WireGuard is a new and promising VPN protocol that lately was integrated into the official Linux kernel from 5.4 onwards. It is very simple and more performant than other VPN protocols like OpenVPN or IPSec. I recently wrote an article that compares WireGuard to OpenVPN and IPSec, check it out here. Although WireGuard may not be an enterprise-ready solution yet, it may become more important in the future. If you haven’t already, it’s time to get started with WireGuard Installation and configuration now!
In this guide, I’ll walk you step by step through the installation and configuration. Therefore, as a demonstration, we create a basic VPN connection between two peers. I’m using Ubuntu 20.04 LTS for this example because it already includes kernel support for WireGuard. But you can just install WireGuard on most modern operating systems or Linux distributions. In this case, you can refer to the official installation guides.
1. WireGuard installation on server & client (Ubuntu 20.04 LTS)
To install WireGuard on Ubuntu 20.04 LTS we need to execute the following commands on the Server and Client.
sudo apt install wireguard
If you want to know how to install WireGuard on different distributions or operating systems, check out the official WireGuard documentation.
2. Create a private and public key on Server & Client
Before we can establish a secure tunnel with WireGuard we need to create a private and public key on both, Server and Client first. WireGuard comes with a simple tool that can easily generate these keys. Execute this on the Server and Client.
wg genkey | tee privatekey | wg pubkey > publickey
*-ADVERTISEMENT: You can also use a service like LastPass to store any keypairs like private/public keys in a secure and easy way. It also offers you two-factor authentication.
3. Configure the Server
Now you can configure the server, just add a new file called “/etc/wireguard/wg0.conf“. Insert the following configuration lines and replace the <server-private-key> placeholder with the previously generated private key.
You need to insert a private IP address for the <server-ip-address> that doesn’t interfere with another subnet. Next, replace the <public-interface> with your interface the server should listen on for incoming connections.
[Interface] PrivateKey=<server-private-key> Address=<server-ip-address>/<subnet> SaveConfig=true PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <public-interface> -j MASQUERADE; PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <public-interface> -j MASQUERADE; ListenPort = 51820
4. Configure the Client
Now, we need to configure the client. Create a new file called “/etc/wireguard/wg0.conf”. Insert the following configuration lines and replace the <client-private-key> placeholder with the previously generated private key.
You need to insert a private IP address for the <client-ip-address> in the same subnet like the server’s IP address. Next, replace the <server-public-key> with the generated servers public key. And also replace <server-public-ip-address> with the IP address where the server listens for incoming connections.
[Interface] PrivateKey = <client-private-key> Address = <client-ip-address>/<subnet> SaveConfig = true [Peer] PublicKey = <server-public-key> Endpoint = <server-public-ip-address>:51820 AllowedIPs = 0.0.0.0/0
Once you have created the configuration file, you need to enable the wg0 interface with the following command.
wg-quick up wg0
You can check the status of the connection with this command.
5. Add Client to the Server
Next, you need to add the client to the server configuration file. Otherwise, the tunnel will not be established. Replace the <client-public-key> with the clients generated public key and the <client-ip-address> with the client’s IP address on the wg0 interface.
wg set wg0 peer <client-public-key> allowed-ips <client-ip-address>/32
Now you can enable the wg0 interface on the server.
wg-quick up wg0
Next, you can check if the connection is established with the following command.
6. Troubleshooting / Documentation
If you have successfully finished the WireGuard installation and configuration, you may ask yourself how to troubleshoot issues. Here you find the official documentation links and a short troubleshooting cheat sheet I created.