Setting up WireGuard on an Ubuntu VPS is simple and straightforward. At the end of this guide you will have a VPN server you can connect to with any WireGuard client.
Server setup
- Follow the guide at Initial VPS setup
- Open the firewall port for WireGuard (UDP only; WireGuard never uses TCP, so nothing else needs to be opened):
$ ufw allow 51820/udp
Install WireGuard
Run the commands as root (or prefix them with sudo). On Ubuntu 20.04 and newer the wireguard package is in the standard repositories, so the add-apt-repository step can be skipped; the PPA is only needed on older releases.
$ add-apt-repository ppa:wireguard/wireguard
$ apt-get update
$ apt-get install wireguard
Generate keys
The umask makes the key files readable only by their owner (mode 0600). The server's private key must never leave the server; each client generates its own key pair on the client and only its public key is copied to the server.
$ umask 077
$ wg genkey > privatekey
$ wg pubkey < privatekey > publickey
Enable IP forwarding
- Check whether it is already enabled (1 means on):
$ sysctl net.ipv4.ip_forward
- If not, edit
/etc/sysctl.conf
and set net.ipv4.ip_forward=1
- Load the updated configuration with:
$ sysctl -p
- Re-run the check above; it should now print net.ipv4.ip_forward = 1. Without forwarding the tunnel comes up and handshakes fine, but client traffic to the Internet is silently dropped.
Configure the interface
- Edit
/etc/wireguard/wg0.conf
and set the following:
[Interface]
Address = 10.11.0.1/24
ListenPort = 51820
PrivateKey = COPY_THE_PRIVATE_KEY
# note - substitute eth0 in the following lines with the server's Internet-facing interface (see: ip route show default)
# if the server is behind a router and receives its traffic via NAT, the router must forward UDP 51820 to this host; adapt these rules to that setup
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# myDevice
PublicKey = DEVICE_PUBLIC_KEY
AllowedIPs = 10.11.0.2/32
NOTE: the value for PrivateKey is the content of the privatekey file generated above (cat privatekey). DEVICE_PUBLIC_KEY is the client's public key, generated on the client; do not paste the server's own publickey there.
Options
Address defines the server's address inside the tunnel network (10.11.0.1/24 here; an IPv6 tunnel address can be added, comma-separated). Each peer in the VPN must have a unique address.
ListenPort specifies which UDP port WireGuard listens on for incoming connections; it must match the firewall rule above.
PostUp and PostDown define commands to run after the interface is brought up or down, respectively. Here iptables accepts forwarded packets arriving from the tunnel and masquerades the clients' traffic behind the server's IPv4 address on eth0, so all clients share it; the rules are removed again when the tunnel goes down. Only IPv4 rules are set above; add the matching ip6tables rules if you give the tunnel an IPv6 address.
AllowedIPs is WireGuard's cryptokey routing table, not just a reachability list. On the server it names the source addresses a peer is allowed to use (packets from that peer with any other source address are dropped) and the destinations the server routes back to that peer, so keep it to the peer's own /32. On the client it names the destinations routed into the tunnel.
Start and go
- Enable the interface on startup:
$ systemctl enable wg-quick@wg0.service
- Start the interface:
$ systemctl start wg-quick@wg0.service
- Check the setup (as root). The peer is listed immediately; "latest handshake" and the transfer counters only appear once a client has actually connected:
$ wg show
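The output of wg show is meant for eyes; for a recurring check it is easier to parse the machine-readable form, wg show wg0 dump, which prints one tab-separated line for the interface followed by one per peer (public key, preshared key, endpoint, allowed IPs, latest handshake as a UNIX timestamp or 0 if none, bytes received, bytes sent, keepalive). The script below is an added example, not part of the original guide or of WireGuard itself: it lists peers that have never completed a handshake or whose last handshake is older than a threshold. The dump lines in SAMPLE_DUMP are constructed sample data with placeholder keys, and the 180-second default is an assumption (an active peer re-handshakes at least every two minutes, so a much older handshake means the peer is idle or gone).

```shell
#!/bin/sh
# Added example (not from the original guide): flag WireGuard peers with a
# missing or stale handshake from the output of `wg show <iface> dump`.
set -eu

# Constructed sample of `wg show wg0 dump` output (tab-separated, placeholder keys):
# line 1 = interface (private key, public key, listen port, fwmark),
# then one line per peer:
# public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
SAMPLE_DUMP=$(printf 'SERVER_PRIVATE_KEY\tSERVER_PUBLIC_KEY\t51820\toff\n'
printf 'PEER_A_PUBLIC_KEY\t(none)\t203.0.113.5:41234\t10.11.0.2/32\t1700000000\t12345\t67890\toff\n'
printf 'PEER_B_PUBLIC_KEY\t(none)\t(none)\t10.11.0.3/32\t0\t0\t0\toff\n')

# stale_peers DUMP NOW MAX_AGE
# Prints "<public-key> <allowed-ips> <age>s" for every peer whose latest handshake
# is older than MAX_AGE seconds relative to NOW, or "... never" if the peer has
# never handshaked (latest-handshake field is 0). Prints nothing when all peers are fresh.
stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="$3" 'NR > 1 && NF >= 8 {
        age = ($5 == 0) ? -1 : now - $5
        if (age < 0 || age > max)
            print $1, $4, ((age < 0) ? "never" : (age "s"))
    }'
}

# Usage: sh check_peers.sh live [iface] [max_age]   (reads the real dump, needs root)
#        sh check_peers.sh                            (runs on the constructed sample)
if [ "${1:-}" = "live" ]; then
    stale_peers "$(wg show "${2:-wg0}" dump)" "$(date +%s)" "${3:-180}"
else
    stale_peers "$SAMPLE_DUMP" 1700000400 180
fi
```

Run from cron or a monitoring agent, an empty result means every configured peer has handshaked recently; a peer that shows up as "never" right after deployment almost always means the public key on the server does not match the client's private key, or UDP 51820 is not reachable.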
Client config
The configuration of the “client” should be something like:
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.11.0.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = SERVER_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0 routes all of the client's IPv4 and IPv6 traffic through the tunnel; wg-quick installs the default routes for you. Because the server above only has an IPv4 tunnel address, the client's IPv6 traffic goes into the tunnel and is dropped there instead of leaking out of the client's normal interface, which is the safer behaviour for a full-tunnel VPN. The DNS line makes the client use that resolver while the tunnel is up (on Linux wg-quick needs resolvconf for this), so name lookups do not leak to the local network's resolver either.
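The server and client configs above share three things that must agree exactly: the key pairs (each side's PublicKey is the other side's PrivateKey's public half), the tunnel addresses (the client's Address must fall inside the server's AllowedIPs for that peer) and the port. The script below is an added example, not part of the original guide or of WireGuard's own tooling: it renders both files from one set of variables so they cannot drift, and checks that a key has the right shape (32 bytes base64-encoded, i.e. 43 base64 characters plus one "=") before writing it, which catches a truncated or mis-pasted key. WAN_IF, SERVER_ENDPOINT and the output paths are placeholders (203.0.113.10 is a documentation address); the key checks and the render functions run without wg, the generate step needs it.

```shell
#!/bin/sh
# Added example (not from the original guide): render matching server/client
# WireGuard configs from one set of variables and validate key material first.
set -eu

WAN_IF="${WAN_IF:-eth0}"                                   # placeholder: Internet-facing interface
SERVER_ENDPOINT="${SERVER_ENDPOINT:-203.0.113.10:51820}"   # placeholder: VPS public IP and port

# valid_key KEY
# A WireGuard key is 32 random bytes, base64-encoded: exactly 43 base64 chars
# followed by one '='. Check the shape with a regex, then that it really
# decodes to 32 bytes (GNU coreutils base64). wg would reject a bad key only
# when the interface starts, and a wrong-but-well-formed key silently matches no peer.
valid_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$' || return 1
    [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" -eq 32 ]
}

# render_server_conf SERVER_PRIVATE_KEY CLIENT_PUBLIC_KEY WAN_IF
render_server_conf() {
    cat <<EOF
[Interface]
Address = 10.11.0.1/24
ListenPort = 51820
PrivateKey = $1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $3 -j MASQUERADE

[Peer]
# myDevice
PublicKey = $2
AllowedIPs = 10.11.0.2/32
EOF
}

# render_client_conf CLIENT_PRIVATE_KEY SERVER_PUBLIC_KEY SERVER_ENDPOINT
render_client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = 10.11.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = $2
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $3
EOF
}

# Usage: sh make_wg_configs.sh generate   (run as root on the server; needs wg)
# Both files contain a private key, so they are created with mode 0600 via umask.
if [ "${1:-}" = "generate" ]; then
    umask 077
    server_priv=$(wg genkey); server_pub=$(printf '%s\n' "$server_priv" | wg pubkey)
    client_priv=$(wg genkey); client_pub=$(printf '%s\n' "$client_priv" | wg pubkey)
    valid_key "$server_priv"
    valid_key "$client_pub"
    render_server_conf "$server_priv" "$client_pub" "$WAN_IF" > /etc/wireguard/wg0.conf
    render_client_conf "$client_priv" "$server_pub" "$SERVER_ENDPOINT" > ./myDevice.conf
    echo "wrote /etc/wireguard/wg0.conf and ./myDevice.conf (copy the client file to the device over a secure channel, then delete it here)"
fi
```

Generating the client key on the server, as the generate step does, is a convenience for a first setup; the cleaner pattern is the one the guide describes, where the client generates its own pair and only sends its public key. If the client sits behind NAT and the server must be able to reach it (not only the other way round), add PersistentKeepalive = 25 to the client's [Peer] section.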
Reference
- https://www.wireguard.com/quickstart/
- https://www.thomas-krenn.com/en/wiki/Ubuntu_18.04_as_WireGuard_VPN_client_configuration
- https://wiki.archlinux.org/index.php/WireGuard#Specific_use-case:_VPN_server
- https://www.linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/
- https://grh.am/2018/wireguard-setup-guide-for-ios/ (a well written WireGuard setup article)