Open Source Security

How to set up Wireguard on Ubuntu 22.04

WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks, and was designed with the goals of ease of use, high speed performance, and low attack surface.

It is a lightweight Virtual Private Network (VPN) that supports IPv4 and IPv6 connections. A VPN allows you to traverse untrusted networks as if you were on a private network. It gives you the freedom to access the internet safely and securely from your smartphone or laptop when connected to an untrusted network, like the WiFi at a hotel or coffee shop.

Compared to other popular VPN solutions, such as IPsec and OpenVPN , WireGuard is faster, easier to configure, and has a smaller footprint. It is cross-platform and can run almost anywhere, including Linux, Windows, Android, and macOS.

Wireguard is a peer-to-peer VPN; it does not use the client-server model. Depending on its configuration, a peer can act as a traditional server or client. It works by creating a network interface on each peer device that acts as a tunnel. Peers authenticate each other by exchanging and validating public keys, mimicking the SSH model. Public keys are mapped with a list of IP addresses that are allowed in the tunnel. The VPN traffic is encapsulated in UDP.

Related Posts:

Ensure your Server packages are up to date

Before proceeding, ensure that your os packages are updated. Use this command:

sudo apt update
sudo apt upgrade -y

Server Networking and Firewall Configuration

If you are using WireGuard to connect a peer to the WireGuard Server in order to access services on the server only, then you do not need to complete this section. If you would like to route your WireGuard Peer’s Internet traffic through the WireGuard Server then you will need to configure IP forwarding by following this section of the tutorial.

To enable IP Forwarding on the Server, open the file /etc/sysctl.conf with your text editor.

sudo vim /etc/sysctl.conf

Uncomment this line:

net.ipv4.ip_forward=1

If you are using IPv6 with WireGuard, add this line at the bottom of the file:

net.ipv6.conf.all.forwarding=1

Save the file and apply the change:

sudo sysctl -p

If you are using UFW to manage your firewall you need to open UDP traffic on port 51820:

sudo ufw allow 51820/udp

Install wireguard vpn

Wireguard is available in default ubuntu repositories. Install it using this command:

sudo apt install wireguard

This will install the WireGuard module and tools.

Configure WireGuard VPN Server

The wg and wg-quick command-line tools allow you to configure and manage the WireGuard interfaces.

Run the following command to create a public/private key pair. The files will be saved under /etc/wireguard/ directory.

wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key

The wg command is WireGuard’s build-in configuration utility for getting and setting WireGuard’s configurations. When you run the command, you will receive a single line of base64 encoded output, the public key (server_public.key) for your WireGuard server.

Remember, the private key (server_private.key) should never be shared with anyone and always be kept secure.

Configure Tunnel Device

We need to create a network interface for WireGuard. The network interface name will be wg0.

sudo vim /etc/wireguard/wg0.conf

Add this:

[Interface]
## Private IP address for the wg0 interface ##
Address = 10.70.0.1/24

## VPN server listening port ##
ListenPort = 51820

## VPN server private key ##
PrivateKey = eCzx1jVrf0I7KHXeNgFtUnVj+uDgDlsPZIBrG74S7Vg=

## Firewall rules ##
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE

Replace the PrivateKey with the content of the one you generated, stored in the /etc/wireguard/server_private.key file.

sudo cat /etc/wireguard/server_private.key

Make sure to replace eth1 after -A POSTROUTING -o ... to match the name of your public network interface. You can find it easily with:

ip -o -4 route show to default | awk '{print $5}'

Save and close the wg0.conf file. Additionally, change the file permission mode to only the root user can read the files.

sudo chmod -R 600 /etc/wireguard/

The interface can be named anything, however it is recommended to use something like wg0 or wgvpn0. The settings in the interface section have the following meaning:

  • Address – A comma-separated list of v4 or v6 IP addresses for the wg0 interface. Use IPs from a range that is reserved for private networks (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16).

  • ListenPort – The listening port.
    PrivateKey – A private key generated by the wg genkey command. (To see the contents of the file type: sudo cat /etc/wireguard/privatekey)

  • SaveConfig – When set to true, the current state of the interface is saved to the configuration file when shutdown.

  • PostUp – Command or script that is executed before bringing the interface up. In this example, we’re using iptables to enable masquerading. This allows traffic to leave the server, giving the VPN clients access to the Internet.

Make sure to replace ens3 after -A POSTROUTING to match the name of your public network interface. You can easily find the interface with:

ip -o -4 route show to default | awk '{print $5}'
  • PostDown – command or script which is executed before bringing the interface down. The iptables rules will be removed once the interface is down.

The wg0.conf and privatekey files should not be readable to normal users. Use chmod to set the permissions to 600:

sudo chmod 600 /etc/wireguard/{server_private.key,wg0.conf}

Once done, bring the wg0 interface up using the attributes specified in the configuration file:

sudo wg-quick up wg0

Enable and Start WireGuard VPN Service

Run the following command on the server to enable auto-start at system boot time and start WireGuard.

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Check its status with the following command. You should see active in the output:

sudo systemctl status wg-quick@wg0.service

Output:

$ sudo systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sat 2023-03-11 05:46:06 UTC; 42s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 17951 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 17951 (code=exited, status=0/SUCCESS)
        CPU: 107ms

Mar 11 05:46:05 sirenimports-test-inst0 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Mar 11 05:46:05 sirenimports-test-inst0 wg-quick[17951]: [#] ip link add wg0 type wireguard
Mar 11 05:46:05 sirenimports-test-inst0 wg-quick[17951]: [#] wg setconf wg0 /dev/fd/63
Mar 11 05:46:05 sirenimports-test-inst0 wg-quick[17951]: [#] ip -4 address add 10.70.0.1/24 dev wg0
Mar 11 05:46:05 sirenimports-test-inst0 wg-quick[17951]: [#] ip link set mtu 1420 up dev wg0
Mar 11 05:46:05 sirenimports-test-inst0 wg-quick[17951]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Mar 11 05:46:06 sirenimports-test-inst0 systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

To check the interface state and configuration, enter:

sudo wg show wg0

Output:

$ sudo wg show wg0
interface: wg0
  public key: KVqNHbuFmaXX+1jm7ECgk/n9YD4Kk+Fh8fGlOwTBZ0o=
  private key: (hidden)
  listening port: 51820

Set up client

Install the WireGuard package on the client machine

sudo apt install wireguard

you’ll need to generate a public/private key pair on the peer using the exact steps you used on the server.

wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key

Open a new /etc/wireguard/wg0.conf file on the WireGuard client machine using your preferred editor:

sudo vim /etc/wireguard/wg0.conf

Add the following lines to the file:

[Interface]
## VPN client private IP address ##
Address = 10.70.0.2/24

## VPN client private key ##
PrivateKey = wP9y5xaw2mwqB2C4ujdVokn8zaxKr/elrNlcgw19snw=

[Peer]
## VPN server public key ##
PublicKey = Ar+Y1r9bCE9CwM9UgK/fSiFiP9jaNIHt5YGCkVbmZF8=

## VPN server public IP address and port ##
Endpoint = 10.2.11.9:51820

## Route all the traffic through the VPN tunnel ##
AllowedIPs = 0.0.0.0/0

## Key connection alive ##
PersistentKeepalive = 15

Replace the PrivateKey with the content of the one you generated, stored in the /etc/wireguard/client_private.key file on the client machine.

Replace the server’s public key, which can be found in the /etc/wireguard/server_public.key file on the server.

Replace the Endpoint value (10.2.11.9:51820) with your server’s public IP address and port.

Finally, save and close the file.

You need to configure the server-side VPN option to allow a connection between the client (Peer) computer and the server. So, go back to the server and edit the /etc/wireguard/wg0.conf file to add client information as follows:

sudo vim /etc/wireguard/wg0.conf
[Peer]
## Client public key ##
PublicKey = ybR/GfG7XBx3XUi3V1wV7IIxCpSaqELtOfIOuGlSij8=

## Client IP address ##
AllowedIPs = 10.70.0.2/24

Replace the PublicKey with the file’s content stored in the /etc/wireguard/client_public.key file on the client machine.

Save the file and restart the VPN server to apply the changes:

sudo systemctl restart wg-quick@wg0.service

Connecting the WireGuard Client to the Server

Run the following command on the client machine to connect the VPN client to the VPN server:

sudo systemctl start wg-quick@wg0

Ensure it started

sudo systemctl status wg-quick@wg0

Now you should be connected to the WireGuard VPN server, and the traffic from your client machine should be routed through it.

That’s all! Both client and server must be connected securely using a peer-to-peer WireGuard VPN on Ubuntu.

To test the connection, return to the VPN client and ping from it (10.70.0.2) to the VPN server (10.70.0.1) to see if the tunnel works.

$ ping -c 3 10.70.0.1
PING 10.70.0.1 (10.70.0.1) 56(84) bytes of data.
64 bytes from 10.70.0.1: icmp_seq=1 ttl=64 time=0.095 ms
64 bytes from 10.70.0.1: icmp_seq=2 ttl=64 time=0.085 ms
64 bytes from 10.70.0.1: icmp_seq=3 ttl=64 time=0.068 ms

--- 10.70.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2052ms
rtt min/avg/max/mdev = 0.068/0.082/0.095/0.011 ms

Additionally, you can check the connection with:

sudo wg
$ sudo wg show wg0
interface: wg0
  public key: Ar+Y1r9bCE9CwM9UgK/fSiFiP9jaNIHt5YGCkVbmZF8=
  private key: (hidden)
  listening port: 51820

peer: ybR/GfG7XBx3XUi3V1wV7IIxCpSaqELtOfIOuGlSij8=
  allowed ips: 10.70.0.0/24

Or

ip a show wg0

Conclusion

In this guide we managed to set up wireguard as a VPN peer gateway.

Wireguard
Last updated on Oct 14, 2024 11:46 +0300
comments powered by Disqus
© 2020 - 2024 Citizix, Inc.
Citizix Ltd
Built with Hugo
Theme Stack designed by Jimmy