WireGuard is rapidly becoming one of the most promising VPN protocols around, but has some unique requirements that might make it difficult for new Linux users to set up. To help allay these issues, we’re going to walk you through setting up WireGuard on Ubuntu 18.04 LTS using our easy-to-follow guide below!
The “how to set up wireguard vpn server” is a tutorial for how to set up your own VPN server using the WireGuard protocol. It’s possible to run this on Linux, but it’s also possible to run it on other operating systems as well.
If you use many computers at work or at home, you’ll want to be able to connect to your internal network from each of them. The good news is that WireGuard VPN is capable of resolving this issue.
In this article, you’ll learn how to use WireGuard VPN to create a full-fledged VPN connection between your machines, allowing you safe access.
Are you willing to get your hands dirty? It’s time to get right in!
Prerequisites
This will be a hands-on presentation in this course. If you want to follow along, make sure you have the following items on hand:
- A Linux-based operating system — This lesson utilizes Ubuntu 20.04 LTS, however the samples will run on any Debian distribution.
Related: [Step-by-Step] How to Install Ubuntu 20.04
- A local computer – This demo uses a Window 10 64-bit client to connect to the WireGuard VPN server. <aside> 💡 If you are using a remote server, be sure you have permission to connect to that server from your local machine. </aside>
- A non-root user with [sudo](<https://scriptcrunch.com/add-sudo-user-permissions-linux/>) privileges.
WireGuard Installation
WireGuard is not installed by default on the Ubuntu Linux distribution. So you’ll use the APT package manager to install WireGuard first.
You may alternatively download and build WireGuard from source, but for this experiment, a simple setup will do.
To update the system’s package database, use the following command.
Keeping the system’s package database up to date
To install the wireguard package, do the following command. The wireguard package offers a simple kernel module for secure private networking and protocol support.
To create private point-to-point or site-to-site connections, the WireGuard protocol uses public keys provided in an authentication method similar to SSH, which are paired with symmetric encryption keys.
wireguard -y sudo apt install
WireGuard Installation Package
WireGuard is a kernel module that runs after installation. Because WireGuard requires direct access to your network ports to create a VPN connection, it operates in kernel space.
Creating a Pair of Keys
Now that you’ve installed WireGuard, use the wg genkey command to produce a key pair (a public key and a private key). Your WireGuard “identity” is your public key. This public key will be required for everyone who wants to connect to your VPN. The private key, on the other hand, is used to create a secure connection.
Maintain the secrecy of the private key. Your private key may be used to connect to your VPN by anybody who has access to it.
1. To make your keypair readable, use the umask command. The umask command defines the permissions provided to newly created files by specifying the file mode creation mask.
You’ll set umasks to 077 to make all newly created files viewable to everyone but editable only by their owner. This step assures that your WireGuard keys are not modifiable by the outside world.
2. Next, use the command below to produce a key pair (wg genkey).
The command saves the private key to the /etc/wireguard/privatekey file and the public key to the /etc/wireguard/publickey file (wg pubkey | sudo tee).
wg pubkey | sudo tee /etc/wireguard/publickey | wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
You’ll see a value on your console after executing the command, which is your public key, as seen below. The result below verifies that you’ve successfully created your public key.
This public key should be copied and saved someplace else since it will be used by your peers to connect to your WireGuard VPN. Your WireGuard VPN acts as a peer-to-peer tunnel.
Creating a Pair of Keys
3. Finally, execute the cat command to ensure that your private key was successfully produced.
/etc/wireguard/privatekey /etc/wireguard/privatekey /etc/wireguard/privatekey
Take note of your private key, as shown in the output below, since you’ll need it to configure your WireGuard VPN server.
Authentication of your private key
WireGuard VPN Server Configuration
Now that you have generated a key pair for a secure server connection, the next step to take is WireGuard VPN Server Configuration.
1. Using your preferred text editor, create a new file titled wg0.conf and fill it with the data shown below. Make careful to change eth0 with your network interface after running POSTROUTING -o.
It’s up to you how you name your configuration files, but to make them simpler to remember, use names like wg0, wg1 (wg stands for WireGuard), tun0, tun1 (tun stands for tunneling), and so on.
2. Fill in the following information in the wg0.conf file. Make sure that eth0 is replaced with your network interface after the POSTROUTING -o, then save and quit the editor.
The wg0.conf file includes all of your WireGuard interface’s network and security settings. Your WireGuard interface and your peers will be unable to create a secure connection without it.
# Defines your WireGuard interface name [Interface] # Sets the server’s Public IP Address. This network is routed to your server’s # eth0 interface. This is an IP range of private IPv4 that you will use # for your peers to connect to the broader internet using your VPN server. # Your peer can use any private IPs from 10.8.0.1 to 10.8.0.255. Address = 10.0.0.1/24 # Set the value to “true” to save your server’s config file automatically # after a connection is established or when you shut down your VPN server. SaveConfig = true # Sets the port that your VPN server listens on. This port should be open on your router # so that your peers can access this port to connect to your VPN ListenPort = 51820 # Replace <SERVER_PRIVATE_KEY> with your private key generated earlier. PrivateKey = <SERVER_PRIVATE_KEY> # Sets WireGuard to automatically accept new connections, which allows your peers # to access your server with their own public IP address. Your VPN server forwards # your peers’ connection through your private network to make it seem # like they are coming directly from the peers. PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Reverses the PostUp values when there’s a disconnection # to make the network settings return to original state PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
How to Use IPTables Rules to Secure a Linux Firewall
3. To enable the wg0 interface, run the command below.
The wg0 interface is turned on.
4. Finally, execute the command below to verify the status of your wg0 interface.
The wg0 interface is visible, and it is waiting for connections on port 51820.
Checking the condition of the interface
Networking and Firewall Configuration on the Server
You must additionally setup your local networking and firewall in addition to your WireGuard server. You’ll have greater control over who may connect to your server this way.
You’ll forward port UDP 51820 to allow your peers to connect to your VPN server, but you won’t be able to keep it open all of the time. As a result, you’ll use the NAT feature on your router to transport traffic on port 51820 via your VPN server.
1. Use your preferred editor to open the etc/sysctl.conf file.
2. Locate and delete the “#” symbol from the #net.ipv4.ip forward=1 line to enable IPv4 IP forwarding and save the modifications.
IP Forwarding Enabled
3. To apply and make the changes permanent, perform the following sysctl command (-p).
Making irreversible modifications
Incoming traffic from your WireGuard peers’ clients will now be sent to the public internet by your WireGuard server. After forwarding the data, WireGuard sends it back to peers through the eth0 VPN ethernet link.
However, any traffic headed for your local WireGuard server that originates from the internet will be blocked by the default Linux networking firewall. You’ll need to add a few additional rules if you’re using UFW as your firewall.
4. To accept udp connections on port 51820, run the command below.
On port 51820, UDP connections are allowed.
5. Check the status of your firewall using the command below. command sudo ufw status
The following is how your UFW firewall should now look:
Checking the condition of your firewall
WireGuard Client Configuration
Because your WireGuard VPN server is up and running, you’ll need to setup a client to test the connection with it. Your client may be Windows, MAC OS, Linux, or BSD, however for this sample, we’re using Windows 10 64-bit.
A WireGuard client is a device that uses its own public key to connect to the VPN server (ID). The WireGuard server verifies the client’s identity and encrypts all communication between them.
The following actions must be completed on all WireGuard client devices.
1. Go to the WireGuard official download website and download the WireGuard client software for your operating system. The client for Windows is used in this demonstration.
Wireguard Client for Windows is available for download.
2. Open the WireGuard client application, click Add Tunnel (bottom-left) —> Add empty tunnel to create an empty tunnel. You will get a popup window to configure the VPN network connection (step three).
Creating a new empty tunnel
Set up your VPN network connection by doing the following:
- As indicated below, enter the name of your VPN network connection. However, for this demonstration, the name is ubuntu.
- Leave the default generated PrivateKey, add a new line below, and type in Address = <client-IP>. Replace <client-IP> with your WireGuard client static IP.
- Add a new [Peer] block, and below, add a new PublicKey = <SERVER_PUBLIC_KEY> line. Replace <SERVER_PUBLIC_KEY> with your VPN server public key you saved in the “Creating a Pair of Keys” section (step two).
- Add a new Endpoint = <SERVER_PUBLIC_IP>:51820, where 51820 is the port your WireGuard server is listening to. Replace <SERVER_PUBLIC_IP> with the public IP of your VPN server.
- Create a new line called AllowedIPs – 0.0.0.0/0. The WireGuard client may access all IPv4 and IPv6 addresses on the network using this line.
- To preserve the VPN network connection setup, click Save.
Changing the network setup of the VPN
Return to your VPN server terminal and enter the command below to add the client’s public key and IP address to the VPN server.
Make certain you change the following:
- <CLIENT_PUBLIC_KEY> – with your client public key.
- 10.0.0.2 – with your client device’s IP address so that your VPN server can communicate with your client device.sudo wg set wg0 peer <CLIENT_PUBLIC_KEY> allowed-ips 10.0.0.2
The VPN Tunnel is being tested to see whether it works.
You should now have a functional WireGuard server and client on your hands. It’s now time to test their connection and verify whether the VPN tunnel is operational.
1. Launch the WireGuard client program and choose the Ubuntu connection (VPN tunnel) you just made.
2. To activate the VPN tunnel, click the Activate button.
Getting the VPN Tunnel to Work
3. After Getting the VPN Tunnel to Work, you’ll see the Status change to Active, as shown below. That’s it! You now have a successful connection to your VPN server.
Taking a look at the Active VPN connection
Conclusion
You’ve learnt how to set up a WireGuard VPN server in this article. By constructing a VPN tunnel, you’ve also created a client to verify whether the connection between the WireGuard VPN server and the client is functional.
At this point, you may set up several WireGuard servers and clients to create an encrypted private network with no centralized authority.
What plans do you have to capitalize on your newfound knowledge? Try setting up a WireGuard VPN to learn more about Ansible.
The “wireguard server ubuntu” is a tutorial that shows how to set up WireGuard VPN on Linux. It is a very simple process and should only take about 20 minutes to complete.
Frequently Asked Questions
How do I add a VPN to WireGuard?
A: To add a VPN to WireGuard, one must first create an interface with the following commands set to yes on each line.
interface tun0
ipv6 no
up route-encapsulation ipsec esp
down route-preference 172.16.1.1/32 via fe80::3a04:8e01:de40/64 dev tun0
How do I setup a WireGuard client?
A: First, you need to generate a keypair which consists of two components. The secret is the public and private keys that are used for encryption. Please do not share your private or secret key with anyone but yourself!
Is WireGuard better than OpenVPN?
Related Tags
- setup wireguard client ubuntu
- wireguard config file
- wireguard config file download
- wireguard ubuntu gui
- wireguard gui