Generating WireGuard QR codes for fast mobile deployments

Part 5 of 7 in Gain flexibility & increase privacy with WireGuard VPN
Jay Rogers avatar
Jay Rogers May 26th, 2020

If you have been following along on my Gain Flexibility & Increase Privacy with WireGuard VPN “mini-course”, you’ll notice that there are a few areas that we need apply configurations in order for our devices to get connected.

Typing all of this in manually on mobile can be a massive pain, especially if you are supporting a remote device for a user.

QR Codes to the rescue!

We can use QR codes to send VPN configuration files out. This is brilliant engineering on WireGuard’s part.

Prerequisites

Installing the package is easy. Run this command on your SERVER:

sudo apt install qrencode

Creating the client keys

Unlike macOS and Windows (where our keys are generated on the server), we will need to create the configuration on the server itself.

I like to keep my client configurations in “/etc/wireguard/clients”, so let’s make that directory on the server. I am also going to create a keypair called mobile, so you will see me reference this name again throughout my post.

sudo mkdir -p /etc/wireguard/clients; wg genkey | sudo tee /etc/wireguard/clients/mobile.key | wg pubkey | sudo tee /etc/wireguard/clients/mobile.key.pub

IMPORTANT NOTE: Be sure to change the mobile name in that command to a descriptive client name of your choice (for both the private and public key).

Creating the client configuration file

We’ll then need to create a client configuration file to be encoded into a QR code. We’ll use nano to do the trick:

sudo nano /etc/wireguard/clients/mobile.conf

This is what we will want our “/etc/clients/mobile.conf” file to look like:

[Interface]
PrivateKey = abcdefghijklmnopqrstuvwxyz1234567890=+
Address = YOUR_VPN_PRIVATE_IP/24
DNS = 1.1.1.1, 1.0.0.1

[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = YOUR_SERVER_WAN_IP:51820

IMPORTANT: You need to replace YOUR_SERVER_PUBLIC_KEY, YOUR_VPN_PRIVATE_IP and YOUR_SERVER_WAN_IP

ALSO IMPORTANT: Paste in the contents of your “mobile.key” for the value of PrivateKey. I used the example of abcdefg... but you can get the contents of your key by running the cat command in a separate window:

cat /etc/wireguard/clients/mobile.key

TO SAVE: While in nano, press CTRL + O to save and CTRL + X to quit.

Generate your QR code

Now that we have our file ready, we can now generate a QR code with it:

qrencode -t ansiutf8 < /etc/wireguard/clients/mobile.conf

It will output an image like this:

Treat this QR code like a password! Don’t just email it. You can take a screenshot and securely send it to your user so only they have access to it.

Load it into the app

All you need your user to do is open the app on their phone and hold their camera up to the QR code. You can see the entire process here:

Hope this helps!

Get more stuff like this in your inbox or you can always follow me on Twitter for the latest updates.

Keep Reading
View the course View the Course Gain flexibility & increase privacy with WireGuard VPN
Up Next → How to configure a WireGuard iOS client

Support future content

The Ultimate Guide to Building APIs and Single-Page Applications with Laravel + VueJS + Capacitor book cover.

Psst... any earnings that we make off of our book is being reinvested to bringing you more content. If you like what you read, consider getting our book or get sweet perks by becoming a sponsor.

Written By Jay

Jay Rogers avatar Jay Rogers

I’m a DevOps engineer who accidentally ended up in application & user-experience design. ?? I'm a husband and proud dog-dad who co-founded 521 Dimensions & Server Side Up. I like to having meaningful conversations with people who love building things. Please reach out and say hello!

Like this? Subscribe

We're privacy advocates. We will never spam you and we only want to send you emails that you actually want to receive. One-click unsubscribes are instantly honored.