Install WireGuard in Ubuntu 24.04

WireGuard is a safe and fast VPN protocol, now included in the Linux kernel.

WireGuard is a newer VPN protocol that many describe as both faster and more secure than OpenVPN and IPsec. With WireGuard, you can achieve speeds almost as high as without a VPN. Its security mainly stems from strong encryption, but it also benefits from the protocol consisting of only about 4,000 lines of code, making it easy to audit.

Installing WireGuard

Installing WireGuard is easy since it's included in the Linux kernel. We only need to install the user-land tools:

Command

sudo apt install wireguard-tools

Configuring the WireGuard server

Start by creating a private and a public key.

Multiple commands

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Then, create a configuration file in /etc/wireguard/wg0.conf. Paste the value from the file privatekey into the PrivateKey directive in the configuration file.

/etc/wireguard/wg0.conf

[Interface]
Address = 10.0.0.1/24
Address = fd86:ea04:1115::1/64
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ens1 -j MASQUERADE
ListenPort = 51820
PrivateKey = <ServerPrivateKey>

To allow IP forwarding, you must also add the following line to /etc/sysctl.conf:

Line in /etc/sysctl.conf

net.ipv4.ip_forward = 1

Now, run this command to activate the new setting:

Command

sudo sysctl -p /etc/sysctl.conf

Setting up the firewall

Allow SSH connections (port 22) and the port used by WireGuard (port 51820).

Multiple commands

sudo ufw allow 22/tcp
sudo ufw allow 51820/udp
sudo ufw enable

To verify the new firewall settings:

Command

sudo ufw status verbose

Starting WireGuard

To start the service, run:

Command

sudo wg-quick up wg0

Make sure WireGuard starts automatically on every server boot.

Command

sudo systemctl enable wg-quick@wg0

Check the status of the WireGuard service.

Command

sudo wg show

This should output something similar:

Output

public key: AIHCkf/4at6EJmw6NxeEF0lcfcuyeiKK8hfphEISYgA=
private key: (hidden)
listening port: 51820

Adding clients

So far, you haven't added any clients, so no one can connect to the WireGuard server.

On a client computer, install WireGuard.

Command

sudo apt install wireguard-tools

Then, generate a key pair, still on the client computer.

Multiple commands

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Create a configuration file on the client in /etc/wireguard/wg0.conf. Note that PrivateKey is the client's private key. PublicKey is the server's public key, which was generated on the server. EndPoint is the IP address or hostname of the server.

/etc/wireguard/wg0.conf

[Interface]
PrivateKey = <ClientPrivateKey>
Address = 10.0.0.2/24

[Peer]
PublicKey = <ServerPublicKey>
Endpoint = wireguard.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Adding the client to the server

On the server, add the highlighted lines to /etc/wireguard/wg0.conf, where PublicKey (in the Peer section) is the private key that was generated on the client.

/etc/wireguard/wg0.conf

[Interface]
Address = 10.0.0.1/24
Address = fd86:ea04:1115::1/64
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ens1 -j MASQUERADE
ListenPort = 51820
PrivateKey = <ServerPrivateKey>

[Peer]
PublicKey = <ClientPublicKey>
AllowedIPs = 10.0.0.2/32

Bring down WireGuard and start it back up again for the changes to take effect.

Command

sudo wg-quick down wg0
sudo wg-quick up wg0

Connect the client

On the client, connect to the server.

Command

sudo wg-quick up wg0

Check the status.

Command

sudo wg show

This will output something similar to this:

Output

interface: wg0
  public key: v0IT2o3EAReIWXAu6M5B+5ACB6GQ7U3HltoGKpcMkGQ=
  private key: (hidden)
  listening port: 46871
  fwmark: 0xca6c

peer: AIHCkf/4at6EJmw6NxeEF0lcfcuyeiKK8hfphEISYgA=
  endpoint: 203.0.113.79:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 5 seconds ago
  transfer: 57.41 KiB received, 44.75 KiB sent
  persistent keepalive: every 25 seconds

You can also try to ping the tunnel's internal IP address of the server:

Command

ping 10.0.0.1

If the ping command worked, everything is set up, and the tunnel is active.

PreviousInstall Jitsi Meet in Ubuntu 24.04 NextInstall Active Directory and Remote Desktop Services using PowerShell

Last updated 7 months ago

Was this helpful?