0. Prerequisite

You need a working WireGuard VPN server. Learn how to set that up here: How to Set Up WireGuard VPN Server on Ubuntu

1. Install

First we update our Ubuntu host machine then install WireGuard:

$ sudo apt update
$ sudo apt install wireguard


You may see over the web that you should install WireGuard with ppa, like:

$ sudo add-apt-repository ppa:wireguard/wireguard

This is an outdated method and as we seen in https://launchpad.net/%7Ewireguard:

This formerly was responsible for producing a PPA for WireGuard on Ubuntu. That functionality has now been folded into Ubuntu itself, so our old PPA has been removed. Simply run apt install wireguard on all Ubuntus ≥ 16.04

2. Configure

2.0. Keys

WireGuard ships with two command-line tools: wg and wg-quick that allow you to configure and manage the WireGuard.

Run the following command to generate the public and private keys:

$ sudo mkdir -p /etc/wireguard/clients
$ wg genkey | sudo tee /etc/wireguard/clients/desktop.key | wg pubkey | sudo tee /etc/wireguard/clients/desktop.key.pub

This places our keys under our /etc/wireguard/clients directory that we just created. As usual, DO NOT share your private key with anyone else, otherwise your VPN will be compromised.

You can view these files with cat:

$ cat /etc/wireguard/clients/desktop.key
$ cat /etc/wireguard/clients/desktop.key.pub

2.1. dekstop.conf File

Create configuration file,

$ sudoedit /etc/wireguard/wg0.conf

and add following settings:

Address =

AllowedIPs =

Replace DESKTOP_CLIENT_PRIVATE_KEY with your private key in /etc/wireguard/clients/desktop.key.

2.2. Add Desktop Client to Server

The last configuration step is to add your dekstip client’s public key and IP address to your server:

$ sudo wg set wg0 peer DESKTOP_CLIENT_PUBLIC_KEY allowed-ips

3. Start WireGuard

3.0. wg up

When everything done above, bring the wg0 interface up using the attributes specified in the configuration file:

$ sudo wg-quick up wg0

Now you should be connected to your Ubuntu VPN server, and the traffic from your client machine should be routed through it. You can check the connection with:

$ sudo wg

and the output should be like:

interface: wg0
  public key: HFqTSN2SE6LvvEU/xV3eJ0KArQEkTx1mYZpAjRtAjwE=
  private key: (hidden)
  listening port: 22870
  fwmark: 0xca6c

peer: 8Mg3Vgw+QduVhJaLERXQbyrPL1/nUWa27Ly8ZVTGTHs=
  endpoint: XXX.XXX.XXX.XXX:51820
  allowed ips:
  latest handshake: 1 minute, 18 seconds ago
  transfer: 67.58 KiB received, 170.36 KiB sent

3.1. Start at Boot

If you want to to start your WireGuard after every system reboot just run:

$ sudo systemctl enable wg-quick@wg0

To remove this:

$ sudo systemctl disable wg-quick@wg0

4. Test WireGuard

You can now check you IP searching on the browser what is my ip or just use curl to achieve that from your cli:

$ curl ifconfig.me

You should now see your YOUR_SERVER_IP_ADDRESS instead of your your local IP which your ISP provided.


All done!


  • 2021-04-26 : Fixed typo on pub key name when generating wg genkey