This tutorial will show you how to set up your WireGuard VPN server on Ubuntu in easy-to-follow steps.
Table of Contents
- Step 1: Enable IP Forwarding on the Server
- Step 2: Install WireGuard on Ubuntu
- Step 3: Configure WireGuard VPN Server on Ubuntu
- Step 4: Enable and Start WireGuard VPN Service
- Step 5: Install and Configure WireGuard Client
- Step 6: Connecting the WireGuard Client to the Server
- Conclusion
WireGuard is an open-source, free, and fast VPN server that utilizes state-of-the-art cryptography. It passes traffic over UDP with better performance than the typical two tunneling protocols, i.e., OpenVPN and IPsec.
WireGuard is a peer-to-peer VPN explicitly made for the Linux kernel. It runs inside the Linux kernel and allows you to create fast, modern, and secure VPN tunnel.
WireGuard works by creating a network interface on each peer device that acts as a tunnel. Peers authenticate each other by exchanging and validating public keys, mimicking the SSH model.
Step 1: Enable IP Forwarding on the Server
For the VPN server to route packets between VPN clients and the Internet, you need to enable IP forwarding. Open the /etc/sysctl.conf
file by using your preferred editor:
sudo vim /etc/sysctl.conf
Comment out (remove the #
character before it) the following line:
Save the file and apply the change:
sudo sysctl -p
Step 2: Install WireGuard on Ubuntu
The next step in this tutorial is to install WireGuard on your Ubuntu machine and set it up to act as a server. By default, the WireGuard package is available in the Ubuntu default repository.
sudo apt install wireguard
Once the WireGuard package has been installed, you can proceed to the next step.
Step 3: Configure WireGuard VPN Server on Ubuntu
WireGuard works by exchanging public keys between each device in the WireGuard network. Now that you have WireGuard installed, the next step is to generate a private and public key pair for the server.
Step 3.1: Generate Public/Private Keypair
Run the following command to create a public/private key pair. The files will be saved under /etc/wireguard/
directory.
wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
The wg
command is WireGuard’s build-in configuration utility for getting and setting WireGuard’s configurations. When you run the command, you will receive a single line of base64 encoded output, the public key (server_public.key
) for your WireGuard server.
Remember, the private key (server_private.key
) should never be shared with anyone and should always be kept secure.
Step 3.2: Configure Tunnel Device
Next, you will need to create a network interface for WireGuard. Use a command-line text editor like vim to create a WireGuard configuration file. The network interface name will be wg0
.
sudo vim /etc/wireguard/wg0.conf
Add the contents indicated below:
[Interface]
## Private IP address for the wg0 interface ##
Address = 10.0.0.1/24
## VPN server listening port ##
ListenPort = 51820
## VPN server private key ##
PrivateKey = mPIoWfKQWZP8lie2ISEZ6ul7vyESH9MqpFvxk1cxIWQ=
## Firewall rules ##
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE
Of course, you need to replace the PrivateKey
with the content of the one you generated, stored in the /etc/wireguard/server_private.key
file.
You can display the content of the private key with the following command:
sudo cat /etc/wireguard/server_private.key
Make sure to replace enp1s0
after -A POSTROUTING -o ...
to match the name of your public network interface. You can find it easily with:
ip -o -4 route show to default | awk '{print $5}'
Save and close the wg0.conf
file. Additionally, change the file permission mode to only the root user can read the files.
sudo chmod -R 600 /etc/wireguard/
Step 4: Enable and Start WireGuard VPN Service
Run the following command on the server to enable auto-start at system boot time and start WireGuard.
sudo systemctl enable [email protected]
sudo systemctl start [email protected]
Check its status with the following command. You should see active
in the output:
sudo systemctl status [email protected]
To check the interface state and configuration, enter:
sudo wg show wg0
Step 5: Install and Configure WireGuard Client
First, you will need to install the WireGuard package on the client machine. It is similar to setting up the WireGuard server.
sudo apt install wireguard
Next, you’ll need to generate a public/private key pair on the peer using the exact steps you used on the server.
wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key
Open a new /etc/wireguard/wg0.conf
file on the WireGuard client machine using your preferred editor:
sudo vim /etc/wireguard/wg0.conf
Add the following lines to the file:
[Interface]
## VPN client private IP address ##
Address = 10.0.0.2/24
## VPN client private key ##
PrivateKey = 0COkq1GMM86CmlF5blPFDYhU84iTX8iJ7lWoC1gLfnk=
[Peer]
## VPN server public key ##
PublicKey = ZnD/WMx0kasJfGjFf0/uCtJoFbz0oNdq7EcieHXVaSc=
## VPN server public IP address and port ##
Endpoint = 192.168.122.101:51820
## Route all the traffic through the VPN tunnel ##
AllowedIPs = 0.0.0.0/0
## Key connection alive ##
PersistentKeepalive = 15
Replace the PrivateKey
with the content of the one you generated, stored in the /etc/wireguard/client_private.key
file on the client machine.
sudo cat /etc/wireguard/client_private.key
Replace the server’s public key, which can be found in the /etc/wireguard/server_public.key
file on the server.
Replace the Endpoint
value (192.168.122.101:51820
) with your server’s real public IP address and port.
Finally, save and close the file.
You need to configure the server-side VPN option to allow a connection between the client (Peer) computer and the server. So, go back to the server and edit the /etc/wireguard/wg0.conf
file to add client information as follows:
sudo vim /etc/wireguard/wg0.conf
[Peer]
## Client public key ##
PublicKey = 6FLtyfBQie9+EB3QYF55CR1FASca7vVYPReynlEccAo=
## Client IP address ##
AllowedIPs = 10.0.0.2/24
Replace the PublicKey
with the file’s content stored in the /etc/wireguard/client_public.key
file on the client machine.
The final version of the server configuration file should look like this:
Save the file and restart the VPN server to apply the changes:
sudo systemctl restart [email protected]
Step 6: Connecting the WireGuard Client to the Server
Run the following command on the client machine to connect the VPN client to the VPN server:
sudo systemctl start [email protected]
Now you should be connected to the WireGuard VPN server, and the traffic from your client machine should be routed through it.
That’s all! Both client and server must be connected securely using a peer-to-peer WireGuard VPN on Ubuntu.
To test the connection, return to the VPN client and ping from it (10.0.0.2
) to the VPN server (10.0.0.1
) to see if the tunnel works.
ping -c 3 10.0.0.1
Additionally, you can check the connection with:
sudo wg
To stop the tunneling, just bring down the service on the client machine:
sudo systemctl stop [email protected]
Conclusion
Congratulation! I hope this tutorial helped you install and configure the WireGuard VPN server and client on Ubuntu. This setup allows you to surf the web anonymously by keeping your traffic data private.
I strongly suggest that you read WireGuard project documentation here.
If you found this post useful, or if you are facing any problems, feel free to leave a comment.