WireGuard is a modern VPN that works on a peer model: every endpoint is a peer identified by a static public key, and any two peers that know each other's public key can bring up a tunnel. Compared with IPsec or OpenVPN it is simpler and lighter, both in configuration and in how connectivity is established.
WireGuard was initially built for the Linux kernel, where it has been part of mainline since Linux 5.6, and has since gained implementations for other operating systems including Windows and macOS.
This guide shows how to set up a WireGuard VPN server and how to connect to it with a WireGuard client. The server will run on Ubuntu 24.04 | 22.04 LTS.
Setup WireGuard Server on Ubuntu 24.04 | 22.04
- Update your system:
sudo apt update
sudo apt upgrade -y
- Install iptables if it is not already present (the PostUp/PostDown rules below use it):
sudo apt-get install iptables -y
- Install Wireguard server:
sudo apt-get install wireguard -y
- Enable IP forwarding so the server can route packets between the tunnel and its Internet-facing interface. Uncomment (or add) the line net.ipv4.ip_forward=1 in /etc/sysctl.conf:
sudo vim /etc/sysctl.conf
- Apply the change. sysctl -p reloads the file and prints each setting it applies, so the output should include net.ipv4.ip_forward = 1:
sudo sysctl -p
Configure WireGuard Server
WireGuard authenticates peers with public-key cryptography: each side holds a private key that never leaves the host and a public key that is handed to the other side. We therefore generate a key pair on the server with the wg command-line tool. Do this as root, and set a restrictive umask first (the WireGuard quick start recommends umask 077) so the private key file is never created world-readable:
sudo su -
wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
The keys are stored in /etc/wireguard. The next step is to create the WireGuard network interface and choose the tunnel subnet (10.10.10.0/24 in this guide) that the server and its clients will use. The server's private key goes into the interface configuration, so print it:
cat /etc/wireguard/privatekey
Create the interface configuration:
sudo vim /etc/wireguard/wg0.conf
[Interface]
Address = 10.10.10.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = <SERVER-PRIVATE-KEY>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Replace <SERVER-PRIVATE-KEY> with the server's private key. Replace eth0 in the PostUp and PostDown lines with the name of the server's Internet-facing interface, which ip route show default prints; on cloud Ubuntu images it is often ens3 or enp0s3 rather than eth0. Two further points about this configuration: SaveConfig = true makes wg-quick write the running configuration, including peers added later with wg set, back to wg0.conf when the interface is brought down, which also overwrites any edits made to the file while the interface was up; and the FORWARD rule only accepts packets entering from the tunnel, so if your FORWARD chain's default policy is DROP (ufw and Docker both set it) you also need a matching rule with -o %i for the return traffic. If ufw is enabled, allow UDP port 51820 as well. Then restrict permissions on the files that contain the private key:
sudo chmod 600 /etc/wireguard/{privatekey,wg0.conf}
Next, bring up the WireGuard interface:
sudo wg-quick up wg0
Sample output:
$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
To check the status of the interface (wg needs root to read it):
$ sudo wg show wg0
interface: wg0
public key: KUPIT1tQDHv4mtigYIjTGLGVg754h2V6THDE7vIApzM=
private key: (hidden)
listening port: 51820
Setup WireGuard Client
Install Wireguard packages on the client machine:
sudo apt install wireguard -y
After installation, generate the client's own key pair (again as root, with umask 077 set first):
sudo su -
wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
Next, create a configuration file in /etc/wireguard:
sudo vim /etc/wireguard/wg0.conf
Add the following content, replacing <Client-private-key> with the contents of the client's /etc/wireguard/privatekey and <server-public-key> with the contents of the server's /etc/wireguard/publickey. Use the server's public IP address (or DNS name) in the Endpoint value. AllowedIPs = 0.0.0.0/0 sends all of the client's IPv4 traffic through the tunnel; note that this does not cover IPv6, so a client with IPv6 connectivity will still send IPv6 traffic directly, and that DNS queries to the client's usual resolver now also travel through the tunnel, so add a DNS = line to [Interface] pointing at a resolver reachable from the server if name resolution stops working.
[Interface]
PrivateKey = <Client-private-key>
Address = 10.10.10.2/24
[Peer]
PublicKey = <server-public-key>
Endpoint = <server-ip-address>:51820
AllowedIPs = 0.0.0.0/0
Allow the client to connect by registering its public key as a peer on the server. Replace <client-public-key> with the client's actual public key. The allowed-ips value must be the client's tunnel address as a single /32 (10.10.10.2/32 here, matching the Address in the client configuration); it tells the server which source addresses this peer may use and which destinations to route to it, so a wrong subnet means no traffic flows:
sudo wg set wg0 peer <client-public-key> allowed-ips 10.10.10.2/32
The peer is active immediately, and because the server configuration has SaveConfig = true it is written to wg0.conf the next time the interface is brought down. Alternatively, bring wg0 down, add a [Peer] block with the same PublicKey and AllowedIPs to wg0.conf, and bring it up again.
On the client computer, bring up the VPN interface:
sudo wg-quick up wg0
You will get an output similar to:
$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
The tunnel is now established and all IPv4 traffic from the client is routed through the server. To verify, run sudo wg show on either side: the peer entry should show a recent latest handshake and growing transfer counters, and the client's public address as seen by Internet services should now be the server's. Cheers!