Installing and Configuring WireGuard® on Linux as a VPN server
WireGuard® is a VPN (Virtual Private Network) software designed for simplicity and efficiency. It is distinguished by its small codebase, which aims to reduce complexity and potential security vulnerabilities. WireGuard offers faster performance compared to some other VPN solutions, due to its streamlined design. In terms of security, WireGuard uses modern cryptographic protocols, including Curve25519, ChaCha20, and Poly1305, focusing on established cryptographic methods. It is compatible with various platforms, such as Windows, macOS, Linux, iOS, and Android, making it versatile for different users and environments.
You may need certain IAM permissions to carry out some actions described on this page. This means:
WireGuard® is currently under development.
The installation process is based on Ubuntu. Documentation regarding other platforms is available on the WireGuard website.
WireGuard needs kernel modules that are not yet implemented in the kernel. The installation process will install new kernel modules via DKMS.
- Connect to your Instance via SSH.
- Install Linux kernel headers and WireGuard.
sudo apt update && apt upgrade -ysudo apt install linux-headers-$(uname --kernel-release) # installs the right kernel headers for your versionsudo apt install wireguard
Once WireGuard is installed, you can check that the installation succeeded by running:
wg. No output means that the installation has succeeded. In order to check that the WireGuard kernel module has loaded you can run
sudo modprobe wireguard.
WireGuard relies on a public/private key authentication (asymmetric cryptography;; thus you need to create those keys. They are easily created with the
wg genkey and
wg pubkey subcommands.
- Create a directory to store the keys.
mkdir -p /etc/wireguard/keys
- Create the public and private key. The creation of the private key is done with
wg genkeyand the public key is generated by piping it into
umasktells the system to set the permissions of the new files to
600.cd /etc/wireguard/keysumask 077wg genkey | tee privatekey | wg pubkey > publickey
The first step is to choose an IP range which will be used by the server. The private IP ranges defined by the RFC 1918 are the following:
For this tutorial we will use
192.168.66.0/24 which is inside the
192.168.0.0/16 range. The server will have the following IP address:
It is also required to choose a port, which will be exposed publicly, for the server to listen on. Here it will be
8999. Note that the standard documentation port is usually 51820.
Create the file
/etc/wireguard/wg0.conf with the following content:
[Interface]PrivateKey = <private key of the server>Address = 192.168.66.1/32ListenPort = 8999
Install WireGuard. On Linux you can install WireGuard the same way you did for the server. To install WireGuard on macOS just run:
brew install wireguard-tools. You can also use the Mac App Store application. To install WireGuard on Windows you can find the executable on the WireGuard installation page, but this guide will not cover the Windows use case.
Create the key pair.mkdir -p /etc/wireguard/keyscd /etc/wireguard/keysumask 077wg genkey | tee privatekey | wg pubkey > publickey
Create the configuration file
/etc/wireguard/wg0.conf:[Interface]PrivateKey = <private key of the client>Address = 192.168.66.2/32DNS = 220.127.116.11[Peer]PublicKey = <public key of the server>Endpoint = <public ip of the server>:8999AllowedIPs = 0.0.0.0/0PersistentKeepalive = 25
It is quite similar to the server configuration. The
DNSline specifies the DNS resolver for the client. The
Endpointtells WireGuard where to connect.
AllowedIPsconfigures which IP range will be forwarded to the VPN server.
In this case,
0.0.0.0/0means that all the traffic from the client will go through the VPN. If you only want to communicate within the VPN network, you can set
PersistentKeepalivetells WireGuard to send a UDP packet every 25 seconds, this is useful if you are behind a NAT and you want to keep the connection alive.Important:
If you decide to route all your traffic to the VPN server be sure to do the following on the server:
- Add the following lines in the
[Interface]section of the server (Replace
ens2by your main network interface if it is not
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens2 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens2 -j MASQUERADE
- Add the following lines in the
Add the peer configuration to the server. Just add the following to your
/etc/wireguard/wg0.confon the server:[Peer]PublicKey = <public key of the client>AllowedIPs = 192.168.66.2/32 # the ip address in the VPN network of the client you just created
You can download the official WireGuard Android client from Google Play, and the official WireGuard iOS Client from the iOS App Store (this guide will only cover Android, but the steps are the same).
There are two ways to configure the Android or iOS client. The easiest one is to follow the previous part and once the configuration file is done, export it with qrencode like this:
qrencode -t ansiutf8 < path/to/phone.conf. Finally, scan the generated QR code with the WireGuard application.
For the second way, follow these steps:
- Download and open the application and click the + icon and select Create from scratch.
- Click GENERATE to generate the key pair (copy the public key in order to use in on the server). The rest is like the Linux client configuration, fill in the addresses, DNS servers and name. Now you will need to add the server as a peer.
- Click ADD PEER and add the public key of the server, the public IP of the server and the port on which it is listening. If you decide to route all the traffic through the VPN, read the Important section above.
- Add the following to the server’s
/etc/wireguard/wg0.conf:[Peer]PublicKey = <public key of the android client>AllowedIPs = 192.168.66.3/32 # the ip address in the VPN network of the client you just created
Now that everything is configured, you can launch the WireGuard server with:
wg-quick up wg0
And start the client with the same command:
wg-quick up wg0
You can also enable the start of WireGuard at boot time with the following command:
systemctl enable firstname.lastname@example.org
You can check the connection with the
wg command (client or server):
# wg # on the clientinterface: wg0public key: <public key of the client>private key: (hidden)listening port: 57576fwmark: 0xca6cpeer: <public key of the server>endpoint: <public IP of the server>:8999allowed ips: 0.0.0.0/0latest handshake: 50 seconds agotransfer: 8.35 KiB received, 18.00 KiB sentpersistent keepalive: every 25 seconds# ping 192.168.66.1PING 192.168.66.1 (192.168.66.1) 56(84) bytes of data.64 bytes from 192.168.66.1: icmp_seq=1 ttl=64 time=3.50 ms64 bytes from 192.168.66.1: icmp_seq=2 ttl=64 time=4.53 ms--- 192.168.66.1 ping statistics ---2 packets transmitted, 2 received, 0% packet loss, time 3msrtt min/avg/max/mdev = 3.499/4.015/4.532/0.520 ms# curl ifconfig.co<public IP of the server>
As you can see, you can ping the VPN server through the VPN and all your traffic is being routed through the VPN server.
For more information you can check the WireGuard website.
“WireGuard” is a registered trademark of Jason A. Donenfeld.