WireGuard is a simple, fast, and secure VPN that utilizes state-of-the-art cryptography. With a small source code footprint, it aims to be faster and leaner than other VPN protocols such as OpenVPN and IPSec. WireGuard is still under development, but even in its unoptimized state it is faster than the popular OpenVPN protocol.
The WireGuard configuration is as simple as setting up SSH. A connection is established by an exchange of public keys between server and client. Only a client that has its public key in its corresponding server configuration file is allowed to connect. WireGuard sets up standard network interfaces (such as wg0 and wg1), which behave much like the commonly found eth0 interface. This makes it possible to configure and manage WireGuard interfaces using standard tools such as ifconfig and ip.
This guide will configure a simple peer connection between Ubuntu server and client, as all the installation set up will be the same from all sides, server and the client, what will make difference is the configuration which we will go through in details.
Install WireGuard
- Update your package index by running the following command:
sudo apt-get update
- Install Wireguard
sudo apt install wireguard -y
Configure WireGuard Server
- One of the best things about WireGuard is that it’s security is based on SSH-like key pairs. So, the first thing to be done is to generate the necessary private and public key pair. Generate a private and public key pair for the WireGuard server:
$ mkdir ~/.wireguard
$ cd ~/.wireguard
$ umask 077
$ wg genkey | tee privatekey | wg pubkey > publickey
This will save both the private and public keys to your home directory; they can be viewed with cat privatekey
and cat publickey
respectively. 2. Next, you need to copy the contents of newly-generated private key with the command:
cat privatekey
The above command will print out a string of characters. You’ll need to do this on both the server and the client (as you’ll need the server private key and the client public key). 3. Copy that string to your clipboard and then create a new WireGuard configuration file with the command:
sudo nano /etc/wireguard/wg0.conf
- In that file, paste the following:
[Interface]
Address = 10.0.0.1/24
ListenPort = 41194
PrivateKey = SERVER_PRIVATE_KEY
- Address defines the private IPv4 and IPv6 addresses for the WireGuard server. Each peer in the VPN network should have a unique value for this field.
- ListenPort specifies which port WireGuard will use for incoming connections.
NOTE: If you want to have many servers connected to one or more clients, you need to have different ListenPort, and allow it in your server ufw.
Now, save and close the file.
Set up UFW firewall rules to open required ports
$ sudo ufw allow 41194/udp
$ sudo ufw status
If the ufw
is inactive, you can enable it by the following command:
sudo ufw enable
Enable and start WireGuard Service
Turn the WireGuard service at boot time using the systemctl command, run:
sudo systemctl enable wg-quick@wg0
Start the service, execute:
sudo systemctl start wg-quick@wg0
Get the service status, run:
sudo systemctl status wg-quick@wg0
Note You can turn off the wg0 interface with
sudo systemctl stop wg-quick@wg0
Verify that interface named wg0 is up and running on Ubuntu server using the following command:
$ sudo wg
$ sudo ip a show wg0
Wireguard Client
The process for setting up a client is exactly same as setting up the server. When using Ubuntu as your client’s operating system, the only difference between the client and the server is the contents of the configuration file. If your client uses Ubuntu, follow the steps provided in the above sections and in this section.
- Generate a key pair for the client:
$ mkdir ~/.wireguard
$ cd ~/.wireguard
$ umask 077
$ wg genkey | tee privatekey | wg pubkey > publickey
- Next, copy the contents of newly-generated private key with the command:
cat privatekey
- Copy that string to your clipboard and then create a new WireGuard configuration file with this command -we are using nano in this example, but feel free to use whatever text editor you prefer-:
sudo nano /etc/wireguard/wg0.conf
- In that file, paste the following:
[Interface]
Address = 10.0.0.2/32
PrivateKey = CLIENT_PRIVATE_KEY
Connect the Client and Server
First of all, you need to stop the interface on the server, by issuing the following command:
sudo systemctl stop wg-quick@wg0
- Edit the client’s wg0.conf file by adding the server’s public key, public IP address, and port:
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:41194
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 15
- Edit the server’s wg0.conf file by adding the client’s public key, and port:
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/0
Enable and start VPN client/peer connection, run:
$ sudo systemctl enable wg-quick@wg0
$ sudo systemctl start wg-quick@wg0
$ sudo systemctl status wg-quick@wg0
Then, run sudo wg
and you will be able to see their connection!
The last two lines of the output from running the wg
command should be similar to:
latest handshake: 1 minute, 17 seconds ago
transfer: 98.86 KiB received, 43.08 KiB sent
This indicates that you now have a private connection between the server and client. You can also ping the client from the server to verify that the connection works both ways.
Verification
That is all. By now, both Ubuntu servers and clients must be connected securely using a peer-to-peer VPN called WireGuard. Let us test the connection. Type the following ping command on your client machine/desktop system:
$ ping 10.0.0.1
$ sudo wg
Conclusion
Congratulation! You just learned about setting up a WireGuard VPN server on Ubuntu server and peer (client machine) . For more information, I strongly suggest that you read WireGuard project documentation here.