Tutorials How to get started with WireGuard VPN

How to get started with WireGuard VPN

contributor

WireGuard is a fast and modern VPN that utilizes state-of-the-art cryptography. It’s much faster than OpenVPN or IPsec while also having a smaller codebase that is easier to audit and maintain.

In this tutorial, we will set up WireGuard on Ubuntu 18.04 server and configure a firewall. WireGuard was previously only available as a DKMS kernel module but it has since been added as LKM module to the 5.6 kernel.

Test hosting on UpCloud!

Sign up with UpCloud

First things first, if you have not yet registered on UpCloud, begin by getting signed up.

Deploy a new cloud server

Deploying a new server on UpCloud is an easy and straightforward process. To get started, log into your UpCloud Control Panel and select to Deploy a server under the Servers section.

The deployment page shows a number of options for customizing a new cloud server.

  1. Choose the server location from the available data centres
  2. Pick a configuration, the $5 per month plan is a good starting point
  3. Select Ubuntu 18.04 for the operating system
  4. Add any SSH keys you want to use
  5. Give your server a hostname and description
  6. Deploy!

You can find more detailed instructions on server deployment at the UpCloud newcomer’s tutorials.

Installing WireGuard

When your new cloud server is up and running, log in using SSH.

WireGuard is now available directly from the official repositories on Ubuntu 18.04. However, before you begin installing WireGuard, make sure your system is up to date.

sudo apt-get update && sudo apt-get upgrade -y

Now we can install WireGuard itself and all of its dependencies.

sudo apt-get install wireguard

Repeat the installation steps on each client you wish to connect to the WireGuard server.

WireGuard has software for most operating systems and you can connect your Windows, Linux or macOS and Android or iOS devices easily. You can find the available packages at their download page.

With WireGuard installed, continue below with the steps to further configure your server.

IP forwarding

Next, to be able to connect through your WireGuard server, you’ll need to enable packet forwarding. This is only done on the WireGuard server and not necessary for any clients.

Open the system variables file for edit.

sudo nano /etc/sysctl.conf

Then uncomment the following line by removing the # at the beginning of the line.

net.ipv4.ip_forward=1

Once done, save the file and exit the editor.

Then apply the new option with the command below.

sudo sysctl -p
net.ipv4.ip_forward=1

If you see the option repeated like above when reloading the system variables it was enabled successfully.

Configuring firewall rules

You should also configure a firewall to block any unwanted connections and keep your server secure. You can do this by either installing a software firewall on your cloud server or by using the Firewall service at your UpCloud Control Panel.

For Ubuntu servers, you can install the ufw, the Uncomplicated Firewall, using the command below.

sudo apt install ufw

Next, add the following rules to allow SSH and WireGuard connections.

sudo ufw allow ssh
sudo ufw allow 51820/udp

Enable the firewall with the next command.

sudo ufw enable

Then confirm the command when prompted.

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y

Afterwards, you can check the active firewall rules with the command below.

sudo ufw status

The other option is to use UpCloud’s L3 firewall that can be utilized to secure your WireGuard server. In order to add firewall rules open your UpCloud Control Panel and navigate to the Firewall tab in your server settings.

The easiest way to configure the firewall is to import a set of premade rules that work for our intended use case. Click to Import premade profile from the Import rules menu.

Wireguard firewall import premade profile

Then select the Only SSH allowed rule set and click the Import rules button.

Wireguard SSH only premade firewall rules

We also need to allow WireGuard connection which uses the UDP protocol and can be configured to any port. We’ll be using the port 51820 so add the following incoming traffic rule.

Wireguard add firewall rule

Once the rules have been added successfully check that the default rule is set to drop then click Save changes and Enable firewall to confirm.

Generating private and public keys

WireGuard works by encrypting the connection using a pair of cryptographic keys. The keypair is used by sharing the public key with the other party who then can encrypt their message in such a way that it can only be decrypted with the corresponding private key. To make the communication secure both ways, each party needs to have their own private and public keys as each pair only enables one-way messaging.

For the use in WireGuard, the server and each client must generate their own key pair and then exchange public keys.

To get started with generating the keys for the server change into the WireGuard directory.

cd /etc/wireguard

Next, set the permissions for the directory with the following command. Note that you need to be logged in with the root account to do this.

umask 077

Then with the required permissions set, generate a new key pair with the command below.

wg genkey | tee privatekey | wg pubkey > publickey

Repeat these steps on each client you want to connect to the WireGuard server.

Remember that you should never share your private key with anyone.

Generate server config

We are then set to start configuring the WireGuard server. The config files are generally stored in /etc/wireguard folder. Create a new configuration file called wg0.conf in that folder.

sudo nano /etc/wireguard/wg0.conf

The configuration below will make your WireGuard server accept connections to 51820 and allow a client with the public key corresponding to the private key we made above.

Add the following directives to the configuration file.

[Interface]
PrivateKey = <contents-of-server-privatekey>
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820

[Peer]
PublicKey = <contents-of-client-publickey>
AllowedIPs = 10.0.0.2/32

Note that you need to include the actual keys, a string of letters, numbers and symbols, in the configuration file. You can read the key files with the following commands.

sudo cat /etc/wireguard/publickey
sudo cat /etc/wireguard/privatekey

Then save the file and exit the editor.

Starting WireGuard and enabling it at boot

With the configuration in place, we are ready to start the server. WireGuard has a convenient wrapper called wg-quick that can be used to start new interfaces without needing to go into the setup details. You can use it to start your configuration using the following command.

wg-quick up wg0

You should see an output like below upon successfully starting the interface.

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Your WireGuard server is then running. You can check your configuration with the following command.

wg show
interface: wg0
  public key: pcDxSxSZp5x87cNoRJaHdAOzxrxDfDUn7pGmrY/AmzI=
  private key: (hidden)
  listening port: 51820

peer: gCQKfJL8Xff2MNmvceVQ0nQAmLsSM0tXClhvVNzSil4=
  allowed ips: 10.0.0.2/32

To enable WireGuard to start automatically at system boot, also enable the systemd service.

systemctl enable [email protected]

In case you get an error starting the server such as the example below.

RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported

Make sure your server software is fully up-to-date.

sudo apt-get update && sudo apt-get upgrade -y

Then check that the WireGuard kernel module is loaded with the command below. If successful, you should not see any output.

sudo modprobe wireguard

If you get an error saying the module is missing, restart your WireGuard server and try again.

sudo reboot

When the kernel module is loaded, you can try starting WireGuard again.

Client configuration 

Once your WireGuard server is up and running, you need to configure your client device. They offer software for most operating systems to connect any of your Windows, Linux or macOS and Android or iOS devices easily. You can find available packages at their download page.

On a client computer, create a new configuration file in the /etc/wireguard directory.

sudo nano /etc/wireguard/wg0.conf

Then add the following to that file. Remember to set the client private key and server public key to their corresponding places and also include your WireGuard server’s public IP address.

[Interface]
Address = 10.0.0.2/32
PrivateKey = <contents-of-client-privatekey>
DNS = 1.1.1.1

[Peer]
PublicKey = <contents-of-server-publickey>
Endpoint = <server-public-ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0

Note that setting AllowedIPs to 0.0.0.0/0, ::/0 will forward all traffic over the WireGuard VPN connection. If you want to only use WireGuard for specific destinations, set their IP address ranges in the list separated by a comma.

Once you’ve set the keys and the server address, save the file and exit the editor.

Start the connection with the command below.

sudo wg-quick up wg0

You can also use the system command to start WireGuard as a service.

sudo systemctl start [email protected]

Then when you want to disconnect, use either of the following commands depending on which method you used to start it.

sudo wg-quick down wg0
sudo systemctl stop [email protected]

WireGuard will then disconnect from the server and remove the related network settings.

Adding more clients

If you want to also use the WireGuard VPN on other devices, you can add more clients to your server. Adding clients is really simple and easy.

First, install WireGuard on your new client devices as before and create a new key pair.

Then edit the wg0.conf file on your WireGuard server.

sudo nano /etc/wireguard/wg0.conf

Add the following entry at the end of the file to include your second client’s public key and set the IP address.

[Peer]
PublicKey = <content-of-client2-publickey>
AllowedIPs = 10.0.0.3/32

Afterwards, save the file and exit the editor.

Then restart the service to update the configuration.

sudo systemctl restart [email protected]

All done! You can then connect with the new client as you did before.

30 thoughts on “How to get started with WireGuard VPN

  1. In many of the tutorials I see that the address tends to be “ 10.0.0.x” should we keep it like that or change it to “192.168.0.x” to match our networks?

    1. Hi James, thanks for the question. Wireguard is used to create a virtual private network and the IP addresses define that network range. It should be different from any existing network ranges to prevent conflict.

  2. Hi. How to remove a client from linux terminal? If I edit wg0.conf in server and remove the client entry, it is coming back again after the service is restarted. Do we have a command to remove the peer? I tried few commands, it says improper usage of command every time. Thank you.

    1. Hi there, thanks for the question. You can remove peers from the Wireguard server by using the wg command-line tool. After removing the peer from your wg0.conf file, run the following command.

      wg set wg0 peer <public-key> remove

      Then restart the server with systemctl restart [email protected] after which the peer you removed shouldn’t show up when checking the config with wg command.

  3. Hello – Great tutorial. When I try to access my online banking, the connection is refused while on VPN. I’ve tried wireguard, shadowsocks proxy, openvpn all with same results. Is there any other tool I could use for privacy that won’t be detected by my bank? I always have to disable the VPN before I connect to my bank, and would like to avoid doing this. I use vultr’s cloud servers. My bank is bbvausa.com

    Thanks!

    1. Hi Danny, thanks for the comment. It’s most likely the IP address you are using to connect via a VPN that has been classified as unsafe by your banking provider. You could test another IP before looking for an alternative VPN solution as Wireguard should really do the trick.

  4. Hello,
    I just installed WireGuard on an LCX container using Proxmox. I created a Ubutu 18.04 machine and run all the instructions listed, but when I run the “wg-quick up wg0” command, I got the following error:
    [#] ip link add wg0 type wireguard
    Error: Unknown device type.
    Unable to access interface: Protocol not supported
    [#] ip link delete dev wg0
    Cannot find device “wg0”

    I also have another error by running:
    [email protected]:/etc/wireguard# sudo modprobe wireguard
    modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.4.44-1-pve
    [email protected]:/etc/wireguard#

    How can I fix this?
    Thank you.

    1. Hi Fabio, thanks for the question. The WireGuard network module for Ubuntu 18.04 was added in a system update, make sure your container is running all the latest updates. Note that the update also requires a system restart to be applied. Once your Ubuntu machine is all up to date, the sudo modprobe wireguard shouldn’t return anything and the wg-quick will be able to create the interface.

  5. When I attempted to add the repo in Ubuntu 18.04 it said:

    “`$ sudo add-apt-repository ppa:wireguard/wireguard
    Cannot add PPA: ‘ppa:~wireguard/ubuntu/wireguard’.
    The team named ‘~wireguard’ has no PPA named ‘ubuntu/wireguard’
    Please choose from the following available PPAs:“`

    So I did “`sudo apt-get install wireguard“` and it installed but seems to be an old version (1.0.20200513-1~18.04.2). Current version would appear to be 1.0.20201112 from the wireguard website.

    Suggestions?

    1. Hi Michael, thanks for the comment. WireGuard has been added to the Ubuntu repository and the old additional repo is no longer needed. The currently latest v1.0.20201112 seems to be a development release hence why it’s not yet in the repositories. WireGuard also recommends installing the official repository version. We’ve updated the tutorial to reflect the changes.

  6. Hello,
    I already update to the least version but sitll get the same problem with Janne Ruostemaa, but i use the gcp vm with debain is that the problem let me get this error?

    [#] ip link add wg0 type wireguard
    RTNETLINK answers: Operation not supported
    Unable to access interface: Protocol not supported
    [#] ip link delete dev wg0
    Cannot find device “wg0”

    thx for your reply!

    1. Hi there, thanks for the question. Wireguard does work on Debian but you need to have the latest modules installed. You should still check for updates again as the linux-image-4.19.0-12-amd64 package that you need might not show up until your server is otherwise fully up to date.

    1. Hi Dario, thanks for the comment. The first address in the WireGuard server configuration is akin to a router address which defines the address space. You can set it to use a smaller address block if you wish but not sure it’ll accept connections is set to a single address.

  7. Also, I’m using ubuntu 20.04, when i run command
    net.ipv4.ip_forward=1
    i got response “net.ipv4.ip_forward=1: command not found”

    1. The forwarding is meant to go in the /etc/sysctl.conf file. If you’d prefer a one-liner to accomplish this, try using sed with the following:

      sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
  8. Thank you for the helpful guide, everything is up and running except I want to use the DNS that’s on my server, which is connected to my home network. I’ve tried inputting the DNS IP that’s listed in my home modem/router settings, but the connection doesn’t transmit anything. Actually putting a DNS manually for the client seems to be mandatory as my connection won’t start transmitting anything without it, so it can’t seem to be configured automatically. Any ideas how I can use my home DNS on my client when using Wireguard?

    1. Hi Mario, if your DNS server is on your home network it’s likely behind a firewall and NAT on your router. You would need to expose the DNS port 53 via your router to be able to use it on your WireGuard server.

  9. I’m still quite new to this, but am very interested in using this as a possible solution for my use case.
    Could you confirm for me that this would work:

    Computer “A” has some inventory software on it, and
    Remotely Computer “B” has a client that naturally connects to that software but is not located in the same location.

    If I have a Wireguard VPN setup on a linux server, and I have both computers connect to it, will the 2 pieces of the software be able to communicate like they are on the same Local Network?

    While connected, will the computers still be able to access the internet to do (for example) a Google Search?

    Thanks for the help.

    1. Hi Greg, thanks for the question. WireGuard can allow connected clients to communicate though you’ll need to configure the VPN network to simulate local network. You can also choose to only tunnel certain connections through the WireGuard VPN leaving other traffic to use the default network connection instead.

    1. Hi Michael, thanks for the comment. You are right that the trial restrictions prevent the use of default port 51820 but this can be changed arbitrarily. For example, if you wish to test WireGuard during the free trial, it can run on the NTP port 123. Alternatively, you can always upgrade your UpCloud account for full access with a 30-day money-back guarantee on your first payment.

  10. Hello,

    By following your tutorial, it works, but the dns will be exposed, please test your vpn connection at https://www.dnsleaktest.com/
    or
    https://dnsleak.com/

    I also tried this tutorial to avoid DNS leaking and please check the part of Configure DNS:
    https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/

    But it still not work, and no luck to me.

    I know you are expert here, is it possible to show a tutorials upon DNS configuration to avoid DNS leaking?

    Thanks so much and have a nice day.

    1. Hi Alex, thanks for the question. When running WireGuard following the above example configuration, your DNS shouldn’t be leaking. The test you mentioned should only ever show the Cloudflare DNS 1.1.1.1 which is considered trustworthy thanks to their Privacy first guarantee.

    1. Hi there, thanks for the comment. If you are unable to access the internet through the WireGuard server, there are a few things you should check.
      – First, make sure you’ve set the net.ipv4.ip_forward=1 in your /etc/sysctl.conf and applied the changes with sudo sysctl -p
      – Check that your firewall rules allow the UDP connection to your chosen port number. Some ports might also be blocked by your ISP.
      – You might also be connecting just fine but unable to make DNS queries through the WireGuard server. Test if you are able to ping common public resources such as the Cloudflare DNS 1.1.1.1. If ping responds but normal web traffic doesn’t work, check that DNS port 53 is open on your server for both TCP and UDP.

  11. how can I use this to forward a static public IP from upcloud to my home private VM lab I use when building servers and websites for clients before they get moved to upcloud for perm hosting???

    1. Hi Marc, thanks for the question. While WireGuard itself doesn’t serve this function, you can set up a reverse-proxy to forward traffic via WireGuard to your local VM.

Leave a Reply

Your email address will not be published. Required fields are marked *

Locations

Helsinki (HQ)

In the capital city of Finland, you will find our headquarters, and our first data centre. This is where we handle most of our development and innovation.

London

London was our second office to open, and a important step in introducing UpCloud to the world. Here our amazing staff can help you with both sales and support, in addition to host tons of interesting meetups.

Singapore

Singapore was our 3rd office to be opened, and enjoys one of most engaged and fastest growing user bases we have ever seen.

Seattle

Seattle is our 4th and latest office to be opened, and our way to reach out across the pond to our many users in the Americas.