Jump toSuggest an edit

Installing and Configuring WireGuard® on Linux as a VPN server

Reviewed on 29 May 2024Published on 28 March 2019
  • vpn
  • WireGuard
  • Linux
  • android

WireGuard® is a VPN (Virtual Private Network) software designed for simplicity and efficiency. It is distinguished by its small codebase, which aims to reduce complexity and potential security vulnerabilities, and offers faster performance compared to some other VPN solutions, due to its streamlined design.

In terms of security, WireGuard uses modern cryptographic protocols, including Curve25519, ChaCha20, and Poly1305, focusing on established cryptographic methods.

It is compatible with various platforms, such as Windows, macOS, Linux, iOS, and Android, making it versatile for different users and environments.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • An SSH key
  • An Instance configured with local boot and running on a Linux kernel ≥ 3.10

WireGuard® is currently under development.

Installing and Configuring WireGuard on the server

The installation process is based on Ubuntu. Documentation regarding other platforms is available on the WireGuard website.


WireGuard needs kernel modules that are not yet implemented in the kernel. The installation process will install new kernel modules via DKMS.

  1. Connect to your Instance via SSH.
  2. Install Linux kernel headers and WireGuard.
    sudo apt update && apt upgrade -y
    sudo apt install linux-headers-$(uname --kernel-release) # installs the right kernel headers for your version
    sudo apt install wireguard

Once WireGuard is installed, you can check that the installation succeeded by running: wg. No output means that the installation has succeeded. To check that the WireGuard kernel module has loaded you can run sudo modprobe wireguard.

Generating public and private keys on the server

WireGuard relies on public/private key authentication (asymmetric cryptography). You must create these keys, which can be done with the wg genkey and wg pubkey subcommands.

  1. Create a directory to store the keys:
    mkdir -p /etc/wireguard/keys
  2. Create the public and private key. The creation of the private key is done with wg genkey and the public key is generated by piping it into wg pubkey. umask tells the system to set the permissions of the new files to 600.
    cd /etc/wireguard/keys
    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey

Configuring WireGuard server

The first step is to choose an IP range that will be used by the server. The private IP ranges defined by the RFC 1918 are the following:


For this tutorial, we will use which is inside the range. The server will have the following IP address:

It is also required to choose a port, which will be exposed publicly, for the server to listen on. Here it will be 8999. Note that the standard documentation port is usually 51820.

Create the file /etc/wireguard/wg0.conf with the following content:

PrivateKey = <private key of the server>
Address =
ListenPort = 8999

Configuring the Linux, macOS, or Windows WireGuard client

  1. Install WireGuard. On Linux, you can install WireGuard the same way you did for the server. To install WireGuard on macOS just run: brew install wireguard-tools. You can also use the Mac App Store application. To install WireGuard on Windows you can find the executable on the WireGuard installation page, but this guide will not cover the Windows use case.

  2. Create the key pair:

    mkdir -p /etc/wireguard/keys
    cd /etc/wireguard/keys
    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey
  3. Create the configuration file /etc/wireguard/wg0.conf:

    PrivateKey = <private key of the client>
    Address =
    DNS =
    PublicKey = <public key of the server>
    Endpoint = <public ip of the server>:8999
    AllowedIPs =
    PersistentKeepalive = 25

    It is quite similar to the server configuration. The DNS line specifies the DNS resolver for the client. The Endpoint tells WireGuard where to connect. AllowedIPs configures which IP range will be forwarded to the VPN server.

    In this case, means that all the traffic from the client will go through the VPN. If you only want to communicate within the VPN network, you can set PersistentKeepalive tells WireGuard to send a UDP packet every 25 seconds, this is useful if you are behind a NAT and you want to keep the connection alive.


    If you decide to route all your traffic to the VPN server be sure to do the following on the server:

    • Add the following lines in the [Interface] section of the server (Replace ens2 with your main network interface if it is not ens2):
      • PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens2 -j MASQUERADE
      • PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens2 -j MASQUERADE
  4. Add the peer configuration to the server. Just add the following to your /etc/wireguard/wg0.conf on the server:

    PublicKey = <public key of the client>
    AllowedIPs = # the ip address in the VPN network of the client you just created

Configuring the Android or iOS WireGuard client

You can download the official WireGuard Android client from Google Play, and the official WireGuard iOS Client from the iOS App Store (this guide will only cover Android, but the steps are the same).

There are two ways to configure the Android or iOS client. The easiest one is to follow the previous part and once the configuration file is done, export it with qrencode like this: qrencode -t ansiutf8 < path/to/phone.conf. Finally, scan the generated QR code with the WireGuard application.

For the second way, follow these steps:

  1. Download and open the application and click the + icon and select Create from scratch.
  2. Click GENERATE to generate the key pair (copy the public key to use on the server). The rest is like the Linux client configuration, fill in the addresses, DNS servers, and name. Now you will need to add the server as a peer.
  3. Click ADD PEER and add the public key of the server, the public IP of the server, and the port on which it is listening. If you decide to route all the traffic through the VPN, read the Important section above.
  4. Add the following to the server’s /etc/wireguard/wg0.conf:
    PublicKey = <public key of the android client>
    AllowedIPs = # the ip address in the VPN network of the client you just created

Launching WireGuard server

Now that everything is configured, you can launch the WireGuard server with:

wg-quick up wg0

Start the client with the same command:

wg-quick up wg0

You can also enable the start of WireGuard at boot time with the following command:

systemctl enable wg-quick@wg0.service

You can check the connection with the wg command (client or server):

# wg # on the client
interface: wg0
public key: <public key of the client>
private key: (hidden)
listening port: 57576
fwmark: 0xca6c
peer: <public key of the server>
endpoint: <public IP of the server>:8999
allowed ips:
latest handshake: 50 seconds ago
transfer: 8.35 KiB received, 18.00 KiB sent
persistent keepalive: every 25 seconds
# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=3.50 ms
64 bytes from icmp_seq=2 ttl=64 time=4.53 ms
--- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 3.499/4.015/4.532/0.520 ms
# curl
<public IP of the server>

As you can see, you can ping the VPN server through the VPN and all your traffic is being routed through the VPN server.

For more information, you can check the WireGuard website.

“WireGuard” is a registered trademark of Jason A. Donenfeld.

Docs APIScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCarreer
© 2023-2024 – Scaleway