How to Install and Setup WireGuard VPN on Ubuntu Server

Linux Topic

January 3, 2023 by Liosa F

Install and Setup WireGuard VPN on Ubuntu Server

Many users, for logical reasons, are looking for a way to be anonymous and increase security in the Internet world. VPS is an efficient technology to hide users’ original IP address by providing a new IP address, but it may not be enough for some users, that’s why other useful methods are integrated with VPS to enhance online security and protect privacy. One of the common methods in this field is to set up a VPN server, that is, they turn the VPS into a VPN server by setting up a VPN on the VPS.

Based on your knowledge about VPN protocols, you know that VPN will meet your privacy needs and hide your real identity and local IP address. WireGuard is a peer-to-peer VPN protocol with advanced encryption, which is also used in reverse proxy operations. It also excels in features compared to other popular VPN protocols such as OpenVPN and Cisco.

In this article, we will introduce you to WireGuard and its features, and we will teach you how to install and set up WireGuard VPN on an Ubuntu server. Stay with us until the end of the article.

Introducing WireGuard VPN

WireGuard is a modern, secure and fast Virtual Private Network technology with advanced encryption, released in 2015 by Jason A. Donenfeld under the second version of the GNU General Public License. WireGuard is introduced as a communication protocol and VPN client with a minimal approach to user interface and prioritizing the end user.

Although this VPN protocol is not very old, it has become popular among users with its high flexibility and compatibility with most operating systems and its numerous advanced features. This software runs as a module in the Linux kernel, which aims to improve the performance compared to competitors such as Open VPN, etc. in the tunneling protocol. Other advantages that have increased the popularity of WireGuard compared to other competitors are the use of certificates for authentication, the use of IPSec Transport Layer Security (TLS), and the creation of encrypted tunnels between your systems.

The support of TLS versions provides the possibility of benefiting from different cryptographic sets and algorithms. Also, the easy and fast configuration and performance of the WireGuard protocol are one of its other features.

The support of TLS versions provides the possibility of benefiting from different cryptographic sets and algorithms. Also, the ease of configuration and fast and efficient performance of the WireGuard protocol are among its other features.

WireGuard VPN is an open-source, functional, peer-to-peer protocol that uses a Virtual Private Network approach to establish point-to-point communication in a routing (network).

Install and Setup WireGuard VPN on Ubuntu Server

The function of WireGuard is such that it creates a secure private network interface in the peer device as a tunnel and implements authentication based on the SSH pattern, by transferring and exchanging public keys between peer devices. Therefore, it uses public and private keys to encrypt and create an encrypted tunnel between systems.

Also, the transmission of VPN traffic in WireGuard is UDP. In addition, one of the privileged features of the WireGuard protocol is the support for IPv4 and IPv6 connections. Users who need a fixed IP of their work or home network, but are active outside their home and office environment or are constantly traveling, can access their office or home network by setting up the WireGuard VPN service on a VPS.

This amazing feature of the WireGuard service makes it the most useful platform for VPN connection to your work or home network. Therefore, WireGuard can bring a complete and advanced package of VPN for expert and beginner users with its development.

In this tutorial, because how to set up WireGuard is our main goal, we will limit ourselves to introducing WireGuard, but you can read the relevant article to learn more about WireGuard. In the following first, we will introduce you to some of the key features of WireGuard, and then we will get to the main topic of the article.

Premium Benefits of WireGuard VPN

The popularity and superiority of the WireGuard VPN protocol are not without reason, it is due to its extraordinary advantages and features; In the following, you will better understand the reason for its reliability and popularity. Advantages of WireGuard VPN include:

  • Reverse proxy operation
  • Having a user-friendly and simple interface
  • Advanced encryption through Poly1305, Curve25519, HKDF, Noise protocol framework, ChaCha20, BLAKE2 and SipHash24 protocols
  • Providing data security with AED-256 encryption support
  • Flexibility and ease in settings and use
  • Open source and the possibility of customization according to your needs
  • Compatible with most operating systems and devices
  • Modern, fast and lightweight
  • Support for IPv4 and IPv6 connections
  • UDP protocol for traffic transfer

Setting up WireGuard VPN on Ubuntu Server

Configuring WireGuard VPN on a VPS is similar to setting it up on a local system. securely connect to your Ubuntu server via SSH, and then simply install WireGuard VPN on the local system and use this special tool on your VPS to dramatically enhance your VPS security and online activity. Before we go to the steps of setting up WireGuard VPN on an Ubuntu Linux server, you must meet the minimum requirements to execute the instructions in this tutorial.

prerequisites

  • Linux VPS with Ubuntu OS (version 20.04)
  • Access to the server through a non-root user and having Sudo privileges

Note: In this tutorial, one method is to use two Ubuntu servers with different versions and matching patches, configure one Ubuntu server as a host to run WireGuard and the other remote Ubuntu server as a client. If this method is not compatible with your conditions, you can choose the second method, which requires you to use an Ubuntu server as a host to run WireGuard and your local device as a peer client machine.

Steps to install WireGuard VPN

Step 1: Update the list of Ubuntu Server packages (Ubuntu Server Repository)

The first step to install WireGuard VPN is to update the repository and Linux system packages. If you haven’t used Sudo before this tutorial, you may need to enter your Sudo user password and then enter the following command to update Ubuntu system packages:

$ sudo apt update             

Step 2: Installing WireGuard VPN

After updating the Ubuntu system repository, it’s time to download and install the WireGuard VPN file. Running the following command installs WireGuard VPN on the Ubuntu server:

$ sudo apt install wireguard -y

You may have to wait a little while to complete the process of downloading the files and installing WireGuard VPN.

Step 3: generating a private and public keypair for the WireGuard server

After installing the WireGuard VPN file, you need to generate public and private key pairs to run WireGuard VPN on the Ubuntu server and encrypt incoming and outgoing traffic to the server. The built-inwg genkeyandwg pubkeycommands are run to generate the keys, and then the WireGuard configuration file must include the private key. So, to generate the private key, run the following command:

$ wg genkey | sudo tee /etc/wireguard/private.key

Note: You can run thechmodcommand to create a private key, but to prevent any user from reading the file on the server, you must change the default permissions of the key you created with the chmod command. The chmod command to create a private key is as follows:

$ sudo chmod go= /etc/wireguard/private.key

thechmodcommand on the file for protecting the private key only allows access to the file to the root user. In the above command output, the base64 encoded command line contains the private key, which you must carefully write down in a safe place. The /etc/wireguard/private.key file usually contains a copy of this output containing the private key so that you can refer to that file in the future and access the content of the output of the above command.

To create a public key that is derived from a private key, use the following command:

$ sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

In the output of the above command, the base64 encoded line contains your public key for the WireGuard server. It is better to make a copy of the public key in a safe place so that you can access the server from peer devices through the public key.

Step 4: Configure IPv4 and IPv6 addresses

Up to this point, we have installed WireGuard VPN on the Ubuntu server and created key pairs to encrypt server traffic. In this step, we apply the necessary WireGuard settings and create a configuration file for the server. This step is done to set the range of private IPv4 and IPv6 addresses for use with the WireGuard server and peer devices (Client). For this purpose, you can define the IP range by placing the addresses in the command line. Before running the commands, make sure you have access to the private key you created in the previous step.

Therefore, to configure the WireGuard server, run the following command using nano or any editor of your choice to create the wg0.conf file by referring to the /etc/wireguard directory:

$ sudo nano /etc/wireguard/wg0.conf

Then enter the following commands in the configuration file to set the IP range:

[Interface]

PrivateKey = servers_generated_private_key

Address = 172.16.0.0/12

ListenPort = 51820

SaveConfig = true

The SaveConfig = true line is to ensure that changes to the configuration file are saved when the WireGuard interface is shut down.

Save the /etc/wireguard/wg0.conf file after editing by pressing CTRL+X, then Y and Enter. (When using the nano editor)

When using the WireGuard server with IPv4 peers, remember that the server uses different private IPv4 addresses for the tunnel interface and clients. The list of reserved blocks of IP addresses is as follows:

  • 10.0.0.0 to 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 to 192.168.255.255 (192.168/16 prefix)

In this tutorial, we chose the address 172.16.0.0/12 as a block of IP addresses and the first IP range in the definition of the reserved IP range; but you can use another block of reserved addresses or Choose another address within the range defined above.

Step 5: Port Forwarding configuration and /etc/sysctl.conf file

Enabling packet forwarding is a requirement to run a VPN so that you can connect to the WireGuard server without any problems in the future. For this purpose, we need to edit the contents of the /etc/sysctl.conf file.

First, open the /etc/sysctl.conf file by running the following command:

$ sudo nano /etc/sysctl.conf

Then add the following commands to the /etc/sysctl.conf file to enable Forwarding:

net.ipv4.ip_forward=1

If you are using IPv6, you must also enter the following command in the desired file:

net.ipv6.conf.all.forwarding=1

To read the input and output values and save the changes in the /etc/sysctl.conf file, enter the following commands in the terminal:

$ sudo sysctl -p
net.ipv4.ip.forward = 1

Enter the following command for the IPv6 address:

net.ipv6.conf.all.forwarding = 1

Step 6: WireGuard server firewall configuration

This section is for configuring the firewall of the WireGuard server so that you can direct the incoming and outgoing traffic of the WireGuard server in a safe environment by setting the firewall rules. This section is optional, but there are benefits to configuring a firewall.

You must enable Masquerading in the firewall to allow WireGuard server traffic. Enabling Masquerading provides dynamic network address translation (NAT) for proper routing of client connections and plays the role of iptables.

To configure the server firewall, you must first find the public network interface of the WireGuard server by running theip routesubcommand:

$ ip route list default

In the output of this command, you will find the public interface string after the word “dev“. The following examples can guide you in identifying the public interface more quickly:

default via XXX.XXX.XXX.XXX dev eth0 onlink

Or

default via XXX.XXX.XXX.XXX dev eth0 proto static

In these examples, eth0 after the word dev is the public network interface.

The next step is to edit the iptables rules. You will do this by opening the configuration file with the nano editor:

$ sudo nano /etc/wireguard/wg0.conf

After accessing the content of the configuration file, just add the following commands to the end of the file after the SaveConfig = true line:

PostUp = ufw route allow in on wg0 out on eth0

PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

PreDown = ufw route delete allow in on wg0 out on eth0

PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

ThePost UPcommand is executed to start the VPN virtual tunnel on the WireGuard server, and thePreDownrules are used to stop the VPN virtual tunnel on the server. Also, The PreDown rule is executed to stop the transfer rules and hide the VPN interface.

According to your use of IPv4 and IPv6, you can make changes in the rules and configuration, and you can delete some rules. For example, if you only use IPv6, you can change the configuration to include the ip6tables commands, and if you use IPv4, you can remove the ip6tables commands.

ufw commands must include both IPv4 and IPv6 rules. After editing the file according to your needs, save the file.

The next step in configuring the firewall on the WireGuard server is to allow traffic to and from the WireGuard UDP port. If you have not edited the /etc/wireguard/wg0.conf configuration file of the server, port number 51820 is set by default, so you should open the default port by running the following command:

$ sudo ufw allow 51280/udp

If you have not opened the SSH port, you can do so by running the following command:

$ sudo ufw allow OpenSSH

After setting the desired rules, disable and then enable UFW by running the following commands to restart UFW and apply the changes made:

$ sudo ufw disable

$ sudo ufw enable

To check the changes in UFW rules, run the following command:

$ sudo ufw status

By receiving the following output, you can ensure that the firewall settings are as you wish:

Status: active

To                         Action      From

--                         ------      ----

51280/udp                  ALLOW       Anywhere

22/tcp                     ALLOW       Anywhere

51280/udp (v6)             ALLOW       Anywhere (v6)

22/tcp (v6)                ALLOW       Anywhere (v6)

You have now configured the WireGuard server to handle VPN traffic on a secure platform. Firewall rule settings allow users to set up the WireGuard service to listen to peer connections.

Step 7: Start the WireGuard server

Now that the WireGuard client is installed and the necessary configurations are done, it’s time to start the WireGuard server and connect to it. You can use any server to connect, follow the instructions in this section to create WireGuard VPS as a VPN.

You can configure WireGuard as a systemd service using the wg-quick script to run, so in these conditions, you won’t have to use the error-prone manual method of running thewgcommand to use a VPN and create a tunnel. To automatically start the WireGuard service every time you reboot, run the following command:

$ sudo systemctl enable wg-quick@wg0.service

Run the following command to start the WireGuard service:

$ sudo systemctl start wg-quick@wg0.service

To ensure that the WireGuard service is active, enter the following command:

$ sudo systemctl status wg-quick@wg0.service

Showing Active: active (exited) in the output indicates that the WireGuard service is active and running.

Finally, you have successfully installed and run the client and server. You can now launch the WireGuard client on the other system and connect to the WireGuard VPS you configured as a VPN.

FAQ

WireGuard requires UDP transport protocol to send and receive encrypted packets and avoids the possible disadvantages of TCP-over-TCP. WireGuard fully supports IPv4 and IPv6 connections inside and outside the tunnel.

No, fortunately, WireGuard is open source and free and is safer and faster than its commercial counterparts, While many traditional VPNs reduce the internet speed when connecting. Although WireGuard is free, it offers excellent performance in protecting against intrusion attacks and maintaining privacy.

Conclusion

In this tutorial, you have successfully installed and launched the WireGuard VPN service on the Ubuntu server, managed the incoming and outgoing traffic to the server by setting rules in the firewall, and enabled packet forwarding on the server for efficient configuration of the WireGuard service. Even in this tutorial you learned how to create private and public encryption key pairs.

Now, by installing WireGuard on an Ubuntu server, you will protect your privacy, identity, and important data, and a new and exciting experience will be created from the efficient WireGuard VPN. WireGuard VPN is worth a try with features like reverse proxy operation and super security, speed, and support for IPv4 and IPv6 connections. We assure you that you won’t regret using WireGuard VPN.

In any part of this article, if you encounter a problem or need more guidance, you can ask us your questions in the comments section so that we can solve your problem as soon as possible.

We hope that reading this article will be useful for you.

Helpful

​ ​ ​ ​

About the Author Liosa F

Love, life, peace and technology are all for the wise man

Leave a Reply

Your email address will not be published. Required fields are marked *