# Add a new device to the Data VPN

## Create a new key pair

You can create a private key in a bash terminal with `wg genkey`.

To get the related public key, run `wg pubkey`, which reads the private key from standard input.

## Add entry in the jumphost config file

On the jumphost server, modify `/etc/wireguard/wg0.conf` and add a new entry for the peer following this structure:

```bash
[Peer]
# Probably leave a comment to inform who this is for
PublicKey = # The new peer's public key goes here
AllowedIPs = 192.168.70.XXX/32 # Replace XXX with an available value
```

Make sure not to create IP collisions: each `Peer` entry should have a unique `AllowedIPs` value that no other entry is using.

Finally, restart the WireGuard service so that the changes take effect: `sudo systemctl restart wg-quick@wg0.service`

You can verify that WireGuard is running properly again with: `sudo systemctl status wg-quick@wg0.service`

## Provide user with their private configuration and keys

Next, provide the user with this block of configuration so they can create an entry in their local WireGuard client:

```bash
[Interface]
PrivateKey = # The user's private key goes here
Address = 192.168.70.1/32
DNS = 192.168.69.1

[Peer]
PublicKey = bKr79c5XbzudWeUjiwXcxsy1mrrEnrO4xSrNAUZv2GE= # Jumphost public key goes here. This is a valid value as I'm writing this guide, but it might change in the future!
AllowedIPs = 192.168.69.1/32, 10.69.0.0/24, 52.146.133.0/24
Endpoint = 172.166.88.95:52420
```

Besides this config snippet, also provide the public and private keys to the user and instruct them to keep them stored in their password manager.
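
For the collision check in the jumphost step above, here is an added example (not part of the original guide) that parses a `wg0.conf`, reports peers whose `AllowedIPs` overlap, and suggests the next free `/32`. It assumes the peer pool is `192.168.70.0/24`; the function names and the sample config are constructed for illustration, and it goes beyond exact duplicates by also flagging a wider range that contains another peer's address.

```python
import ipaddress

POOL = ipaddress.ip_network("192.168.70.0/24")  # assumed pool behind 192.168.70.XXX
# Constructed sample of /etc/wireguard/wg0.conf; the keys are placeholders.
SAMPLE_CONF = """\
[Interface]
ListenPort = 52420
[Peer]
PublicKey = <alice-public-key>
AllowedIPs = 192.168.70.1/32
[Peer]
PublicKey = <bob-public-key>
AllowedIPs = 192.168.70.2/32
[Peer]
PublicKey = <carol-public-key>
AllowedIPs = 192.168.70.2/32  # same address as bob
"""

def peer_networks(conf_text):
    """Return one list of AllowedIPs networks per [Peer] section."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if line.startswith("["):
            current = [] if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "allowedips":
                current += [ipaddress.ip_network(v.strip(), strict=False)
                            for v in value.split(",") if v.strip()]
    return peers

def collisions(peers):
    """(i, j, net_i, net_j) for every pair of peers whose ranges overlap."""
    return [(i, j, a, b) for i, nets in enumerate(peers)
            for j in range(i + 1, len(peers)) for a in nets for b in peers[j]
            if a.version == b.version and a.overlaps(b)]

def next_free(peers, pool=POOL):
    """First host in the pool not covered by any peer's AllowedIPs, as a /32."""
    used = [n for nets in peers for n in nets if n.version == pool.version]
    return next((f"{h}/32" for h in pool.hosts()
                 if not any(h in n for n in used)), None)

if __name__ == "__main__":
    found = peer_networks(SAMPLE_CONF)
    print("collisions:", collisions(found), "next free:", next_free(found))
```

To check the live file, pass the text of `/etc/wireguard/wg0.conf` to `peer_networks` instead of `SAMPLE_CONF` before restarting the service.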