Wireguard is an open-source VPN protocol and an alternative to IPSec, IKEv2, and OpenVPN. Wireguard is designed for Linux and Unix operating systems. It runs in Linux kernel space, which makes wireguard faster and more reliable. Wireguard is used to create secure tunnel connections between two or more computers.
Wireguard aims to replace VPN protocols such as IPSec, IKEv2, and OpenVPN. Wireguard is lighter, faster, easier to set up, and more efficient. At the same time, Wireguard does not sacrifice the security aspect of the VPN protocol. Wireguard uses modern, state-of-the-art cryptography: the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions.
Compared to other VPN protocols such as OpenVPN, IPSec, and IKEv2, wireguard is a new VPN protocol. Wireguard was released in 2015 by Jason A. Donenfeld as an alternative VPN protocol. It was merged into the Linux kernel v5.6 by Linus Torvalds in 2020, and in the same year it was also ported to FreeBSD 13.
This guide will walk you through installing wireguard on an Ubuntu 22.04 server. We'll also show you how to set up a Linux client machine and connect it to the wireguard server.
For this example, the Linux client machine is an Ubuntu 22.04 server. If you have another Debian-based machine, you can use that instead.
Before you begin with the wireguard installation, you must fulfill the following requirements:
Once these requirements are met, you're ready to install the wireguard VPN server.
Wireguard runs in kernel space on your Linux system. To set up a wireguard VPN, you must install and enable the wireguard kernel module. On the latest Ubuntu 22.04 server, the default kernel is v
The first step is to enable the wireguard kernel module and install wireguard-tools on your Ubuntu server.
Run the modprobe command below to load the 'wireguard' kernel module, then verify that it is loaded with lsmod.
sudo modprobe wireguard
lsmod | grep wireguard
If enabled, you should receive an output similar to this.
To make it permanent, add 'wireguard' to the '/etc/modules' file. Note that a plain 'sudo echo ... >> /etc/modules' does not work, because the redirection is performed by your unprivileged shell rather than by sudo; pipe through tee instead:
echo 'wireguard' | sudo tee -a /etc/modules
Next, run the below apt command to update your Ubuntu package index.
sudo apt update
After updating the package index, install the wireguard-tools via the apt command below.
sudo apt install wireguard-tools
The installation should automatically be started.
With the wireguard kernel module enabled and wireguard-tools installed, you're ready to start configuring wireguard. The first stage is generating a key pair for the wireguard server and the client.
In this step, you'll generate a key pair for the wireguard server and one for the client. This is done via the 'wg' command-line utility provided by the wireguard-tools package.
Below are two utilities that are provided by wireguard-tools:
Now, let's start generating key pairs for the wireguard server and client.
To generate the server private key, run the 'wg genkey' command below, then change the permission of the private key file to 0400. In this example, the wireguard server private key is stored at '/etc/wireguard/server.key', and mode '0400' removes access for the group and others.
wg genkey | sudo tee /etc/wireguard/server.key
sudo chmod 0400 /etc/wireguard/server.key
Next, run the below 'wg pubkey' command to generate the wireguard server public key. In this example, the wireguard server public key will be available at '/etc/wireguard/server.pub'. Also, the wireguard public key is derived from the private key 'server.key'.
sudo cat /etc/wireguard/server.key | wg pubkey | sudo tee /etc/wireguard/server.pub
Now verify the key pair for the wireguard server via the following cat command.
cat /etc/wireguard/server.key
cat /etc/wireguard/server.pub
You may have a different key for both public and private keys, but the output is similar to this:
The client key pair is generated in the same way as the wireguard server key pair.
To begin, create a new directory '/etc/wireguard/clients' using the command below. This directory will store the client's public and private keys.
sudo mkdir -p /etc/wireguard/clients
Next, run the 'wg genkey' command below to generate the client private key at '/etc/wireguard/clients/client1.key'. Then run 'wg pubkey' to derive the client public key '/etc/wireguard/clients/client1.pub' from that private key.
wg genkey | sudo tee /etc/wireguard/clients/client1.key
sudo cat /etc/wireguard/clients/client1.key | wg pubkey | sudo tee /etc/wireguard/clients/client1.pub
Now verify the client's public and private keys via the cat command below.
cat /etc/wireguard/clients/client1.key
cat /etc/wireguard/clients/client1.pub
Your generated public and private keys will differ from these; both are base64-encoded strings.
With both the wireguard server and client key pair generated, you'll next start configuring the wireguard server.
In this step, you'll create a new config file for the wireguard server, set up the wireguard interface, and define the peer entry for client connections. This includes the configuration of the wireguard VPN subnet, the IP address of the wireguard server, and the IP address of the peer client.
Create a new wireguard server config file '/etc/wireguard/wg0.conf' using the below nano editor.
sudo nano /etc/wireguard/wg0.conf
Add the following lines to the file. This sets the wireguard server's IP address to '10.8.0.1' and opens UDP port 51820 for client connections. The SaveConfig parameter ensures that runtime changes are written back to the wireguard configuration file. Be sure to replace the 'PrivateKey' value with the contents of the server private key 'server.key'.
[Interface]
# wireguard server private key - server.key
PrivateKey = sGpPeFlQQ5a4reM12HZIV3oqD3t+h7S5qxniZ5EElEQ=
# wireguard interface will run at 10.8.0.1
Address = 10.8.0.1/24
# Clients will connect to UDP port 51820
ListenPort = 51820
# Ensure any runtime changes are saved to the wireguard config file
SaveConfig = true
Next, add the following lines to define the client peer. Be sure to replace the 'PublicKey' value with the client public key from 'client1.pub'. The 'AllowedIPs' parameter specifies which source addresses are accepted from this peer and routed to it. In this example, only the client with the VPN IP '10.8.0.5' is allowed on this peer entry, so it is written as a /32 (a single host). You can additionally list an internal network subnet behind the client, such as '172.16.100.0/24', so that it is reachable through the wireguard peer.
[Peer]
# wireguard client public key - client1.pub
PublicKey = nsxkCFGsLYTTZagXRx9Kkdh6wz1NOjbjWmZ9h9NBiR8=
# VPN IP address of the client allowed on this peer entry (/32 = single host)
# a subnet behind the client can be added as well, e.g. 172.16.100.0/24
AllowedIPs = 10.8.0.5/32
Save and exit the file when finished.
You've now created the wireguard server configuration, defined the wireguard interface settings, and defined the peer entry for the client with the public key 'client1.pub'. Next, you'll enable IP forwarding and set up the UFW firewall.
After configuring the wireguard server, you'll now enable IP forwarding on your Ubuntu system via the '/etc/sysctl.conf' file.
Open the file '/etc/sysctl.conf' using the below nano editor command.
sudo nano /etc/sysctl.conf
Add the following lines to the end of the file.
# IPv4 forwarding
net.ipv4.ip_forward=1
# IPv6 forwarding
net.ipv6.conf.all.forwarding=1
Save the file and exit the editor when finished.
Now run the below sysctl command to apply the changes.
sudo sysctl -p
Output:
IP forwarding on your Ubuntu server is now enabled, and you're ready to set up the UFW firewall that will route traffic from clients to a specific network interface on your wireguard server.
In this step, you'll set up the ufw firewall that will be used for the wireguard server to route client connections to the proper network interface that will be used for accessing the internet. This also will allow wireguard clients to access the internet via the specific interface on the wireguard server.
To start, run the ip command below to check which network interface is used for connecting to the internet.
ip route list default
You may have an output similar to this, but with a different interface name and IP address. In this example, the interface eth0 is the default interface for accessing the internet, and 'eth0' will be used to route wireguard clients' connections to the internet and outside networks.
Next, open the wireguard server config file '/etc/wireguard/wg0.conf' using the following nano editor command.
sudo nano /etc/wireguard/wg0.conf
Add the following lines to the '[Interface]' section.
[Interface]
...
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Save and exit the file when finished.
After adding configurations to the wireguard server config file '/etc/wireguard/wg0.conf', you will now set up and enable the ufw firewall.
On Ubuntu, the default firewall is UFW, which is installed out of the box. Now you will start and enable the UFW firewall before starting the wireguard server.
Run the below ufw command to add the OpenSSH service to ufw.
sudo ufw allow OpenSSH
After OpenSSH is added, run the below command to start and enable the ufw firewall. When prompted, input y to confirm and press ENTER to proceed.
sudo ufw enable
When ufw is enabled, you should receive an output such as 'Firewall is active and enabled on system startup'.
Next, you must open the wireguard server port 51820 which will be used for wireguard client connections. Run the below ufw command to open UDP port 51820 on your Ubuntu system, then reload ufw to apply the changes.
sudo ufw allow 51820/udp
sudo ufw reload
Now verify the list of enabled rules on the ufw firewall using the below command.
sudo ufw status
You should receive an output like this: the ufw firewall status is 'active', with the OpenSSH service enabled and the wireguard port '51820/udp' added to the ufw firewall.
At this point, you've enabled IP forwarding via the /etc/sysctl.conf file and configured the ufw firewall on the wireguard server. You're now ready to start the wireguard server.
In this step, you'll start and enable the wireguard server. You'll also verify the wireguard server and verify the wg0 interface that will be created by the wireguard service.
Run the below systemctl command utility to start and enable the wireguard service. The service 'wg-quick@wg0.service' will create and enable the wireguard interface 'wg0' on your wireguard server.
sudo systemctl start wg-quick@wg0.service
sudo systemctl enable wg-quick@wg0.service
Now verify the wireguard service via the below command.
sudo systemctl status wg-quick@wg0.service
You will receive an output similar to this - The wireguard service 'wg-quick@wg0.service' is running and enabled. This also means that the 'wg0' interface has been created and is running.
Run the below command to verify the 'wg0' interface on your wireguard server.
ip a show wg0
You should receive an output like this - The wireguard interface wg0 has the IP address '10.8.0.1', as defined in the wireguard config file '/etc/wireguard/wg0.conf'.
Additionally, you can also start and stop the wireguard via the 'wg-quick' command as below. The 'wg-quick up' command will start the wireguard server, and the 'wg-quick down' will stop the wireguard server.
sudo wg-quick up /etc/wireguard/wg0.conf
sudo wg-quick down /etc/wireguard/wg0.conf
With the wireguard server running, you'll next set up the client machine and connect it to the wireguard server.
In this step, you'll set up wireguard on a Linux client machine, then connect the client machine to the wireguard server. This example uses an Ubuntu machine with the hostname 'client1' as the client machine, but you can also use any other Linux distribution.
Run the apt command below to update and refresh your client's package index, then install the wireguard-tools and resolvconf packages.
sudo apt update
sudo apt install wireguard-tools resolvconf
Input y when prompted for confirmation and press ENTER to proceed.
After wireguard-tools are installed, create a new wireguard client config file '/etc/wireguard/wg-client1.conf' using the following nano editor command.
sudo nano /etc/wireguard/wg-client1.conf
Add the following lines to the file.
[Interface]
# IP address for the client - must match the wg0 subnet on the wireguard server
Address = 10.8.0.5/24
# DNS server to use while connected
DNS = 1.1.1.1
# Private key for the client - client1.key
PrivateKey = EIM/iCAIeKRQvdL43Mezx1g1HG8ObnEXYaQPrzFlpks=

[Peer]
# Public key of the wireguard server - server.pub
PublicKey = cs5YcuScSFYtoPUsTDvJtxERjR3V3kmksSlnnHhdlzY=
# Route all traffic via the wireguard VPN
AllowedIPs = 0.0.0.0/0
# Public IP address of the wireguard server
Endpoint = SERVER-IP:51820
# Send a keepalive every 25 seconds
PersistentKeepalive = 25
Save the file and exit the editor when finished.
In the '[Interface]' section, you must define the following:
In the '[Peer]' section, you must add the following:
With the wireguard client config file created, you're ready to start wireguard on your client machine.
Run the 'wg-quick up' command below to start wireguard on the client machine.
sudo wg-quick up wg-client1
You should receive an output like this - The new Wireguard interface 'wg-client1' will be created and the client machine should be connected to the Wireguard server.
Run the below ip command to verify the wireguard interface 'wg-client1'.
ip a show wg-client1
You should receive an output like this - The wg-client1 interface is up with an IP address '10.8.0.5', which is part of the subnet of Wireguard server '10.8.0.0/24'.
Additionally, you can also verify the wireguard connection status via the 'wg show' command.
Run the 'wg show' command below on the client machine.
sudo wg show
You should see an output like this - The 'endpoint' field should be the IP address of the wireguard server, and the peer should be the wireguard server's public key 'server.pub'.
Now move to the wireguard server and run the 'wg show' command.
sudo wg show
You should receive an output similar to this - On the endpoint section, you'll see the client's public IP address and on the peer section you'll see the client public key 'client1.pub'.
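A stale or absent handshake in 'wg show' is the first sign of a mistyped key, a wrong endpoint, or a client that has gone away, so it is worth checking automatically. The script below is an added example, not part of the original tutorial; it parses the output of 'wg show wg0 latest-handshakes' (one "peer public key, TAB, unix time" line per peer, 0 meaning never) and lists peers whose last handshake is older than a limit. The peer keys in the embedded sample are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: list peers whose last
# handshake is stale. 'wg show wg0 latest-handshakes' prints one
# "<peer public key><TAB><unix time>" line per peer; 0 means never.
set -eu

# Reads latest-handshakes lines on stdin and prints "<pubkey> <age-in-seconds>"
# (or "<pubkey> never") for each peer older than $1 seconds. $2 is the
# reference time, defaulting to now; passing it makes the logic testable.
stale_peers() {
    limit=$1
    now=${2:-$(date +%s)}
    tab=$(printf '\t')
    while IFS="$tab" read -r pub ts; do
        [ -n "$pub" ] || continue
        if [ "$ts" -eq 0 ]; then
            echo "$pub never"
        elif [ $((now - ts)) -gt "$limit" ]; then
            echo "$pub $((now - ts))"
        fi
    done
}

# Constructed sample of 'wg show wg0 latest-handshakes' output (placeholder
# keys, not real peers): one fresh peer, one idle peer, one that never connected.
SAMPLE=$(printf 'PEER_A_PUBKEY=\t1700000000\nPEER_B_PUBKEY=\t1699990000\nPEER_C_PUBKEY=\t0\n')

# Evaluate the sample at a fixed reference time with a 600-second limit.
check_sample() {
    printf '%s\n' "$SAMPLE" | stale_peers 600 1700000100
}

# Live use on the server: sudo wg show wg0 latest-handshakes | stale_peers 180
check_sample
```

With PersistentKeepalive = 25 on the client, a healthy peer re-handshakes at least every few minutes, so a limit of a few hundred seconds separates live clients from dead ones.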
After connecting to the wireguard server, you'll now verify the connection between the client machine to the wireguard server via the wireguard IP address. You'll also verify the internet connection on the client machine to ensure that the client machine can reach the internet.
Run the ping commands below on the client machine.
ping -c5 10.8.0.1
ping -c5 1.1.1.1
ping -c5 duckduckgo.com
Below is the output you should receive:
The client machine can connect to the Wireguard server that has an IP address '10.8.0.1'.
The client machine can access the internet. All traffic is routed via the Wireguard server's public IP address.
The client machine can access any domain name on the internet - ensure that the domain name is resolved.
Now, you've configured the Wireguard VPN on the client machine. You've also verified the connection between the client machine and the Wireguard server.
In this tutorial, you have installed and configured Wireguard VPN on an Ubuntu 22.04 server. You have also configured a Debian-based client machine and successfully connected it to the Wireguard VPN server.
In detail, you've installed the Wireguard VPN package, generated public and private key pairs for both server and client, configured the UFW firewall to route VPN traffic to the specific network interface, and enabled IP forwarding via the /etc/sysctl.conf file.
With this in mind, you can now add more clients to your Wireguard VPN server by generating another key pair for the client, defining the peer connection on the Wireguard server, and then creating a new Wireguard config file that the client machine will use. To learn more about Wireguard, visit the official Wireguard documentation.
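The add-another-client procedure just described (new key pair, a [Peer] entry in wg0.conf, a client config like wg-client1.conf) is scripted below as an added example; it is not part of the original tutorial. It assumes the tutorial's layout (/etc/wireguard/wg0.conf, /etc/wireguard/server.pub, client keys under /etc/wireguard/clients/) and is run with sudo on the server. It generates key files under umask 077, so the private key is never world-readable, and it writes the peer's AllowedIPs as a /32.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: provision one more client
# (key pair, server [Peer] entry, client config). Assumes the tutorial's layout:
# /etc/wireguard/wg0.conf, /etc/wireguard/server.pub, /etc/wireguard/clients/.
set -eu
WG_DIR=${WG_DIR:-/etc/wireguard}

# [Peer] entry for the server's wg0.conf. A /32 means only this client's VPN
# address is accepted from and routed to this key; a /24 would hand the whole
# subnet to a single peer.
render_server_peer() {  # $1=client name  $2=client public key  $3=client VPN IP
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# Client-side config, same shape as wg-client1.conf in the tutorial.
render_client_conf() {  # $1=client private key $2=client VPN IP $3=server public key $4=host:port
    printf '[Interface]\nAddress = %s/24\nDNS = 1.1.1.1\nPrivateKey = %s\n\n' "$2" "$1"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s\nPersistentKeepalive = 25\n' "$3" "$4"
}

# Whole procedure for a new client.
add_client() {          # $1=client name  $2=client VPN IP  $3=server host:port
    name=$1 ip=$2 endpoint=$3
    umask 077           # key files are unreadable to group/others from creation
    mkdir -p "$WG_DIR/clients"
    wg genkey > "$WG_DIR/clients/$name.key"
    wg pubkey < "$WG_DIR/clients/$name.key" > "$WG_DIR/clients/$name.pub"
    pub=$(cat "$WG_DIR/clients/$name.pub")
    render_server_peer "$name" "$pub" "$ip" >> "$WG_DIR/wg0.conf"
    render_client_conf "$(cat "$WG_DIR/clients/$name.key")" "$ip" \
        "$(cat "$WG_DIR/server.pub")" "$endpoint" > "$WG_DIR/clients/$name.conf"
    # If wg0 is already up, add the peer live as well; with SaveConfig = true
    # wg-quick rewrites wg0.conf from the running state on the next 'down'.
    if ip link show wg0 >/dev/null 2>&1; then
        wg set wg0 peer "$pub" allowed-ips "$ip/32"
    fi
    echo "client config written to $WG_DIR/clients/$name.conf"
}

# Usage: sudo sh add-client.sh client2 10.8.0.6 SERVER-IP:51820
if [ $# -eq 3 ]; then
    add_client "$@"
fi
```

Because SaveConfig = true makes wg-quick regenerate wg0.conf from the live interface on 'wg-quick down', the comment lines in the file are discarded at that point; the key-to-peer mapping itself survives.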