Tutorials How to get started with WireGuard VPN

How to get started with WireGuard VPN

contributor

WireGuard is a fast and modern VPN that utilizes state-of-the-art cryptography. It’s much faster than OpenVPN or IPsec while also having a smaller codebase that is easier to audit and maintain.

In this tutorial, we will set up WireGuard on Ubuntu 18.04 server and configure a firewall. WireGuard was previously only available as a DKMS kernel module but it has since been added as LKM module to the 5.6 kernel.

Sign up with UpCloud

First things first, if you have not yet registered on UpCloud, begin by getting signed up.

Deploy a new cloud server

Deploying a new server on UpCloud is an easy and straightforward process. To get started, log into your UpCloud Control Panel and select to Deploy a server under the Servers section.

The deployment page shows a number of options for customizing a new cloud server.

  1. Choose the server location from the available data centres
  2. Pick a configuration, the $5 per month plan is a good starting point
  3. Select Ubuntu 18.04 for the operating system
  4. Add any SSH keys you want to use
  5. Give your server a hostname and description
  6. Deploy!

You can find more detailed instructions on server deployment at the UpCloud newcomer’s tutorials.

Installing WireGuard

When your new cloud server is up and running, log in using SSH.

Now, in order to install WireGuard on Ubuntu 18.04, we’ll need to add the WireGuard PPA repository.

sudo add-apt-repository ppa:wireguard/wireguard

Confirm the addition by pressing enter when prompted. The command will automatically update the list of repositories afterwards. Once the repository is successfully added we can proceed.

Now we can install WireGuard itself and all of its dependencies.

sudo apt-get install wireguard

Repeat the installation steps on each client you wish to connect to the WireGuard server.

WireGuard has software for most operating systems and you can connect your Windows, Linux or macOS and Android or iOS devices easily. You can find the available packages at their download page.

With WireGuard installed, continue below with the steps to further configure your server.

IP forwarding

Next, to be able to connect through your WireGuard server, you’ll need to enable packet forwarding. This is only done on the WireGuard server and not necessary for any clients.

Open the system variables file for edit.

sudo nano /etc/sysctl.conf

Then uncomment the following line by removing the # at the beginning of the line.

net.ipv4.ip_forward=1

Once done, save the file and exit the editor.

Then apply the new option with the command below.

sudo sysctl -p
net.ipv4.ip_forward=1

If you see the option repeated like above when reloading the system variables it was enabled successfully.

Configuring firewall rules

You should also configure a firewall to block any unwanted connections and keep your server secure. You can do this by either installing a software firewall on your cloud server or by using the Firewall service at your UpCloud Control Panel.

For Ubuntu servers, you can install the ufw, the Uncomplicated Firewall, using the command below.

sudo apt install ufw

Next, add the following rules to allow SSH and WireGuard connections.

sudo ufw allow ssh
sudo ufw allow 51820/udp

Enable the firewall with the next command.

sudo ufw enable

Then confirm the command when prompted.

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y

Afterwards, you can check the active firewall rules with the command below.

sudo ufw status

The other option is to use UpCloud’s L3 firewall that can be utilized to secure your WireGuard server. In order to add firewall rules open your UpCloud Control Panel and navigate to the Firewall tab in your server settings.

The easiest way to configure the firewall is to import a set of premade rules that work for our intended use case. Click to Import premade profile from the Import rules menu.

Wireguard firewall import premade profile

Then select the Only SSH allowed rule set and click the Import rules button.

Wireguard SSH only premade firewall rules

We also need to allow WireGuard connection which uses the UDP protocol and can be configured to any port. We’ll be using the port 51820 so add the following incoming traffic rule.

Wireguard add firewall rule

Once the rules have been added successfully check that the default rule is set to drop then click Save changes and Enable firewall to confirm.

Generating private and public keys

WireGuard works by encrypting the connection using a pair of cryptographic keys. The keypair is used by sharing the public key with the other party who then can encrypt their message in such a way that it can only be decrypted with the corresponding private key. To make the communication secure both ways, each party needs to have their own private and public keys as each pair only enables one-way messaging.

For the use in WireGuard, the server and each client must generate their own key pair and then exchange public keys.

To get started with generating the keys for the server change into the WireGuard directory.

cd /etc/wireguard

Next, set the permissions for the directory with the following command. Note that you need to be logged in with the root account to do this.

umask 077

Then with the required permissions set, generate a new key pair with the command below.

wg genkey | tee privatekey | wg pubkey > publickey

Repeat these steps on each client you want to connect to the WireGuard server.

Remember that you should never share your private key with anyone.

Generate server config

We are then set to start configuring the WireGuard server. The config files are generally stored in /etc/wireguard folder. Create a new configuration file called wg0.conf in that folder.

sudo nano /etc/wireguard/wg0.conf

The configuration below will make your WireGuard server accept connections to 51820 and allow a client with the public key corresponding to the private key we made above.

Add the following directives to the configuration file.

[Interface]
PrivateKey = <contents-of-server-privatekey>
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820

[Peer]
PublicKey = <contents-of-client-publickey>
AllowedIPs = 10.0.0.2/32

Note that you need to include the actual keys, a string of letters, numbers and symbols, in the configuration file. You can read the key files with the following commands.

sudo cat /etc/wireguard/publickey
sudo cat /etc/wireguard/privatekey

Then save the file and exit the editor.

Starting WireGuard and enabling it at boot

With the configuration in place, we are ready to start the server. WireGuard has a convenient wrapper called wg-quick that can be used to start new interfaces without needing to go into the setup details. You can use it to start your configuration using the following command.

wg-quick up wg0

You should see an output like below upon successfully starting the interface.

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Your WireGuard server is then running. You can check your configuration with the following command.

wg show
interface: wg0
  public key: pcDxSxSZp5x87cNoRJaHdAOzxrxDfDUn7pGmrY/AmzI=
  private key: (hidden)
  listening port: 51820

peer: gCQKfJL8Xff2MNmvceVQ0nQAmLsSM0tXClhvVNzSil4=
  allowed ips: 10.0.0.2/32

To enable WireGuard to start automatically at system boot, also enable the systemd service.

systemctl enable [email protected]

In case you get an error starting the server such as the example below.

RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported

Check that the WireGuard kernel module is loaded with the command below. If successful, you should not see any output.

sudo modprobe wireguard

If you get an error saying the module is missing, restart your WireGuard server and try again.

sudo reboot

When the kernel module is loaded, you can try starting WireGuard again.

Client configuration 

Once your WireGuard server is up and running, you need to configure your client device. They offer software for most operating systems to connect any of your Windows, Linux or macOS and Android or iOS devices easily. You can find available packages at their download page.

On a client computer, create a new configuration file in the /etc/wireguard directory.

sudo nano /etc/wireguard/wg0.conf

Then add the following to that file. Remember to set the client private key and server public key to their corresponding places and also include your WireGuard server’s public IP address.

[Interface]
Address = 10.0.0.2/32
PrivateKey = <contents-of-client-privatekey>
DNS = 1.1.1.1

[Peer]
PublicKey = <contents-of-server-publickey>
Endpoint = <server-public-ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0

Note that setting AllowedIPs to 0.0.0.0/0, ::/0 will forward all traffic over the WireGuard VPN connection. If you want to only use WireGuard for specific destinations, set their IP address ranges in the list separated by a comma.

Once you’ve set the keys and the server address, save the file and exit the editor.

Start the connection with the command below.

sudo wg-quick up wg0

You can also use the system command to start WireGuard as a service.

sudo systemctl start [email protected]

Then when you want to disconnect, use either of the following commands depending on which method you used to start it.

sudo wg-quick down wg0
sudo systemctl stop [email protected]

WireGuard will then disconnect from the server and remove the related network settings.

Adding more clients

If you want to also use the WireGuard VPN on other devices, you can add more clients to your server. Adding clients is really simple and easy.

First, install WireGuard on your new client devices as before and create a new key pair.

Then edit the wg0.conf file on your WireGuard server.

sudo nano /etc/wireguard/wg0.conf

Add the following entry at the end of the file to include your second client’s public key and set the IP address.

[Peer]
PublicKey = <content-of-client2-publickey>
AllowedIPs = 10.0.0.3/32

Afterwards, save the file and exit the editor.

Then restart the service to update the configuration.

sudo systemctl restart [email protected]

All done! You can then connect with the new client as you did before.

Leave a Reply

Your email address will not be published. Required fields are marked *

Locations

Helsinki (HQ)

In the capital city of Finland, you will find our headquarters, and our first data centre. This is where we handle most of our development and innovation.

London

London was our second office to open, and a important step in introducing UpCloud to the world. Here our amazing staff can help you with both sales and support, in addition to host tons of interesting meetups.

Singapore

Singapore was our 3rd office to be opened, and enjoys one of most engaged and fastest growing user bases we have ever seen.

Seattle

Seattle is UpCloud’s current base in the USA and our way to reach out across the pond to many users in the Americas.