Setting up WireGuard on an Ubuntu VPS is simple and straightforward. At the end of this guide you’ll have a VPN server you can connect to with any client you want.

Server setup

  • Follow the guide at Initial VPS setup
  • Open the firewall port for WireGuard:
    $ ufw allow 51820/udp
    

Install WireGuard

$ add-apt-repository ppa:wireguard/wireguard
$ apt-get update
$ apt-get install wireguard

Generate keys

$ umask 077
$ wg genkey > privatekey
$ wg pubkey < privatekey > publickey

Enable IP forwarding

  • Check if it is already enabled:
    $ sysctl net.ipv4.ip_forward
    
  • If not, edit /etc/sysctl.conf and set
    net.ipv4.ip_forward=1
    
  • Load updated configuration with:
    $ sysctl -p
    
  • Check if it is configured correctly.

Configure the interface

  • Edit /etc/wireguard/wg0.conf and set the following:
[Interface]
Address = 10.11.0.1/24
ListenPort = 51820
PrivateKey = COPY_THE_PRIVATE_KEY 

# note - substitute eth0 in the following lines to match the Internet-facing interface
# if the server is behind a router and receives traffic via NAT, these iptables rules are n$
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j M$
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j$

[Peer]
# myDevice
PublicKey = DEVICE_PUBLIC_KEY
AllowedIPs = 10.11.0.2/32

NOTE: You can print the keys with cat privatekey and cat publickey.

Options

Address defines the private IPv4 and IPv6 addresses for the WireGuard server. Each peer in the VPN network should have a unique value for this field.

ListenPort specifies which port WireGuard will use for incoming connections.

PostUp and PostDown define steps to be run after the interface is turned on or off, respectively. In this case, iptables is used to set Linux IP masquerade rules to allow all the clients to share the server’s IPv4 and IPv6 address. The rules will then be cleared once the tunnel is down.

AllowedIPs lists the networks to which this client should have access.
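
An added example, not part of the original guide: a small Python linter for the server's wg0.conf that flags placeholder keys left in place and [Peer] AllowedIPs entries that overlap between peers or fall outside the Address subnet. The function names and the sample config are constructed for illustration, and the subnet check assumes the single-tunnel layout used in this guide.

```python
import base64
import ipaddress

def parse_wg_conf(text):
    """Return [(section, {key: value})] in file order; [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)          # split once: keys end in '='
            sections[-1][1][key.strip()] = value.strip()
    return sections

def valid_key(value):
    """A WireGuard key is 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:                               # binascii.Error is a ValueError
        return False

def nets(value):  # comma-separated Address/AllowedIPs value -> list of networks
    return [ipaddress.ip_interface(v.strip()).network for v in value.split(",") if v.strip()]

def lint_server_conf(text):
    """Return a list of problems found in a server-side wg0.conf."""
    problems, seen = [], []
    sections = parse_wg_conf(text)
    iface = next((kv for name, kv in sections if name == "Interface"), {})
    if not valid_key(iface.get("PrivateKey", "")):
        problems.append("Interface: PrivateKey missing or still a placeholder")
    tunnel = nets(iface.get("Address", ""))
    for kv in (kv for name, kv in sections if name == "Peer"):
        if not valid_key(kv.get("PublicKey", "")):
            problems.append("Peer: PublicKey missing or still a placeholder")
        for net in nets(kv.get("AllowedIPs", "")):
            if not any(net.version == t.version and net.subnet_of(t) for t in tunnel):
                problems.append(f"Peer: {net} is outside the tunnel subnet")
            if any(net.overlaps(other) for other in seen):
                problems.append(f"Peer: {net} overlaps another peer's AllowedIPs")
            seen.append(net)
    return problems

# Constructed sample; assumption: peers only own addresses inside the tunnel subnet.
KEY = base64.b64encode(bytes(range(32))).decode()    # dummy bytes, not a real key
SAMPLE = (f"[Interface]\nAddress = 10.11.0.1/24\nPrivateKey = COPY_THE_PRIVATE_KEY\n"
          f"[Peer]\nPublicKey = {KEY}\nAllowedIPs = 10.11.0.2/32\n"
          f"[Peer]\nPublicKey = {KEY}\nAllowedIPs = 10.11.0.2/32, 192.168.1.0/24\n")
if __name__ == "__main__": print(*lint_server_conf(SAMPLE), sep="\n")
```

Run it against the real file's contents before starting the interface; an empty result means none of these three mistakes is present.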

Start and go

  • Enable the interface on startup:
    $ systemctl enable wg-quick@wg0.service
    
  • Start the interface:
    $ systemctl start wg-quick@wg0.service
    
  • Check setup:
    $ wg show
    

Client config

The configuration of the “client” should be something like:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.11.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = SERVER_IP:51820

AllowedIPs = 0.0.0.0/0 will allow and route all traffic on the client through the VPN tunnel.
