Install and Setup WireGuard VPN on Ubuntu Server
03 January, 2023 by

How to Install WireGuard VPN on Ubuntu Server

Installing and setting up WireGuard VPN on Ubuntu server is an efficient method for enhancing online security, protecting privacy, and maintaining anonymity on the internet.

The installation steps for WireGuard VPN on Ubuntu can be summarized as follows:

  1. Update Ubuntu Server Repository
  2. Install WireGuard Ubuntu
  3. Generate Key Pairs
  4. Configure WireGuard on the Server
  5. Enable IP Forwarding
  6. Firewall configuration
  7. Start WireGuard

Based on your knowledge of VPNs, you know that by hiding your real identity, a VPN meets privacy needs. WireGuard is a peer-to-peer VPN protocol with advanced encryption and is also utilized in reverse proxy operations.

Does Ubuntu support WireGuard?

Yes, Ubuntu Linux supports WireGuard. WireGuard was originally developed for the Linux kernel and is included in the default repositories of most Linux distributions, including Ubuntu.

Wireguard minimum requirements

  • Linux VPS with Ubuntu OS (version 20.04 or newer)
  • Access to the server through a non-root user and having Sudo privileges

Note: You can use two Ubuntu servers with different versions and patches, set up one as a WireGuard host and the other remote Ubuntu server as a client. If this method is incompatible with your conditions, you can use an Ubuntu server as a host to run WireGuard and your local device as a peer client machine.

What are the hardware requirements for WireGuard?

  •  1GHz or faster CPU with AES-NI support
  • At least 2GB of RAM
  • At least 1GB storage

How to setup Wireguard on Ubuntu 20.04

Configuring WireGuard VPN on a VPS is similar to setting it up on a local system. Connect to your Ubuntu server via SSH and install WireGuard VPN on the local system to dramatically enhance your VPS security.

Step 1: Update Ubuntu Server packages

$ sudo apt update             

Note: If you haven’t used Sudo before this tutorial, you may need to enter your Sudo user password.

Step 2: Install Wireguard on ubuntu

$ sudo apt install wireguard -y

You may have to wait a little while to download files, and Ubuntu install WireGuard VPN.

Step 3: Generate WireGuard Server Key Pairs

you need to generate public and private key pairs to run WireGuard VPN on the Ubuntu server and encrypt incoming and outgoing traffic to the server. To generate the private key, run the following command:

$ wg genkey | sudo tee /etc/wireguard/private.key

To create a public key that is derived from a private key, use the following command:

$ sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

The built-in wg genkey and wg pubkey commands are run to generate the keys, and then the WireGuard configuration file must include the private key.

In the output of the above commands, the base64 encoded line contains your private and public keys for the WireGuard server. It is recommended to make a copy of the Private and Public keys in a safe place so that you can access the server from peer devices through the public key.

Note: The /etc/wireguard/private.key file usually contains a copy of the output containing the private key so that you can refer to that file in the future and access the content of the output of the above commands.

Security Tip: Since the private key must be kept secure, to protect the private key from being read by any user on the server, you must change the default permissions of the Private key using the chmod command:

$ sudo chmod go= /etc/wireguard/private.key

By running the previous command, you protect the private key and allow only the root user to access the private key file.

Step 4: Configure IPv4 and IPv6 addresses

This step configures WireGuard and creates a server configuration file. Before running the commands, ensure you have access to the private key you created in the previous step.

Therefore, to configure the WireGuard server, run the following command using nano or any editor of your choice to create the wg0.conf file by referring to the /etc/wireguard directory:

$ sudo nano /etc/wireguard/wg0.conf

Then enter the following commands in the configuration file to set the IP range:

[Interface]

PrivateKey = servers_generated_private_key

Address = 172.16.0.0/12

ListenPort = 51820

SaveConfig = true

By entering the addresses on the command line, set the IP range. This step sets the range of private IPv4 and IPv6 addresses for use with the WireGuard server and peer devices (Client).

The SaveConfig = true line ensures that changes to the configuration file are saved when the WireGuard interface is shut down.

Save the /etc/wireguard/wg0.conf file after editing by pressing CTRL+X, then Y and Enter. (When using the nano editor)

Note: When using the WireGuard server with IPv4 peers, remember that the server uses different private IPv4 addresses for the tunnel interface and clients. The list of reserved blocks of IP addresses is as follows:

  • 10.0.0.0 to 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 to 192.168.255.255 (192.168/16 prefix)

In this tutorial, we chose the address 172.16.0.0/12 as a block of IP addresses and the first IP range in the definition of the reserved IP range; but you can use another block of reserved addresses or Choose another address within the range defined above.

Step 5: Port Forwarding configuration and /etc/sysctl.conf file

Enabling IP forwarding is a requirement to run a VPN so that you can connect to Wireguard VPN server without any problems in the future. For this purpose, we need to edit the contents of the /etc/sysctl.conf file.

First, open the /etc/sysctl.conf file by running the following command:

$ sudo nano /etc/sysctl.conf

Then add the following commands to the /etc/sysctl.conf file to enable Forwarding:

net.ipv4.ip_forward=1

If you are using IPv6, you must also enter the following command in the desired file:

net.ipv6.conf.all.forwarding=1

To read the input and output values and save the changes in the /etc/sysctl.conf file, enter the following commands in the terminal:

$ sudo sysctl -p
net.ipv4.ip.forward = 1

Enter the following command for the IPv6 address:

net.ipv6.conf.all.forwarding = 1

Step 6: WireGuard server firewall configuration

Configuring the WireGuard server firewall allows you to direct incoming and outgoing traffic in a safe environment by creating firewall rules. This step is optional, although firewall configuration has advantages.

1. Find the public network interface:

$ ip route list default

In the output of this command, you will find the public interface string after the word “dev“. The following examples can guide you in identifying the public interface more quickly:

default via XXX.XXX.XXX.XXX dev eth0 onlink

Or

default via XXX.XXX.XXX.XXX dev eth0 proto static

In these examples, eth0 after the word dev is the public network interface.

2. Edit the iptables rules:

To Edit the iptables rules,first open the configuration file with the nano editor:

$ sudo nano /etc/wireguard/wg0.conf

After accessing the content of the configuration file, just add the following commands to the end of the file after the SaveConfig = true line:

PostUp = ufw route allow in on wg0 out on eth0

PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

PreDown = ufw route delete allow in on wg0 out on eth0

PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

The Post UP command starts the VPN virtual tunnel on the WireGuard server, and the PreDown rules disable it. Also, Stopping transfer rules and hiding the VPN interface is done by the PreDown rule.

Note: You can make changes in the rules and configuration. You can remove some rules and configure IPv4 and IPv6 rules according to your needs. For example, if you only use IPv6, you can change the configuration to include the ip6tables commands, and if you use IPv4, you can remove the ip6tables commands.

Note: ufw commands must include both IPv4 and IPv6 rules.

After editing the file according to your needs, save the file.

3. Open the UDP default port:

One important step in configuring the firewall on the WireGuard server is to allow traffic to and from the WireGuard UDP port.  If you have not edited the /etc/wireguard/wg0.conf configuration file of the server, port number 51820 is set by default, so you should open the UDP default port by running the following command:

$ sudo ufw allow 51820/udp

4. Open SSH port (If you have not opened it before):

$ sudo ufw allow OpenSSH

5. Save changes:

After setting the desired rules, disable and then enable UFW by running the following commands to restart UFW and apply the changes made:

$ sudo ufw disable

$ sudo ufw enable

6. Check and verify UFW rules:

To check the changes in UFW rules, run the following command:

$ sudo ufw status

By receiving the following output, you can ensure that the firewall settings are as you wish:

Status: active 
To Action From
 -- ------ ---- 
51820/udp ALLOW Anywhere
22/tcp ALLOW Anywhere 
51820/udp (v6) ALLOW Anywhere (v6) 
22/tcp (v6) ALLOW Anywhere (v6)

You have now configured the WireGuard server to handle VPN traffic on a secure platform. Firewall rule settings allow users to set up the WireGuard service to listen to peer connections.

Note: You must enable Masquerading in the firewall to allow WireGuard server traffic. Enabling Masquerading provides dynamic network address translation (NAT) for proper routing of client connections and plays the role of iptables.

Step 7: Start the WireGuard server in Ubuntu

To automatically start the WireGuard service every time you reboot, run the following command:

$ sudo systemctl enable wg-quick@wg0.service

You can Wireguard config ubuntu as a systemd service using the wg-quick  script to run, so in these conditions, you won’t have to use the error-prone manual method of running the wg command to use a VPN and create a tunnel.

Run the following command to start the WireGuard service:

$ sudo systemctl start wg-quick@wg0.service

Check WireGuard status to ensure that the WireGuard service is active:

$ sudo systemctl status wg-quick@wg0.service

Showing Active: active (exited) in the output indicates that the WireGuard service is active and running. As a result, by checking WireGuard’s status, you know if WireGuard is working.

Finally, you have successfully installed and run the client and server. You can now launch the WireGuard client on the other system and connect to the WireGuard VPS you configured as a VPN.

How do I know if WireGuard is running?

  • Connecting to WireGuard VPN from another device on a separate network and testing access from another device with the WireGuard server’s IP address.
  • Using the wg command to check the WireGuard interface status:
sudo wg
  • Using the systemctl and wg-quick to check WireGuard service status:
sudo systemctl status wg-quick@wg0
  • Using the  wg show command to check the latest handshake timestamp for each connected peer.
  • Using the ps command to check the WireGuard process:
ps aux | grep -i "[w]ireguard"
  • Ping other devices on the WireGuard VPN network and check their access.

As a result, using the methods you learned, you can test WireGuard and check the WireGuard connection.

How to turn on WireGuard Ubuntu?

To turn on WireGuard in Ubuntu, run:

sudo systemctl enable wg-quick@wg0           (Enable the WireGuard service )

Or

sudo wg-quick up wg0                          (Bring WireGuard interface up)

Or

sudo systemctl start wg-quick@wg0              (Start the WireGuard service)

How do I know if WireGuard is installed on Ubuntu?

There are several ways to check if WireGuard is installed on Ubuntu:

  • Running wg command (no output means successful installation)
  • Running sudo apt list --installed | grep wireguard (display WireGuard in output means wireGuard is installed.)
  • Running lsmod | grep wireguard (get WireGuard in output means WireGuard kernel modules are loaded )
  • Running wg --version (get version information means WireGuard is installed.)

Where is the WireGuard config file?

WireGuard config file is typically located in the /etc/wireguard directory on Ubuntu Linux. By default, the configuration file has a .conf extension and is named wg0.conf.

How do I import a WireGuard file?

  • Copy the WireGuard configuration file to your device.
  • Navigate to the WireGuard config directory ( For example, on Ubuntu):
cd /etc/wireguard/
  • Import WireGuard configuration file (wg0.conf):
wg-quick import wg0.conf

How to add WireGuard in Linux network manager?

  1. Install the WireGuard tools.
  2. Install the WireGuard NetworkManager Plugin.
  3. Create a configuration file for your WireGuard connection, replacing the values received from the WireGuard server manager (including the public key, server endpoint, server IP address, and other settings) in the content of the WireGuard configuration file.
  4. Open the NetworkManager settings via the NetworkManager applet in the system tray.
  5. Click on the network icon in the system tray.
  6. Click on “VPN Connections” > “Configure VPN” > “+” (plus) sign to add a WireGuard Connection from the VPN connection types menu.
  7. Tap on the Create button.
  8. Manually enter information such as name, public key, private key, server address provided by your WireGuard VPN provider, DNS servers, and allowed IP addresses in the respective fields, then click on the “Add” and “Apply” buttons.
  9. Save the WireGuard connection configuration.
  10. The newly created WireGuard connection is now added to the NetworkManager VPN Connections menu and is accessible.

What is WireGuard installer?

Bash scripts like Nyr’s WireGuard Install Script and Angristan’s WireGuard are the most popular and widely used WireGuard installers on Linux distributions.

WireGuard installers are designed to facilitate and automate the installation and configuration of WireGuard VPN.

Premium Benefits of WireGuard VPN

  • Reverse proxy operation
  • Having a user-friendly and simple interface
  • Advanced encryption through Poly1305, Curve25519, HKDF, Noise protocol framework, ChaCha20, BLAKE2 and SipHash24 protocols
  • Providing data security with AED-256 encryption support
  • Flexibility and ease in settings and use
  • Open source and the possibility of customization according to your needs
  • Compatible with most operating systems and devices
  • Modern, fast, and lightweight
  • Support for IPv4 and IPv6 connections
  • UDP protocol for traffic transfer

Does WireGuard need static IP?

No, WireGuard VPN does not need a static IP, and the WireGuard architecture is designed to work with dynamic IP addresses.

However, if you want to avoid VPN clients disconnecting and updating the WireGuard configuration file every time the IP address changes through DHCP, we recommend using a static IP to make the connection to WireGuard servers more stable and convenient.

Is WireGuard built into Linux?

Yes, WireGuard is integrated into the Linux kernel, and by default, most mainstream Linux distributions include the WireGuard kernel module.

Which Linux kernel has WireGuard?

WireGuard was added to the Linux kernel with version 5.6 and backported to older versions. As a result, it is now available in most Linux distributions.

Is there a WireGuard GUI for Linux?

Yes, there are different graphical user interfaces (GUIs) for managing WireGuard on Linux:

  • Devsfy/wiregui
  • NetworkManager
  • qomui
  • Tailscale
  • Wireguird
  • wgquick-gui
  • Wireguard-Ui
  • wg-quick-gtk

How do I increase my WireGuard VPN speed?

To increase WireGuard VPN speed, choosing the nearest server location, optimizing MTU by lowering WireGuard MTU length, keeping WireGuard up-to-date, upgrading internet service bandwidth, reducing CPU usage, enabling TCP Optimizer, upgrading hardware, and reducing VPN protocol overhead are effective measures.

How do I troubleshoot WireGuard VPN?

  1. Check system logs.
  2. Confirm the information in your WireGuard configuration files, ensuring that public and private keys are correct.
  3. Check that firewall settings allow traffic on the WireGuard port.
  4. Review the AllowedIPs list.
  5. Check the status of the WireGuard interface.
  6. Adjust MTU settings if encountering connection issues.
  7. Upgrade WireGuard.
  8. Disable software that conflicts with WireGuard.
  9. Confirm the correctness of routes in the routing table.

FAQ

WireGuard requires UDP transport protocol to send and receive encrypted packets and avoids the possible disadvantages of TCP-over-TCP. WireGuard fully supports IPv4 and IPv6 connections inside and outside the tunnel.

No, fortunately, WireGuard is open source and free and is safer and faster than its commercial counterparts, While many traditional VPNs reduce the internet speed when connecting. Although WireGuard is free, it offers excellent performance in protecting against intrusion attacks and maintaining privacy.

Conclusion

Now, by installing and configuring WireGuard server, you will protect your privacy, identity, and important data, and a new and exciting experience will be created from the efficient WireGuard VPN.

WireGuard VPN is worth a try with features like reverse proxy operation and super security, speed, and support for IPv4 and IPv6 connections. We assure you that you won’t regret using WireGuard VPN.

Leave a Reply

Your email address will not be published. Required fields are marked.

Flagg Publish in December 18, 2023 at 8:08 pm

Hi! There is a small error in you tutorial. Standard Wireguard Port is: 51820 as is correctly set in the config, but in "Step 6" you open Port 51280 in ufw (2 and 8 are switched). At first I didn't see it when i copied your commands, as it istn't easy to spot :) Please correct the error and delete my comment... Best regards, Flagg

Reply
    Liosa F Publish in December 20, 2023 at 6:54 am

    Thank you for your comment and attention; it has been corrected.

    Reply