Setting Up a WireGuard VPN in Ubuntu

Posted by
May 22, 2024

WireGuard, a blazingly fast and modern VPN solution, is here to revolutionize your Ubuntu experience. Unlike its established counterparts like IPSec, WireGuard boasts a lean codebase and a cryptographically sound handshake process, resulting in unparalleled performance and efficiency.

What You Need

Assuming that you already have a robust foundation in place before embarking on the WireGuard configuration process, here's a breakdown of the essential elements:

Ubuntu 20.04 Server

We'll use the stability and security features of Ubuntu 20.04 LTS (Long-Term Support) for our WireGuard server. Ensure you have a dedicated Ubuntu server provisioned with a non-root user possessing sudo privileges.

Additionally, a functional firewall is paramount for network security; consider consulting our "Initial Server Setup with Ubuntu 20.04" tutorial if necessary. Throughout this guide, this server will be referred to as the WireGuard Server.

WireGuard Peer Device

You'll need a separate client machine, designated as the WireGuard Peer, to establish a secure connection with the WireGuard Server. This could be your local workstation, a remote server, or even a mobile device.

While we'll be focusing on local machine setup for this tutorial, the core principles remain applicable to other client configurations. Remember, if using a remote system, meticulously follow the optional sections later in the guide to avoid potential lockout situations.

IPv6 Support (Optional)

To leverage the benefits of IPv6 with WireGuard, your server needs to be configured for this specific traffic type.

The Guide

Here’s a step-by-step guide on setting up WG on your machine.

Step 1: Installation and Keypair Generation

We'll commence by ensuring our WireGuard Server possesses the latest package information. Execute the following command to refresh the package repository index:

sudo apt update

Next, use apt to install the WireGuard package:

sudo apt install wireguard

WireGuard hinges on the secure exchange of cryptographic keys. To establish this foundation, we'll generate a private and public keypair specifically for the server. The wg utility provides the necessary commands for this task.

Next, employ the wg genkey command to generate a robust private key. Pipe the output to the /etc/wireguard/private.key file using tee for persistence. Since this key is paramount for security, restrict access using chmod:

wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key

The sudo chmod go= /etc/wireguard/private.key command meticulously removes all read permissions for users and groups other than the root user, safeguarding the private key.

The command should output a single line of base64-encoded data representing the private key. Remember to make a secure copy of this key for later inclusion in the WireGuard configuration file.

Now, derive the corresponding public key from the private key using wg pubkey. Store the output in the /etc/wireguard/public.key file:

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

This command utilizes the pipe (|) operator to chain three sub-commands:

  • sudo cat /etc/wireguard/private.key: Reads the private key file and sends its contents to standard output
  • wg pubkey: Takes the standard input (private key content) and generates the public key
  • sudo tee /etc/wireguard/public.key: Receives the public key from the previous command and writes it to the specified file

A single line of base64-encoded data, representing the public key, will be displayed. Securely copy this key, as it will be distributed to authorized WireGuard peers for connection establishment.

We've successfully laid the cryptographic groundwork for secure WireGuard communication on our server. Now, let's proceed to the next step: WireGuard server configuration.

Step 2: WireGuard Server Configuration

Now that the keypair is in place, it's time to craft the WireGuard server configuration file. This file instructs the WireGuard daemon on how to manage the VPN tunnel and secure communications.

First, use a text editor (like nano or vim) to create a new file named wg0.conf in the /etc/wireguard directory. This file will house the server's configuration directives. The first section defines the WireGuard interface. Add the following line to specify the interface name:


PrivateKey = /etc/wireguard/private.key

  • [Interface]: This header signifies the beginning of the interface configuration block.
  • PrivateKey = /etc/wireguard/private.key: This directive points to the location of the server's private key, generated in step 1.

To restrict access to a specific IP address range for connected peers, utilize the AllowedIPs directive within the Peer section (explained later). However, for each client device that will connect to the VPN, you'll need to define a separate Peer block within the configuration file.

Each Peer block will specify the client public key and any additional configuration options.

Here's an example wg0.conf file structure incorporating a single peer:

PrivateKey = /etc/wireguard/private.key
PublicKey = CLIENT_PUBLIC_KEY  # Replace with actual client's public key
AllowedIPs =  # Restricts peer to a single IP address
# Add additional Peer blocks for other clients if needed

Remember to replace CLIENT_PUBLIC_KEY with your WireGuard client's actual public key. You'll obtain this key from the client device configuration process, which will be covered in a later step. Once you've meticulously crafted the configuration file, save it using your chosen text editor. We're now ready to load and activate the WireGuard configuration.

Step 3: Loading and Activating the WireGuard Configuration

With the wg0.conf file meticulously crafted, it's time to integrate it into the WireGuard service on the server. Here's how to proceed:

Instruct the WireGuard daemon to load the configuration file using the following command:

sudo wg-quick up wg0

Now, replace wg0 with the actual interface name specified in your wg0.conf file if it differs. If the configuration is valid and the system detects no errors, the WireGuard interface (wg0 by default) should become active. You can verify the interface status using the following command:

sudo ip addr show wg0
A successful output will display the interface details, including its IP address and status. By default, the WireGuard interface deactivates during system reboots.

To ensure automatic activation during system startup, create a systemd service file for WireGuard. We'll cover the steps for creating a systemd service file in a later optional section, focusing on manual activation for now.

Verifying WireGuard Connection

Once the interface is active, you can test the WireGuard connection from your client device (covered in a later step) by attempting to ping the server's internal IP address assigned by WireGuard.

This step establishes the WireGuard interface and prepares the server for communication. We'll explore client configuration and firewall considerations in the subsequent steps.

Step 4: Configuring the WireGuard Peer (Client)

Now that the server is primed and ready, let's shift our focus to configuring the WireGuard client device, also known as the WireGuard Peer, in this guide. The specific steps may vary slightly depending on your client's operating system, but the core principles remain consistent.

First, ensure WireGuard is installed on your client device. For installation instructions specific to your client's operating system, refer to the official WireGuard documentation. Similar to the server setup, generate a private and public keypair for the client device using the wg genkey command. Here's an example:

wg genkey | tee client.key

This command generates a keypair and stores the private key in a file named client.key. Make sure to keep this file confidential as it grants access to the VPN tunnel.

Recall the server's public key you generated earlier (located in /etc/wireguard/public.key on the server).

You'll need to provide this public key during client configuration. The method for configuring the WireGuard client will vary depending on your operating system. Here are some general possibilities:

  • GUI Applications: Some Linux distributions offer graphical user interface (GUI) tools for WireGuard configuration. These tools might provide user-friendly interfaces for entering configuration details.
  • Manual Configuration: For more granular control, you can create a configuration file similar to the server's wg0.conf file. This file would specify the client's private key, the server's public key, endpoint information (server's public IP or hostname), and any additional options.

Here's a basic example client configuration assuming manual setup:

PrivateKey = client.key
PublicKey = SERVER_PUBLIC_KEY  # Replace with actual server's public key
Endpoint = SERVER_IP:PORT  # Replace with server's public IP or hostname and port (if non-standard)
AllowedIPs =  # Restricts client to a single IP address (optional)

Remember to replace the placeholders with your actual server information.

Once you've configured the WireGuard client according to your chosen method, save the configuration file or apply the settings in the GUI application. We're now ready to connect the client to the WireGuard server.

Advanced Management with Netmaker

While this guide focuses on the core configuration of a WireGuard VPN, for those seeking a more streamlined and feature-rich management experience, Netmaker presents a compelling option. Netmaker is a software tool designed to simplify WireGuard network administration, particularly in complex setups with multiple devices.

Here's a glimpse into the benefits Netmaker offers:

  • Centralized Control Plane: Manage and configure your entire WireGuard mesh network from a single, intuitive interface.
  • Automated Key Management: Eliminate the manual burden of handling and distributing WireGuard keys. Netmaker automates key generation and deployment.
  • User Authentication: Implement role-based access control to restrict access and enhance security within your WireGuard network.
  • Simplified Network Management: Netmaker simplifies tasks like adding new peers, modifying configurations, and monitoring network health.

With Netmaker, you can leverage it to streamline your WireGuard network management and enhance the overall user experience, especially in larger or more intricate network configurations.

More posts


A WireGuard® VPN that connects machines securely, wherever they are.
Star us on GitHub
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.