WireGuard installation and configuration – on Linux

WireGuard is a new and promising VPN protocol that was recently integrated into the official Linux kernel, from version 5.4 onwards. It is very simple and more performant than other VPN protocols like OpenVPN or IPsec. I recently wrote an article that compares WireGuard to OpenVPN and IPsec; check it out here. Although WireGuard may not be an enterprise-ready solution yet, it may become more important in the future. If you haven’t already, it’s time to get started with WireGuard installation and configuration now!

In this guide, I’ll walk you step by step through the installation and configuration. As a demonstration, we create a basic VPN connection between two peers. I’m using Ubuntu 20.04 LTS for this example because it already includes kernel support for WireGuard, but you can install WireGuard on most modern operating systems and Linux distributions; in that case, refer to the official installation guides.


1. WireGuard installation on server & client (Ubuntu 20.04 LTS)

To install WireGuard on Ubuntu 20.04 LTS, execute the following command on both the server and the client.

sudo apt install wireguard

If you want to know how to install WireGuard on different distributions or operating systems, check out the official WireGuard documentation.


2. Create a private and public key on Server & Client

Before we can establish a secure tunnel with WireGuard, we need to create a private and public key on both the server and the client. WireGuard comes with a simple tool that generates these keys. Execute this on the server and the client.

wg genkey | tee privatekey | wg pubkey > publickey

  • Be aware: you MUST NOT SHARE the private key with anyone! Make sure to store it securely on both devices.



3. Configure the Server

Now you can configure the server: create a new file called “/etc/wireguard/wg0.conf”. Insert the following configuration lines and replace the <server-private-key> placeholder with the private key generated earlier.

For <server-ip-address>, insert a private IP address that doesn’t collide with any other subnet in use. Next, replace <public-interface> with the interface the server should listen on for incoming connections.

[Interface]
PrivateKey = <server-private-key>
Address = <server-ip-address>/<subnet>
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <public-interface> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <public-interface> -j MASQUERADE
ListenPort = 51820

4. Configure the Client

Now we need to configure the client. Create a new file called “/etc/wireguard/wg0.conf”. Insert the following configuration lines and replace the <client-private-key> placeholder with the private key generated earlier.

For <client-ip-address>, insert a private IP address in the same subnet as the server’s address. Next, replace <server-public-key> with the server’s generated public key, and replace <server-public-ip-address> with the IP address on which the server listens for incoming connections.

  • Note that if you set AllowedIPs to 0.0.0.0/0, the client routes ALL traffic through the VPN tunnel. That means that even the client’s public internet traffic will leave through the server side. If you don’t want to route all traffic through the tunnel, replace this with the target IP addresses or networks.

[Interface]
PrivateKey = <client-private-key>
Address = <client-ip-address>/<subnet>
SaveConfig = true

[Peer]
PublicKey = <server-public-key>
Endpoint = <server-public-ip-address>:51820
AllowedIPs = 0.0.0.0/0
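As an added example (not a script from the original article), the server and client configuration files of steps 3 and 4 rendered from shell variables, so that no <placeholder> is left behind and the file holding the PrivateKey is written with owner-only permissions (wg-quick warns when a config is world-readable). The key strings, addresses and interface name in the usage comments are constructed sample values, and the function names are my own.

```shell
#!/bin/sh
# Added example: render wg0.conf for server and client from variables and
# write them with mode 600. Not part of the original article.

# render_server_conf PRIVATE_KEY ADDRESS/PREFIX PUBLIC_INTERFACE LISTEN_PORT
# Prints the server [Interface] section in the article's layout.
render_server_conf() {
    _priv=$1; _addr=$2; _pubif=$3; _port=$4
    cat <<EOF
[Interface]
PrivateKey = $_priv
Address = $_addr
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $_pubif -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $_pubif -j MASQUERADE
ListenPort = $_port
EOF
}

# render_client_conf PRIVATE_KEY ADDRESS/PREFIX SERVER_PUBLIC_KEY ENDPOINT ALLOWED_IPS
# Prints the client [Interface] and [Peer] sections.
render_client_conf() {
    _priv=$1; _addr=$2; _srvpub=$3; _endpoint=$4; _allowed=$5
    cat <<EOF
[Interface]
PrivateKey = $_priv
Address = $_addr
SaveConfig = true

[Peer]
PublicKey = $_srvpub
Endpoint = $_endpoint
AllowedIPs = $_allowed
EOF
}

# check_conf FILE: fail if an unreplaced <placeholder> or an empty value is
# left in the rendered file. Returns 0 when clean, 1 otherwise.
check_conf() {
    if grep -q '<[a-z-]*>' "$1"; then
        echo "unreplaced placeholder in $1" >&2; return 1
    fi
    if grep -Eq '^[A-Za-z]+ *= *$' "$1"; then
        echo "empty value in $1" >&2; return 1
    fi
    return 0
}

# write_conf FILE: read a rendered config on stdin, write it with mode 600
# (umask 077 applied only inside the subshell), then validate it.
write_conf() {
    ( umask 077; cat > "$1" )
    check_conf "$1"
}

# Usage (constructed sample values; run as root to write under /etc/wireguard):
#   render_server_conf 'SERVER-PRIVATE-KEY' 10.8.0.1/24 eth0 51820 | write_conf /etc/wireguard/wg0.conf
#   render_client_conf 'CLIENT-PRIVATE-KEY' 10.8.0.2/24 'SERVER-PUBLIC-KEY' 203.0.113.10:51820 0.0.0.0/0 | write_conf /etc/wireguard/wg0.conf
```

The placeholder check catches the most common mistake in this step, a forgotten <server-public-key> or <public-interface>, before wg-quick is ever run; the 600 mode keeps the private key readable by root only.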

Once you have created the configuration file, you need to enable the wg0 interface with the following command.

wg-quick up wg0

You can check the status of the connection with this command.

wg

5. Add Client to the Server

Next, you need to add the client to the server configuration. Otherwise, the tunnel will not be established. Replace <client-public-key> with the client’s generated public key and <client-ip-address> with the client’s IP address on the wg0 interface.

wg set wg0 peer <client-public-key> allowed-ips <client-ip-address>/32

Now you can enable the wg0 interface on the server.

wg-quick up wg0

Next, check whether the connection is established with the following command.

wg
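The commands of this step bundled into a checked shell function, as an added example rather than the article's own script. It validates the peer public key and the allowed-ips CIDR before calling wg set, and it brings wg0 up first, because wg set can only modify an interface that already exists. The require_forwarding check is my addition: the PostUp FORWARD and MASQUERADE rules from step 3 only carry client traffic when the kernel has net.ipv4.ip_forward set to 1, which the article's configuration does not set. The function names are mine; the key in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: validate inputs, then add a client peer to the server's wg0.
# Not part of the original article.

# A WireGuard key is 32 bytes in base64: 43 base64 characters plus '='.
# This is a syntax check only; wg itself rejects keys that do not decode.
valid_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# valid_ipv4_cidr A.B.C.D/N: four octets 0-255 and a prefix length 0-32.
valid_ipv4_cidr() {
    _ip=${1%/*}; _len=${1#*/}
    [ "$_ip" != "$1" ] || return 1                 # no '/' present
    case $_len in ''|*[!0-9]*) return 1;; esac
    [ "$_len" -le 32 ] || return 1
    _n=0; _old_ifs=$IFS; IFS=.
    for _o in $_ip; do
        case $_o in ''|*[!0-9]*) IFS=$_old_ifs; return 1;; esac
        [ "$_o" -le 255 ] || { IFS=$_old_ifs; return 1; }
        _n=$((_n + 1))
    done
    IFS=$_old_ifs
    [ "$_n" -eq 4 ]
}

# The FORWARD/MASQUERADE rules do nothing unless IPv4 forwarding is enabled.
require_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] || {
        echo "net.ipv4.ip_forward is not 1: client traffic will not be forwarded" >&2
        return 1
    }
}

# add_peer CLIENT_PUBLIC_KEY CLIENT_ADDRESS/32
# Brings wg0 up if needed, adds the peer, and confirms it is listed.
add_peer() {
    _pub=$1; _cidr=$2
    valid_wg_key "$_pub" || { echo "invalid peer public key" >&2; return 1; }
    valid_ipv4_cidr "$_cidr" || { echo "invalid allowed-ips: $_cidr" >&2; return 1; }
    require_forwarding || return 1
    # wg set needs a live interface, so start wg0 first when it is absent
    wg show wg0 >/dev/null 2>&1 || wg-quick up wg0 || return 1
    wg set wg0 peer "$_pub" allowed-ips "$_cidr" || return 1
    wg show wg0 peers | grep -Fxq "$_pub"
}

# Usage (as root on the server; the key is a placeholder, not a real key):
#   add_peer '<client-public-key>' 10.8.0.2/32
```

Because the article's server config sets SaveConfig = true, a peer added this way is written back into /etc/wireguard/wg0.conf when the interface is taken down with wg-quick down, so it survives the next wg-quick up.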

6. Troubleshooting / Documentation

If you have successfully finished the WireGuard installation and configuration, you may ask yourself how to troubleshoot issues. Here you can find the official documentation links and a short troubleshooting cheat sheet I created.
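A small troubleshooting helper, added here as an example and not part of the article's cheat sheet. It reads the tab-separated output of wg show wg0 dump (first line: the interface; one line per peer with public-key, preshared-key, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive, where latest-handshake is a Unix timestamp and 0 means never) and reports peers that have never completed a handshake or whose last handshake is older than a threshold. The default of 180 seconds rests on the protocol's behaviour of re-handshaking roughly every two minutes while traffic flows. The dump lines in the comments are constructed sample data and the function names are mine.

```shell
#!/bin/sh
# Added example: flag peers without a recent handshake from `wg show wg0 dump`.
# Not part of the original article.

# stale_peers NOW MAX_AGE_SECONDS  (dump text on stdin)
# Prints "<public-key> <reason>" for every peer that never handshaked or
# whose latest handshake is older than MAX_AGE_SECONDS relative to NOW.
stale_peers() {
    awk -F'\t' -v now="$1" -v max="$2" '
        NR == 1 { next }                           # interface line has no handshake field
        {
            key = $1; hs = $5
            if (hs == 0)
                print key " never-handshaked"
            else if (now - hs > max)
                print key " last-handshake-" (now - hs) "s-ago"
        }'
}

# check_wg0 [MAX_AGE_SECONDS]: run against the live interface (needs root).
# Exit status is 0 when no stale peer was printed.
check_wg0() {
    _out=$(wg show wg0 dump | stale_peers "$(date +%s)" "${1:-180}") || return 1
    [ -z "$_out" ] || { printf '%s\n' "$_out"; return 1; }
}

# Constructed sample dump (tabs separate the fields; keys are not real):
#   SRVPRIV     SRVPUB  51820   off
#   CLIENTPUB1  (none)  203.0.113.5:41234  10.8.0.2/32  1700000000  1234  5678  off
#   CLIENTPUB2  (none)  (none)             10.8.0.3/32  0           0     0     off
# With now=1700000100 and max=180 only CLIENTPUB2 is reported as never-handshaked.
```

A peer reported as never-handshaked on the server usually points at a mismatch in this guide's step 4 or 5: a wrong public key on either side, a wrong Endpoint, an AllowedIPs entry that does not cover the client's address, or UDP port 51820 being filtered before it reaches the server.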

2 thoughts on “WireGuard installation and configuration – on Linux”

  1. Hi there! Thanks for your tutorial, it helped me a lot 🙂

    I’ve encountered a problem following your instructions: I could reach my server from my client but never passed through it…

    Finally I found that it was the PostUp, and naturally the PostDown, that were missing a route.
    Here is what worked for me in the conf file:
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o <public-interface> -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o <public-interface> -j MASQUERADE

    Thank you again!

