WireGuard is a simple, fast, and secure VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than other VPN protocols such as OpenVPN and IPSec.

WireGuard is designed as a general purpose VPN fit for almost any use case. It is available widely on almost all platforms. While still being in development, it is regarded as the most secure, easiest to use, and simplest VPN solution.

WireGurad establishes connection by an exchange of public keys between server and client. Only a client that has its public key in its corresponding server configuration file is allowed to connect. WireGuard sets up standard network interfaces (such as wg0), which behave much like the commonly found eth0 interface. This makes it possible to configure and manage WireGuard interfaces using standard tools such as iptables and ip. Prerequisites

A Linux Server with root privileges which would be running on cloud server or your local publicly accessible computer.

A Client which can be your phone, laptop, tablet or another computer.

Server Side Config

Here we are using Ubuntu 20.04 for server.

Step 1: Installation

WireGuard is available from the default Ubuntu repositories.

First we update the repos and then we install the wireguard using the below commands:

sudo apt update
sudo apt install wireguard

Step 2: Generate Keys

Every device (server or client) needs to have their own private and public keys for identification.

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

The above command will generate the key pair in /etc/wireguard directory.

You can view file using cat. Always keep your private key secure and never share it with anyone.

sudo cat /etc/wireguard/privatekey

Step 3: Create Config file

Now we create config file for server where we define all the server configurations. Config file needs to be in /etc/wireguard directory. Config file is generally named as wg0 but you can name it anything.

sudo vim /etc/wireguard/wg0.conf
Address =
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Step 4: Network Configs

IP forwarding must be enabled for NAT wot work. For that dit the sysctl file.

sudo vim /etc/sysctl.conf

The following line would be there as commented. Just uncomment the line and save the file.


Now lets apply the updated config by running the following command.

sudo sysctl -p

If you are using ufw firewall. Port 51820 must be opened for UDP traffic

sudo ufw allow 51820/udp

Step 5: Start WireGuard

All server side config is complete. Now we can just start the instance.

If you have used different name than wg0 make sure to use that here.

sudo wg-quick up wg0

Client Side Config

Follow the Step 1 & 2 from server side config.

Step 3: Create Config

Now we create config file for client where we define all the configurations. Config file needs to be in /etc/wireguard directory. Config file is generally named as wg0 but you can name it anything. Its same as for server just some values are different.

sudo vim /etc/wireguard/wg0.conf
Address =

Endpoint = SERVER_IP_ADDRESS:51820
AllowedIPs =

In the above config we allow all traffic to pass though VPN. However if you want to setup only private network and pass regular traffic normally and not through the VPN you just need to change the value of AllowedIPs.

AllowedIPs =

Step 4: Add Client to Server

This step is needed to be performed on server.

The public key of client needs to be added to the server to allow the client to connect.

sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips

Step 5: Start WireGuard

We start wireguard same way as in server.

Replace wg0 with your config file name in client side.

sudo wg-quick up wg0

Use Systemctl

You can use systemctl to control the wireguard process on either server or client. Following the the format you need to use. Same way as above replace wg0 with your wireguard interface.

sudo systemctl start wg-quick@wg0

To enable wireguard to startup on boot you can enable it with systemctl

sudo systemctl enable wg-quick@wg0