# Install WireGuard in Ubuntu 24.04

***

WireGuard is a newer VPN protocol that many describe as both faster and more secure than OpenVPN and IPsec. With WireGuard, you can achieve speeds almost as high as without a VPN. Its security rests on a small, fixed set of modern cryptographic primitives (there is no cipher negotiation, so nothing can be downgraded) and on an implementation of only about 4,000 lines of kernel code, which makes it practical to audit.

## Installing WireGuard

Installing WireGuard is easy since it is part of the Linux kernel (since 5.6; Ubuntu 24.04 ships 6.8). We only need to install the userspace tools, which provide `wg` and `wg-quick`:

{% code title="Command" %}

```
sudo apt install wireguard-tools
```

{% endcode %}

## Configuring the WireGuard server

Start by creating a private and a public key. `umask 077` makes the new files readable only by their owner. Keep `privatekey` on the server only: it is the server's identity, and anyone holding it can impersonate the server to your clients. Only public keys are ever copied between machines.

{% code title="Multiple commands" %}

```
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
```

{% endcode %}

Then create `/etc/wireguard/wg0.conf`, owned by root with mode 600 because it contains the private key, and paste the value from the file `privatekey` into the `PrivateKey` directive. `ens1` is the server's public network interface; replace it with the name shown by `ip route show default`. The `PostUp` rules accept traffic forwarded from the tunnel and NAT it out through that interface, and `PostDown` removes them again. `SaveConfig = true` makes wg-quick write the running configuration back to this file when the interface is brought down, which persists peers added with `wg set` but also overwrites any edits made to the file while the interface is up. The IPv6 address is optional; this guide configures forwarding and NAT for IPv4 only.

{% code title="/etc/wireguard/wg0.conf" %}

```
[Interface]
Address = 10.0.0.1/24
Address = fd86:ea04:1115::1/64
SaveConfig = true
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT; iptables -I FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ens1 -j MASQUERADE
ListenPort = 51820
PrivateKey = <ServerPrivateKey>
```

{% endcode %}

To allow IP forwarding, you must also add the following line to `/etc/sysctl.conf`:

{% code title="Line in /etc/sysctl.conf" %}

```
net.ipv4.ip_forward = 1
```

{% endcode %}

Now, run this command to activate the new setting:

{% code title="Command" %}

```
sudo sysctl -p /etc/sysctl.conf
```

{% endcode %}

## Setting up the firewall

Allow SSH (port 22) and the WireGuard listen port (51820/udp) before enabling ufw; on a remote server, enabling it without the SSH rule would cut off your own session. Note that ufw sets the default forwarding policy to DROP, so traffic forwarded from the tunnel is only allowed because of the `PostUp` rules in `wg0.conf`.

{% code title="Multiple commands" %}

```
sudo ufw allow 22/tcp
sudo ufw allow 51820/udp
sudo ufw enable
```

{% endcode %}

To verify the new firewall settings:

{% code title="Command" %}

```
sudo ufw status verbose
```

{% endcode %}

## Starting WireGuard

To start the service, run:

{% code title="Command" %}

```
sudo wg-quick up wg0
```

{% endcode %}

Make sure WireGuard starts automatically on every server boot.

{% code title="Command" %}

```
sudo systemctl enable wg-quick@wg0
```

{% endcode %}

Check the state of the interface (no peers are configured yet, so only the interface itself is listed).

{% code title="Command" %}

```
sudo wg show
```

{% endcode %}

This should print something like the following:

{% code title="Output" %}

```
interface: wg0
  public key: AIHCkf/4at6EJmw6NxeEF0lcfcuyeiKK8hfphEISYgA=
  private key: (hidden)
  listening port: 51820
```

{% endcode %}

## Adding clients

So far, you haven't added any clients, so no one can connect to the WireGuard server.

On a **client computer**, install WireGuard.

{% code title="Command" %}

```
sudo apt install wireguard-tools
```

{% endcode %}

Then, generate a key pair, still on the client computer.

{% code title="Multiple commands" %}

```
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
```

{% endcode %}

Create `/etc/wireguard/wg0.conf` on the client. `PrivateKey` is the client's private key. `PublicKey` is the server's public key, the contents of the `publickey` file generated on the server; it is all the client uses to authenticate the server, so copy it over a trusted channel and compare it with the output of `sudo wg show wg0 public-key` on the server. `Endpoint` is the server's public IP address or hostname followed by its listen port. `AllowedIPs = 0.0.0.0/0` routes all of the client's IPv4 traffic through the tunnel; use `AllowedIPs = 10.0.0.0/24` instead if only traffic to the VPN network should go through it. `PersistentKeepalive = 25` keeps the mapping open when the client sits behind NAT.

{% code title="/etc/wireguard/wg0.conf" %}

```
[Interface]
PrivateKey = <ClientPrivateKey>
Address = 10.0.0.2/24

[Peer]
PublicKey = <ServerPublicKey>
Endpoint = wireguard.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

{% endcode %}

### Adding the client to the server

**On the server**, bring the interface down first with `sudo wg-quick down wg0`: with `SaveConfig = true`, wg-quick overwrites `wg0.conf` with the running configuration whenever the interface goes down, so an edit made while it is up would be lost. Then append the following `[Peer]` section to `/etc/wireguard/wg0.conf`. `PublicKey` is the client's public key (the contents of the `publickey` file generated on the client; never copy a private key between machines), and `AllowedIPs` is the client's tunnel address as a `/32`, the only source address the server will accept from this key.

{% code title="/etc/wireguard/wg0.conf" %}

```
[Peer]
PublicKey = <ClientPublicKey>
AllowedIPs = 10.0.0.2/32
```

{% endcode %}

Bring WireGuard down and back up again for the change to take effect; skip the `down` command if the interface is already down. Remember that with `SaveConfig = true` the `down` step writes the running configuration over `wg0.conf`, so a `[Peer]` section added while the interface was up is lost and must be added again before `up`.

{% code title="Command" %}

```
sudo wg-quick down wg0
sudo wg-quick up wg0
```

{% endcode %}
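As an added example that is not part of this guide, the script below automates the peer step in a way that avoids the `SaveConfig` pitfall entirely. It validates the pasted key with the same rule `wg` applies (32 bytes of base64, with the padding bits zero), picks the next free address in 10.0.0.0/24 from the `AllowedIPs` lines already in the config, adds the peer to the running interface with `wg set` (existing sessions stay up), and persists it with `wg-quick save`, which writes the running state to `wg0.conf` immediately instead of waiting for the next `wg-quick down`; if `SaveConfig` is not set it appends the stanza to the file instead. The interface name `wg0`, the config path and the 10.0.0.0/24 subnet are assumptions taken from this guide.

{% code title="add-wg-peer.sh" %}

```sh
#!/bin/sh
# add-wg-peer.sh: add one client to a running WireGuard server.
# Added example, not part of the GleSYS guide. It assumes the guide's layout:
# interface wg0, config /etc/wireguard/wg0.conf, clients in 10.0.0.0/24.
# Usage (as root): ./add-wg-peer.sh <ClientPublicKey> [interface] [config]
set -eu

WG_SUBNET_PREFIX="10.0.0."   # assumed to match Address = 10.0.0.1/24

# A WireGuard key is 32 bytes of base64: 44 characters ending in '='. The
# 43rd character carries only 4 payload bits, so wg's own parser rejects
# keys whose low bits there are set; this regex applies the same rule.
wg_key_valid() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Print the lowest unused 10.0.0.x (x = 2..254) given the AllowedIPs already
# in the server config; .1 is the server itself. Returns 1 if the subnet is full.
next_free_address() {
    used=$(awk -F'[= ,/]+' '/^[ \t]*AllowedIPs/ {
                for (i = 2; i <= NF; i++) if ($i ~ /^10\.0\.0\./) print $i }' "$1")
    x=2
    while [ "$x" -le 254 ]; do
        if ! printf '%s\n' "$used" | grep -qxF "${WG_SUBNET_PREFIX}${x}"; then
            printf '%s\n' "${WG_SUBNET_PREFIX}${x}"
            return 0
        fi
        x=$((x + 1))
    done
    return 1
}

# The [Peer] stanza as it belongs in the server config: AllowedIPs is a /32,
# so this key can only ever source packets from its own tunnel address.
peer_stanza() {
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# Add the peer to the live interface with `wg set`, then persist it. With
# SaveConfig = true, `wg-quick save` writes the running state to the file now,
# the same thing `wg-quick down` would do later; without SaveConfig the
# stanza is appended to the file instead so hand-written comments survive.
add_peer() {
    key="$1"; iface="${2:-wg0}"; conf="${3:-/etc/wireguard/$iface.conf}"
    if ! wg_key_valid "$key"; then
        echo "refusing: '$key' is not a valid WireGuard public key" >&2
        return 2
    fi
    addr=$(next_free_address "$conf") || { echo "no free address left" >&2; return 3; }
    wg set "$iface" peer "$key" allowed-ips "${addr}/32"
    if grep -Eiq '^[ \t]*SaveConfig[ \t]*=[ \t]*true' "$conf"; then
        wg-quick save "$iface"
    else
        peer_stanza "$key" "$addr" >> "$conf"
    fi
    printf 'Added peer. Client side: Address = %s/24, PublicKey = %s\n' \
        "$addr" "$(wg show "$iface" public-key)"
}

# Run only when given arguments, so sourcing the file just defines functions.
if [ "$#" -gt 0 ]; then add_peer "$@"; fi
```

{% endcode %}

The key check matters because a key pasted with a missing or extra character fails only when `wg set` runs, and a key whose padding bits are wrong is rejected by `wg` even though `base64 -d` accepts it.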

### Connect the client

On the client, connect to the server.

{% code title="Command" %}

```
sudo wg-quick up wg0
```

{% endcode %}

Check the status.

{% code title="Command" %}

```
sudo wg show
```

{% endcode %}

This will output something similar to this:

{% code title="Output" %}

```
interface: wg0
  public key: v0IT2o3EAReIWXAu6M5B+5ACB6GQ7U3HltoGKpcMkGQ=
  private key: (hidden)
  listening port: 46871
  fwmark: 0xca6c

peer: AIHCkf/4at6EJmw6NxeEF0lcfcuyeiKK8hfphEISYgA=
  endpoint: 203.0.113.79:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 5 seconds ago
  transfer: 57.41 KiB received, 44.75 KiB sent
  persistent keepalive: every 25 seconds
```

{% endcode %}

From the client, you can also ping the server's tunnel address:

{% code title="Command" %}

```
ping 10.0.0.1
```

{% endcode %}

If the ping succeeds, the tunnel is up. Because the client routes all its traffic through it (`AllowedIPs = 0.0.0.0/0`), also check that a host outside the VPN is reachable from the client; that exercises the forwarding and NAT rules on the server, which a ping to 10.0.0.1 does not.
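`wg-quick up` reports success even when the peer's key is wrong or the `Endpoint` is unreachable, because WireGuard only handshakes when there is traffic to send and stays silent on failure; the `latest handshake` line above is the real signal. The script below, an added example rather than part of this guide, reads the machine-readable `wg show <interface> dump` output and flags peers that have never handshaked or whose last handshake is older than 180 seconds. That threshold is an assumption: WireGuard retires session keys 180 s after a handshake, and with `PersistentKeepalive = 25` a healthy tunnel re-handshakes well before that. It works on a client (one peer) and on the server (one line per client).

{% code title="wg-health.sh" %}

```sh
#!/bin/sh
# wg-health.sh: tell whether a WireGuard tunnel is really up from the
# handshake ages in `wg show <interface> dump`. Added example, not from the
# GleSYS guide. `wg-quick up` succeeds even with a wrong peer key or an
# unreachable Endpoint; only a recent handshake proves the peers can talk.
# Usage (as root): ./wg-health.sh wg0
set -eu

# Assumed threshold: WireGuard retires session keys 180 s after a handshake
# (REJECT_AFTER_TIME), and with PersistentKeepalive = 25 a live tunnel
# re-handshakes well before that, so an older handshake means "disconnected".
STALE_AFTER=180

# Reads `wg show <interface> dump` on stdin. Line 1 is the interface
# (private key, public key, listen port, fwmark); every later line is one
# peer with tab-separated fields:
#   public_key  preshared_key  endpoint  allowed_ips  latest_handshake  rx_bytes  tx_bytes  keepalive
# latest_handshake is a Unix timestamp, 0 if this peer never completed one.
# Prints one verdict per peer and returns 0 only if every peer is fresh.
check_peers() {
    now="$1"
    awk -F'\t' -v now="$now" -v stale="$STALE_AFTER" '
        NR == 1 { next }                       # interface line, not a peer
        NF < 8  { next }                       # ignore anything malformed
        {
            key = substr($1, 1, 8) "..."       # enough to identify the peer
            if ($5 == 0) {
                printf "%s NEVER handshaked (endpoint %s)\n", key, $3
                bad++
            } else if (now - $5 > stale) {
                printf "%s STALE: last handshake %d s ago\n", key, now - $5
                bad++
            } else {
                printf "%s ok: handshake %d s ago, %d B in, %d B out\n", key, now - $5, $6, $7
            }
        }
        END { exit (bad > 0) }'
}

# With an interface name as argument, check the live interface; without
# arguments only the function is defined (so the file can be sourced).
if [ "$#" -gt 0 ]; then
    wg show "$1" dump | check_peers "$(date +%s)"
fi
```

{% endcode %}

The exit status makes this usable from cron or a monitoring agent: a non-zero result on the server means at least one configured client is not currently connected, which is expected for roaming laptops but worth alerting on for site-to-site peers.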

