How to Set Up WireGuard VPN on Ubuntu

How to Set Up WireGuard VPN on Ubuntu (A Step-by-Step Guide)

This tutorial will show you how to set up your WireGuard VPN server on Ubuntu in easy-to-follow steps.

Table of Contents

WireGuard is an open-source, free, fast VPN server with state-of-the-art cryptography. It passes traffic over UDP with better performance than the typical two tunneling protocols, i.e., OpenVPN and IPsec.

WireGuard is a peer-to-peer VPN explicitly made for the Linux kernel. It runs inside the Linux kernel and allows you to create fast, modern, and secure VPN tunnel.

WireGuard works by creating a network interface on each peer device that acts as a tunnel. Peers authenticate each other by exchanging and validating public keys, mimicking the SSH model.

Step 1: Enable IP Forwarding on the Server

You need to enable IP forwarding for the VPN server to route packets between VPN clients and the Internet. Open the /etc/sysctl.conf file by using your preferred editor:

sudo vim /etc/sysctl.conf

Comment out (remove the # character before it) the following line:

Enable IP Forwarding

Save the file and apply the change:

sudo sysctl -p
Enable IP Forwarding

Step 2: Install WireGuard on Ubuntu

The next step in this tutorial is installing WireGuard on your Ubuntu machine and setting it up as a server. By default, the WireGuard package is available in the Ubuntu default repository.

sudo apt install wireguard
Installing WireGuard VPN on Ubuntu

Once the WireGuard package has been installed, you can proceed to the next step.

Step 3: Configure WireGuard VPN Server on Ubuntu

WireGuard works by exchanging public keys between each device in the WireGuard network. Now that you have WireGuard installed, the next step is to generate a private and public key pair for the server.

Step 3.1: Generate Public/Private Keypair

Run the following command to create a public/private key pair. The files will be saved under /etc/wireguard/ directory.

wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
Generating WireGuard Server Public/Private Keypair

The wg command is WireGuard’s build-in configuration utility for getting and setting WireGuard’s configurations. When you run the command, you will receive a single line of base64 encoded output, the public key (server_public.key) for your WireGuard server.

Remember, the private key (server_private.key) should never be shared with anyone and always be kept secure.

Step 3.2: Configure Tunnel Device

Next, you will need to create a network interface for WireGuard. Use a command-line text editor like vim to create a WireGuard configuration file. The network interface name will be wg0.

sudo vim /etc/wireguard/wg0.conf

Add the contents indicated below:

## Private IP address for the wg0 interface ##
Address =

## VPN server listening port ##
ListenPort = 51820

## VPN server private key ##
PrivateKey = mPIoWfKQWZP8lie2ISEZ6ul7vyESH9MqpFvxk1cxIWQ=

## Firewall rules ##
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE

Of course, you need to replace the PrivateKey with the content of the one you generated, stored in the /etc/wireguard/server_private.key file.

You can display the content of the private key with the following command:

sudo cat /etc/wireguard/server_private.key
View WireGuard Server Private Key

Make sure to replace enp1s0 after -A POSTROUTING -o ... to match the name of your public network interface. You can find it easily with:

ip -o -4 route show to default | awk '{print $5}'
Public Network Interface Name

Save and close the wg0.conf file. Additionally, change the file permission mode to only the root user can read the files.

sudo chmod -R 600 /etc/wireguard/

Step 4: Enable and Start WireGuard VPN Service

Run the following command on the server to enable auto-start at system boot time and start WireGuard.

sudo systemctl enable [email protected]
sudo systemctl start [email protected]

Check its status with the following command. You should see active in the output:

sudo systemctl status [email protected]
Check WireGuard Service Status

To check the interface state and configuration, enter:

sudo wg show wg0
wg0 Interface State

Step 5: Install and Configure WireGuard Client

First, you must install the WireGuard package on the client machine. It is similar to setting up the WireGuard server.

sudo apt install wireguard
Installin WireGuard on Client on Ubuntu

Next, you’ll need to generate a public/private key pair on the peer using the exact steps you used on the server.

wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key
Generate a Public/Private Key Pair

Open a new /etc/wireguard/wg0.conf file on the WireGuard client machine using your preferred editor:

sudo vim /etc/wireguard/wg0.conf

Add the following lines to the file:

## VPN client private IP address ##
Address =

## VPN client private key ##
PrivateKey = 0COkq1GMM86CmlF5blPFDYhU84iTX8iJ7lWoC1gLfnk=

## VPN server public key ##
PublicKey = ZnD/WMx0kasJfGjFf0/uCtJoFbz0oNdq7EcieHXVaSc=

## VPN server public IP address and port ##
Endpoint =

## Route all the traffic through the VPN tunnel ##
AllowedIPs =

## Key connection alive ##
PersistentKeepalive = 15

Replace the PrivateKey with the content of the one you generated, stored in the /etc/wireguard/client_private.key file on the client machine.

sudo cat /etc/wireguard/client_private.key
View WireGuard Server Private Key

Replace the server’s public key, which can be found in the /etc/wireguard/server_public.key file on the server.

Replace the Endpoint value ( with your server’s public IP address and port.

Finally, save and close the file.

You need to configure the server-side VPN option to allow a connection between the client (Peer) computer and the server. So, go back to the server and edit the /etc/wireguard/wg0.conf file to add client information as follows:

sudo vim /etc/wireguard/wg0.conf
## Client public key ##
PublicKey = 6FLtyfBQie9+EB3QYF55CR1FASca7vVYPReynlEccAo=

## Client IP address ##
AllowedIPs =

Replace the PublicKey with the file’s content stored in the /etc/wireguard/client_public.key file on the client machine.

The final version of the server configuration file should look like this:

VPN Server wp0 Configuration File

Save the file and restart the VPN server to apply the changes:

sudo systemctl restart [email protected]

Step 6: Connecting the WireGuard Client to the Server

Run the following command on the client machine to connect the VPN client to the VPN server:

sudo systemctl start [email protected]

Now you should be connected to the WireGuard VPN server, and the traffic from your client machine should be routed through it.

That’s all! Both client and server must be connected securely using a peer-to-peer WireGuard VPN on Ubuntu.

To test the connection, return to the VPN client and ping from it ( to the VPN server ( to see if the tunnel works.

ping -c 3
Testing VPN Tunnel

Additionally, you can check the connection with:

sudo wg
Check Wireguard VPN Status on Ubuntu by Using wg Command

To stop the tunneling, bring down the service on the client machine:

sudo systemctl stop [email protected]


Congratulation! I hope this tutorial helped you install and configure the WireGuard VPN server and client on Ubuntu. This setup lets you to surf the web anonymously by keeping your traffic data private.

I strongly suggest that you read the WireGuard project documentation here.

If you found this post helpful or facing any problems, feel free to comment.

Leave a Reply

Your email address will not be published.