How to Install and Configure WireGuard on Ubuntu
In seven steps, configure WireGuard on Ubuntu for your own private VPN.
I’ll guide you through installing and configuring WireGuard on Ubuntu. WireGuard is a modern VPN solution that is secure, fast, and easy to use. This tutorial will take you through each step to set up your own WireGuard VPN server.
Step 1: Install WireGuard
First, update your package list and install WireGuard:
sudo apt update
sudo apt install wireguard -y
Step 2: Generate Private and Public Keys
To create a private key, run the following command:
wg genkey | sudo tee /etc/wireguard/private.key
It's important to secure your private key file by setting appropriate permissions:
sudo chmod go= /etc/wireguard/private.key
This command removes all permissions for group and other users, so only the file owner (root) can read or write the key.
Generate the public key from the private key:
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
Step 3: Randomly Generate a Private IPv6 Subnet
Generate a random unique local (ULA) IPv6 prefix for your WireGuard network:
# fd + 40 random bits gives a prefix of the form fdXX:XXXX:XXXX::/64
printf 'fd%s:%s:%s::/64\n' "$(openssl rand -hex 1)" "$(openssl rand -hex 2)" "$(openssl rand -hex 2)"
Step 4: Randomly Generate a Private IPv4 Subnet
# One awk call draws both octets; two separate calls in the same second would get the same srand() seed and print the same number twice.
awk 'BEGIN{srand(); printf "10.%d.%d.0/24\n", int(rand()*256), int(rand()*256)}'
Step 5: Create the wg0.conf Configuration File
Now, create the WireGuard configuration file:
sudo nano /etc/wireguard/wg0.conf
Add the following content to the file, replacing PRIVATE_KEY with the actual private key from /etc/wireguard/private.key, IPV4_ADDRESS with an address from the IPv4 subnet you generated, and IPV6_ADDRESS with an address from the IPv6 subnet you generated:
[Interface]
PrivateKey = PRIVATE_KEY
Address = IPV4_ADDRESS/24
Address = IPV6_ADDRESS/64
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
If your external interface is not named eth0, change that part of the configuration file to match your machine.
• PostUp commands: Set up routing and NAT for traffic coming from the WireGuard interface (wg0) and going out through the main network interface (eth0).
• PreDown commands: Clean up the routing and NAT rules when the WireGuard interface is brought down.
Step 6: Enable and Start WireGuard
Finally, enable and start the WireGuard service:
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
Check the status to ensure everything is running correctly:
sudo systemctl status wg-quick@wg0
You should see a status indicating that the service is active and running.
Step 7: Adding a Peer
Use the following syntax to add the peer:
sudo wg set wg0 peer <PeerPublicKey> allowed-ips <PeerAllowedIPs>
Here is an example using IPv4 and IPv6 addresses.
sudo wg set wg0 peer xyz1234567890ABCDEFGHIJKLMNOP allowed-ips 10.69.18.6/32,fd9d:8733:e826::6/128
To get the peer's public key, you first need to generate a key pair and a configuration for the peer. A peer configuration usually looks something like this:
[Interface]
PrivateKey = [LONG_PRIVATE_KEY]
Address = IPV6_ADDRESS/128, IPV4_ADDRESS/32
DNS = 2606:4700:4700::1112, 2606:4700:4700::1002, 1.1.1.2, 1.0.0.2
[Peer]
PublicKey = [SERVER_PUBLIC_KEY]
AllowedIPs = ::/0, 0.0.0.0/0
Endpoint = example.com:51820
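A script for the peer side of Step 7, added here as an example and not part of the original guide: run on the peer, it generates the key pair locally so the private key never leaves the device, writes a config in the layout above, and prints the wg set line to run on the server. The function names, the peer.sh file name, the prefix and host-number arguments, and the convention that .1 / ::1 belongs to the server are assumptions.

```sh
#!/bin/sh
# Added example (not from the original guide). Prefixes, host numbers and keys
# are constructed; .1 / ::1 is ASSUMED to be the server's own address.

# valid_host N: accept host numbers 2..254 only (no leading zeros).
valid_host() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 2 ] && [ "$1" -le 254 ]
}

# peer_v4 10.69.18 6 -> 10.69.18.6/32 ; peer_v6 fd9d:8733:e826:: 6 -> fd9d:8733:e826::6/128
peer_v4() { printf '%s.%d/32\n' "$1" "$2"; }
peer_v6() { printf '%s%x/128\n' "$1" "$2"; }

# render_peer_conf PEER_PRIVKEY SERVER_PUBKEY ENDPOINT V4_PREFIX V6_PREFIX HOST
render_peer_conf() {
    valid_host "$6" || { echo "host must be 2..254" >&2; return 1; }
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $(peer_v6 "$5" "$6"), $(peer_v4 "$4" "$6")
DNS = 2606:4700:4700::1112, 2606:4700:4700::1002, 1.1.1.2, 1.0.0.2

[Peer]
PublicKey = $2
AllowedIPs = ::/0, 0.0.0.0/0
Endpoint = $3
EOF
}

# server_add_cmd PEER_PUBKEY V4_PREFIX V6_PREFIX HOST: line to run on the server
server_add_cmd() {
    valid_host "$4" || { echo "host must be 2..254" >&2; return 1; }
    printf 'sudo wg set wg0 peer %s allowed-ips %s,%s\n' \
        "$1" "$(peer_v4 "$2" "$4")" "$(peer_v6 "$3" "$4")"
}

# Usage on the peer: sh peer.sh new SERVER_PUBKEY ENDPOINT V4_PREFIX V6_PREFIX HOST
if [ "${1:-}" = new ]; then
    valid_host "$6" || { echo "host must be 2..254" >&2; exit 1; }
    umask 077    # the config file contains the peer's private key
    priv=$(wg genkey) && pub=$(printf '%s\n' "$priv" | wg pubkey) || exit 1
    render_peer_conf "$priv" "$2" "$3" "$4" "$5" "$6" > "peer$6.conf" || exit 1
    server_add_cmd "$pub" "$4" "$5" "$6"
fi
```

With the wg0.conf shown above, peers added with wg set exist only in the running interface; add a matching [Peer] section to wg0.conf if the peer should survive a restart.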
Conclusion
Congratulations! You’ve successfully installed and configured WireGuard on your Ubuntu machine. With these steps, you now have a secure VPN server up and running. Feel free to share this guide with anyone who asks about setting up WireGuard.