Install WireGuard VPN Server & Client On Ubuntu 18.04
WireGuard is a free alternative to OpenVPN with great encryption, speed, and simplicity. The lightweight, secure, and cross-platform VPN relies on advanced cryptography technologies in addition to supporting Windows, Linux, MacOS, BSD, Android, and iOS operating systems.
WireGuard installation is quite easy, and you only need to follow a few steps. Once installed, you establish a connection by first exchanging public keys between the server and the client. This means that only a client whose public key is known to the server will connect. Unlike client-server models, WireGuard is a peer-to-peer VPN. The configuration determines whether a peer operates like a traditional server or client.
How to install WireGuard server on Ubuntu 18.04
Prerequisites
- Ubuntu 18.04 running on a Linux Cloud Server
- An account with sudo privileges. If you prefer to use root, sudo commands will still work. Alternatively, simply leave out the sudo prefix when you copy and paste all commands.
Step 1. Add repo and install WireGuard
We will start by adding the WireGuard repository to the list of sources using the add-apt-repository command.
sudo add-apt-repository ppa:wireguard/wireguard
This will also update the package cache automatically.
Once the update is complete, we can proceed to install WireGuard.
sudo apt install wireguard
To start using WireGuard, you need to activate the kernel module by rebooting your server and running the modprobe command.
sudo modprobe wireguard
Verify that the kernel module is loaded.
lsmod | grep wireguard
If the module loaded successfully, the command prints a line for the wireguard module.
Our next step is to configure the server.
Step 2: Configure WireGuard server – generate key pair
In this section, we will start by generating the public and private keys which we will then add to the VPN interface configuration file.
You will generate the keys and place them in the WireGuard directory as follows.
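If you are logged in as a sudo user and not as root, use the command below to get the right permissions to access the WireGuard directory. This lets other local users enter and list the directory, so the key and configuration files inside it must stay readable by root only.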
sudo chmod go+rx /etc/wireguard
Go to the WireGuard directory
cd /etc/wireguard
Run the following to generate the VPN server keys:
umask 077
sudo wg genkey | sudo tee server_private.key | wg pubkey | sudo tee server_public.key
The command will generate two keys, create a file for each, and save the two in the WireGuard directory (server_public.key for public key and server_private.key for the private). It also displays the public key as shown above.
Now that we have the keys, let us create and configure our WireGuard configuration file on the server.
Use the cat command to display the key. For example, to see the private key, run
sudo cat server_private.key
Step 3. Configure the WireGuard server interface on Ubuntu 18.04
We will now create the configuration file for the interface wg0, which will be routing the VPN traffic. In this step, you will specify the IP subnet for the VPN network. For this article, we will use 10.10.0.1/24. When choosing the subnet, ensure that it is different from the office or home network to avoid conflicts.
First, find the name of your server’s public NIC using the command
sudo ip a
In the output, look for the NIC that contains your public IP. In this example, it is ens3.
Now, we will use nano editor. To automatically create the configuration file, open it as a blank file in the editor by running
sudo nano /etc/wireguard/wg0.conf
Add the configuration text below to the new file, replacing the placeholder "your server private key here" in the PrivateKey field with the contents of the server_private.key file you generated earlier.
Note: replace all instances of ens3 with your own public NIC you found above.
[Interface]
PrivateKey = your server private key here
Address = 10.10.0.1/24
Address = fd86:ea04:1111::1/64
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
SaveConfig = true
It should look as such with your real values added.
Press ctrl+O to Save and ctrl+X to Exit.
Configure firewall rules
sudo ufw allow 22/tcp
sudo ufw allow 51820/udp
sudo ufw enable
Verify settings
sudo ufw status verbose
For NAT to work, we will enable forwarding for both IPv4 and IPv6 in the file /etc/sysctl.conf as below.
Use a text editor to open the configuration file and enable the following settings.
net.ipv4.ip_forward=1
and
net.ipv6.conf.all.forwarding=1
By default, the lines are commented out; to enable them, launch the editor as below, navigate to each line, and remove the # sign at the beginning of the line.
sudo nano /etc/sysctl.conf
Save and exit. The new values take effect when the sysctl settings are reloaded or the server is rebooted.
We are now ready to bring up the wg0 interface. To do this, use the wg-quick command as follows
sudo wg-quick up wg0
You can now use the wg command to see active interfaces and connected peers.
sudo wg
Since we have not configured the client, the output should be as shown below.
This shows that we have successfully configured our server interface.
WireGuard VPN client configuration on Ubuntu 18.04
For most operating systems, the installation process for WireGuard is the same for both the server and client. The only difference is the configuration file. In this article, we will learn how to configure a client in Ubuntu, Windows, CentOS 7 and Debian.
We will start by installing WireGuard, after which we will generate the key pair for the client and finally do the configuration.
Step 4. How to configure WireGuard client on Ubuntu 18.04
Install WireGuard the same way as in Step 1, repeated below.
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt install wireguard
Restart client computer and confirm that it is working
sudo modprobe wireguard
lsmod | grep wireguard
If successful, it will give the output below.
Step 5. Generate key pair for Ubuntu client
This follows the same process as that of the server.
sudo chmod go+rx /etc/wireguard
cd /etc/wireguard
Run the following to generate the VPN client keys:
umask 077
sudo wg genkey | sudo tee client_private.key | wg pubkey | sudo tee client_public.key
Now that we have the key, we will go to the next step and configure the client.
Step 6. Configure WireGuard VPN client interface on Ubuntu 18.04
The process is similar to that of the server apart from the information in the configuration files.
In this step, we will create the configuration file /etc/wireguard/wg0.conf on the client device.
You will need to replace the text fields with your own PrivateKey, PublicKey, and Endpoint values.
You can obtain your client PrivateKey by running the cat command from the client’s WireGuard directory.
sudo cat client_private.key
PublicKey is the public key on the VPN server. Obtain it by using the cat command on the server.
sudo cat server_public.key
Now, open a new blank configuration file with the command below
sudo nano /etc/wireguard/wg0.conf
Insert the text below and replace the PrivateKey, PublicKey, and Endpoint fields with your real values.
[Interface]
Address = 10.10.0.2/32
Address = fd86:ea04:1111::2/128
SaveConfig = true
PrivateKey = your client private key here
DNS = 1.1.1.1

[Peer]
PublicKey = your server public key here
Endpoint = your server public ip:51820
AllowedIPs = 0.0.0.0/0, ::/0
Save the file and exit.
Set owner-only permissions on the configuration file wg0.conf so that the private key stored in it cannot be read by other users.
sudo chmod 600 /etc/wireguard/wg0.conf
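The umask 077 in the key-generation steps and the chmod 600 above serve the same goal: nothing that holds a private key should be readable by group or other. The server's wg0.conf from Step 3 holds a private key too and needs the same mode. The script below is an added example, not part of the original guide, that reports and tightens exposed files; the function names are hypothetical, and it assumes a stat that supports -c (GNU coreutils or BusyBox).

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): find WireGuard secrets that
# other local users can read. Function names are hypothetical.
# Assumes stat with -c support (GNU coreutils or BusyBox).

# List every *.conf and *private.key file directly under DIR (default
# /etc/wireguard) whose mode grants any group/other permission bit.
# Returns 0 when all such files are owner-only, 1 when any is exposed.
audit_wg_perms() {
    local dir="${1:-/etc/wireguard}" rc=0 f mode
    for f in "$dir"/*.conf "$dir"/*private.key; do
        [ -f "$f" ] || continue          # unmatched glob or not a regular file
        mode=$(stat -c '%a' "$f")        # octal mode, e.g. 600 or 644
        case "$mode" in
            0|*00) ;;                    # no group/other bits set
            *) printf 'EXPOSED %s mode=%s\n' "$f" "$mode"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Set every file the audit covers to owner read/write only (0600).
fix_wg_perms() {
    local dir="${1:-/etc/wireguard}" f
    for f in "$dir"/*.conf "$dir"/*private.key; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    return 0
}
```

Run both functions from a root shell, since the files under /etc/wireguard are owned by root.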
Step 7. Add the peer (client) to the VPN server
We will now add the client public key to the server using the following syntax, where <client public key> stands for the contents of client_public.key.
sudo wg set wg0 peer <client public key> allowed-ips 10.10.0.2/32,fd86:ea04:1111::2/128
To do this, go to the server and run the command below with your own client public key inserted. It will look like this.
sudo wg set wg0 peer E6AoavHk75/IwG7RVFegOkV4JIdje0U8kJnbkySqsiI= allowed-ips 10.10.0.2/32,fd86:ea04:1111::2/128
To confirm the addition, run the following command on the server.
sudo wg
This shows that we have successfully added the peer.
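Every client section in this guide reuses 10.10.0.2, but WireGuard assigns an allowed IP to only one peer at a time, so running wg set with an address that another peer already holds moves it to the new peer. The helpers below are an added example, not part of the original guide: they read `wg show wg0 allowed-ips` output to show which peer holds an address and to pick the next unused one in 10.10.0.0/24. The function names and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide). Function names are hypothetical.
# Both functions read the output of `wg show wg0 allowed-ips` on stdin:
# one line per peer, "<public key><TAB><allowed ip> <allowed ip> ...".
# Typical use on the server:
#   sudo wg show wg0 allowed-ips | next_free_peer_ip

# Constructed sample input (keys are the example keys shown in this guide).
SAMPLE_ALLOWED_IPS=$(printf '%s\t%s\n' \
    'E6AoavHk75/IwG7RVFegOkV4JIdje0U8kJnbkySqsiI=' '10.10.0.2/32 fd86:ea04:1111::2/128' \
    'pYEKlKZY3qqliTyl3I0HqNSPV/XD7zYQVELFIB+mYA4=' '10.10.0.3/32')

# Print the public key of the peer that currently holds ADDR (for example
# 10.10.0.2); return 1 if no peer has it.
peer_holding_ip() {
    awk -v want="$1" '
        { for (i = 2; i <= NF; i++) {
              split($i, a, "/")
              if (a[1] == want) { print $1; found = 1 }
          } }
        END { exit !found }'
}

# Print the lowest host address in PREFIX.0/24 (default 10.10.0, the subnet
# used in this guide) that no peer holds. .1 is skipped: it is the server.
# Assumes peers are given single addresses (/32), as in this guide.
next_free_peer_ip() {
    awk -v p="${1:-10.10.0}" '
        { for (i = 2; i <= NF; i++) {
              split($i, a, "/")
              if (index(a[1], p ".") == 1)
                  used[substr(a[1], length(p) + 2)] = 1
          } }
        END { for (h = 2; h <= 254; h++)
                  if (!(h in used)) { print p "." h; exit 0 }
              exit 1 }'
}
```

Use the address it prints in both the new client's Address line and the allowed-ips argument on the server.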
Check connections
We will now start the interface on the client using the wg-quick command.
sudo wg-quick up wg0
If you get an error about missing resolvconf, install it using the command below, and then try to start the interface again.
sudo apt install resolvconf
You can check the status of the interface using the wg command
sudo wg
Similarly, you can go to the server and check its status.
sudo wg
To see if the client can ping the server, run:
ping 10.10.0.1
This shows that we have successfully added the peer to the server and established a connection. Note that you can turn the interfaces on and off by
sudo wg-quick up wg0
to enable and
sudo wg-quick down wg0
to disable.
To start WireGuard at system boot, run the command below on both the server and the client.
sudo systemctl enable wg-quick@wg0
How to set up WireGuard client in Windows
Step 1. Install WireGuard
Download the WireGuard installer for Windows and install it on your Windows computer. Once complete, it will give you the following output.
Step 2. Add empty tunnel
Give it a name.
Add the configuration text below with your own values in PublicKey and Endpoint fields.
[Interface]
PrivateKey = your client private key will already be here
Address = 10.10.0.2/32
Address = fd86:ea04:1111::2/128
DNS = 1.1.1.1

[Peer]
PublicKey = your server public key here
Endpoint = your server public ip:51820
AllowedIPs = 0.0.0.0/0, ::/0
PublicKey is the public key on the VPN Ubuntu server. Obtain it by running the cat command on the server.
sudo cat /etc/wireguard/server_public.key
Then return to the client window and insert the value in the PublicKey field.
Click Save
Step 3. Add the client peer to the server
Now, you need to add the client public key and IP address to the server.
Run the command below on the server, replacing <client public key> with the client public key generated in the tunnel window above.
sudo wg set wg0 peer <client public key> allowed-ips 10.10.0.2
Step 4. Return to the client machine
Click Activate on the Windows machine.
If successful, the client becomes Active and you will start seeing received and sent traffic.
How to configure WireGuard VPN client on CentOS 7
Step 1. Install WireGuard using the commands below.
sudo yum update
sudo yum install epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
sudo yum install yum-plugin-elrepo
sudo yum install kmod-wireguard wireguard-tools
Step 2. Generate keys for the client
Create the WireGuard directory.
sudo mkdir -p /etc/wireguard/
If you are running as a sudo user, you may not have access to the WireGuard directory.
Use the command below to grant access to the logged-in user.
sudo chmod go+rx /etc/wireguard/
To generate the key pair, with the key files readable only by their owner, run
umask 077
sudo wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key
This will generate the keys and save them in the WireGuard directory. You can use the cat command to view the keys.
Step 3. Configure client interface on CentOS 7
In this step, we will create the configuration file /etc/wireguard/wg0.conf on the client device.
You will need to replace the text fields with your own PrivateKey, PublicKey, and Endpoint values.
You can obtain your client PrivateKey by running the cat command from the client’s WireGuard directory.
sudo cat client_private.key
PublicKey is the public key on the VPN server. Obtain it by using the cat command on the server.
sudo cat server_public.key
Now, open a new blank configuration file with the command below
sudo nano /etc/wireguard/wg0.conf
Insert the text below and replace the PrivateKey, PublicKey, and Endpoint fields with your real values.
[Interface]
Address = 10.10.0.2/32
Address = fd86:ea04:1111::2/128
SaveConfig = true
PrivateKey = your client private key here
DNS = 1.1.1.1

[Peer]
PublicKey = your server public key here
Endpoint = your server public ip:51820
AllowedIPs = 0.0.0.0/0, ::/0
Save the file and exit.
Set owner-only permissions on the configuration file wg0.conf so that the private key stored in it cannot be read by other users.
sudo chmod 600 /etc/wireguard/wg0.conf
Step 4. Add the peer to the VPN server
We will now add the client public key to the server using the following syntax, where <client public key> stands for the contents of client_public.key.
sudo wg set wg0 peer <client public key> allowed-ips 10.10.0.2/32,fd86:ea04:1111::2/128
To do this, go to the server and run the command below with your own client public key inserted. It will look like this.
sudo wg set wg0 peer pYEKlKZY3qqliTyl3I0HqNSPV/XD7zYQVELFIB+mYA4= allowed-ips 10.10.0.2/32,fd86:ea04:1111::2/128
To confirm the addition, run the following command on the server.
sudo wg
This shows that we have successfully added the peer.
Check connections
We will now start the interface on the client using the wg-quick command.
sudo wg-quick up wg0
When both server and client interfaces are up, you can check the status using the wg command.
On the server
sudo wg
On the client
sudo wg
This shows that we have successfully added the peer to the server and established a connection. Note that you can turn the interfaces on and off by
sudo wg-quick up wg0
to enable and
sudo wg-quick down wg0
to disable.
To start WireGuard at system boot, run the command below on both the server and the client.
sudo systemctl enable wg-quick@wg0
How to Install WireGuard client on Debian 9
Make sure that sudo is installed and that you have sudo privileges. Install it with the following commands.
su
apt-get install sudo -y
If you prefer to use root, sudo commands will still work. Alternatively, simply leave out the sudo prefix when you copy and paste all commands.
Step 1. Install WireGuard
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard-dkms wireguard-tools
If successful, you will see the following output.
Enable the WireGuard kernel module and check the status
sudo modprobe wireguard && lsmod | grep wireguard
Step 2. Generate keys for the client on Debian 9
We will now generate a private and public key which we will add to the configuration files. Setting the umask first keeps the key files readable only by their owner.
umask 077
sudo wg genkey | tee /etc/wireguard/client_private.key | wg pubkey > /etc/wireguard/client_public.key
Step 3. Configure WireGuard VPN client interface on Debian 9
The process is similar to that of the server apart from the information in the configuration files. We will call our interface wg0 and use the configuration file to define the private network, our client public key, and the server’s public key and IP address.
You will need to add your real values to the PrivateKey, PublicKey, and Endpoint fields in the text below.
The client’s PrivateKey can be obtained by running the cat command from the client’s WireGuard directory.
sudo cat client_private.key
PublicKey is the key on the VPN server. Go to the server and obtain the key by running the cat command;
sudo cat server_public.key
Once you have all the details, you can now create the client configuration file.
sudo nano /etc/wireguard/wg0.conf
The command will open a blank file; insert the text below with your correct values.
[Interface]
Address = 10.10.0.2/32
Address = fd86:ea04:1111::2/128
SaveConfig = true
PrivateKey = your client private key here
DNS = 1.1.1.1

[Peer]
PublicKey = your server public key here
Endpoint = your server public ip:51820
AllowedIPs = 0.0.0.0/0, ::/0
Save the file and exit.
Set the right permissions for your configuration file wg0.conf, hence making it secure.
sudo chmod 600 /etc/wireguard/wg0.conf
Step 4. Add the peer (client) to the VPN server on Debian 9
We will now add the client public key to the server using the following syntax, where <client public key> stands for the contents of client_public.key.
sudo wg set wg0 peer <client public key> allowed-ips 10.10.0.2/32,fd86:ea04:1111::2/128
To do this, go to the server and run the command below with your own client public key inserted. It will look like this.
sudo wg set wg0 peer E6AoavHk75/IwG7RVFegOkV4JIdje0U8kJnbkySqsiI= allowed-ips 10.10.0.2/32,fd86:ea04:1111::2/128
To confirm the addition, run the following command on the server.
sudo wg
This shows that we have successfully added the peer.
Check connections
We will now start the interface on the client using the wg-quick command.
sudo wg-quick up wg0
If you get an error about missing resolvconf, install it using the command below, and then try to start the interface again.
sudo apt install resolvconf
You can check the status of the interface using the wg command
sudo wg
Similarly, you can go to the server and check its status.
sudo wg
To see if the client can ping the server, run:
ping 10.10.0.1
This shows that we have successfully added the peer to the server and established a connection. Note that you can turn the interfaces on and off by running:
sudo wg-quick up wg0
to enable, and
sudo wg-quick down wg0
to disable.
To start WireGuard at system boot, run the command below on both the server and the client.
sudo systemctl enable wg-quick@wg0