Introduction
WireGuard is a secure open-source VPN (Virtual Private Network) for servers and other network devices to communicate securely. It implements complex modern cryptography for securing communications between the servers and clients. In addition, it can use either peer-to-peer or a client-server implementation. As a result, it is lightweight, fast, secure, and more straightforward than its competitors. This article will explain how to install and set up WireGuard VPN on Ubuntu 20.04 server.
Prerequisites
- Deploy two fully updated Rcs Ubuntu 20.04 Server.
- Create a non-root user with sudo access.
- Install WireGuard on both servers. One will be the server machine, and the other is client machine.
1. Install WireGuard
Update system packages.
$ sudo apt update
Install WireGuard on both servers. Install WireGuard.
$ sudo apt install wireguard wireguard-tools
2. Generate Public and Private Key Pair
Create a public/private key pair for the VPN server, and save it in the /etc/wireguard/
directory. This command should be run on the server machine.
$ wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
Create a public/private key pair for the VPN client, and save it in the /etc/wireguard/
directory. This command should be run on the client machine.
$ wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key
Find the value of a key. For example server_private.key
:
$ sudo cat /etc/wireguard/server_private.key
3. Configure the Server Machine
Enable IP forwarding on the server to route packets between VPN clients and the Internet.
Edit sysctl.conf
file.
$ sudo nano /etc/sysctl.conf
Add the following code at the end of the file. Save and close the file.
net.ipv4.ip_forward = 1
Apply the changes to take effect.
$ sudo sysctl -p
Allow incoming UDP traffic for the VPN connection.
$ sudo ufw allow 51820/udp
Find the name of your server’s main network interface. Save it for later use.
$ ip -c a
Create a WireGuard configuration file on the server machine.
$ sudo nano /etc/wireguard/wg0.conf
Copy and paste the code below to the configuration file. Modify the PrivateKey
and PublicKey
values with your values and change eth0
to the name of the network interface you found in the first step. Save and close the file.
# Server configuration
[Interface]
Address = 172.26.3.155/16 # Internal IP address of the VPN server.
ListenPort = 51820
SaveConfig = true
PrivateKey = uE6i2Hdas/mJDN1BaMckKjqDl1E8YNe/MKNyNPIAB1o= # The server_private.key value.
# IP Forwarding. Modify network interface name "eth0"
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# Client configuration
[Peer]
PublicKey = PMOp3o6JAOnKd6Vjd/220ft1KijsNUVVluXHhWrUpkQ= # The client_public.key value.
AllowedIPs = 172.26.5.67/32
Start WireGuard service on the server machine.
$ sudo systemctl start wg-quick@wg0
Enable WireGuard to run at system boot.
$ sudo systemctl enable wg-quick@wg0
Check the status of WireGuard service.
$ sudo systemctl status wg-quick@wg0
4. Configure the Client Machine
Install resolvconf
on the client machine.
$ sudo apt install resolvconf
Create a WireGuard configuration file on the client machine.
$ sudo nano /etc/wireguard/wg-client.conf
Copy and paste the code below to the configuration file. Modify the PrivateKey
, PublicKey
and Endpoint
values with your own values. Save and close the file.
# Client configuration
[Interface]
Address = 172.26.5.67/16 # private IP address of the VPN client.
DNS = 1.1.1.1
PrivateKey = mCyPWpLw5OjepZTjnrTdjYuaRPpIFspbxU6orz5Np3g= # The client_private.key value.
# Server configuration
[Peer]
PublicKey = Q96urAY8bv6orRwaRWvMpg2GqraYSKr6fZgucmwZFgk= # The server_public.key value.
AllowedIPs = 0.0.0.0/0
Endpoint = 18.116.19.235:51820 # Public IP address of our VPN server and port number (ListenPort in the server configuration).
PersistentKeepalive = 25
Start WireGuard service on the client machine.
$ sudo systemctl start wg-quick@wg-client
Enable WireGuard to run at system boot.
$ sudo systemctl enable wg-quick@wg-client
Check the status of WireGuard service.
$ sudo systemctl status wg-quick@wg-client
5. Test the VPN Connection
Establish the VPN connection from the client machine.
$ sudo wg-quick up wg0
View the connection details.
$ sudo wg
More Information
To learn more about WireGuard VPN, see to the official documentation.