Setting up WireGuard on an Ubuntu VPS is simple and straightforward. At the end of the guide you'll have a VPN server you can connect to with any client you want.
- Follow the guide at Initial VPS setup
- Open the firewall port for WireGuard:
$ ufw allow 51820/udp
$ add-apt-repository ppa:wireguard/wireguard
$ apt-get update
$ apt-get install wireguard
$ umask 077
$ wg genkey > privatekey
$ wg pubkey < privatekey > publickey
Enable IP forwarding
- Check if it is already enabled:
$ sysctl net.ipv4.ip_forward
- If not, edit /etc/sysctl.conf and set net.ipv4.ip_forward=1
- Load updated configuration with:
$ sysctl -p
- Check that it is now configured correctly: the sysctl command above should print net.ipv4.ip_forward = 1.
Configure the interface
Edit /etc/wireguard/wg0.conf and set the following:
[Interface]
Address = 10.11.0.1/24
ListenPort = 51820
PrivateKey = COPY_THE_PRIVATE_KEY
# note - substitute eth0 in the following lines to match the Internet-facing interface
# if the server is behind a router and receives traffic via NAT, these iptables rules are n...
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# myDevice
PublicKey = DEVICE_PUBLIC_KEY
AllowedIPs = 10.11.0.2/32
NOTE: You can get the public and private key with the wg genkey and wg pubkey commands shown above (they are written to the files publickey and privatekey).
Address defines the private IPv4 and IPv6 addresses for the WireGuard server. Each peer in the VPN network should have a unique value for this field.
ListenPort specifies which port WireGuard will use for incoming connections.
PostUp and PostDown define steps to be run after the interface is turned on or off, respectively. In this case, iptables is used to set Linux IP masquerade rules so that all the clients share the server's IPv4 and IPv6 address. The rules are then cleared once the tunnel is down.
AllowedIPs defines the networks to which this client should have access.
Start and go
- Enable the interface on startup:
$ systemctl enable wg-quick@wg0
- Start the interface:
$ systemctl start wg-quick@wg0
- Check setup:
$ wg show
The configuration of the “client” should be something like:
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.11.0.2/24
DNS = 220.127.116.11

[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = SERVER_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0 on the client routes all of its traffic through the VPN tunnel.
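The guide shows a single [Peer] on the server and one client config. The helper below is an added example, not part of the guide, for enrolling further clients the same way: it picks the next unused /32 in 10.11.0.0/24, appends the [Peer] stanza to wg0.conf, applies it live with wg set, and prints the matching client config. SERVER_ENDPOINT and CLIENT_DNS are placeholders you must set for your host; the functions that do not call wg can be exercised on their own.

```shell
#!/bin/sh
# Added helper (not from the guide): enrol one more client on the server above.
# Assumes the guide's layout: wg0.conf at WG_CONF, VPN subnet 10.11.0.0/24 with the
# server at .1, and every client pinned to a single /32. SERVER_ENDPOINT and
# CLIENT_DNS are placeholders to set for your host.
set -eu
WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
SERVER_ENDPOINT="${SERVER_ENDPOINT:-SERVER_IP:51820}"
CLIENT_DNS="${CLIENT_DNS:-DNS_SERVER_IP}"

# Find the lowest unused host address by reading the /32s already handed out.
next_free_ip() {  # $1 = contents of wg0.conf
    used=$(printf '%s\n' "$1" | sed -n 's/^AllowedIPs *= *10\.11\.0\.\([0-9]*\)\/32.*/\1/p')
    n=2   # .1 is the server itself
    while printf '%s\n' "$used" | grep -qx "$n"; do n=$((n + 1)); done
    [ "$n" -le 254 ] || { echo "10.11.0.0/24 has no free address" >&2; return 1; }
    echo "10.11.0.$n"
}

# [Peer] stanza for the server: the /32 means the server only accepts packets
# from this key when they carry exactly this source address.
render_server_peer() {  # $1 = label, $2 = client public key, $3 = client address
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# Matching client config; 0.0.0.0/0, ::/0 routes all client traffic via the tunnel.
render_client_conf() {  # $1 = client private key, $2 = client address, $3 = server public key
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\nDNS = %s\n\n' "$1" "$2" "$CLIENT_DNS"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0, ::/0\nEndpoint = %s\n' "$3" "$SERVER_ENDPOINT"
}

add_client() {  # $1 = a label for the new peer
    umask 077                                        # key material is never world-readable
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    server_pub=$(sed -n 's/^PrivateKey *= *//p' "$WG_CONF" | wg pubkey)
    ip=$(next_free_ip "$(cat "$WG_CONF")")
    render_server_peer "$1" "$pub" "$ip" >> "$WG_CONF"  # persists across reboots
    wg set wg0 peer "$pub" allowed-ips "$ip/32"           # applies without restarting wg0
    render_client_conf "$priv" "$ip" "$server_pub"        # hand this file to the client
}

[ $# -eq 0 ] || add_client "$1"   # usage: sh add-client.sh laptop > laptop.conf
```

The client config is printed to stdout only; move it to the device over a channel you trust and delete the local copy.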
- A well written article on WireGuard: https://grh.am/2018/wireguard-setup-guide-for-ios/