Setting up WireGuard on an Ubuntu VPS is simple and straightforward. At the end of the guide you’ll have a VPN server you can connect to with any client you want.

Server setup

  • Follow the guide at Initial VPS setup
  • Open the firewall port for WireGuard:
    $ ufw allow 51820/udp

Install WireGuard

$ add-apt-repository ppa:wireguard/wireguard
$ apt-get update
$ apt-get install wireguard

Generate keys

$ umask 077
$ wg genkey > privatekey
$ wg pubkey < privatekey > publickey

Enable IP forwarding

  • Check if it is already enabled:
    $ sysctl net.ipv4.ip_forward
  • If not, edit /etc/sysctl.conf and set
  • Load updated configuration with:
    $ sysctl -p
  • Check if it is configured correctly.

Configure the interface

  • Edit /etc/wireguard/wg0.conf and set the following:
Address =
ListenPort = 51820

# note - substitute eth0 in the following lines to match the Internet-facing interface
# if the server is behind a router and receive traffic via NAT, this iptables rules are n$
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j M$
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j$

# myDevice
AllowedIPs =

NOTE: You can print the public and private keys with cat publickey and cat privatekey.


Address defines the private IPv4 and IPv6 addresses for the WireGuard server. Each peer in the VPN network should have a unique value for this field.

ListenPort specifies which port WireGuard will use for incoming connections.

PostUp and PostDown define steps to be run after the interface is turned on or off, respectively. In this case, iptables is used to set Linux IP masquerade rules to allow all the clients to share the server’s IPv4 and IPv6 address. The rules will then be cleared once the tunnel is down.

AllowedIPs lists the networks to which this client should have access.
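
The script below is an added example, not part of the original guide: it checks that a wg-quick config is not readable by group or others (it contains the private key) and that every iptables rule appended in PostUp is deleted again in PostDown. The function names, the sample config and all values in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the guide: two pre-flight checks for a wg-quick config.
# Function names are hypothetical; the sample config is constructed. Uses GNU stat.

# True if the file grants nothing to group or others (it holds PrivateKey).
conf_is_private() {
    case "$(stat -c '%a' "$1" 2>/dev/null)" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the iptables commands found under one key (PostUp or PostDown), one per line.
rules_for() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep '^iptables' || true
}

# Print each rule PostUp appends (-A) that PostDown never deletes (-D).
# No output means the tunnel removes everything it added. Only -A rules are checked.
unmatched_postup_rules() {
    wg_down=$(rules_for PostDown "$1")
    rules_for PostUp "$1" | grep ' -A ' | while IFS= read -r wg_rule; do
        wg_want=$(printf '%s\n' "$wg_rule" | sed 's/ -A / -D /')
        printf '%s\n' "$wg_down" | grep -Fxq -- "$wg_want" || printf '%s\n' "$wg_rule"
    done
}

# Constructed sample: PostDown forgets the NAT rule, and the file is world-readable.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = CONSTRUCTED_PLACEHOLDER_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
EOF
    chmod 644 "$1"
}

sample=$(mktemp)
write_sample_conf "$sample"
conf_is_private "$sample" || echo "WARN: $sample is readable by group or others"
echo "Rules left behind after PostDown:"
unmatched_postup_rules "$sample"
rm -f "$sample"
```

To audit a real server, call the two check functions on /etc/wireguard/wg0.conf instead of the sample file.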

Start and go

  • Enable the interface on startup:
    $ systemctl enable wg-quick@wg0.service
  • Start the interface:
    $ systemctl start wg-quick@wg0.service
  • Check setup:
    $ wg show

Client config

The configuration of the “client” should be something like:

Address =

AllowedIPs =, ::/0
Endpoint = SERVER_IP:51820

AllowedIPs = will allow and route all traffic on the client through the VPN tunnel.