WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks, and was designed with the goals of ease of use, high speed performance, and low attack surface.
It is a lightweight Virtual Private Network (VPN) that supports IPv4 and IPv6 connections. A VPN allows you to traverse untrusted networks as if you were on a private network. It gives you the freedom to access the internet safely and securely from your smartphone or laptop when connected to an untrusted network, like the WiFi at a hotel or coffee shop.
Compared to other popular VPN solutions, such as IPsec and OpenVPN , WireGuard is faster, easier to configure, and has a smaller footprint. It is cross-platform and can run almost anywhere, including Linux, Windows, Android, and macOS.
Wireguard is a peer-to-peer VPN; it does not use the client-server model. Depending on its configuration, a peer can act as a traditional server or client. It works by creating a network interface on each peer device that acts as a tunnel. Peers authenticate each other by exchanging and validating public keys, mimicking the SSH model. Public keys are mapped with a list of IP addresses that are allowed in the tunnel. The VPN traffic is encapsulated in UDP.
Related Posts:
- How to install and configure Pritunl in Rocky Linux/ Alma Linux 9
- How to install and configure Pritunl in Rocky Linux/ Alma Linux 8
- How to install and configure MongoDB 6 on Rocky Linux/Alma Linux 9
Ensure your Server packages are up to date
Before proceeding, ensure that your os packages are updated. Use this command:
|
|
Optionally set the server hostname
|
|
Server Networking and Firewall Configuration
If you are using WireGuard to connect a peer to the WireGuard Server in order to access services on the server only, then you do not need to complete this section. If you would like to route your WireGuard Peer’s Internet traffic through the WireGuard Server then you will need to configure IP forwarding by following this section of the tutorial.
To enable IP Forwarding on the Server, open the file /etc/sysctl.conf
with your text editor.
|
|
Uncomment this line:
|
|
If you are using IPv6 with WireGuard, add this line at the bottom of the file:
|
|
Save the file and apply the change:
|
|
Make sure the server is routing traffic from the WireGuard interface to the internet. You may need to configure Network Address Translation (NAT) on the server.
To do this, you can use iptables (replace ens5
with your server’s main network interface):
|
|
To make the iptables rules persistent, you can install iptables-persistent
:
|
|
Then you can save the iptables rules using:
|
|
Install wireguard vpn
Wireguard is available in default ubuntu repositories. Install it using this command:
|
|
This will install the WireGuard module and tools.
Configure WireGuard VPN Server
The wg
and wg-quick
command-line tools allow you to configure and manage the WireGuard interfaces.
Run the following command to create a public/private key pair. The files will be saved under /etc/wireguard/
directory.
|
|
The wg
command is WireGuard’s build-in configuration utility for getting and setting WireGuard’s configurations. When you run the command, you will receive a single line of base64 encoded output, the public key (server_public.key
) for your WireGuard server.
Remember, the private key (server_private.key
) should never be shared with anyone and always be kept secure.
Configure Tunnel Device
We need to create a network interface for WireGuard. The network interface name will be wg0
.
|
|
Add this:
|
|
Replace the PrivateKey
with the content of the one you generated, stored in the /etc/wireguard/server_private.key
file.
|
|
Make sure to replace ens5
after -A POSTROUTING -o ...
to match the name of your public network interface. You can find it easily with:
|
|
Save and close the wg0.conf
file. Additionally, change the file permission mode to only the root user can read the files.
|
|
The interface can be named anything, however it is recommended to use something like wg0
or wgvpn0
. The settings in the interface section have the following meaning:
Address
- A comma-separated list of v4 or v6 IP addresses for the wg0 interface. Use IPs from a range that is reserved for private networks (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16).ListenPort
- The listening port. PrivateKey - A private key generated by the wg genkey command. (To see the contents of the file type: sudo cat /etc/wireguard/privatekey)SaveConfig
- When set to true, the current state of the interface is saved to the configuration file when shutdown.PostUp
- Command or script that is executed before bringing the interface up. In this example, we’re using iptables to enable masquerading. This allows traffic to leave the server, giving the VPN clients access to the Internet.
Make sure to replace ens5
after -A POSTROUTING
to match the name of your public network interface. You can easily find the interface with:
|
|
PostDown
- command or script which is executed before bringing the interface down. The iptables rules will be removed once the interface is down.
The wg0.conf
and privatekey files should not be readable to normal users. Use chmod to set the permissions to 600:
|
|
Enable and Start WireGuard VPN Service
Run the following command on the server to enable auto-start at system boot time and start WireGuard.
|
|
Check its status with the following command. You should see active in the output:
|
|
Output:
|
|
To check the interface state and configuration, enter:
|
|
Output:
|
|
Set up client
Install the WireGuard package on the client machine
|
|
You’ll need to generate a public/private key pair on the peer using the exact steps you used on the server.
|
|
Open a new /etc/wireguard/wg0.conf
file on the WireGuard client machine using your preferred editor:
|
|
Add the following lines to the file:
|
|
Replace the PrivateKey with the content of the one you generated, stored in the /etc/wireguard/client_private.key
file on the client machine.
Replace the server’s public key, which can be found in the /etc/wireguard/server_public.key
file on the server.
Replace the Endpoint value (10.2.11.9:51820
) with your server’s public IP address and port.
Finally, save and close the file.
You need to configure the server-side VPN option to allow a connection between the client (Peer) computer and the server. So, go back to the server and edit the /etc/wireguard/wg0.conf
file to add client information as follows:
|
|
|
|
Replace the PublicKey with the file’s content stored in the /etc/wireguard/client_public.key
file on the client machine.
Save the file and restart the VPN server to apply the changes:
|
|
Connecting the WireGuard Client to the Server
Run the following command on the client machine to connect the VPN client to the VPN server:
|
|
Ensure it started
|
|
Now you should be connected to the WireGuard VPN server, and the traffic from your client machine should be routed through it.
That’s all! Both client and server must be connected securely using a peer-to-peer WireGuard VPN on Ubuntu.
To test the connection, return to the VPN client and ping from it (10.70.0.2
) to the VPN server (10.70.0.1
) to see if the tunnel works.
|
|
Additionally, you can check the connection with:
|
|
Or show command
|
|
Or
|
|
Conclusion
In this guide we managed to set up wireguard as a VPN peer gateway.