
How to Set Up WireGuard VPN Server on Ubuntu

Serhat Teker. Originally published at tech.serhatteker.com.

This post covers how to configure a WireGuard VPN server. All of your clients/devices connect to this machine first and are then routed out to the Internet.

After some research I decided to use WireGuard since it is free and open-source software. OK, to be honest, my main reason could be this: Linus Torvalds merged WireGuard into the Linux kernel.

0. Entrée

WireGuard is a modern VPN (Virtual Private Network) technology with state-of-the-art cryptography.

It is cross-platform and can run almost anywhere, including Linux, Windows, Android, macOS and iOS.

It is a peer-to-peer VPN; it does not use the client-server model.

It works by creating a network interface on each peer device that acts as a tunnel. Peers authenticate each other by exchanging and validating public keys, much like the SSH model. Each public key is mapped to a list of IP addresses that are allowed inside the tunnel. The VPN traffic is encapsulated in UDP.

It is fast, easy to configure (especially compared to some of the other alternatives), and lightweight.

For more detail you can check the official website: WireGuard.

1. Install

First we update the package index, then install WireGuard:

$ sudo apt update
$ sudo apt install wireguard

NOTE:

You may see around the web that you should install WireGuard from a PPA, like:

$ sudo add-apt-repository ppa:wireguard/wireguard

This is an outdated method, as we can see at https://launchpad.net/%7Ewireguard:

This formerly was responsible for producing a PPA for WireGuard on Ubuntu. That functionality has now been folded into Ubuntu itself, so our old PPA has been removed. Simply run apt install wireguard on all Ubuntus ≥ 16.04

2. Configure

2.0. Keys

WireGuard ships with two command-line tools, wg and wg-quick, that allow you to configure and manage WireGuard interfaces.

Run the following commands to generate the private and public keys:

$ sudo mkdir -p /etc/wireguard/server
$ wg genkey | sudo tee /etc/wireguard/server/server.key | wg pubkey | sudo tee /etc/wireguard/server/server.key.pub

This places our keys in the /etc/wireguard/server directory we just created. As usual, DO NOT share your private key with anyone else; otherwise your VPN will be compromised.

You can view these files with cat:

$ cat /etc/wireguard/server/server.key
$ cat /etc/wireguard/server/server.key.pub

2.1. conf File

Create the configuration file:

$ sudoedit /etc/wireguard/wg0.conf

and add the following settings:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = true
  • Replace SERVER_PRIVATE_KEY with your private key in /etc/wireguard/server/server.key.

  • Make sure to replace both occurrences of eth0 with the name of your public network interface. You can find it by running the following command:

  $ ip -o -4 route show to default | awk '{print $5}'

2.2. chmod

The wg0.conf and server.key files should not be readable by normal users.
Use chmod to set the permissions to 600:

$ sudo chmod 600 /etc/wireguard/wg0.conf
$ sudo chmod 600 /etc/wireguard/server/server.key
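The key generation, the wg0.conf template and the chmod step above are one procedure, so here they are assembled into a single script. This is an added example, not code from the original post: it assumes the paths, address (10.0.0.1/24) and port (51820) used in the post, detects the public interface with the same ip route command, and needs root plus the wireguard package only when run with --apply. The render function is pure text and can be run by anyone; the key files are created under umask 077 so they are owner-only from the start, rather than briefly world-readable as they are when written through sudo tee and fixed up with chmod afterwards.

```shell
#!/bin/sh
# Added example (not from the original post): assembles steps 2.0 to 2.2
# into one script. Assumes the paths, address and port used in the post;
# requires root and the wireguard package when run with --apply.
set -eu

WG_DIR=/etc/wireguard
KEY_DIR=$WG_DIR/server

# Print a wg-quick [Interface] section for the given private key and
# public-facing interface. Address and port default to the post's values.
render_wg0_conf() {
    privkey=$1
    iface=$2
    address=${3:-10.0.0.1/24}
    port=${4:-51820}
    printf '%s\n' \
        '[Interface]' \
        "Address = $address" \
        "ListenPort = $port" \
        "PrivateKey = $privkey" \
        "PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE" \
        "PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $iface -j MASQUERADE" \
        'SaveConfig = true'
}

# Interface that carries the default route (same command as the post).
default_iface() {
    ip -o -4 route show to default | awk '{print $5}'
}

# Generate the server key pair under $KEY_DIR if none exists yet.
# umask 077 makes the files owner-only from the moment they are created,
# avoiding the brief world-readable window that "| sudo tee" leaves open.
ensure_server_keys() {
    umask 077
    mkdir -p "$KEY_DIR"
    if [ ! -f "$KEY_DIR/server.key" ]; then
        wg genkey > "$KEY_DIR/server.key"
        wg pubkey < "$KEY_DIR/server.key" > "$KEY_DIR/server.key.pub"
    fi
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; exit 1; }
    command -v wg >/dev/null || { echo "wg not found; apt install wireguard first" >&2; exit 1; }
    # Refuse to clobber an existing config: with SaveConfig = true wg-quick
    # rewrites it on "wg-quick down", so it may hold peers added at runtime.
    [ ! -e "$WG_DIR/wg0.conf" ] || { echo "$WG_DIR/wg0.conf exists, refusing to overwrite" >&2; exit 1; }
    ensure_server_keys
    iface=$(default_iface)
    [ -n "$iface" ] || { echo "could not detect default interface" >&2; exit 1; }
    umask 077
    render_wg0_conf "$(cat "$KEY_DIR/server.key")" "$iface" > "$WG_DIR/wg0.conf"
    chmod 600 "$WG_DIR/wg0.conf" "$KEY_DIR/server.key"
    echo "wrote $WG_DIR/wg0.conf (public interface: $iface)"
    echo "server public key: $(cat "$KEY_DIR/server.key.pub")"
fi
```

Run it as sudo sh provision_wg0.sh --apply on the server; without --apply it only defines the functions, so you can source it and call render_wg0_conf to preview a config for another address or port. Because SaveConfig = true makes wg-quick overwrite wg0.conf whenever the interface goes down, make later hand edits while the interface is down, or apply them with wg set so they are saved rather than lost.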

3. Start WireGuard

3.0. wg up

When everything above is done, bring the wg0 interface up using the settings specified in the configuration file:

$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

3.1. Start at Boot

You probably want WireGuard to start after every system reboot. To achieve that, run:

$ sudo systemctl enable wg-quick@wg0

4. Firewall and Networking

4.0. IP Forwarding

We need to allow traffic forwarding in order for the VPN to work correctly.

We modify the /etc/sysctl.conf file: uncomment the line that contains
net.ipv4.ip_forward=1:

$ sudoedit /etc/sysctl.conf
##############################################################
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1

Save the file and apply the change:

$ sudo sysctl -p

4.1. Open WireGuard Server Port

Open the ListenPort we defined in our /etc/wireguard/wg0.conf file:

$ sudo ufw allow 51820/udp

Now enable the firewall:

$ sudo ufw enable

You can verify everything by checking the status:

$ sudo ufw status verbose
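The ufw status output tells you about the firewall only. As an added example (not part of the original post), here is a small check script that verifies the other pieces set up above together: that wg0.conf and server.key are owner-only, that wg0.conf actually carries a ListenPort, that net.ipv4.ip_forward is on, and that ufw has an ALLOW rule for that port over UDP. Paths and port are the post's defaults (override with WG_CONF and WG_KEY); stat -c assumes GNU coreutils as on Ubuntu, and the ufw check needs ufw installed.

```shell
#!/bin/sh
# Added example (not from the original post): post-setup checks for the
# WireGuard server configured above. Defaults are the post's paths.
set -eu

WG_CONF=${WG_CONF:-/etc/wireguard/wg0.conf}
WG_KEY=${WG_KEY:-/etc/wireguard/server/server.key}

# Print the octal permission bits of a file (GNU stat, as on Ubuntu).
file_mode() { stat -c '%a' "$1"; }

# Succeed only if the file is readable by its owner alone (600 or 400).
is_owner_only() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract ListenPort from a wg-quick config; prints nothing if absent.
conf_listen_port() {
    sed -n 's/^[[:space:]]*ListenPort[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if IPv4 forwarding is on; this is the live value of the sysctl
# the post enables in /etc/sysctl.conf.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = 1 ]
}

# Succeed if ufw reports an ALLOW rule for the given UDP port.
ufw_allows_udp() {
    ufw status 2>/dev/null | grep -Eq "^$1/udp[[:space:]]+ALLOW"
}

run_checks() {
    status=0
    for f in "$WG_CONF" "$WG_KEY"; do
        if is_owner_only "$f"; then echo "ok   $f mode $(file_mode "$f")"
        else echo "FAIL $f is not owner-only (expected mode 600)"; status=1; fi
    done
    port=$(conf_listen_port "$WG_CONF")
    [ -n "$port" ] || { echo "FAIL no ListenPort in $WG_CONF"; return 1; }
    if forwarding_enabled; then echo "ok   net.ipv4.ip_forward=1"
    else echo "FAIL net.ipv4.ip_forward is not 1 (run sudo sysctl -p)"; status=1; fi
    if ufw_allows_udp "$port"; then echo "ok   ufw allows $port/udp"
    else echo "FAIL ufw has no ALLOW rule for $port/udp"; status=1; fi
    return $status
}

if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as sudo sh wg_server_check.sh --run (root is needed to read the key file and to query ufw); a non-zero exit means at least one FAIL line was printed, which makes it easy to wire into a cron job or a configuration-management run.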

That's it. Your WireGuard server is now ready!

All done!


TODO:

  • [X] Add client posts:
    • [X] Add Ubuntu Desktop Client
    • [X] Add Android Client
  • [ ] Add IPV6 conf as well
