WireGuard Client: iOS

In this tutorial, we set up a WireGuard client on iOS (an iPhone, for example). Before following this tutorial, you should already have a WireGuard server running. Install the WireGuard app for iOS.

Get the Server Public Key

From the server, print the server’s public key. We’ll need this soon.

$ sudo wg show wg0
interface: wg0
  public key: 2efuG9OYmMPQpbkJ8CVxGlvQflY6p1u+o4wjcgGII0A=
  private key: (hidden)
  listening port: 51820

Create Client Keys

Stay at the server console; we’ll generate the client keys from here.

Create private and public keys for the WireGuard client. Protect the private key with a file mode creation mask.

$ (umask 077 && wg genkey > wg-private-client.key)
$ wg pubkey < wg-private-client.key > wg-public-client.key

Print the client private key.

$ cat wg-private-client.key
oBkgA+KZU6mWY5p7d0PEWxnYkihBw9TmHZXEYnQkz3g=

Create the Client WireGuard Config

We’re still on the server for this step.

Create the WireGuard client config file at ~/wg-client.conf. (Use a command like nano ~/wg-client.conf, or restrict the file’s permissions with umask 077 && nano ~/wg-client.conf.) Note that the syntax of the client config is the same as that of the server config.

# define the local WireGuard interface (client)
[Interface]

# contents of wg-private-client.key
PrivateKey = oBkgA+KZU6mWY5p7d0PEWxnYkihBw9TmHZXEYnQkz3g=

# the IP address of this client on the WireGuard network
Address = 10.0.2.2/32

# define the remote WireGuard interface (server)
[Peer]

# from `sudo wg show wg0 public-key`
PublicKey = 2efuG9OYmMPQpbkJ8CVxGlvQflY6p1u+o4wjcgGII0A=

# the IP address of the server on the WireGuard network 
AllowedIPs = 10.0.2.1/32

# public IP address and port of the WireGuard server
Endpoint = 35.36.37.38:51820
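
An added example, not part of the original tutorial: instead of pasting the private key into an editor, these shell functions build wg-client.conf from wg-private-client.key, reject malformed keys, and confirm that the result is not readable by group or others. The function names are hypothetical; the values in the usage comment are the tutorial's sample values.

```sh
# Added example; function names are hypothetical, not part of WireGuard.

# is_wg_key KEY: succeeds if KEY is shaped like a WireGuard key, i.e. 32 bytes
# in base64 = 43 alphabet characters followed by a single '='.
is_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    case $1 in
        *[!A-Za-z0-9+/=]* | *=?*) return 1 ;;  # bad character, or '=' not last
        *=) return 0 ;;
    esac
    return 1
}

# private_mode FILE: succeeds if FILE grants nothing to group or others
# (the mode string printed by ls looks like -rw-------).
private_mode() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_client_conf OUT KEYFILE ADDRESS SERVER_PUBKEY ALLOWED_IPS ENDPOINT
# The body is a subshell, so the umask and variables do not leak to the caller.
write_client_conf() (
    out=$1 keyfile=$2 address=$3 server_pub=$4 allowed=$5 endpoint=$6
    priv=$(cat -- "$keyfile") || exit 1
    is_wg_key "$priv" || { echo "not a WireGuard key: $keyfile" >&2; exit 1; }
    is_wg_key "$server_pub" || { echo "bad server public key" >&2; exit 1; }
    umask 077
    rm -f -- "$out"   # an existing file would keep its old, looser mode
    cat > "$out" <<EOF
[Interface]
PrivateKey = $priv
Address = $address

[Peer]
PublicKey = $server_pub
AllowedIPs = $allowed
Endpoint = $endpoint
EOF
)

# Usage with the tutorial's sample values:
#   write_client_conf ~/wg-client.conf wg-private-client.key 10.0.2.2/32 \
#       "$(sudo wg show wg0 public-key)" 10.0.2.1/32 35.36.37.38:51820 &&
#   private_mode ~/wg-client.conf && private_mode wg-private-client.key
```

Once the phone has imported the tunnel, wg-private-client.key and wg-client.conf are no longer needed on the server, which only uses the client's public key.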

Configure the Server

Print the client public key.

$ cat wg-public-client.key
IVZrsrnY/9jzgdGdOdkKonwfCs2ZcopM9xC1OizE6Wo=

Edit the WireGuard service config file at /etc/wireguard/wg0.conf. (Use a command like sudo nano /etc/wireguard/wg0.conf.) Add a [Peer] section to the bottom.

# define the remote WireGuard interface (client)
[Peer]

# contents of wg-public-client.key
PublicKey = IVZrsrnY/9jzgdGdOdkKonwfCs2ZcopM9xC1OizE6Wo=

# the IP address of the client on the WireGuard network
AllowedIPs = 10.0.2.2/32

Apply the server config change.

$ sudo wg syncconf wg0 /etc/wireguard/wg0.conf

Prepare the Client Config for the iOS Device

One more step on the server.

The client config file is on the server. The easy way to copy that config to the client is via QR code. Install qrencode on the WireGuard server.

$ sudo apt install qrencode --assume-yes
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libqrencode4
The following NEW packages will be installed:
  libqrencode4 qrencode
...
Setting up qrencode (4.0.2-1) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10+rpi1) ...

Print the QR code in the server terminal.

$ qrencode --read-from=wg-client.conf --type=UTF8

Import Client Config

Finally, we switch to the client.

From the WireGuard iOS app, tap “Add a Tunnel”, or tap the plus symbol at the upper right corner. In the dialog, tap “Create from QR code”. (Allow the WireGuard app to use the camera.) The camera activates; point the camera at the QR code. Name the tunnel and tap “Save”. (Allow the WireGuard app to add VPN configurations.)

Activate the Tunnel

From the WireGuard app, tap the toggle switch next to your new tunnel.

Test the Tunnel from the Server