Jump toUpdate content

Installing and Configuring WireGuard® on Linux as a VPN server

Reviewed on 01 July 2021Published on 28 March 2019
  • compute
  • mediaserver
  • vpn
  • wireguard

WireGuard is a modern VPN (Virtual Private Network) software. It is designed to be run almost anywhere and to be cross-platform. Compared to other similar software, it is faster, more secure and simpler.


WireGuard is currently under development.

Installing and Configuring WireGuard on the server

The installation process is based on Ubuntu. Documentation regarding other platforms is available on the WireGuard website.


WireGuard needs kernel modules that are not yet implemented in the kernel. The installation process will install new kernel modules via DKMS.

  1. Connect to your instance via SSH.

  2. Install Linux kernel headers and WireGuard.

    $ sudo apt update && apt upgrade -y
    $ sudo apt install linux-headers-$(uname --kernel-release) # installs the right kernel headers for your version
    $ sudo apt install wireguard

Once WireGuard is installed, you can check that the installation succeeded by running: wg, if you get no output it’s all good. In order to check that the WireGuard kernel module has loaded you can run sudo modprobe wireguard.

Generating Public and Private Keys on the Server

WireGuard relies on a public/private key authentication (asymmetric cryptography;; thus you need to create those keys. They are easily created with the wg genkey and wg pubkey subcommands.

  1. Create a directory to store the keys.

    # mkdir -p /etc/wireguard/keys
  2. Now you can create the public and private key. The creation of the private key is done with wg genkey and the public key is generated by piping it into wg pubkey. umask tells the system to set the permissions of the new files to 600.

    # cd /etc/wireguard/keys
    # umask 077
    # wg genkey | tee privatekey | wg pubkey > publickey

Configuring WireGuard Server

The first step is to choose an IP range which will be used by the server. The private IP ranges defined by the RFC 19198 are the following:


For this tutorial we will use which is inside the range. The server will have the following IP address: It is also required to choose a port, which will be exposed publicly, for the server to listen on. Here it will be 8999. Note that the standard documentation port is usually 51820.

Create the file /etc/wireguard/wg0.conf with the following content:

PrivateKey = <private key of the server>
Address =
ListenPort = 8999

Configuring the Linux, MacOS or Windows WireGuard Client

  1. On Linux you can install WireGuard the same way you did for the server. To install WireGuard on MacOS just run: brew install wireguard-tools. You can also use the Mac App Store application. To install WireGuard on Windows you can find the executable on the WireGuard installation page but this guide will not cover the Windows use case.

  2. Create the key pair.

    # mkdir -p /etc/wireguard/keys
    # cd /etc/wireguard/keys
    # umask 077
    # wg genkey | tee privatekey | wg pubkey > publickey
  3. Create the configuration file /etc/wireguard/wg0.conf:

    PrivateKey = <private key of the client>
    Address =
    DNS =

    PublicKey = <public key of the server>
    Endpoint = <public ip of the server>:8999
    AllowedIPs =
    PersistentKeepalive = 25

    It is quite similar to the server configuration. The DNS line specifies the DNS resolver for the client. The Endpoint tells WireGuard where to connect. AllowedIPs configures which IP range will be forwarded to the VPN server.

    In this case, means that all the traffic from the client will go through the VPN. If you only want to communicate within the VPN network, you can set PersistentKeepalive tells WireGuard to send a UDP packet every 25 seconds, this is useful if you are behind a NAT and you want to keep the connection alive.


    If you decide to route all your traffic to the VPN server be sure to do the following on the server:

    • Add the following lines in the [Interface] section of the server (Replace ens2 by your main network interface if it is not ens2):
      • PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens2 -j MASQUERADE
      • PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens2 -j MASQUERADE
  4. Now that the client is configured, you need to add the peer configuration to the server. Just add the following to your /etc/wireguard/wg0.conf on the server:

    PublicKey = <public key of the client>
    AllowedIPs = # the ip address in the VPN network of the client you just created

Configuring the Android or iOS WireGuard Client

You can download the official WireGuard Android client from the PlayStore and the official WireGuard iOS Client from the iOS App store (this guide will only cover Android but the steps are the same).

There are two ways to configure the Android or iOS client. The easiest one is to follow the previous part and once the configuration file is done, export it with qrencode like this: qrencode -t ansiutf8 < path/to/phone.conf. Finally scan the generated QR code with the WireGuard application.

For the second way, follow these steps:

  1. Once the application is downloaded, open the application and click the + icon and select Create from scratch.

  2. You will need to click GENERATE to generate the key pair (copy the public key in order to use in on the server). The rest is like the Linux client configuration, fill in the addresses, DNS servers and name. Now you will need to add the server as a peer.

  3. Click ADD PEER and add the public key of the server, the public IP of the server and the port on which it is listening. If you decide to route all the traffic through the VPN, please read the Important section above.

  4. Finally, add the following to the server’s /etc/wireguard/wg0.conf:

    PublicKey = <public key of the android client>
    AllowedIPs = # the ip address in the VPN network of the client you just created

Launching WireGuard Server

Now that everything is configured, you can launch the WireGuard server with:

# wg-quick up wg0

And start the client with the same command:

# wg-quick up wg0

You can also enable the start of WireGuard at boot time with the following command:

# systemctl enable wg-quick@wg0.service

You can check the connection with the wg command (client or server):

# wg # on the client
interface: wg0
public key: <public key of the client>
private key: (hidden)
listening port: 57576
fwmark: 0xca6c

peer: <public key of the server>
endpoint: <public IP of the server>:8999
allowed ips:
latest handshake: 50 seconds ago
transfer: 8.35 KiB received, 18.00 KiB sent
persistent keepalive: every 25 seconds

# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=3.50 ms
64 bytes from icmp_seq=2 ttl=64 time=4.53 ms
--- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 3.499/4.015/4.532/0.520 ms

# curl ifconfig.co
<public IP of the server>

As you can see, you can ping the VPN server through the VPN and all your traffic is being routed through the VPN server.

For more information you can check the WireGuard website.

The next tutorial with WireGuard will be about setting up a virtual private network between servers with WireGuard acting as a mesh VPN.

“WireGuard” is a registered trademark of Jason A. Donenfeld.