                    1. 🔄 Update System
                
                Always start by updating your system packages to ensure you have the latest security patches and dependencies:
                sudo apt update && sudo apt upgrade -y
                
                    💡 Tip: The -y flag automatically confirms the upgrade prompt. Remove it if you want to review packages before upgrading.
                
             
            
            
                
                    2. 📦 Install WireGuard
                
                Install WireGuard and required tools:
                sudo apt install wireguard wireguard-tools -y
                For Ubuntu 18.04 and earlier, you may need to add the PPA first:
                sudo add-apt-repository ppa:wireguard/wireguard
                sudo apt update
                sudo apt install wireguard wireguard-tools -y
             
            
            
                
                    3. 🔑 Generate Keys
                
                Generate private and public key pairs:
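                (umask 077; wg genkey | sudo tee /etc/wireguard/private.key > /dev/null)
                sudo chmod 600 /etc/wireguard/private.key
                sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
                
                    ⚠️ Security Note: Keep your private key secure! The umask 077 prefix creates the file without group or world access, sending tee's output to /dev/null keeps the key off the terminal, and the chmod 600 command ensures only root can read the private key.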
                
             
            
            
                
                    4. ⚙️ Configure WireGuard
                
                Create and edit the WireGuard configuration file:
                sudo nano /etc/wireguard/wg0.conf
                Add the following configuration (example for server):
                [Interface]
                # Server configuration
                PrivateKey = <your_server_private_key>
                Address = 10.8.0.1/24
                ListenPort = 51820
                SaveConfig = true
                # Enable IP forwarding (for server/gateway setups)
                PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
                # Forward and NAT VPN traffic; replace eth0 with the server's outbound interface
                PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
                PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
                # Remove the same rules when the interface goes down
                PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
                PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
                [Peer]
                # Client 1
                PublicKey = <client_1_public_key>
                AllowedIPs = 10.8.0.2/32
                # Optional: PresharedKey for additional security
                # PresharedKey = <preshared_key>
                [Peer]
                # Client 2
                PublicKey = <client_2_public_key>
                AllowedIPs = 10.8.0.3/32
                
                    📝 Configuration Notes:
                    
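                        - Address: The VPN IP address for this interface
                        - ListenPort: UDP port WireGuard listens on (default: 51820)
                        - SaveConfig: Saves the runtime configuration back to this file when the interface is brought down, overwriting edits made to the file while the interface was up
                        - AllowedIPs: IP ranges routed to this peer, and the only source addresses accepted from it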
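
                One way to check a finished wg0.conf against the points above, as an added example that is not part of the original guide: the file holds the private key, so it needs the same owner-only permissions as private.key in step 3, and each client's AllowedIPs should be its own /32. The names audit_wg_conf and write_sample_conf and the finding labels are made up for this example, and the sample config is constructed.

```shell
#!/bin/sh
# audit_wg_conf FILE: one finding per line; returns 1 if anything was found.
audit_wg_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }
    findings=$(
        # The file embeds PrivateKey, so group/other need no access at all
        # (characters 5-10 of the ls mode string).
        perms=$(ls -ld "$conf" | cut -c5-10)
        [ "$perms" = "------" ] || echo "PERMS group/other access: $perms"
        awk -F'[ \t]*=[ \t]*' '
            { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim each line
            /^\[Peer\]/ { peer++ }
            $1 == "PrivateKey" && $2 ~ /^</ { print "PLACEHOLDER PrivateKey" }
            peer && $1 == "AllowedIPs" {
                n = split($2, ips, /[ \t]*,[ \t]*/)
                for (i = 1; i <= n; i++) {
                    ip = ips[i]
                    # An allowed IP belongs to one peer only; a later entry
                    # silently takes it away from the earlier peer.
                    if (ip in owner)
                        printf "DUPLICATE %s peers %d,%d\n", ip, owner[ip], peer
                    owner[ip] = peer
                    # Assumption: as on this page, each client is one host route.
                    if (ip !~ /\/(32|128)$/)
                        printf "BROAD %s peer %d\n", ip, peer
                }
            }' "$conf"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: peer 2 reuses peer 1's address, peer 3 gets the subnet.
write_sample_conf() {
    printf '%s\n' '[Interface]' 'PrivateKey = <your_server_private_key>' \
        'Address = 10.8.0.1/24' \
        '[Peer]' 'PublicKey = <client_1_public_key>' 'AllowedIPs = 10.8.0.2/32' \
        '[Peer]' 'PublicKey = <client_2_public_key>' 'AllowedIPs = 10.8.0.2/32' \
        '[Peer]' 'PublicKey = <client_3_public_key>' 'AllowedIPs = 10.8.0.0/24' \
        > "$1"
}

sample=$(mktemp) && write_sample_conf "$sample" && chmod 644 "$sample"
audit_wg_conf "$sample" || true
rm -f "$sample"
```

                To check the real file, call audit_wg_conf /etc/wireguard/wg0.conf as root.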
 
             
            
            
                
                    5. 🌐 Enable IP Forwarding (Server Only)
                
                For server/gateway setups, permanently enable IP forwarding:
                sudo nano /etc/sysctl.conf
                Uncomment or add this line:
                net.ipv4.ip_forward=1
                Apply the changes:
                sudo sysctl -p
             
            
            
                
                    6. 🎮 Manage WireGuard
                
                
                Start WireGuard:
                sudo wg-quick up wg0
                
                Stop WireGuard:
                sudo wg-quick down wg0
                
                Enable on Boot:
                sudo systemctl enable wg-quick@wg0
                
                Disable Autostart:
                sudo systemctl disable wg-quick@wg0
                
                Check Status:
                sudo systemctl status wg-quick@wg0
                sudo wg show
                
                Restart After Config Changes:
                sudo wg-quick down wg0 && sudo wg-quick up wg0
             
            
            
                
                    7. 🔥 Configure Firewall
                
                If using UFW (Ubuntu's default firewall), allow the WireGuard port:
                sudo ufw allow 51820/udp
                Allow forwarding (if acting as server):
                sudo nano /etc/ufw/before.rules
                Add these lines at the beginning (after the header comments):
                # NAT table rules
                *nat
                :POSTROUTING ACCEPT [0:0]
                -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
                COMMIT
                Also edit UFW's sysctl settings:
                sudo nano /etc/ufw/sysctl.conf
                Ensure this line is uncommented:
                net/ipv4/ip_forward=1
                Reload UFW:
                sudo ufw reload
             
            
            
                
                    🔧 Troubleshooting
                
                
                Check Logs:
                sudo journalctl -xe | grep wireguard
                
                Verify Interface:
                ip a show wg0
                
                Test Connectivity:
                ping 10.8.0.1
                
                Check Active Connections:
                sudo wg show wg0 latest-handshakes
             
            
            
                ✅ Quick Command Reference
                
                    
                        🚀 Start/Stop
                        wg-quick up wg0
                        wg-quick down wg0
                     
                    
                        💾 Auto-start
                        systemctl enable wg-quick@wg0
                        systemctl disable wg-quick@wg0
                     
                    
                        📊 Monitor
                        wg show
                        systemctl status wg-quick@wg0
                     
                    
                        ⚙️ Configure
                        nano /etc/wireguard/wg0.conf
                        wg-quick down wg0 && wg-quick up wg0
                     
                 
             
            
            
                🎉 Setup Complete! Your WireGuard VPN is now configured. Remember to:
                
                    - Keep your private keys secure
                    - Regularly update your system
                    - Monitor connection logs for unusual activity
                    - Document your peer configurations