Compilation from Source Code

Compiling the Kernel Module from Source

You will need gcc ≥4.7 and your kernel headers in the right location for compilation.

Step 1: Install the toolchain

Ubuntu and Debian

$ sudo apt-get install libelf-dev linux-headers-$(uname -r) build-essential pkg-config

Fedora

$ sudo dnf install elfutils-libelf-devel kernel-devel pkg-config @development-tools

Red Hat Enterprise Linux / CentOS

$ sudo yum install elfutils-libelf-devel kernel-devel pkgconfig "@Development Tools"

Arch

# pacman -S linux-headers base-devel pkg-config

OpenSUSE

$ sudo zypper install kernel-default-devel pkg-config

Alpine

# apk add build-base linux-hardened-dev  # or linux-vanilla-dev on a vanilla kernel

Step 2: Grab the code

$ git clone https://git.zx2c4.com/wireguard-linux-compat
$ git clone https://git.zx2c4.com/wireguard-tools

Step 3: Compile and install the module

$ make -C wireguard-linux-compat/src -j$(nproc)
$ sudo make -C wireguard-linux-compat/src install

(You may instead run make debug if you'd like to have additional information on what's happening in your dmesg(1).)

Step 4: Compile and install the `wg(8)` tool

$ make -C wireguard-tools/src -j$(nproc)
$ sudo make -C wireguard-tools/src install

*** Move on to the quick start walkthrough. ***

Kernel Requirements

WireGuard requires Linux ≥3.10, with the following configuration options, which are likely already configured in your kernel, especially if you're installing via distribution packages.

CONFIG_NET for basic networking support
CONFIG_INET for basic IP support
CONFIG_NET_UDP_TUNNEL for sending and receiving UDP packets
CONFIG_CRYPTO_ALGAPI for crypto_xor

Some, but not all, of these options directly correspond to menuconfig entries. The ones that do not correspond directly correspond to options that imply them. For enabling the above options, select these items in menuconfig:

[*] Networking support (NET) -->
    Networking options -->
        [*] TCP/IP networking (INET)
        [*]   IP: Foo (IP protocols) over UDP (NET_FOU)
[*] Cryptographic API (CRYPTO) -->
    [*] Cryptographic algorithm manager (CRYPTO_MANAGER)

When building as an out of tree module, it is probable that one needs CONFIG_UNUSED_SYMBOLS set as well.

Building Directly In Tree

Rather than building as an external module, if you would like to build WireGuard as a module or as built-in, directly from within the kernel tree, you may use the create-patch.sh script which creates a patch for adding WireGuard directly to the tree or the jury-rig.sh script which links the WireGuard source directory into the kernel tree:

$ cd /usr/src/linux
$ ~/wireguard-linux-compat/kernel-tree-scripts/create-patch.sh | patch -p1

    or

$ ~/wireguard-linux-compat/kernel-tree-scripts/jury-rig.sh /usr/src/linux

Then you will be able to configure these options directly:

CONFIG_WIREGUARD controls whether WireGuard is built as a module, as built-in, or not at all
CONFIG_WIREGUARD_DEBUG turns on verbose debug messages

These are selectable easily via menuconfig, if CONFIG_NET and CONFIG_INET are also selected:

[*] Networking support -->
    Networking options -->
        [*] TCP/IP networking
        [*]   IP: WireGuard secure network tunnel
        [ ]     Debugging checks and verbose messages