Setup Wireguard VPN Server on Ubuntu

This tutorial shows you how to set up your own WireGuard VPN server on Ubuntu.
WireGuard is made specifically for Linux: it runs inside the Linux kernel and lets you create fast, modern, and secure VPN tunnels.

Prerequisites

This tutorial assumes that the VPN server and VPN client are both going to be running on Ubuntu 20.04 operating system.

Setting Up the WireGuard Server

Install Wireguard from the default Ubuntu repository:

sudo apt update
sudo apt install wireguard

You should now have the two command-line tools wg and wg-quick.
Generate a key pair for your server:

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
cat /etc/wireguard/privatekey
cat /etc/wireguard/publickey

Keep the server key pair handy (in your clipboard or some other temporary place); you will need both keys shortly.
Now, create the WireGuard server configuration file.
Check the name of your public network interface first:

ip -o -4 route show to default | awk '{print $5}'

Then create the WireGuard configuration file:

sudo vim /etc/wireguard/wg0.conf

Add this content:

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

  • Address - A comma-separated list of v4 or v6 IP addresses for the wg0 interface. Use IPs from a range that is reserved for private networks (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16).

  • SaveConfig - When set to true, the current state of the interface (including peers added at runtime) is saved back to the configuration file when the interface is shut down.

  • PostUp - Command or script that wg-quick executes after bringing the interface up (PostDown runs after taking it down). In the configuration above, we're using iptables to enable masquerading. This allows traffic to leave the server, giving the VPN clients access to the Internet.

  • eth0 - The name of your public network interface. Replace it with the name the ip route command above printed, in both the PostUp and PostDown lines.

Secure the configuration file and private key file like so:

sudo chmod 600 /etc/wireguard/{privatekey,wg0.conf}

Launch the VPN network interface you just configured, and enable it so it comes up at boot:

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
# `wg0` is just the name of the config file you created above.

Configure Server Networking and Firewall

IP forwarding must be enabled for NAT to work. Do the following:

sudo vim /etc/sysctl.conf

Uncomment or add this line:

net.ipv4.ip_forward=1

Apply the change:

sudo sysctl -p

If ufw is active on your server, allow the WireGuard listen port through it:

sudo ufw allow 51820/udp
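The server steps above (key generation, writing wg0.conf, IP forwarding, bringing the interface up) gathered into one script, as an added example that is not part of the original tutorial. It detects the public interface instead of hard-coding eth0, keeps the private key out of the clipboard, creates the files with a restrictive umask so they are never world-readable, and refuses to bring the interface up if a placeholder such as SERVER_PRIVATE_KEY is still in the file. It assumes wireguard-tools is installed and that it is run as root with WG_APPLY=1; the WG_DIR, WG_NET and WG_PORT variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the tutorial: build the server-side wg0.conf
# described above from a key pair and the detected WAN interface.
# Assumes wireguard-tools is installed; apply_server must run as root.
set -eu

WG_DIR="${WG_DIR:-/etc/wireguard}"
WG_NET="${WG_NET:-10.0.0.1/24}"
WG_PORT="${WG_PORT:-51820}"

# Name of the interface carrying the default route (the "eth0" in the tutorial).
detect_wan_iface() {
    ip -o -4 route show to default | awk '{print $5; exit}'
}

# Pure function: print the [Interface] section for the server.
# $1 = server private key, $2 = WAN interface, $3 = address/CIDR, $4 = listen port
render_server_conf() {
    key="$1"; wan="$2"; addr="$3"; port="$4"
    printf '[Interface]\n'
    printf 'Address = %s\n' "$addr"
    printf 'SaveConfig = true\n'
    printf 'ListenPort = %s\n' "$port"
    printf 'PrivateKey = %s\n' "$key"
    printf 'PostUp = iptables -A FORWARD -i %%i -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$wan"
    printf 'PostDown = iptables -D FORWARD -i %%i -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$wan"
}

# Sanity check before bringing the interface up: exactly one private key,
# a numeric port, NAT rules present, and no placeholder left behind.
validate_conf() {
    conf="$1"
    [ "$(grep -c '^PrivateKey = ' "$conf")" -eq 1 ] || return 1
    grep -q '^ListenPort = [0-9][0-9]*$' "$conf" || return 1
    grep -q 'MASQUERADE' "$conf" || return 1
    ! grep -q 'SERVER_PRIVATE_KEY' "$conf" || return 1
}

# Create keys and config with umask 077 so the files are owner-only from the
# start (the tutorial achieves the same with chmod 600 afterwards).
apply_server() {
    umask 077
    mkdir -p "$WG_DIR"
    [ -f "$WG_DIR/privatekey" ] || wg genkey > "$WG_DIR/privatekey"
    wg pubkey < "$WG_DIR/privatekey" > "$WG_DIR/publickey"
    render_server_conf "$(cat "$WG_DIR/privatekey")" "$(detect_wan_iface)" \
        "$WG_NET" "$WG_PORT" > "$WG_DIR/wg0.conf"
    validate_conf "$WG_DIR/wg0.conf"
    # IP forwarding: apply now and persist across reboots.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    wg-quick up wg0
    systemctl enable wg-quick@wg0
    echo "Server public key: $(cat "$WG_DIR/publickey")"
}

if [ "${WG_APPLY:-0}" = 1 ]; then
    apply_server
fi
```

Run it as `sudo WG_APPLY=1 sh setup-server.sh`; without WG_APPLY it only defines the functions, which is what makes render_server_conf and validate_conf easy to check on a workstation before touching the server.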

Client Setup

Installation is the same as on the server, and so is key pair generation:

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

Create the WireGuard client configuration:

sudo vim /etc/wireguard/wg0.conf

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP_ADDRESS:51820
AllowedIPs = 0.0.0.0/0

  • Address - A comma-separated list of v4 or v6 IP addresses for the wg0 interface. Your client machine will have this private IP inside the VPN.

  • PrivateKey - To see the contents of the file on the client machine run: sudo cat /etc/wireguard/privatekey

  • AllowedIPs - A comma-separated list of v4 or v6 IP addresses from which incoming traffic for the peer is allowed and to which outgoing traffic for this peer is directed. We're using 0.0.0.0/0 because we are routing all of the client's traffic through the server and want to accept packets from the server peer with any source IP.
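A small generator for the client configuration above, added here as an example and not part of the original tutorial. Its main job is a check the tutorial does not do: a WireGuard key is 32 bytes, so its base64 form is always 44 characters ending in "=", and the script refuses to write a file that still holds a placeholder such as CLIENT_PRIVATE_KEY or SERVER_PUBLIC_KEY. It also goes one step beyond the page and offers a "split" mode that only routes the VPN subnet through the tunnel, which is the AllowedIPs behaviour the bullet describes; the function names, the "full"/"split" modes and the 203.0.113.5 endpoint in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the tutorial: render the client wg0.conf and refuse
# placeholder keys. Assumes wireguard-tools on the client. Keys in the
# comments below are constructed placeholders, not real keys.
set -eu

# A WireGuard key is 32 bytes -> base64 is exactly 43 chars plus a trailing '='.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Print a client [Interface]/[Peer] config.
# $1 = client private key, $2 = client address/CIDR (a /24 is assumed for split mode),
# $3 = server public key, $4 = server endpoint host:port,
# $5 = "full" (AllowedIPs = 0.0.0.0/0, everything goes through the tunnel)
#      or "split" (only the VPN subnet goes through the tunnel).
render_client_conf() {
    ckey="$1"; caddr="$2"; skey="$3"; endpoint="$4"; mode="$5"
    is_wg_key "$ckey" || { echo "client private key is not a valid WireGuard key" >&2; return 1; }
    is_wg_key "$skey" || { echo "server public key is not a valid WireGuard key" >&2; return 1; }
    case "$mode" in
        full)  allowed="0.0.0.0/0" ;;
        split) allowed="${caddr%.*}.0/${caddr#*/}" ;;   # 10.0.0.2/24 -> 10.0.0.0/24
        *)     echo "mode must be full or split" >&2; return 1 ;;
    esac
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\n\n' "$ckey" "$caddr"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\n' "$skey" "$endpoint" "$allowed"
}

# Write the config owner-only from the start (same effect as the chmod 600 in the tutorial).
# Example (run as root on the client):
#   write_client_conf "$(cat /etc/wireguard/privatekey)" 10.0.0.2/24 "$SERVER_PUBKEY" 203.0.113.5:51820 full
write_client_conf() {
    umask 077
    mkdir -p /etc/wireguard
    render_client_conf "$@" > /etc/wireguard/wg0.conf
}
```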

Add the Client Peer to the Server Peer

On the server, register the client's public key and the VPN address it is allowed to use. Because SaveConfig = true is set, this peer is written back to wg0.conf when the interface is shut down, so it survives a restart:

sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.0.0.2

You should be able to launch your client now and see a handshake with the server in the output of wg show:

sudo wg-quick up wg0
sudo wg show wg0

If you want to remove a peer from your server, this will work:

sudo wg set wg0 peer CLIENT_PUBLIC_KEY remove
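Once a few clients have been added with `wg set`, it helps to know which of them are actually alive before deciding what to remove. The script below is an added example, not part of the original tutorial: it parses the machine-readable output of `wg show wg0 dump` (one tab-separated line per peer: public key, preshared key, endpoint, allowed IPs, latest handshake as a Unix timestamp or 0 if never, bytes received, bytes sent, keepalive) and labels every peer OK, STALE or NEVER_HANDSHAKED, then prints the matching `wg set ... remove` commands for peers that never connected so an operator can review them. The sample dump and its key names are constructed for the example; run `audit_peers "$(sudo wg show wg0 dump)" "$(date +%s)" 180` on a real server.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit peers from `wg show wg0 dump`.
# The sample dump below is constructed; the key strings are not real keys.
set -eu

# $1 = dump text, $2 = current Unix time, $3 = staleness threshold in seconds.
# Prints "STATE<TAB>public-key<TAB>allowed-ips" per peer.
audit_peers() {
    dump="$1"; now="$2"; max_age="$3"
    printf '%s\n' "$dump" | awk -F'\t' -v now="$now" -v max="$max_age" '
        NR == 1 { next }                          # first line describes the interface itself
        {
            key = $1; ips = $4; hs = $5
            if (hs == 0)             state = "NEVER_HANDSHAKED"
            else if (now - hs > max) state = "STALE"
            else                     state = "OK"
            print state "\t" key "\t" ips
        }'
}

# Emit the removal command from the tutorial for every peer that never completed
# a handshake; output is meant to be reviewed, not piped straight into a shell.
removal_commands() {
    audit_peers "$@" | awk -F'\t' '$1 == "NEVER_HANDSHAKED" { print "sudo wg set wg0 peer " $2 " remove" }'
}

# Constructed sample: one peer that handshook 30 s ago and one that was added
# with `wg set` but never connected (latest-handshake = 0).
SAMPLE_NOW=1700000000
SAMPLE_DUMP="$(printf 'SRVPRIV\tSRVPUB\t51820\toff\nPEER1PUBKEY\t(none)\t198.51.100.7:40001\t10.0.0.2/32\t%s\t1200\t3400\toff\nPEER2PUBKEY\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff\n' $((SAMPLE_NOW - 30)))"

if [ "${1:-}" = demo ]; then
    audit_peers "$SAMPLE_DUMP" "$SAMPLE_NOW" 180
    removal_commands "$SAMPLE_DUMP" "$SAMPLE_NOW" 180
fi
```

`sh audit-peers.sh demo` runs it against the built-in sample. The 180-second threshold is a practical choice: WireGuard re-handshakes roughly every two minutes while traffic flows, so a peer with no handshake in three minutes is idle or gone.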

That's it.
Happy networking! 😎
