WireGuard is a simple, fast and secure VPN that uses state-of-the-art cryptography. It aims to be faster, simpler, leaner and more useful than other VPN protocols such as OpenVPN and IPsec.

WireGuard is designed as a general-purpose VPN fit for almost any use case, and it is available on almost all platforms. Although it is still under development, it is regarded as the most secure, easiest to use and simplest VPN solution.

WireGuard establishes a connection through an exchange of public keys between server and client. Only a client whose public key is listed in the server's configuration is allowed to connect. WireGuard sets up standard network interfaces (such as wg0), which behave much like the familiar eth0 interface, so WireGuard interfaces can be configured and managed with standard tools such as iptables and ip.

Prerequisites

A Linux server with root privileges, either a cloud server or a local machine that is publicly reachable.

A client, which can be your phone, laptop, tablet or another computer.

Server Side Config

Here we are using Ubuntu 20.04 for the server.

Step 1: Installation

WireGuard is available from the default Ubuntu repositories.

First we update the package lists, then install WireGuard with the following commands:

sudo apt update
sudo apt install wireguard

Step 2: Generate Keys

Every device (server or client) needs its own private and public key for identification.

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

The above command writes the key pair to the /etc/wireguard directory.

You can view the files with cat. Always keep your private key secure and never share it with anyone.

sudo cat /etc/wireguard/privatekey

Step 3: Create Config file

Now we create the server config file, where we define all the server settings. The config file must be in the /etc/wireguard directory. It is usually named wg0.conf, but you can name it anything; wg-quick uses the file name (without .conf) as the interface name.

sudo vim /etc/wireguard/wg0.conf

[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Replace SERVER_PRIVATE_KEY with the contents of /etc/wireguard/privatekey, and replace eth0 with the name of the server's internet-facing interface if it differs.

Step 4: Network Configs

IP forwarding must be enabled for NAT to work. To do that, edit the sysctl file.

sudo vim /etc/sysctl.conf

The following line is present but commented out. Uncomment it and save the file.

net.ipv4.ip_forward=1

Now apply the updated config by running the following command.

sudo sysctl -p

If you are using the ufw firewall, port 51820 must be opened for UDP traffic:

sudo ufw allow 51820/udp

Step 5: Start WireGuard

All server-side configuration is complete. Now we can bring the interface up.

If you used a name other than wg0, make sure to use that name here.

sudo wg-quick up wg0

Client Side Config

Follow Steps 1 and 2 from the server-side config.

Step 3: Create Config

Now we create the client config file, where we define all the client settings. It must be in the /etc/wireguard directory and is usually named wg0.conf, but you can name it anything. It is the same as the server's config, with a few different values.

sudo vim /etc/wireguard/wg0.conf

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.10.0.2/24

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP_ADDRESS:51820
AllowedIPs = 0.0.0.0/0

In the above config we route all traffic through the VPN. If instead you want only the private network to go through the VPN and regular traffic to leave normally, just change the value of AllowedIPs:

AllowedIPs = 10.10.0.0/24
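As an added example that is not part of this tutorial: a small Python linter for the client config above. It checks that the key fields hold real 32-byte base64 keys (catching a placeholder such as SERVER_PUBLIC_KEY left unreplaced), and its peer_for function shows how AllowedIPs decides which destinations are sent through the tunnel. The keys and the endpoint 203.0.113.10 are constructed values.

```python
import base64, binascii, ipaddress

def parse_wg_conf(text):
    """Parse wg-quick INI into [(section, {key: value})]; a list, since server configs repeat [Peer]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def is_wg_key(value):
    """A WireGuard key is the base64 encoding of exactly 32 bytes (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def lint(sections):
    """Flag key fields that are missing or still hold a placeholder such as SERVER_PUBLIC_KEY."""
    problems = []
    for name, fields in sections:
        field = "PrivateKey" if name == "Interface" else "PublicKey"
        if not is_wg_key(fields.get(field, "")):
            problems.append(f"[{name}] {field} is not a valid 32-byte base64 key")
    return problems

def peer_for(sections, destination):
    """Cryptokey routing: the [Peer] whose AllowedIPs has the longest prefix covering destination (None = not tunnelled)."""
    dest, best = ipaddress.ip_address(destination), (-1, None)
    for name, fields in sections:
        if name != "Peer":
            continue
        for cidr in filter(None, fields.get("AllowedIPs", "").replace(" ", "").split(",")):
            net = ipaddress.ip_network(cidr, strict=False)
            if dest in net and net.prefixlen > best[0]:
                best = (net.prefixlen, fields["PublicKey"])
    return best[1]

# Constructed sample: the tutorial's client config with made-up keys and endpoint.
SERVER_PUB = base64.b64encode(bytes(range(32))).decode()
CLIENT_PRIV = base64.b64encode(bytes(range(32, 64))).decode()
SPLIT_TUNNEL = (f"[Interface]\nPrivateKey = {CLIENT_PRIV}\nAddress = 10.10.0.2/24\n\n"
                f"[Peer]\nPublicKey = {SERVER_PUB}\nEndpoint = 203.0.113.10:51820\n"
                "AllowedIPs = 10.10.0.0/24\n")
FULL_TUNNEL = SPLIT_TUNNEL.replace("AllowedIPs = 10.10.0.0/24", "AllowedIPs = 0.0.0.0/0")
```

With the split-tunnel config, peer_for reports None for a public address such as 93.184.216.34 (it leaves via the normal default route), while with 0.0.0.0/0 every destination maps to the server's key.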

Step 4: Add Client to Server

This step is performed on the server.

The client's public key must be added to the server to allow the client to connect. Note that wg set changes only the running interface; to keep the peer across a restart, also add it to the server's wg0.conf as a [Peer] section with PublicKey and AllowedIPs (or run sudo wg-quick save wg0).

sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.10.0.2

Step 5: Start WireGuard

We start WireGuard the same way as on the server.

Replace wg0 with your config file name on the client side.

sudo wg-quick up wg0

Use Systemctl

You can use systemctl to control the WireGuard process on either the server or the client. The following is the format you need to use; as above, replace wg0 with your WireGuard interface name.

sudo systemctl start wg-quick@wg0

To start WireGuard on boot, enable it with systemctl:

sudo systemctl enable wg-quick@wg0