I use a VPN for an extra layer of privacy, whether that be between me and my ISP, or while using a public Wi-Fi network. Up until this point I’ve used OpenVPN. WireGuard is the new kid on the block destined to replace OpenVPN; in this blog post I’ll show how I replaced OpenVPN on my main PC. The standard way I’ve seen people do this is via wg-quick, from the wireguard-tools package. However, systemd-networkd has native support for WireGuard, meaning that all one needs is the WireGuard kernel module (which itself is part of the kernel as of Linux 5.6!).

Navigate to /etc/systemd/network/. This is where you’ll create the configuration files. I used systemd-networkd to manage my Internet connection already, so I already have one file in this directory.

First create a file called wg0.netdev. This is what mine looks like:

[NetDev]
Name=wg0
Kind=wireguard
Description=Wireguard VPN

[WireGuard]
PrivateKey=REDACTED
FirewallMark=51820

[WireGuardPeer]
PublicKey=REDACTED
AllowedIPs=0.0.0.0/0,::/0
Endpoint=REDACTED

The PrivateKey, PublicKey, and Endpoint have all been redacted; this is where you’ll want to fill in your own details.

With that file created, create a wg0.network file. Again, this is what mine looks like:

[Match]
Name=wg0

[Network]
Address=REDACTED

[Network]
Address=REDACTED

[Link]
MTUBytes=1420

[Route]
Source=::/0
Table=51820

[Route]
Source=0.0.0.0/0
Table=51820

[RoutingPolicyRule]
InvertRule=yes
FirewallMark=51820
Table=51820

[RoutingPolicyRule]
SuppressPrefixLength=0

And again, just fill in your details here. Now, if you do sudo systemctl start systemd-networkd, you should find that you get a working VPN connection in no time at all :).
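A pre-flight audit of the two files above, as an added example that is not part of the original post: it checks that the .netdev holding the inline PrivateKey is not world-readable, that FirewallMark is paired with an inverted rule whose table has routes, and that the policy rules cover IPv6 when AllowedIPs includes ::/0. The function names, finding labels and sample text are constructed for illustration; the 0640 suggestion and the IPv4-only default for rules without From=, To= or Family= are taken from systemd.netdev(5) and systemd.network(5).

```python
import stat

TRUE = {"1", "yes", "true", "on"}  # systemd boolean spellings

def parse_unit(text):
    """Parse networkd INI text into [(section, {key: [values]})]; repeated sections stay separate."""
    sections = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections and line[0] not in "#;":
            key, value = line.split("=", 1)
            sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections

def audit(netdev_text, network_text, netdev_mode):
    """Return finding names for a wg0.netdev / wg0.network pair (netdev_mode = permission bits)."""
    dev, net = parse_unit(netdev_text), parse_unit(network_text)
    findings = []
    wg = next((kv for name, kv in dev if name == "WireGuard"), {})
    # The private key sits inline in the .netdev, so "other" must not be able to read it
    # (systemd.netdev(5) suggests root:systemd-network with mode 0640).
    if "PrivateKey" in wg and netdev_mode & stat.S_IROTH:
        findings.append("private-key-world-readable")
    # Tunnel packets carry FirewallMark; an inverted rule must send everything else
    # to a table that actually has routes, otherwise nothing enters the tunnel.
    mark = wg.get("FirewallMark", [None])[0]
    rules = [kv for name, kv in net if name == "RoutingPolicyRule"]
    routed = {kv["Table"][0] for name, kv in net if name == "Route" and "Table" in kv}
    if not any(r.get("FirewallMark") == [mark]
               and r.get("InvertRule", ["no"])[0].lower() in TRUE
               and r.get("Table", [""])[0] in routed for r in rules):
        findings.append("fwmark-rule-missing-or-unrouted")
    # A rule without From=/To=/Family= is IPv4-only per systemd.network(5), so ::/0
    # in AllowedIPs would not be policy-routed into the tunnel.
    wants_v6 = any("::/0" in [ip.strip() for ip in v.split(",")] for name, kv in dev
                   if name == "WireGuardPeer" for v in kv.get("AllowedIPs", []))
    v4_only = [r for r in rules if not ({"From", "To"} & r.keys())
               and r.get("Family", ["ipv4"])[0] not in ("ipv6", "both")]
    if wants_v6 and v4_only:
        findings.append("ipv6-rules-missing")
    return findings

# Constructed sample mirroring the files above; the key is a placeholder.
NETDEV = ("[WireGuard]\nPrivateKey=PLACEHOLDER\nFirewallMark=51820\n"
          "[WireGuardPeer]\nAllowedIPs=0.0.0.0/0,::/0\n")
NETWORK = ("[Route]\nSource=0.0.0.0/0\nTable=51820\n"
           "[RoutingPolicyRule]\nInvertRule=yes\nFirewallMark=51820\nTable=51820\n"
           "[RoutingPolicyRule]\nSuppressPrefixLength=0\n")
if __name__ == "__main__":
    print(audit(NETDEV, NETWORK, 0o644))
```

On real files, pass the file contents and `stat.S_IMODE(os.stat(path).st_mode)` for the .netdev; an empty list means none of the three conditions was found.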