Install WireGuard VPN Server on Ubuntu 24.04 - kifarunix.com (2024)


Follow through this tutorial to learn how to install WireGuard VPN server on Ubuntu 24.04. According to wireguard.com, WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry. WireGuard has been part of the mainline Linux kernel since 5.6, so on Ubuntu 24.04 (kernel 6.8) the kernel module is already present and only the userspace tools need to be installed.


Install WireGuard VPN Server on Ubuntu 24.04

Run system update

Before you can proceed, ensure that the system package cache is up-to-date;

sudo apt update

Install WireGuard VPN Server on Ubuntu 24.04

To install the WireGuard userspace tools, run the command below. The kernel module itself ships with the Ubuntu 24.04 kernel, so nothing else needs to be installed;

sudo apt install wireguard-tools

Sample output;

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  wireguard-tools
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 88.8 kB of archives.
After this operation, 326 kB of additional disk space will be used.
Get:1 http://de.archive.ubuntu.com/ubuntu noble/main amd64 wireguard-tools amd64 1.0.20210914-1ubuntu3 [88.8 kB]
Fetched 88.8 kB in 0s (1,051 kB/s)
Selecting previously unselected package wireguard-tools.
(Reading database ... 156325 files and directories currently installed.)
Preparing to unpack .../wireguard-tools_1.0.20210914-1ubuntu3_amd64.deb ...
Unpacking wireguard-tools (1.0.20210914-1ubuntu3) ...
Setting up wireguard-tools (1.0.20210914-1ubuntu3) ...
wg-quick.target is a disabled or a static unit, not starting it.
Processing triggers for man-db (2.12.0-3) ...

The package installs two WireGuard utilities:

  • wg: the configuration utility for getting and setting the configuration of WireGuard tunnel interfaces.
  • wg-quick: a wrapper script used to set up a WireGuard interface from a configuration file. Refer to man wg-quick.

Install IPtables

Iptables is used by the PostUp/PostDown hooks in the WireGuard configuration below to set the firewall and NAT rules. On Ubuntu 24.04 the iptables package provides the nftables-backed variant (iptables-nft), which is fine for this purpose.

sudo apt install iptables

Configuring WireGuard VPN Server on Ubuntu 24.04

Once the installation is done, you can now proceed to configure WireGuard VPN server on Ubuntu 24.04.

The package creates an empty configuration directory, /etc/wireguard, owned by root with mode 0700, so only root can read the keys and configuration files stored there.

Generate WireGuard Private/Public Keys

Next, you need to generate the WireGuard base64-encoded private and public keys.

Private keys can be generated using the wg genkey command as follows.

To begin with, tighten the permissions of newly created files using umask. On Ubuntu the default umask for most users is 002, which means newly created files get mode 664 (read/write for owner and group, read for others) and directories get 775 (read/write/execute for owner and group, read/execute for others).

For WireGuard private keys, such permissions would let any other user on the system read the key. Anyone who obtains the key can impersonate your server to its peers and decrypt or inject tunnel traffic.

Thus, ensure that you remove read, write, and execute permissions for everyone except the owner of the WireGuard key and configuration files. Setting umask 077 in your shell is enough for the commands below even though they write through sudo, because sudo applies the more restrictive of your umask and its own default (0022), so the files are created as root with mode 0600.

umask 077

Next, generate the keys;

wg genkey

The command prints the private key to stdout. To write it to a file, run the command below. Note that tee echoes the key to the terminal as well, so do this on a trusted console and clear the scrollback afterwards (or append > /dev/null to the command);

wg genkey | sudo tee /etc/wireguard/wireguard.key

Generate WireGuard Public Keys

Public keys are derived from the private key using the wg pubkey command. The command similarly prints the key to standard output;

sudo cat /etc/wireguard/wireguard.key | wg pubkey

To write to a file;

sudo cat /etc/wireguard/wireguard.key | wg pubkey | sudo tee /etc/wireguard/wireguard.pub.key

Generate Both Private and Public Key at Once

You can run the command below to generate the WireGuard private key and public key at the same time;

wg genkey | sudo tee /etc/wireguard/wireguard.key | wg pubkey | sudo tee /etc/wireguard/wireguard.pub.key

Below are the contents of my private and public keys. They are shown only as samples: a private key that has been published anywhere is compromised, so always generate your own;

sudo cat /etc/wireguard/wireguard.key
uFgD3dDfMBP+SwPS+CTY5DY7U9+25laoleDsvXSJOmg=
sudo cat /etc/wireguard/wireguard.pub.key
T6gaFyJEWRucHFzpJJFYPpFv6EH3r2lnXxLHMP8eshU=

Generate WireGuard Server Configuration File

Once you have the keys in place, you can now create the WireGuard configuration file, /etc/wireguard/INTERFACE.conf.

Recommended INTERFACE names include ‘wg0’ or ‘wgvpn0’ or even ‘wgmgmtlan0’. However, the number at the end is in fact optional, and really any free-form string [a-zA-Z0-9_=+.-]{1,15} will work. So even interface names corresponding to geographic locations would suffice, such as ‘cincinnati’, ‘nyc’, or ‘paris’, if that’s somehow desirable.

First of all, let’s list our current interfaces;

ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128
enp0s3           UP             10.0.2.15/24 fe80::a00:27ff:feee:d66c/64
enp0s8           UP             192.168.56.104/24 fe80::a00:27ff:fe5e:3b83/64

Confirm the routes, to get the default route interface;

ip route list default
default via 10.0.2.2 dev enp0s3 proto dhcp src 10.0.2.15 metric 100 

You can then simply run the command below to create a config file, named /etc/wireguard/wg0.conf. This file holds the server's private key in clear text; with umask 077 still in effect it is created with mode 0600, otherwise chmod 600 it afterwards.

Be sure to update the file as per your environment setup, in particular the PrivateKey, the egress interface (enp0s3 here, taken from the default route above) and the tunnel subnet!

sudo tee /etc/wireguard/wg0.conf << 'EOL'
[Interface]
Address = 10.8.0.1/24
SaveConfig = true
ListenPort = 51820
DNS = 8.8.8.8,10.8.0.1
PrivateKey = uFgD3dDfMBP+SwPS+CTY5DY7U9+25laoleDsvXSJOmg=
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward;iptables -A INPUT -p udp --dport 51820 -j ACCEPT;iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE;iptables -A FORWARD -i wg0 -o enp0s3 -j ACCEPT
PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward;iptables -D INPUT -p udp --dport 51820 -j ACCEPT;iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE;iptables -D FORWARD -i wg0 -o enp0s3 -j ACCEPT
EOL

You can get an explanation of the configuration options from man wg-quick.

  • Address: a comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface. May be specified multiple times.
  • ListenPort: the UDP port WireGuard listens on; 51820 is the conventional default. You can choose any free port, but then change it in the PostUp/PostDown firewall rules as well.
  • DNS: a comma-separated list of IP (v4 or v6) addresses to be set as the interface’s DNS servers, or non-IP hostnames to be set as the interface’s DNS search domains. May be specified multiple times. Note that this configures the resolver of the host running wg-quick, i.e. the server itself, not the clients; it is mostly useful in client configurations and can be omitted on the server unless you also run a resolver on 10.8.0.1.
  • PrivateKey: the key from the private key file created above, /etc/wireguard/wireguard.key. Because it is stored in clear text here, the config file must stay root-only (mode 0600).
  • PostUp, PostDown: script snippets executed after the interface has been set up and after it has been torn down respectively (PreUp and PreDown exist for the "before" cases). They are most commonly used to configure custom DNS options or firewall rules. Here they:
    • Enable IP forwarding
    • Open port 51820/udp on the firewall
    • Masquerade traffic leaving through the default route interface
    • Allow forwarding of VPN traffic to the default route interface
    • PostDown reverses each of these. Be aware that echo 0 > /proc/sys/net/ipv4/ip_forward disables forwarding system-wide, which breaks any other routing or container networking on the host; drop that part if the server forwards traffic for anything else.
  • SaveConfig: if set to ‘true’, the configuration is saved from the current state of the interface upon shutdown. Any changes made to the configuration file while the interface is up will therefore be overwritten unless they are first loaded into the running interface (for example with wg syncconf, see below) or made with the interface down.

Enable IP Forwarding on WireGuard VPN Server

To route packets between VPN clients, and from clients out through the server, you need to enable kernel IP forwarding.

We have already enabled this in the WireGuard interface configuration above (echo 1 > /proc/sys/net/ipv4/ip_forward in PostUp).

Alternatively, you can enable it persistently via sysctl. If you use this approach, remove the echo ... ip_forward snippets from both PostUp and PostDown in the configuration file (otherwise PostDown switches forwarding off again);

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf

Reload sysctl settings

sudo sysctl -p

Running WireGuard VPN Server

You can run WireGuard by bringing up the WireGuard VPN server interface using the wg-quick command or by using systemd service.

Use wg-quick to Manage WireGuard VPN Tunnel Interface

To bring up the interface with the wg-quick command;

sudo wg-quick up wg0

Sample command output;

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] echo 1 > /proc/sys/net/ipv4/ip_forward;iptables -A INPUT -p udp --dport 51820 -j ACCEPT;iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE;iptables -A FORWARD -i wg0 -o enp0s3 -j ACCEPT

Show WireGuard VPN interface configuration;

sudo wg
interface: wg0
  public key: T6gaFyJEWRucHFzpJJFYPpFv6EH3r2lnXxLHMP8eshU=
  private key: (hidden)
  listening port: 51820

Checking the wg0 interface details:

ip addr show wg0
4: wg0: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.8.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever

Listing the firewall rules added by PostUp;

sudo iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  wg0    enp0s3  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

sudo iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   218 MASQUERADE 0    --  *      enp0s3  0.0.0.0/0            0.0.0.0/0

Note that on this test system the INPUT and FORWARD chains have a default policy of ACCEPT, so the ACCEPT rules above change nothing by themselves. If your server runs a default-deny firewall (for example ufw, whose default forward policy is DROP), you additionally need to allow the return path, e.g. iptables -A FORWARD -i enp0s3 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT in PostUp (with the matching -D in PostDown), or open 51820/udp and adjust the forward policy through ufw instead.

Use Systemd to Manage WireGuard VPN Tunnel Interface

If you had already brought up the WireGuard tunnel interface using the wg-quick command, take the interface down. Because SaveConfig is true, wg-quick first writes the running configuration back to /etc/wireguard/wg0.conf (the wg showconf step) before deleting the interface;

sudo wg-quick down wg0
[#] wg showconf wg0
[#] ip link delete dev wg0
[#] resolvconf -d wg0 -f
[#] echo 0 > /proc/sys/net/ipv4/ip_forward;iptables -D INPUT -p udp --dport 51820 -j ACCEPT;iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE;iptables -D FORWARD -i wg0 -o enp0s3 -j ACCEPT

After that, you can use systemd service to manage WireGuard, by simply running the command below to start it.

sudo systemctl start wg-quick@wg0

To check the status;

systemctl status wg-quick@wg0
wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; disabled; preset: enabled)
     Active: active (exited) since Tue 2024-02-06 18:57:33 CET; 7s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 41652 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 41652 (code=exited, status=0/SUCCESS)
        CPU: 44ms

Feb 06 18:57:33 noble-numbat systemd[1]: Starting wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0...
Feb 06 18:57:33 noble-numbat wg-quick[41652]: [#] ip link add wg0 type wireguard
Feb 06 18:57:33 noble-numbat wg-quick[41652]: [#] wg setconf wg0 /dev/fd/63
Feb 06 18:57:33 noble-numbat wg-quick[41652]: [#] ip -4 address add 10.8.0.1/24 dev wg0
Feb 06 18:57:33 noble-numbat wg-quick[41652]: [#] ip link set mtu 1420 up dev wg0
Feb 06 18:57:33 noble-numbat wg-quick[41652]: [#] echo 1 > /proc/sys/net/ipv4/ip_forward;iptables -A INPUT -p udp --dport 51820 -j ACCEPT;iptables -t n>
Feb 06 18:57:33 noble-numbat systemd[1]: Finished wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0.

To enable it to run on boot;

sudo systemctl enable wg-quick@wg0

Stopping WireGuard VPN

To stop the WireGuard VPN, run;

sudo wg-quick down wg0

Or

sudo systemctl stop wg-quick@wg0

Configure WireGuard VPN Clients

Once the server is setup, you can now proceed to configure WireGuard VPN clients.

Generate WireGuard VPN Clients Private/Public Keys

To begin with, you need to generate the client keys. You can use the same command as used above when generating the server keys. Best practice is to generate each client's key pair on the client itself, so that the private key never leaves the device; here, for convenience, the keys are generated on the server, so make sure the private keys are delivered to the clients over a secure channel and deleted from the server afterwards.

The command below generates keys for our three test clients (make sure umask 077 is still in effect);

for i in ubuntu debian rocky8; do wg genkey | sudo tee /etc/wireguard/$i.key | wg pubkey | sudo tee /etc/wireguard/$i.pub.key; done
ls -1 /etc/wireguard
debian.key
debian.pub.key
rocky8.key
rocky8.pub.key
ubuntu.key
ubuntu.pub.key
wg0.conf
wireguard.key
wireguard.pub.key

Checking the contents of each key pair;

sudo cat /etc/wireguard/debian.key /etc/wireguard/debian.pub.key
0INvLkZU64dJd/41r1RuCEW0/mpHGycXOQvvuEWd7ks=
c9rhdbHHY1EVXThhTnzYkE0lto+5UK4/raGEhVnTLRQ=
sudo cat /etc/wireguard/ubuntu.key /etc/wireguard/ubuntu.pub.key
GODF2MimY+nATXMbjJUdCo19Q7edYEOg3PuegNSad1o=
ucQSU4bqZn0Pll+hgfLNZC8JNDMymOGifyiwp/iKIjc=
sudo cat /etc/wireguard/rocky8.key /etc/wireguard/rocky8.pub.key
YCEfv6oDxjEVxqnTI1caPsAm+efapiKYkcfLtn6gp1A=
BlO7WMxOjRqeEzi4VYLThpeksZQ8Wijig9Wa2v2U4mg=

Add Client Peer Settings in WireGuard VPN Server configuration

Next, add a [Peer] section for each client to the WireGuard VPN server configuration file, as shown below. PublicKey is the client's public key (never its private key) and AllowedIPs is the tunnel address assigned to that client. AllowedIPs is WireGuard's cryptokey routing table: on the server it both routes traffic for 10.8.0.10 to that peer and drops any decrypted packet from that peer whose source address lies outside 10.8.0.10/32, so every peer needs a unique, non-overlapping entry. A bare address is treated as a /32.

Be sure to replace the public keys and IP addresses for the respective clients accordingly.

sudo tee -a /etc/wireguard/wg0.conf << 'EOF'
[Peer]
PublicKey = c9rhdbHHY1EVXThhTnzYkE0lto+5UK4/raGEhVnTLRQ=
AllowedIPs = 10.8.0.10

[Peer]
PublicKey = ucQSU4bqZn0Pll+hgfLNZC8JNDMymOGifyiwp/iKIjc=
AllowedIPs = 10.8.0.20

[Peer]
PublicKey = BlO7WMxOjRqeEzi4VYLThpeksZQ8Wijig9Wa2v2U4mg=
AllowedIPs = 10.8.0.30
EOF

Our WireGuard VPN server configuration file now looks like this. Note that, because SaveConfig = true, wg-quick rewrote the [Interface] section when the interface was last taken down, which is why the options are reordered and the DNS line is absent;

sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.8.0.1/24
SaveConfig = true
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward;iptables -A INPUT -p udp --dport 51820 -j ACCEPT;iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE;iptables -A FORWARD -i wg0 -o enp0s3 -j ACCEPT
PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward;iptables -D INPUT -p udp --dport 51820 -j ACCEPT;iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE;iptables -D FORWARD -i wg0 -o enp0s3 -j ACCEPT
ListenPort = 51820
PrivateKey = KCDg87QMVzrw7IXtIT9A/E7vmuOCQAXsIxIiPcsPGVg=

[Peer]
PublicKey = c9rhdbHHY1EVXThhTnzYkE0lto+5UK4/raGEhVnTLRQ=
AllowedIPs = 10.8.0.10

[Peer]
PublicKey = ucQSU4bqZn0Pll+hgfLNZC8JNDMymOGifyiwp/iKIjc=
AllowedIPs = 10.8.0.20

[Peer]
PublicKey = BlO7WMxOjRqeEzi4VYLThpeksZQ8Wijig9Wa2v2U4mg=
AllowedIPs = 10.8.0.30
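With the server file assembled, it is worth checking it mechanically before reloading. The Python script below is an added example (not code from this guide or from the WireGuard project) that parses a wg-quick configuration and reports the mistakes that bite in practice: a key that is not a valid 32-byte base64 value, AllowedIPs that overlap between peers (an exact duplicate is silently moved to the last peer that claims it, and 0.0.0.0/0 lets a peer source any address), PostUp iptables rules with no matching PostDown (they survive wg-quick down), and a config file readable by group or others. SAMPLE_CONF is a constructed copy of the configuration built above, keys included; the finding texts and the <A|D> placeholder are the script's own conventions.

```python
"""Static checks for a wg-quick server config such as /etc/wireguard/wg0.conf.
Added example, not code from the guide or the WireGuard project: it reports malformed
keys, overlapping AllowedIPs, PostUp firewall rules lacking a PostDown counterpart and
group/other-readable key files. SAMPLE_CONF is constructed from this guide's config."""
import base64
import ipaddress
import re
import shlex

SAMPLE_CONF = """\
[Interface]
Address = 10.8.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = uFgD3dDfMBP+SwPS+CTY5DY7U9+25laoleDsvXSJOmg=
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward;iptables -A INPUT -p udp --dport 51820 -j ACCEPT;iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE;iptables -A FORWARD -i wg0 -o enp0s3 -j ACCEPT
PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward;iptables -D INPUT -p udp --dport 51820 -j ACCEPT;iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE;iptables -D FORWARD -i wg0 -o enp0s3 -j ACCEPT
[Peer]
PublicKey = c9rhdbHHY1EVXThhTnzYkE0lto+5UK4/raGEhVnTLRQ=
AllowedIPs = 10.8.0.10
[Peer]
PublicKey = ucQSU4bqZn0Pll+hgfLNZC8JNDMymOGifyiwp/iKIjc=
AllowedIPs = 10.8.0.20
[Peer]
PublicKey = BlO7WMxOjRqeEzi4VYLThpeksZQ8Wijig9Wa2v2U4mg=
AllowedIPs = 10.8.0.30
"""

def valid_key(key):
    """A WireGuard key is 32 bytes in base64: 44 chars ending in '=' with zero padding bits."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{43}=", key):
        return False
    # Canonical round-trip rejects non-zero padding bits, the same check wg(8) applies.
    return base64.b64encode(base64.b64decode(key)).decode() == key

def parse_conf(text):
    """Return {'Interface': {...}, 'Peers': [...]}; every option value is kept as a list."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick ignores '#' comments too
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append({"_name": line[1:-1]})
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1].setdefault(key, []).append(value)
        else:
            raise ValueError(f"malformed line: {raw!r}")
    (iface,) = [s for s in sections if s["_name"] == "Interface"]  # exactly one, or ValueError
    return {"Interface": iface, "Peers": [s for s in sections if s["_name"] == "Peer"]}

def _iptables_rules(values, flag):
    """Collect iptables/ip6tables commands using `flag` (-A or -D), with the flag neutralised."""
    rules = set()
    for cmd in ";".join(values).split(";"):
        toks = shlex.split(cmd)
        if toks and toks[0] in ("iptables", "ip6tables") and flag in toks:
            toks[toks.index(flag)] = "<A|D>"
            rules.add(" ".join(toks))
    return rules

def lint(conf):
    """Return human-readable findings; an empty list means nothing to report."""
    iface, peers, findings = conf["Interface"], conf["Peers"], []
    if not all(valid_key(k) for k in iface.get("PrivateKey", [""])):
        findings.append("Interface: PrivateKey missing or not a valid 32-byte base64 key")
    claimed = []  # (network, peer number) already assigned by an earlier [Peer]
    for n, peer in enumerate(peers, 1):
        if not valid_key(peer.get("PublicKey", [""])[0]):
            findings.append(f"Peer {n}: PublicKey missing or malformed")
        for cidr in filter(None, map(str.strip, ",".join(peer.get("AllowedIPs", [])).split(","))):
            try:
                net = ipaddress.ip_network(cidr, strict=False)  # a bare address means /32 (or /128)
            except ValueError:
                findings.append(f"Peer {n}: unparsable AllowedIPs {cidr!r}")
                continue
            if net.prefixlen == 0:
                findings.append(f"Peer {n}: AllowedIPs {net} accepts any source address from this peer")
            for other, m in claimed:
                if net.overlaps(other):
                    findings.append(f"Peer {n}: AllowedIPs {net} overlaps {other} of peer {m}")
            claimed.append((net, n))
    up = _iptables_rules(iface.get("PostUp", []), "-A")
    down = _iptables_rules(iface.get("PostDown", []), "-D")
    findings += [f"PostUp rule without PostDown counterpart, persists after wg-quick down: {r}"
                 for r in sorted(up - down)]
    return findings

def perm_findings(mode, path="/etc/wireguard/wg0.conf"):
    """Flag group/other bits on a file holding a private key (what umask 077 prevents)."""
    if mode & 0o077:
        return [f"{path}: mode {mode & 0o777:o} is accessible to group/other, expected 0600"]
    return []

if __name__ == "__main__":
    for finding in lint(parse_conf(SAMPLE_CONF)) or ["no findings"]:
        print(finding)
```

Run as is, it lints the embedded sample, which is clean. To lint the real file, pass its contents to lint(parse_conf(...)) and its st_mode (from os.stat) to perm_findings; both need root, since /etc/wireguard is mode 0700.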

Reload WireGuard so that the new peers are picked up without dropping the existing tunnel.

Reload WireGuard VPN using Systemctl

The wg-quick@.service unit defines an ExecReload that runs wg syncconf against the stripped configuration file, so the peer settings can be reloaded without restarting the interface;

sudo systemctl reload wg-quick@wg0

Check the status;

systemctl status wg-quick@wg0

Reload WireGuard VPN using wg-quick command

If you started WireGuard using the wg-quick command, you can reload as follows. wg-quick strip removes the wg-quick-only options (Address, DNS, PostUp and so on) so that wg syncconf can apply the rest to the live interface without tearing it down; the whole pipeline has to run as root, hence the quoting;

sudo bash -c 'wg syncconf wg0 <(wg-quick strip wg0)'

The command prints nothing on success. Confirm that the peers were loaded with sudo wg;

interface: wg0
  public key: 60UScq0EQ7ZHXIdHcOnjFYK6N/TLtmtPGTBqLwLd0WY=
  private key: (hidden)
  listening port: 51820

peer: c9rhdbHHY1EVXThhTnzYkE0lto+5UK4/raGEhVnTLRQ=
  allowed ips: 10.8.0.10/32

peer: ucQSU4bqZn0Pll+hgfLNZC8JNDMymOGifyiwp/iKIjc=
  allowed ips: 10.8.0.20/32

peer: BlO7WMxOjRqeEzi4VYLThpeksZQ8Wijig9Wa2v2U4mg=
  allowed ips: 10.8.0.30/32

Show the current WireGuard configuration and runtime information of the interface, including which peers have completed a handshake;

sudo wg show
interface: wg0
  public key: T6gaFyJEWRucHFzpJJFYPpFv6EH3r2lnXxLHMP8eshU=
  private key: (hidden)
  listening port: 51820

peer: ucQSU4bqZn0Pll+hgfLNZC8JNDMymOGifyiwp/iKIjc=
  endpoint: 192.168.56.103:40122
  allowed ips: 10.8.0.20/32
  latest handshake: 1 minute, 6 seconds ago
  transfer: 648 B received, 184 B sent

peer: c9rhdbHHY1EVXThhTnzYkE0lto+5UK4/raGEhVnTLRQ=
  allowed ips: 10.8.0.10/32

peer: BlO7WMxOjRqeEzi4VYLThpeksZQ8Wijig9Wa2v2U4mg=
  allowed ips: 10.8.0.30/32
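The human-readable wg show output above is awkward to monitor. wg show wg0 dump prints the same state as tab-separated fields with the handshake time as a Unix timestamp, which the following added example (not code from this guide or from the WireGuard project) parses to tell live, stale and never-connected peers apart. It uses the protocol's REJECT_AFTER_TIME of 180 s as the liveness window, since a peer that is exchanging traffic rekeys at least every 120 s. SAMPLE_DUMP and NOW are constructed to mirror the wg show output above (the ubuntu peer completed a handshake 66 s ago, the other two never connected); the wg_dump helper and the dictionary field names are this example's own.

```python
"""Parse `wg show <iface> dump` and report which peers currently hold a session.
Added example, not code from the guide or the WireGuard project. The dump format
is one tab-separated line for the interface (private-key, public-key, listen-port,
fwmark) then one per peer (public-key, preshared-key, endpoint, allowed-ips,
latest-handshake as unix seconds with 0 for never, transfer-rx, transfer-tx,
persistent-keepalive). SAMPLE_DUMP is constructed from this guide's `wg show`."""
import subprocess

# WireGuard drops a session 180 s after its handshake (REJECT_AFTER_TIME) and rekeys
# every 120 s while traffic flows, so "handshake within 180 s" means "connected now".
REJECT_AFTER_TIME = 180

NOW = 1707242253  # constructed reference time: 2024-02-06 17:57:33 UTC (18:57:33 CET)
SAMPLE_DUMP = (
    "uFgD3dDfMBP+SwPS+CTY5DY7U9+25laoleDsvXSJOmg=\tT6gaFyJEWRucHFzpJJFYPpFv6EH3r2lnXxLHMP8eshU=\t51820\toff\n"
    f"ucQSU4bqZn0Pll+hgfLNZC8JNDMymOGifyiwp/iKIjc=\t(none)\t192.168.56.103:40122\t10.8.0.20/32\t{NOW - 66}\t648\t184\toff\n"
    "c9rhdbHHY1EVXThhTnzYkE0lto+5UK4/raGEhVnTLRQ=\t(none)\t(none)\t10.8.0.10/32\t0\t0\t0\toff\n"
    "BlO7WMxOjRqeEzi4VYLThpeksZQ8Wijig9Wa2v2U4mg=\t(none)\t(none)\t10.8.0.30/32\t0\t0\t0\toff\n"
)

def parse_dump(text):
    """Return (interface, peers). The private key is in the dump; it is deliberately not kept."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    _private, public, port, fwmark = lines[0].split("\t")
    iface = {"public_key": public, "listen_port": int(port), "fwmark": fwmark}
    peers = []
    for line in lines[1:]:
        pk, psk, endpoint, allowed, handshake, rx, tx, keepalive = line.split("\t")
        peers.append({
            "public_key": pk,
            "has_psk": psk != "(none)",  # record presence only, never the PSK value
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed.split(","),
            "latest_handshake": int(handshake),
            "rx_bytes": int(rx), "tx_bytes": int(tx),
            "keepalive": None if keepalive == "off" else int(keepalive),
        })
    return iface, peers

def classify_peers(peers, now):
    """Split peers into live (handshake within REJECT_AFTER_TIME), stale, and never connected."""
    live, stale, never = [], [], []
    for p in peers:
        if p["latest_handshake"] == 0:
            never.append(p)
        elif now - p["latest_handshake"] <= REJECT_AFTER_TIME:
            live.append(p)
        else:
            stale.append(p)
    return live, stale, never

def wg_dump(iface="wg0"):
    """Fetch the live dump; needs root. Not used when running against SAMPLE_DUMP."""
    return subprocess.run(["wg", "show", iface, "dump"], check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    iface, peers = parse_dump(SAMPLE_DUMP)
    live, stale, never = classify_peers(peers, NOW)
    print(f"{iface['public_key']} on udp/{iface['listen_port']}: {len(peers)} peers")
    for label, group in (("live", live), ("stale", stale), ("never connected", never)):
        for p in group:
            print(f"  {label:16} {p['public_key']}  {','.join(p['allowed_ips'])}  from {p['endpoint'] or '-'}")
```

Against the real server, replace SAMPLE_DUMP with wg_dump("wg0") and NOW with int(time.time()); a peer that shows up as stale kept a session once and then went silent, which is the case worth alerting on when a client is expected to be permanently connected.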

Install and Setup WireGuard VPN Client on Ubuntu 24.04

Follow the link below to learn how to install and setup WireGuard VPN client on Ubuntu 24.04.

That concludes our guide on how to install WireGuard VPN server on Ubuntu 24.04.


Article information

Author: Dan Stracke
