How to Set Up WireGuard VPN Server on Ubuntu
This post covers how to configure the WireGuard VPN server. All of your clients/devices will connect to this machine first, then route out to the Internet.
After some research I decided to use WireGuard since it is free and open-source software. OK, to be honest, my main reason could be this: Linus Torvalds merged WireGuard into the Linux kernel.
0. Entrée
WireGuard is a modern VPN (Virtual Private Network) technology with state-of-the-art cryptography.
It is cross-platform and can run almost anywhere, including Linux, Windows, Android, macOS and iOS.
It is a peer-to-peer VPN; it does not use the client-server model.
It works by creating a network interface on each peer device that acts as a tunnel. Peers authenticate each other by exchanging and validating public keys, much like the SSH model. Each public key is mapped to a list of IP addresses that are allowed inside the tunnel. The VPN traffic is encapsulated in UDP.
It is fast, easy to configure (especially compared to some of the alternatives), and lightweight.
For more detail you can check the official website: WireGuard
1. Install
First we update the server, then install WireGuard:
$ sudo apt update
$ sudo apt install wireguard
Info
You may see advice around the web to install WireGuard from a PPA, like:
$ sudo add-apt-repository ppa:wireguard/wireguard
This is an outdated method, as stated at https://launchpad.net/%7Ewireguard:
This formerly was responsible for producing a PPA for WireGuard on Ubuntu. That functionality has now been folded into Ubuntu itself, so our old PPA has been removed. Simply run apt install wireguard on all Ubuntus ≥ 16.04
2. Configure
2.0. Keys
WireGuard ships with two command-line tools, wg and wg-quick, that allow you to configure and manage WireGuard.
Run the following command to generate the public and private keys:
$ sudo mkdir -p /etc/wireguard/server
$ wg genkey | sudo tee /etc/wireguard/server/server.key | wg pubkey | sudo tee /etc/wireguard/server/server.key.pub
This places our keys under the /etc/wireguard/server directory that we just created.
As usual, DO NOT share your private key with anyone else, otherwise your VPN will be compromised.
You can view these files with cat:
$ cat /etc/wireguard/server/server.key
$ cat /etc/wireguard/server/server.key.pub
2.1. conf File
Create the configuration file,
$ sudoedit /etc/wireguard/wg0.conf
and add the following settings:
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = true
Replace SERVER_PRIVATE_KEY with your private key from /etc/wireguard/server/server.key. Make sure to replace both occurrences of eth0 with the name of your public network interface. You can easily find the interface by running the following command:
$ ip -o -4 route show to default | awk '{print $5}'
2.2. chmod
The wg0.conf and server.key files should not be readable by normal users. Use chmod to set the permissions to 600:
$ sudo chmod 600 /etc/wireguard/wg0.conf
$ sudo chmod 600 /etc/wireguard/server/server.key
3. Start WireGuard
3.0. wg up
When everything above is done, bring the wg0 interface up using the attributes specified in the configuration file:
$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
3.1. Start at Boot
You probably want WireGuard to start after every system reboot. To achieve that, run:
$ sudo systemctl enable wg-quick@wg0
4. Firewall and Networking
4.0. IP Forwarding
We need to allow traffic forwarding for the VPN to work correctly.
Edit the /etc/sysctl.conf file and uncomment the line containing net.ipv4.ip_forward=1:
$ sudoedit /etc/sysctl.conf
##############################################################
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
Save the file and apply the change:
$ sudo sysctl -p
4.1. Open WireGuard Server Port
Open the ListenPort we defined in our /etc/wireguard/wg0.conf file:
$ sudo ufw allow 51820/udp
Now enable the firewall:
$ sudo ufw enable
You can verify everything by checking the status:
$ sudo ufw status verbose
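Beyond the ufw status, the following script is an added pre-flight check (my own code, not part of the original post) for the pieces configured in sections 2.1, 2.2 and the IP Forwarding section: it confirms the SERVER_PRIVATE_KEY placeholder was replaced with a real key, that the "-o eth0" in PostUp/PostDown names the machine's default-route interface, that wg0.conf is mode 600, and that IPv4 forwarding is switched on. It assumes GNU coreutils (stat -c) and iproute2 as found on Ubuntu; the function names are my own.

```shell
# Added example (not from the original post): pre-flight checks for the
# WireGuard server built above. Assumes GNU coreutils (stat -c) and
# iproute2, as on Ubuntu. Function names are this example's own.

# Print the value of key $2 from config file $1 (first match only).
wg_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# A WireGuard key is 32 bytes of base64: 43 base64 characters plus one '='.
is_valid_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Succeed only if every "-o <iface>" in PostUp/PostDown equals $2.
postup_iface_matches() {
    ifaces=$(grep -E '^(PostUp|PostDown)' "$1" | grep -oE -- '-o [^ ]+' \
             | awk '{print $2}' | sort -u)
    [ -n "$ifaces" ] && [ "$ifaces" = "$2" ]
}

# Succeed if file $1 is mode 600 (owner read/write only, as set in 2.2).
is_mode_600() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Succeed if sysctl file $1 (normally /proc/sys/net/ipv4/ip_forward) reads 1.
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Run every check: $1 = wg0.conf, $2 = public interface, $3 = ip_forward file.
# Prints one line per failure and returns 1 if any check failed.
check_wg_server() {
    rc=0
    key=$(wg_conf_value "$1" PrivateKey)
    if [ "$key" = "SERVER_PRIVATE_KEY" ] || ! is_valid_wg_key "$key"; then
        echo "PrivateKey is still the placeholder or not a valid key"; rc=1
    fi
    postup_iface_matches "$1" "$2" || { echo "PostUp/PostDown do not use -o $2"; rc=1; }
    is_mode_600 "$1" || { echo "$1 is not mode 600"; rc=1; }
    ip_forward_enabled "$3" || { echo "net.ipv4.ip_forward is not 1"; rc=1; }
    return $rc
}

# Stand-alone use on the server (wg0.conf is root-only, so run with sudo):
# check_wg_server /etc/wireguard/wg0.conf \
#     "$(ip -o -4 route show to default | awk '{print $5}')" /proc/sys/net/ipv4/ip_forward
```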
That’s it. Your WireGuard server is now ready!
All done!
TODO:
- Add client posts:
- Add Ubuntu Desktop Client
- Add Android Client
- Add IPv6 conf as well