In this article, we’ll explain how to install WireGuard VPN on Ubuntu 20.04.
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. Compared to other popular VPN solutions, such as IPsec and OpenVPN, WireGuard is faster, easier to configure, and has a smaller footprint. It is cross-platform and can run almost anywhere, including Linux, Windows, Android, and macOS.
WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. WireGuard has been designed with ease-of-implementation and simplicity in mind. It is meant to be easily implemented in very few lines of code, and easily auditable for security vulnerabilities.
Prerequisites
- A dedicated server or KVM VPS running Ubuntu 20.04.
- Root access or a normal user with administrative privileges.
Let’s get started with the installation.
1. Keep the server up to date
# apt update -y
2. Install WireGuard VPN
We’ll install WireGuard from the default Ubuntu repository.
# apt install wireguard -y
This will install the WireGuard module and tools.
3. Generate private and public key
WireGuard has two command-line tools, wg and wg-quick. We’ll use those commands to configure the WireGuard VPN.
Using the wg command, we’ll generate a private and public key as shown below:
# wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
Each device in the WireGuard VPN network needs to have a private and public key. The files will be generated in the /etc/wireguard directory. Never share the private key with anyone, and keep it secured.
4. Configure tunnel device
Next, we need to configure the tunnel device that will route the VPN traffic. We’ll do this by creating a configuration file named wg0.conf.
# vi /etc/wireguard/wg0.conf
Add the following contents to the file.
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
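Note: Replace enp0s3 with your public network interface name. Because SaveConfig = true is set, wg-quick writes the interface's current state back to wg0.conf on shutdown, so edit the file only while the interface is down.
Replace SERVER_PRIVATE_KEY with your private key. You can display the private key using the following command: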
# cat /etc/wireguard/privatekey
The wg0.conf and privatekey files should not be readable by normal users. Use chmod to set the permissions to 600:
# chmod 600 /etc/wireguard/{privatekey,wg0.conf}
Once done, bring the wg0 interface up using the attributes specified in the configuration file:
# wg-quick up wg0
Output:
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
To check the interface state and configuration, enter:
# wg show wg0
Output:
interface: wg0
public key: hV6hSNnGfUi3dFWrR1GMZTMV3gzJ/HUs3N0HYCVfA3U=
private key: (hidden)
listening port: 51820
To bring up the WireGuard interface at boot time, run the following command:
# systemctl enable wg-quick@wg0
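A pre-flight audit of the wg0.conf built in this step, as an added example that is not part of the original article: it checks that the file has no group or other permission bits, that PrivateKey is a real base64 key rather than the SERVER_PRIVATE_KEY placeholder, and that PostUp and PostDown name the same egress interface. The function names wg_conf_audit and write_sample_conf are hypothetical, the sample config is constructed, and GNU stat (as shipped on Ubuntu) is assumed.

```bash
# Added example: audit a wg-quick config file before bringing the interface up.
# Assumes GNU stat (Ubuntu). Function names are hypothetical, not WireGuard tooling.
wg_conf_audit() {
    local conf="$1" findings=0 mode key up_if down_if
    [ -f "$conf" ] || { echo "missing: $conf"; return 1; }

    # 1. No group/other permission bits: the file holds the private key.
    mode=$(stat -c '%a' "$conf")
    case "$mode" in
        ?00) ;;
        *) echo "mode $mode on $conf, expected 600"; findings=$((findings + 1)) ;;
    esac

    # 2. PrivateKey must be a real key: 32 bytes in base64 = 43 chars plus '='.
    #    The value itself is never printed.
    key=$(sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    if ! printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
        echo "PrivateKey is missing, malformed, or still a placeholder"
        findings=$((findings + 1))
    fi

    # 3. PostUp and PostDown must name the same egress interface, otherwise the
    #    MASQUERADE rule added on "up" is not the one deleted on "down".
    up_if=$(sed -n 's/^[[:space:]]*PostUp.* -o \([^[:space:];]*\).*/\1/p' "$conf" | head -n 1)
    down_if=$(sed -n 's/^[[:space:]]*PostDown.* -o \([^[:space:];]*\).*/\1/p' "$conf" | head -n 1)
    if [ "$up_if" != "$down_if" ]; then
        echo "PostUp uses '$up_if' but PostDown uses '$down_if'"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "ok: $conf"
    return "$findings"   # number of findings; 0 means the file passed
}

# Constructed sample shaped like the config above.
# $1 = output path, $2 = PrivateKey value, $3 = egress interface used in PostDown
write_sample_conf() {
    cat > "$1" <<EOF
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = $2
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $3 -j MASQUERADE
EOF
}
```

Source the file and run wg_conf_audit /etc/wireguard/wg0.conf as root; the return code is the number of findings.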
5. Server networking
IP forwarding must be enabled for NAT to work. Open the /etc/sysctl.conf file and add or uncomment the following line:
# vi /etc/sysctl.conf
Uncomment the following parameter:
net.ipv4.ip_forward=1
Save the file and apply the change:
# sysctl -p
Output:
net.ipv4.ip_forward = 1
6. Configure firewall
If you are using UFW to manage your firewall, you need to allow UDP traffic on port 51820:
# ufw allow 51820/udp
That’s it. The installation and configuration have been completed successfully.
In this article, we have seen how to install WireGuard VPN on Ubuntu 20.04.