WireGuard is an open-source VPN protocol and an alternative to IPsec, IKEv2, and OpenVPN. WireGuard was designed for Linux and Unix operating systems. It runs in Linux kernel space, which makes it faster and more reliable. WireGuard is used to create secure tunnel connections between two or more computers.
WireGuard aims to replace VPN protocols such as IPsec, IKEv2, and OpenVPN. It is lighter, faster, easier to set up, and more efficient. At the same time, WireGuard did not sacrifice the security side of the VPN protocol: it uses modern, state-of-the-art cryptography such as the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions.
Compared to OpenVPN, IPsec, and IKEv2, WireGuard is a new VPN protocol. It was released in 2015 by Jason A. Donenfeld as an alternative VPN protocol, merged into Linux kernel v5.6 by Linus Torvalds in 2020, and ported to FreeBSD 13 in the same year.
This guide walks you through installing WireGuard on an Ubuntu 22.04 server and shows you how to set up a Linux client machine to connect to the WireGuard server.
For this example, the Linux client machine is also an Ubuntu 22.04 server. If you have another Debian-based machine, you can use that instead.
Prerequisites
Before you begin with the WireGuard installation, you must fulfill the following requirements:
- An Ubuntu 22.04 server – This example uses an Ubuntu machine with the hostname ‘wireguard-server’.
- A non-root user with sudo root privileges.
If these requirements are ready, you’re good to install a WireGuard VPN server.
Installing WireGuard Server
WireGuard runs in kernel space on your Linux system. To set up a WireGuard VPN, you must install and enable the WireGuard kernel module. On the latest Ubuntu 22.04 server, the default kernel is v
The first step is to enable the WireGuard kernel module and install wireguard-tools on your Ubuntu server.
Run the modprobe command below to load the ‘wireguard’ kernel module, then verify with lsmod that it is loaded.
sudo modprobe wireguard
lsmod | grep wireguard
If the module is loaded, you should receive output similar to this.
To make it permanent, add ‘wireguard’ to the ‘/etc/modules’ file with the command below. The write is done by tee running under sudo, because with a plain ‘sudo echo ... >> /etc/modules’ the redirection would be performed by your unprivileged shell and fail with permission denied.
echo 'wireguard' | sudo tee -a /etc/modules
Next, run the apt command below to update your Ubuntu package index.
sudo apt update
After updating the package index, install wireguard-tools via the apt command below.
sudo apt install wireguard-tools
The installation should start automatically.
With the WireGuard kernel module enabled and wireguard-tools installed, you’re ready to configure WireGuard. The first stage is generating a key pair for the WireGuard server and for the client.
Generating Server and Client Key Pairs
In this step, you’ll generate a key pair for the WireGuard server and for the client using the ‘wg’ utility provided by the wireguard-tools package.
wireguard-tools provides two utilities:
- wg – a command line utility for configuring the WireGuard tunnel interface. With it, you can generate key pairs, inspect the current WireGuard status and interfaces, and set up a tunnel interface.
- wg-quick – a simple command line wrapper for managing WireGuard interfaces. You can start, stop, and restart any WireGuard interface via wg-quick.
Now let’s generate the key pairs for the WireGuard server and client.
Generating Key Pair for WireGuard Server
To generate the server private key, run the ‘wg genkey’ command below, then change the permissions of the private key file to 0400. In this example the server private key is written to ‘/etc/wireguard/server.key’, and mode ‘0400’ removes all access for the group and others.
wg genkey | sudo tee /etc/wireguard/server.key
sudo chmod 0400 /etc/wireguard/server.key
Next, run the ‘wg pubkey’ command below to derive the server public key from the private key ‘server.key’. In this example the public key is written to ‘/etc/wireguard/server.pub’.
sudo cat /etc/wireguard/server.key | wg pubkey | sudo tee /etc/wireguard/server.pub
Now verify the server key pair with the following cat commands.
sudo cat /etc/wireguard/server.key
sudo cat /etc/wireguard/server.pub
Your public and private keys will differ, but the output looks similar to this:
Generating Client Key Pair
Generating the client key pair works the same way as for the WireGuard server.
To begin, create the directory ‘/etc/wireguard/clients’ with the command below. This directory will store the client’s public and private keys.
sudo mkdir -p /etc/wireguard/clients
Next, run the ‘wg genkey’ command below to write the client private key to ‘/etc/wireguard/clients/client1.key’. Then run ‘wg pubkey’ to derive the client public key ‘/etc/wireguard/clients/client1.pub’ from that private key.
wg genkey | sudo tee /etc/wireguard/clients/client1.key
sudo cat /etc/wireguard/clients/client1.key | wg pubkey | sudo tee /etc/wireguard/clients/client1.pub
Now verify the client’s private and public keys with the cat commands below.
sudo cat /etc/wireguard/clients/client1.key
sudo cat /etc/wireguard/clients/client1.pub
Your keys will differ from these; both are base64-encoded strings.
With the server and client key pairs generated, you’ll next configure the WireGuard server.
Configuring WireGuard Server
In this step, you’ll create a config file for the WireGuard server, set up the WireGuard interface, and define a peer entry for the client connection. This includes the WireGuard VPN subnet, the server’s tunnel IP address, and the tunnel IP address of the peer client.
Create the server config file ‘/etc/wireguard/wg0.conf’ with the nano editor.
sudo nano /etc/wireguard/wg0.conf
Add the following lines to the file. This sets the WireGuard server’s tunnel address to ‘10.8.0.1’ and opens UDP port 51820 for client connections. The SaveConfig parameter makes wg-quick write the running interface’s state back to this config file when the interface is brought down. Be sure to replace the ‘PrivateKey’ value with the server private key from ‘server.key’.
[Interface]
# WireGuard server private key - server.key
PrivateKey = sGpPeFlQQ5a4reM12HZIV3oqD3t+h7S5qxniZ5EElEQ=
# The WireGuard interface will run at 10.8.0.1
Address = 10.8.0.1/24
# Clients connect to UDP port 51820
ListenPort = 51820
# Save runtime changes back to this config file when the interface goes down
SaveConfig = true
Next, add the following lines to define the client peer. Be sure to replace the ‘PublicKey’ value with the client public key from ‘client1.pub’. The ‘AllowedIPs’ parameter specifies which tunnel addresses belong to this peer: packets from this client are accepted only with these source addresses, and packets to these addresses are sent to this client. In this example, only the client with IP ‘10.8.0.5’ is allowed on this peer, so a /32 prefix is used. You can additionally list an internal network subnet reachable behind the client, such as ‘172.16.100.0/24’.
[Peer]
# WireGuard client public key - client1.pub
PublicKey = nsxkCFGsLYTTZagXRx9Kkdh6wz1NOjbjWmZ9h9NBiR8=
# Tunnel address of this client; /32 so that only 10.8.0.5 maps to this peer
# (a wider prefix such as 10.8.0.5/24 would route the whole subnet to this one client)
# a subnet behind the client can be added too, e.g. 10.8.0.5/32, 172.16.100.0/24
AllowedIPs = 10.8.0.5/32
Save and exit the file when finished.
You have now created the WireGuard server configuration with the interface settings and a peer entry for the client with public key ‘client1.pub’. Next, you’ll enable IP forwarding and set up the UFW firewall.
Setting up IP Forwarding
After configuring the WireGuard server, enable IP forwarding on your Ubuntu system via the ‘/etc/sysctl.conf’ file, so the kernel will forward packets between the wg0 interface and the internet interface.
Open the file ‘/etc/sysctl.conf’ with the nano editor command below.
sudo nano /etc/sysctl.conf
Add the following lines to the end of the file.
# IP forwarding for IPv4
net.ipv4.ip_forward=1
# IP forwarding for IPv6
net.ipv6.conf.all.forwarding=1
Save the file and exit the editor when finished.
Now run the below sysctl command to apply the changes.
sudo sysctl -p
Output:
IP forwarding on your Ubuntu server is now enabled, and you’re ready to set up the UFW firewall, which will route traffic from clients to a specific network interface on your WireGuard server.
Setting up UFW Firewall
In this step, you’ll set up the UFW firewall so that the WireGuard server forwards client connections to the network interface it uses to reach the internet. This lets WireGuard clients access the internet via that interface on the WireGuard server.
To start, run the ip command below to check which network interface is used for connecting to the internet.
ip route list default
Your output will look similar, but with a different interface name and IP address. In this example, eth0 is the default interface for reaching the internet, and ‘eth0’ will be used to route WireGuard clients’ connections to the internet and outside networks.
Next, open the WireGuard server config file ‘/etc/wireguard/wg0.conf’ with the nano editor command below.
sudo nano /etc/wireguard/wg0.conf
Add the following lines to the ‘[Interface]’ section, replacing eth0 with your own internet interface if it differs.
[Interface]
...
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Save and exit the file when finished.
- The ‘PostUp’ commands run whenever the WireGuard server brings the VPN tunnel up.
- The ‘PreDown’ commands run whenever the WireGuard server takes the VPN tunnel down, removing the rules the PostUp commands added.
- The command ‘ufw route allow in on wg0 out on eth0’ allows forwarding of traffic arriving on the wg0 interface out to the internet interface eth0.
- The command ‘iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE’ enables masquerading: IPv4 traffic from the wg0 interface is rewritten so that it appears to come directly from the WireGuard server.
- The command ‘ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE’ does the same for IPv6 traffic from the wg0 interface.
After adding these lines to the WireGuard server config file ‘/etc/wireguard/wg0.conf’, you will now set up and enable the UFW firewall.
On Ubuntu, the default firewall is UFW, which is installed by default. Start and enable UFW before you start the WireGuard server.
Run the ufw command below to allow the OpenSSH service through UFW first, so that enabling the firewall does not cut off your SSH session.
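The following pre-flight check is an added example and not part of the original guide. It reads a server config in the layout of the wg0.conf above and reports the pitfalls discussed in the [Peer] section and in the PostUp/PreDown list: a key file readable by group or others, a peer AllowedIPs wider than a single address or shared between two peers, and PostUp lines without a matching PreDown. The script name, the message wording and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Pre-flight check for a WireGuard server config such as /etc/wireguard/wg0.conf.
# Prints one line per finding and returns the number of findings (0 = clean).
check_wg_server_conf() {
    conf="$1"
    findings=0
    # The file holds the server private key, so only its owner may read it.
    mode=$(stat -c '%a' "$conf")
    case "$mode" in
        600|400) ;;
        *) echo "WARN: $conf has mode $mode, expected 600 or 400"; findings=$((findings + 1)) ;;
    esac
    # Walk the [Interface] and [Peer] sections and collect the remaining findings.
    out=$(awk -F'=' '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^\[Interface\]/ { sect = "iface"; next }
        /^\[Peer\]/      { sect = "peer"; npeer++; next }
        {
            key = $1; gsub(/[ \t]/, "", key)
            val = $2; gsub(/[ \t]/, "", val)
            if (sect == "iface" && key == "PrivateKey") have_key = 1
            if (sect == "iface" && key == "ListenPort") have_port = 1
            if (key == "PostUp")  nup++
            if (key == "PreDown") ndown++
            if (sect == "peer" && key == "AllowedIPs") {
                n = split(val, ips, ",")
                for (i = 1; i <= n; i++) {
                    # Anything wider than /32 (or /128) routes that whole range to one client.
                    if (ips[i] !~ /\/(32|128)$/)
                        print "WARN: peer " npeer " AllowedIPs " ips[i] " routes a whole subnet to one peer"
                    # The same address on two peers: the kernel keeps only the last one.
                    if (ips[i] in seen)
                        print "WARN: peer " npeer " AllowedIPs " ips[i] " already assigned to peer " seen[ips[i]]
                    seen[ips[i]] = npeer
                }
            }
        }
        END {
            if (!have_key)  print "ERROR: [Interface] has no PrivateKey"
            if (!have_port) print "ERROR: [Interface] has no ListenPort"
            if (nup != ndown) print "WARN: " (nup+0) " PostUp but " (ndown+0) " PreDown lines; NAT rules may be left behind"
        }' "$conf")
    if [ -n "$out" ]; then
        echo "$out"
        findings=$((findings + $(printf '%s\n' "$out" | wc -l)))
    fi
    return "$findings"
}

# Usage: sudo sh check_wg.sh /etc/wireguard/wg0.conf
if [ $# -eq 1 ]; then check_wg_server_conf "$1"; fi
```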
sudo ufw allow OpenSSH
After OpenSSH is allowed, run the command below to start and enable UFW. When prompted, input y to confirm and press ENTER to proceed.
sudo ufw enable
When UFW is enabled, you should receive output such as ‘Firewall is active and enabled on system startup’.
Next, open the WireGuard server port 51820 that will be used for client connections. Run the ufw command below to open UDP port 51820 on your Ubuntu system, then reload UFW to apply the changes.
sudo ufw allow 51820/udp
sudo ufw reload
Now verify the list of enabled rules on the ufw firewall using the below command.
sudo ufw status
You should receive output like this: the UFW status is ‘active’, with the OpenSSH service allowed and the WireGuard port ‘51820/udp’ added to the firewall.
At this point, you’ve enabled IP forwarding via the /etc/sysctl.conf file and configured the UFW firewall on the WireGuard server. You’re now ready to start the WireGuard server.
Starting WireGuard Server
In this step, you’ll start and enable the WireGuard service and verify the wg0 interface that it creates.
Run the systemctl commands below to start and enable the WireGuard service. The ‘wg-quick@wg0.service’ unit will create and bring up the WireGuard interface ‘wg0’ from ‘/etc/wireguard/wg0.conf’ on your WireGuard server.
sudo systemctl start wg-quick@wg0.service
sudo systemctl enable wg-quick@wg0.service
Now verify the wireguard service via the below command.
sudo systemctl status wg-quick@wg0.service
You will receive output similar to the following screenshot: the ‘wg-quick@wg0.service’ service is running and enabled, which means the ‘wg0’ interface has been created and is up.
Run the command below to verify the ‘wg0’ interface on your WireGuard server.
ip a show wg0
You should receive output like this: the WireGuard interface wg0 has the IP address ‘10.8.0.1’, as defined in the config file ‘/etc/wireguard/wg0.conf’.
Alternatively, you can start and stop WireGuard via the ‘wg-quick’ command as below. ‘wg-quick up’ starts the WireGuard server and ‘wg-quick down’ stops it.
sudo wg-quick up /etc/wireguard/wg0.conf
sudo wg-quick down /etc/wireguard/wg0.conf
With the WireGuard server running, you’ll next set up the client machine and connect it to the WireGuard server.
Connecting Client to WireGuard Server
In this step, you’ll set up WireGuard on a Linux client machine and connect it to the WireGuard server. This example uses an Ubuntu machine with the hostname ‘client1’ as the client, but any Linux distribution will do.
Run the apt commands below to update the client’s package index and install the wireguard-tools and resolvconf packages.
sudo apt update
sudo apt install wireguard-tools resolvconf
Input y when prompted for confirmation and press ENTER to proceed.
After wireguard-tools is installed, create the client config file ‘/etc/wireguard/wg-client1.conf’ with the nano editor command below.
sudo nano /etc/wireguard/wg-client1.conf
Add the following lines to the file.
[Interface]
# Tunnel address of the client - must match the AllowedIPs entry for this peer in wg0.conf on the WireGuard server
Address = 10.8.0.5/24
# DNS server to use while connected
DNS = 1.1.1.1
# Private key of the client - client1.key
PrivateKey = EIM/iCAIeKRQvdL43Mezx1g1HG8ObnEXYaQPrzFlpks=

[Peer]
# Public key of the WireGuard server - server.pub
PublicKey = cs5YcuScSFYtoPUsTDvJtxERjR3V3kmksSlnnHhdlzY=
# Route all traffic through the WireGuard VPN
AllowedIPs = 0.0.0.0/0
# Public IP address of the WireGuard server
Endpoint = SERVER-IP:51820
# Send a keepalive every 25 seconds
PersistentKeepalive = 25
Save the file and exit the editor when finished.
In the ‘[Interface]’ section, you must define the following:
- The client’s IP address, which must lie within the WireGuard server’s subnet. In this example, the WireGuard client gets the IP address ‘10.8.0.5’.
- The DNS server to use.
- The ‘PrivateKey’ parameter, replaced with the client private key you generated, ‘client1.key’.
In the ‘[Peer]’ section, you must add the following:
- The WireGuard server public key ‘server.pub’ in the PublicKey parameter.
- ‘AllowedIPs’, which restricts which destinations are routed through this peer: you can list specific subnets, or use 0.0.0.0/0 to tunnel all traffic over the VPN.
- The Endpoint parameter, set to the public IP address of the WireGuard server; a domain name also works.
With the wireguard client config file created, you’re ready to start wireguard on your client machine.
Run the ‘wg-quick up’ command below to start WireGuard on the client machine.
sudo wg-quick up wg-client1
You should receive output like this: the new WireGuard interface ‘wg-client1’ is created and the client machine connects to the WireGuard server.
Run the ip command below to verify the WireGuard interface ‘wg-client1’.
ip a show wg-client1
You should receive output like this: the wg-client1 interface is up with the IP address ‘10.8.0.5’, which is part of the WireGuard server’s subnet ‘10.8.0.0/24’.
You can also verify the WireGuard connection status via the ‘wg show’ command.
Run ‘wg show’ on the client machine; it needs root, so use sudo.
sudo wg show
You should see output like this: the ‘endpoint’ field should show the WireGuard server’s IP address, and the peer should be the server’s public key ‘server.pub’. A recent ‘latest handshake’ time confirms that the tunnel is actually established.
Now move to the WireGuard server and run ‘wg show’ there.
sudo wg show
You should receive output similar to this: the endpoint field shows the client’s public IP address, and the peer is the client public key ‘client1.pub’.
Now verify the connection from the client machine to the WireGuard server over the server’s tunnel IP address, and check that the client machine can reach the internet.
Run the ping commands below on the client machine.
ping -c5 10.8.0.1
ping -c5 1.1.1.1
ping -c5 duckduckgo.com
Below is the output you should receive:
The client machine can reach the WireGuard server at its tunnel IP address ‘10.8.0.1’.
The client machine can access the internet; all traffic is routed via the WireGuard server’s public IP address.
The client machine can reach domain names on the internet, which confirms that DNS resolution works through the tunnel.
You’ve now configured the WireGuard VPN on the client machine and verified the connection between the client machine and the WireGuard server.
Conclusion
In this tutorial, you have installed and configured WireGuard VPN on an Ubuntu 22.04 server. You have also configured a Debian-based client machine and connected it to the WireGuard VPN server.
In detail, you’ve installed the WireGuard package, generated public and private key pairs for both server and client, configured the UFW firewall to route VPN traffic to the specific network interface, and enabled IP forwarding via the /etc/sysctl.conf file.
With this in mind, you can add more clients to your WireGuard VPN server by generating another key pair for the client, defining the peer on the WireGuard server, and creating a new WireGuard config file for the client machine. To learn more about WireGuard, visit the official WireGuard documentation.
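As an added example (not part of the original guide), the script below automates the three steps just described for a new client: it picks the next free address in the 10.8.0.0/24 tunnel subnet from the existing wg0.conf, prints the server [Peer] entry and the client config, and adds the peer to the running interface. It assumes the client key pair has already been generated with wg genkey and wg pubkey as above; the script name, the argument order and the subnet are assumptions.

```shell
#!/bin/sh
# Adds one more client to the wg0 server built in this guide. Assumed inputs: the
# server config path, the client's key pair (from 'wg genkey' / 'wg pubkey') and the
# server's public endpoint; 10.8.0.0/24 is the tunnel subnet used above.

# Lowest unused host in 10.8.0.0/24: every address already named in the server's
# Address line or in any peer's AllowedIPs counts as taken.
next_free_ip() {   # /etc/wireguard/wg0.conf
    awk -F'=' '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*(Address|AllowedIPs)[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v)
            n = split(v, ips, ",")
            for (i = 1; i <= n; i++)
                if (split(ips[i], o, "[./]") >= 4 && (o[1] "." o[2] "." o[3]) == "10.8.0")
                    used[o[4] + 0] = 1
        }
        END { for (h = 2; h < 255; h++) if (!(h in used)) { print "10.8.0." h; exit } }
    ' "$1"
}

# Server-side [Peer] entry; /32 so that only this one address maps to this key.
server_peer_block() {   # name client_pub client_ip
    printf '[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# Client-side config in the same layout as wg-client1.conf above.
client_conf() {   # client_priv client_ip server_pub server_endpoint
    printf '[Interface]\nAddress = %s/24\nDNS = 1.1.1.1\nPrivateKey = %s\n\n' "$2" "$1"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s:51820\nPersistentKeepalive = 25\n' "$3" "$4"
}

# SaveConfig = true makes wg-quick rewrite wg0.conf from the running interface when
# it goes down, so a [Peer] pasted into the file while wg0 is up is lost. Add the
# peer to the live interface instead; wg-quick writes it to the file on the next down.
add_peer_live() {   # client_pub client_ip  (needs root and a running wg0)
    wg show wg0 >/dev/null 2>&1 || { echo "wg0 is not up; append the [Peer] block to wg0.conf instead" >&2; return 1; }
    wg set wg0 peer "$1" allowed-ips "$2/32"
}

# Usage: sudo sh add_client.sh NAME CLIENT_PUB CLIENT_PRIV SERVER_PUB SERVER_ENDPOINT
if [ $# -eq 5 ]; then
    ip=$(next_free_ip /etc/wireguard/wg0.conf)
    server_peer_block "$1" "$2" "$ip"
    echo
    client_conf "$3" "$ip" "$4" "$5"
    add_peer_live "$2" "$ip" || true
fi
```

The client config printed by the script is copied to the client machine as /etc/wireguard/wg-<name>.conf and brought up with wg-quick exactly as for client1.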