How to set up Wireguard on Ubuntu 22.04

WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks, and was designed with the goals of ease of use, high speed performance, and low attack surface.

It is a lightweight Virtual Private Network (VPN) that supports IPv4 and IPv6 connections. A VPN allows you to traverse untrusted networks as if you were on a private network. It gives you the freedom to access the internet safely and securely from your smartphone or laptop when connected to an untrusted network, like the WiFi at a hotel or coffee shop.

Compared to other popular VPN solutions, such as IPsec and OpenVPN , WireGuard is faster, easier to configure, and has a smaller footprint. It is cross-platform and can run almost anywhere, including Linux, Windows, Android, and macOS.

Wireguard is a peer-to-peer VPN; it does not use the client-server model. Depending on its configuration, a peer can act as a traditional server or client. It works by creating a network interface on each peer device that acts as a tunnel. Peers authenticate each other by exchanging and validating public keys, mimicking the SSH model. Public keys are mapped with a list of IP addresses that are allowed in the tunnel. The VPN traffic is encapsulated in UDP.

Ensure your Server packages are up to date

Before proceeding, ensure that your os packages are updated. Use this command:

1
sudo apt update && sudo apt upgrade -y

Optionally set the server hostname

1
sudo hostnamectl set-hostname vpn.citizix.com

Server Networking and Firewall Configuration

If you are using WireGuard to connect a peer to the WireGuard Server in order to access services on the server only, then you do not need to complete this section. If you would like to route your WireGuard Peer’s Internet traffic through the WireGuard Server then you will need to configure IP forwarding by following this section of the tutorial.

To enable IP Forwarding on the Server, open the file /etc/sysctl.conf with your text editor.

1
sudo vim /etc/sysctl.conf

Uncomment this line:

1
net.ipv4.ip_forward=1

If you are using IPv6 with WireGuard, add this line at the bottom of the file:

1
net.ipv6.conf.all.forwarding=1

Save the file and apply the change:

1
sudo sysctl -p

Make sure the server is routing traffic from the WireGuard interface to the internet. You may need to configure Network Address Translation (NAT) on the server.

To do this, you can use iptables (replace ens5 with your server’s main network interface):

1
2
3
sudo iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
sudo iptables -A FORWARD -i wg0 -o ens5 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i ens5 -o wg0 -j ACCEPT

To make the iptables rules persistent, you can install iptables-persistent:

1
sudo apt install iptables-persistent

Then you can save the iptables rules using:

1
sudo iptables-save > /etc/iptables/rules.v4

Install wireguard vpn

Wireguard is available in default ubuntu repositories. Install it using this command:

1
sudo apt install wireguard

This will install the WireGuard module and tools.

Configure WireGuard VPN Server

The wg and wg-quick command-line tools allow you to configure and manage the WireGuard interfaces.

Run the following command to create a public/private key pair. The files will be saved under /etc/wireguard/ directory.

1
2
3
sudo mkdir -p /etc/wireguard
cd /etc/wireguard
sudo wg genkey | sudo tee server_private.key | sudo wg pubkey > server_public.key

The wg command is WireGuard’s build-in configuration utility for getting and setting WireGuard’s configurations. When you run the command, you will receive a single line of base64 encoded output, the public key (server_public.key) for your WireGuard server.

Remember, the private key (server_private.key) should never be shared with anyone and always be kept secure.

Configure Tunnel Device

We need to create a network interface for WireGuard. The network interface name will be wg0.

1
sudo vim /etc/wireguard/wg0.conf

Add this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
[Interface]
## Private IP address for the wg0 interface ##
Address = 10.70.0.1/24

## VPN server listening port ##
ListenPort = 51820

## VPN server private key ##
PrivateKey = 2NV6mHFXeN2R25eq9LJag3PiwuxvMrrHBDtZcEiedGU=

## Firewall rules ##
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE

Replace the PrivateKey with the content of the one you generated, stored in the /etc/wireguard/server_private.key file.

1
sudo cat /etc/wireguard/server_private.key

Make sure to replace ens5 after -A POSTROUTING -o ... to match the name of your public network interface. You can find it easily with:

1
ip -o -4 route show to default | awk '{print $5}'

Save and close the wg0.conf file. Additionally, change the file permission mode to only the root user can read the files.

1
sudo chmod -R 600 /etc/wireguard/

The interface can be named anything, however it is recommended to use something like wg0 or wgvpn0. The settings in the interface section have the following meaning:

Address - A comma-separated list of v4 or v6 IP addresses for the wg0 interface. Use IPs from a range that is reserved for private networks (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16).
ListenPort - The listening port. PrivateKey - A private key generated by the wg genkey command. (To see the contents of the file type: sudo cat /etc/wireguard/privatekey)
SaveConfig - When set to true, the current state of the interface is saved to the configuration file when shutdown.
PostUp - Command or script that is executed before bringing the interface up. In this example, we’re using iptables to enable masquerading. This allows traffic to leave the server, giving the VPN clients access to the Internet.

Make sure to replace ens5 after -A POSTROUTING to match the name of your public network interface. You can easily find the interface with:

1
ip -o -4 route show to default | awk '{print $5}'

PostDown - command or script which is executed before bringing the interface down. The iptables rules will be removed once the interface is down.

The wg0.conf and privatekey files should not be readable to normal users. Use chmod to set the permissions to 600:

1
sudo chmod 600 /etc/wireguard/{server_private.key,wg0.conf}

Enable and Start WireGuard VPN Service

Run the following command on the server to enable auto-start at system boot time and start WireGuard.

1
2
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Check its status with the following command. You should see active in the output:

1
sudo systemctl status wg-quick@wg0.service

Output:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ sudo systemctl status wg-quick@wg0

● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; preset: enabled)
     Active: active (exited) since Sat 2025-01-18 06:02:04 UTC; 6s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 1362 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 1362 (code=exited, status=0/SUCCESS)
        CPU: 30ms

Jan 18 06:02:04 vpn.citizix.com systemd[1]: Starting wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0...
Jan 18 06:02:04 vpn.citizix.com wg-quick[1362]: [#] ip link add wg0 type wireguard
Jan 18 06:02:04 vpn.citizix.com wg-quick[1362]: [#] wg setconf wg0 /dev/fd/63
Jan 18 06:02:04 vpn.citizix.com wg-quick[1362]: [#] ip -4 address add 10.70.0.1/24 dev wg0
Jan 18 06:02:04 vpn.citizix.com wg-quick[1362]: [#] ip link set mtu 8921 up dev wg0
Jan 18 06:02:04 vpn.citizix.com wg-quick[1362]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enX0 -j MASQUERADE
Jan 18 06:02:04 vpn.citizix.com systemd[1]: Finished wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0.

To check the interface state and configuration, enter:

1
sudo wg show wg0

Output:

1
2
3
4
5
6
$ sudo wg show wg0

interface: wg0
  public key: dIYEmtcPkbd4WSJSkyxOMSTgJFIuk64sH9/EF3h9bj4=
  private key: (hidden)
  listening port: 51820

Set up client

Install the WireGuard package on the client machine

1
sudo apt install wireguard

You’ll need to generate a public/private key pair on the peer using the exact steps you used on the server.

1
wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key

Open a new /etc/wireguard/wg0.conf file on the WireGuard client machine using your preferred editor:

1
sudo vim /etc/wireguard/wg0.conf

Add the following lines to the file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
[Interface]
## VPN client private IP address ##
Address = 10.70.0.2/24

## VPN client private key ##
PrivateKey = wP9y5xaw2mwqB2C4ujdVokn8zaxKr/elrNlcgw19snw=

[Peer]
## VPN server public key ##
PublicKey = Ar+Y1r9bCE9CwM9UgK/fSiFiP9jaNIHt5YGCkVbmZF8=

## VPN server public IP address and port ##
Endpoint = 10.2.11.9:51820

## Route all the traffic through the VPN tunnel ##
AllowedIPs = 0.0.0.0/0

## Key connection alive ##
PersistentKeepalive = 15

Replace the PrivateKey with the content of the one you generated, stored in the /etc/wireguard/client_private.key file on the client machine.

Replace the server’s public key, which can be found in the /etc/wireguard/server_public.key file on the server.

Replace the Endpoint value (10.2.11.9:51820) with your server’s public IP address and port.

Finally, save and close the file.

You need to configure the server-side VPN option to allow a connection between the client (Peer) computer and the server. So, go back to the server and edit the /etc/wireguard/wg0.conf file to add client information as follows:

1
sudo vim /etc/wireguard/wg0.conf

1
2
3
4
5
6
[Peer]
## Client public key ##
PublicKey = ybR/GfG7XBx3XUi3V1wV7IIxCpSaqELtOfIOuGlSij8=

## Client IP address ##
AllowedIPs = 10.70.0.2/24

Replace the PublicKey with the file’s content stored in the /etc/wireguard/client_public.key file on the client machine.

Save the file and restart the VPN server to apply the changes:

1
sudo systemctl restart wg-quick@wg0.service

Connecting the WireGuard Client to the Server

Run the following command on the client machine to connect the VPN client to the VPN server:

1
sudo systemctl start wg-quick@wg0

Ensure it started

1
sudo systemctl status wg-quick@wg0

Now you should be connected to the WireGuard VPN server, and the traffic from your client machine should be routed through it.

That’s all! Both client and server must be connected securely using a peer-to-peer WireGuard VPN on Ubuntu.

To test the connection, return to the VPN client and ping from it (10.70.0.2) to the VPN server (10.70.0.1) to see if the tunnel works.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
$ ping -c 3 10.70.0.1

PING 10.70.0.1 (10.70.0.1) 56(84) bytes of data.
64 bytes from 10.70.0.1: icmp_seq=1 ttl=64 time=0.095 ms
64 bytes from 10.70.0.1: icmp_seq=2 ttl=64 time=0.085 ms
64 bytes from 10.70.0.1: icmp_seq=3 ttl=64 time=0.068 ms

--- 10.70.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2052ms
rtt min/avg/max/mdev = 0.068/0.082/0.095/0.011 ms

Additionally, you can check the connection with:

1
sudo wg

Or show command

1
2
3
4
5
6
7
8
9
$ sudo wg show wg0

interface: wg0
  public key: Ar+Y1r9bCE9CwM9UgK/fSiFiP9jaNIHt5YGCkVbmZF8=
  private key: (hidden)
  listening port: 51820

peer: ybR/GfG7XBx3XUi3V1wV7IIxCpSaqELtOfIOuGlSij8=
  allowed ips: 10.70.0.0/24

1
ip a show wg0

Conclusion

In this guide we managed to set up wireguard as a VPN peer gateway.