How to Use WireGuard on Ubuntu

Introduction

WireGuard is a very simple, fast, and modern VPN solution that uses state-of-the-art cryptography. According to various benchmark tests, WireGuard is currently the fastest VPN solution compared to IPSec and OpenVPN. In this guide, you will learn how to establish a WireGuard connection between two servers.

Requirements

  • Ubuntu or Debian
  • Kernel 4.1 or newer

Install and Clone

Installing WireGuard itself is very simple and can be completed in just 4 steps. First, we need to install the kernel headers as well as the build essentials and various other required packages:

apt-get install libmnl-dev linux-headers-$(uname -r) build-essential make git

After completing this step, we can continue by pulling WireGuard from the Git repository:

git clone https://git.zx2c4.com/WireGuard

Build

At this point, we have installed all required packages and cloned WireGuard into WireGuard/. We can continue with the WireGuard build process and install it:

cd WireGuard/src/
make
make install

If the make install process completes without errors, we can proceed to run the exact same steps on the other server. Once done, move on to the next section of this guide – the configuration process.

Configuration

Creating a tunnel with WireGuard is very simple and can be done with just a few commands. We start by creating the VPN interface:

ip link add dev wg0 type wireguard

Next, we generate a private key; it identifies this server in the handshake that establishes the encrypted link between both parties:

umask 077
wg genkey > private

At this point, we have completed all the requirements for creating the tunnel itself:

wg set wg0 listen-port 51920 private-key ~/private peer <PEER_PUBLIC_KEY> allowed-ips 192.168.2.0/24 endpoint <OTHER_SERVER_IP>:51920

Note: You must run this command on both servers and adjust the following parameters: PEER_PUBLIC_KEY and OTHER_SERVER_IP.

To obtain the public key on each server, derive it from the private key and print it:

wg pubkey < private > public
cat public

Finally, we can assign IP addresses to our interface (.1 for the first server, .2 for the second server):

ip link set up dev wg0
ip addr add 192.168.2.1/24 dev wg0

Testing

Try pinging the other server from the first server using the following command:

ping 192.168.2.2

If you see a response from the server, it means your installation is correct and the VPN link is working. If you do not receive any response or encounter an error, review the commands you executed on both servers and make sure you adjusted the parameters accordingly.
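An added example, not part of the original guide: instead of relying on ping alone, check whether each peer has completed a recent handshake. The script parses the output format of wg show wg0 latest-handshakes (one line per peer: public key, a tab, and a Unix timestamp, 0 if no handshake ever completed). A constructed sample of that output with made-up keys and timestamps is embedded so the script runs offline; the 180-second threshold is the assumption that a healthy tunnel re-handshakes at least every 3 minutes while traffic flows.

```shell
#!/bin/sh
# Added example (not from the guide): judge tunnel health from the kernel's
# handshake timestamps rather than from ping alone. The real command is
#   wg show wg0 latest-handshakes
# which prints one "<peer-public-key><TAB><unix-timestamp>" line per peer,
# with 0 meaning that peer has never completed a handshake.

# Constructed stand-in for that command's output (fake keys, fixed timestamps)
# so the example runs offline and deterministically.
SAMPLE_HANDSHAKES=$(printf 'PEERKEYA=\t1700000000\nPEERKEYB=\t0\n')
SAMPLE_NOW=1700000100   # constructed "current time" matching the sample

# wg_peer_status NOW KEY TIMESTAMP
# Prints "<key> up|stale|never <age>" and returns 0 only when the peer is up.
wg_peer_status() {
  now=$1 key=$2 ts=${3:-0}
  if [ "$ts" -eq 0 ]; then
    printf '%s never -\n' "$key"
    return 1
  fi
  age=$((now - ts))
  # WireGuard renegotiates every 2 minutes while traffic flows, so a handshake
  # older than 3 minutes means the peer stopped answering (wrong key, wrong
  # endpoint, or a firewall dropping UDP); that is the first thing to check
  # when the ping test fails.
  if [ "$age" -le 180 ]; then
    printf '%s up %ss\n' "$key" "$age"
    return 0
  fi
  printf '%s stale %ss\n' "$key" "$age"
  return 1
}

# wg_tunnel_up NOW  (reads latest-handshakes output on stdin)
# Returns 0 when at least one peer has a fresh handshake.
wg_tunnel_up() {
  now=$1 up=0
  while IFS="$(printf '\t')" read -r key ts; do
    [ -n "$key" ] || continue
    if wg_peer_status "$now" "$key" "$ts"; then
      up=$((up + 1))
    fi
  done
  [ "$up" -gt 0 ]
}

# Demo against the constructed sample; on a real host replace the printf with
#   wg show wg0 latest-handshakes | wg_tunnel_up "$(date +%s)"
if printf '%s\n' "$SAMPLE_HANDSHAKES" | wg_tunnel_up "$SAMPLE_NOW"; then
  echo "tunnel: up"
else
  echo "tunnel: down"
fi
```

On a live server, a peer that stays at "never" after you have tried to ping it almost always means the two sides disagree on a key or endpoint, or UDP 51920 (51820 for the wg-quick setup below) is blocked; a peer that goes "stale" after having been "up" points at a NAT or firewall timing out the mapping, which is what PersistentKeepalive addresses.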

Set up a VPN server

WireGuard comes with a tool, wg-quick, for quickly creating and destroying a VPN server. Note that the configuration file used here is not a configuration file that can be validly used by wg setconf, and you will probably need to change eth0 to the interface you actually use.

Server

/etc/wireguard/wg0server.conf
[Interface]
Address = 10.0.0.1/24  # This is the virtual IP address, with the subnet mask we will use for the VPN
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = [SERVER PRIVATE KEY]

[Peer]
PublicKey = [CLIENT PUBLIC KEY]
AllowedIPs = 10.0.0.2/32  # This means the client has only one IP.

To make the iptables rules take effect, enable IPv4 forwarding:

sysctl net.ipv4.ip_forward=1

To keep this change permanently, add net.ipv4.ip_forward = 1 to /etc/sysctl.d/99-sysctl.conf.

Use wg-quick up wg0server to enable the interface, and wg-quick down wg0server to disable it.

Client (forward all traffic)

/etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.2/24  # The client IP from wg0server.conf with the same subnet mask
PrivateKey = [CLIENT PRIVATE KEY]
DNS = 10.0.0.1

[Peer]
PublicKey = [SERVER PUBLIC KEY]
AllowedIPs = 0.0.0.0/0, ::0/0
Endpoint = [SERVER ENDPOINT]:51820
PersistentKeepalive = 25

Use wg-quick up wg0 to enable the interface, and wg-quick down wg0 to disable it.

Use systemctl enable wg-quick@wg0.service to start it automatically.

If you use NetworkManager, it may be necessary to enable NetworkManager-wait-online.service:

systemctl enable NetworkManager-wait-online.service

Or, if you use systemd-networkd, enable systemd-networkd-wait-online.service:

systemctl enable systemd-networkd-wait-online.service

This makes the unit wait until all network devices are ready before the WireGuard connection is attempted.
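An added example, not part of the original guide, that checks a wg-quick file for the points both the manual wg set procedure and the server and client files above depend on: the private key file being readable only by root (the reason for umask 077), real keys in place of the [..] placeholders, each server-side peer pinned to its own /32 in AllowedIPs, and an Endpoint on the client. The keys, the 203.0.113.10 endpoint and the three sample files are constructed, format-valid placeholders written to a temporary directory so the script runs offline; wg_conf_lint, wg_key_format_ok and write_sample_configs are names chosen here, not WireGuard tooling.

```shell
#!/bin/sh
# Added example (not from the guide): a small lint for wg-quick configuration
# files. All keys and addresses below are constructed, format-valid
# placeholders, not real key material.

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# wg_key_format_ok KEY: a WireGuard key is 32 bytes in base64, i.e. 43 data
# characters plus one trailing '=' (44 total). 32 bytes are 256 bits and 43
# characters carry 258, so the last data character must have its two low
# bits clear: one of A E I M Q U Y c g k o s w 0 4 8.
wg_key_format_ok() {
  k=$1
  [ "${#k}" -eq 44 ] || return 1
  case $k in *[!A-Za-z0-9+/=]*) return 1 ;; esac   # outside the base64 alphabet
  case $k in *=*=*|*=?*) return 1 ;; esac           # '=' only once, only at the end
  case $k in *[AEIMQUYcgkosw048]=) return 0 ;; esac
  return 1
}

# wg_conf_lint FILE ROLE   (ROLE is server or client)
# Prints one line per finding; returns the number of findings (0 = clean).
wg_conf_lint() {
  file=$1 role=$2 section="" peers=0 findings=0 endpoint=""
  perm=$(stat -c %a "$file" 2>/dev/null) || perm=""
  case $perm in
    ''|?00) ;;   # owner-only, which is what umask 077 gives a freshly written file
    *) echo "$file: mode $perm lets group/others read the private key"
       findings=$((findings + 1)) ;;
  esac
  while IFS= read -r line; do
    line=$(trim "${line%%#*}")                 # strip inline comments and whitespace
    [ -n "$line" ] || continue
    case $line in
      '[Interface]') section=Interface; continue ;;
      '[Peer]')      section=Peer; peers=$((peers + 1)); continue ;;
    esac
    key=$(trim "${line%%=*}")                  # split at the first '=' only,
    val=$(trim "${line#*=}")                   # because base64 keys end in '='
    case "$section/$key" in
      Interface/PrivateKey|Peer/PublicKey)
        if ! wg_key_format_ok "$val"; then
          echo "$file: $section $key is a placeholder or malformed: $val"
          findings=$((findings + 1))
        fi ;;
      Peer/AllowedIPs)
        # On the server AllowedIPs is also an ingress filter: a peer may only
        # send packets from those sources. 0.0.0.0/0 would let one client
        # claim any address, so pin each client to its /32.
        if [ "$role" = server ]; then
          case ",$(printf '%s' "$val" | tr -d ' ')," in
            *,0.0.0.0/0,*|*,::/0,*|*,::0/0,*)
              echo "$file: peer $peers AllowedIPs '$val' is unrestricted; pin it to the peer's tunnel IP (/32)"
              findings=$((findings + 1)) ;;
          esac
        fi ;;
      Peer/Endpoint) endpoint=$val ;;
    esac
  done < "$file"
  [ "$peers" -gt 0 ] || { echo "$file: no [Peer] section"; findings=$((findings + 1)); }
  if [ "$role" = client ] && [ -z "$endpoint" ]; then
    echo "$file: client peer has no Endpoint to connect to"; findings=$((findings + 1))
  fi
  return "$findings"
}

# write_sample_configs DIR: the guide's server template as written (placeholders,
# world-readable, unrestricted AllowedIPs) next to filled-in versions.
write_sample_configs() {
  dir=$1
  srv_priv='0123456789abcdefghijklmnopqrstuvwxyzABCDEFA='   # constructed, format-valid only
  srv_pub='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopE='
  cli_priv='zyxwvutsrqponmlkjihgfedcba9876543210ZYXWVUQ='
  cli_pub='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPI='
  printf '%s\n' '[Interface]' 'Address = 10.0.0.1/24' 'ListenPort = 51820' \
    'PrivateKey = [SERVER PRIVATE KEY]' '' '[Peer]' 'PublicKey = [CLIENT PUBLIC KEY]' \
    'AllowedIPs = 0.0.0.0/0' > "$dir/weak-server.conf"
  chmod 644 "$dir/weak-server.conf"
  printf '%s\n' '[Interface]' 'Address = 10.0.0.1/24' 'ListenPort = 51820' \
    "PrivateKey = $srv_priv" '' '[Peer]' "PublicKey = $cli_pub" \
    'AllowedIPs = 10.0.0.2/32  # one client, one address' > "$dir/good-server.conf"
  printf '%s\n' '[Interface]' 'Address = 10.0.0.2/24' "PrivateKey = $cli_priv" 'DNS = 10.0.0.1' \
    '' '[Peer]' "PublicKey = $srv_pub" 'AllowedIPs = 0.0.0.0/0, ::/0' \
    'Endpoint = 203.0.113.10:51820' 'PersistentKeepalive = 25' > "$dir/good-client.conf"
  chmod 600 "$dir/good-server.conf" "$dir/good-client.conf"
}

# Demo run; on a real host: wg_conf_lint /etc/wireguard/wg0server.conf server
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for spec in weak-server.conf:server good-server.conf:server good-client.conf:client; do
  if wg_conf_lint "$demo_dir/${spec%%:*}" "${spec#*:}"; then
    echo "${spec%%:*}: clean"
  fi
done
rm -rf "$demo_dir"
```

The client file legitimately carries AllowedIPs = 0.0.0.0/0, ::/0 because there it is a routing decision (send everything through the tunnel); the same value in the server file is what the lint flags, since on that side it also decides which source addresses the peer is allowed to send. The same distinction applies to the manual setup: allowed-ips 192.168.2.0/24 on a two-server link is fine, but a hub with several peers should give each one only its own address.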

Conclusion

WireGuard is a very easy-to-use secure VPN solution. It is suitable for many network topologies, including (but not limited to): connections between servers, backbone networking, personal VPN networks, and roaming VPN networks. For additional documentation, please visit the official website. Happy hacking!
