▄ █▄█ █▄ █▄█ ▄ ▄ ▀█ ▄ █▄█ ██▄▀▄▄██▄█▄█   ▄▄ █▄█ ██▀ ████
████ █   █ ██ ▄▄▄▀  █ █▄ ▄▄▄▄█   ▄ ▀▄▀██ ▄▄█▄█▀▀▄██▄ ▄ ▄▄▀██▄████
████ █▄▄▄█ █▄▄▀▄▀▄ ▄ █ ▄ ▄▄▄▄▄▄▀  ██ ▄█▀▀█▀ ▀▄█▄▄▀▀█ ▀█▄█▀█▄▄████
████▄▄▄▄▄▄▄█▄█▄█▄▄▄████▄█▄███▄▄▄▄█▄█▄█▄▄▄█▄█▄█▄▄▄█▄█▄█▄▄▄▄██▄████
█████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████

Import Client Config

From the WireGuard iOS app, tap “Add a Tunnel”, or tap the plus symbol at the upper right corner. In the dialog, tap “Create from QR code”. (Allow the WireGuard app to use the camera.) The camera activates; point the camera at the QR code. Name the tunnel and tap “Save”. (Allow the WireGuard app to add VPN configurations.)

Activate the Tunnel

From the WireGuard app, tap the toggle switch next to your new tunnel.

Test the Tunnel from the Server