07.06.2023

How to Set Up WireGuard VPN Server on Ubuntu 20.04

In this tutorial, we will look at the steps to set up and configure the WireGuard VPN server and client.

WireGuard installation

Install the WireGuard package on both server and client machines using this command:

sudo apt install wireguard

System configuration

First, allow incoming UDP traffic on the port WireGuard will listen on (61951 in this tutorial).

sudo ufw allow 61951/udp

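Enable IP forwarding in the kernel so the server can route packets between the VPN interface and the external network. Open the sysctl configuration file: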

sudo nano /etc/sysctl.conf

Uncomment the following line.

net.ipv4.ip_forward=1

Apply the changes.

sudo sysctl -p

Private and public key pairs creation

Use these commands to generate the key pair and make the private key readable only by the root user.

wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
sudo chmod 600 /etc/wireguard/server_private.key

Perform the same action on the client machine, writing the keys to client_private.key and client_public.key.
To see the key values, use the cat command, for example:

sudo cat /etc/wireguard/server_private.key
sudo cat /etc/wireguard/server_public.key

WireGuard server configuration

Create the WireGuard configuration file.

sudo nano /etc/wireguard/wg0.conf

Fill it in with the following lines:

# Server configuration
[Interface]
PrivateKey = oCH7Z0g+ieQ99KkkR1E5EO22Evs5q75F+ES4O4Oc93E= # The server_private.key value.
Address = 10.5.5.1/24 # Internal IP address of the VPN server.
ListenPort = 61951 # Previously, we opened this port to listen for incoming connections in the firewall.
# Change "enp0s5" to the name of your network interface in the following two settings. These commands configure iptables for WireGuard.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s5 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s5 -j MASQUERADE
# Configurations for the clients. You need to add a [Peer] section for each VPN client.
[Peer]
PublicKey = gsgfB29uYjpuFTCjC1+vHr9M7++MHJcG6Eg4rtuTu34= # client_public.key value.
AllowedIPs = 10.5.5.2/32 # Internal IP address of the VPN client.

Save and close this file. To start the WireGuard VPN server, enter the command:

sudo systemctl start wg-quick@wg0

Enable the interface so that it starts automatically after a system reboot.

sudo systemctl enable wg-quick@wg0
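
The following is an added example, not part of the original tutorial: a shell function that lints wg0.conf after you edit it, for instance when adding a [Peer] section for another client. It checks that the file is not accessible to group or other users, that keys have the 44-character base64 form, and that no two peers claim the same AllowedIPs entry. The function name wg_conf_lint and the finding messages are this example's own.

```shell
# Added example: lint a wg-quick style config before (re)starting the interface.
# wg_conf_lint is this example's own name; prints findings, returns their count.
wg_conf_lint() {
    conf=$1
    findings=$(
        # The file embeds the private key: no group/other permission bits.
        [ "$(ls -ld -- "$conf" | cut -c5-10)" = "------" ] ||
            echo "mode: $conf is accessible to group/other (expected 600)"
        awk '
            function check_key(name, v) {   # 32-byte key = 44 base64 characters
                if (length(v) != 44 || v !~ "^[A-Za-z0-9+/]+=$")
                    print "key: " name " in " section " is not a 44-char base64 key"
            }
            function close_peer() {
                if (section != "[Peer]") return
                if (!has_pub) print "peer " npeer ": missing PublicKey"
                if (!has_ips) print "peer " npeer ": missing AllowedIPs"
            }
            { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # drop comments, trim
            $0 == "" { next }
            /^\[/ {
                close_peer(); section = $0; has_pub = 0; has_ips = 0
                if (section == "[Peer]") npeer++; next
            }
            {
                eq = index($0, "="); if (!eq) next
                key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
                gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            }
            key == "PrivateKey" { check_key(key, val) }
            key == "PublicKey" {
                check_key(key, val); has_pub = 1
                if (seen[val]++) print "peer " npeer ": PublicKey repeats an earlier peer"
            }
            key == "AllowedIPs" {   # an address may be routed to one peer only
                has_ips = 1; n = split(val, ips, ",")
                for (i = 1; i <= n; i++) {
                    if (ips[i] in owner)
                        print "peer " npeer ": " ips[i] " already assigned to peer " owner[ips[i]]
                    else owner[ips[i]] = npeer
                }
            }
            END { close_peer() }
        ' "$conf"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return $(( $(printf '%s\n' "$findings" | wc -l) ))
}
```

The function needs read access to the file, so run it as root when checking /etc/wireguard/wg0.conf.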

WireGuard client configuration

The DNS setting in the client configuration below is applied through resolvconf, so install “resolvconf” on the client as well.

sudo apt install resolvconf

Now, create the WireGuard configuration file on the client machine.

sudo nano /etc/wireguard/wg0.conf

Fill it in with the following lines:

# Client configuration
[Interface]
PrivateKey = eLI6PoQf3xhLHu+wlIIME5ullpxxp8U+sYMKHGcv2VI= # The client_private.key value.
Address = 10.5.5.2/24 # IP address of the client's wg0 interface.
DNS = 8.8.8.8
# Server connection configuration
[Peer]
PublicKey = tsGQ8spwOQhpJb4BbhZtunLZEJCcPxUBIaQUpniQ+z4= # The server_public.key value.
AllowedIPs = 0.0.0.0/0 # Traffic for these addresses will be routed through the VPN tunnel. In this example, all addresses are selected.
Endpoint = 82.213.236.27:61951 # Public IP address of our VPN server and port number (ListenPort in the server configuration).
PersistentKeepalive = 25

Save and close it.
Use this command to establish the VPN connection:

sudo wg-quick up wg0

To view connection information, use this command:

wg

Output:

interface: wg0
public key: gsgfB29uYjpuFTCjC1+vHr9M7++MHJcG6Eg4rtuTu34=
private key: (hidden)
listening port: 58208
peer: tsGQ8spwOQhpJb4BbhZtunLZEJCcPxUBIaQUpniQ+z4=
endpoint: 82.213.236.27:61951
allowed ips: 0.0.0.0/0
...