
Steps to Install WireGuard VPN on Ubuntu 20.04

In this article, we’ll explain how to install WireGuard VPN on Ubuntu 20.04.

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. Compared to other popular VPN solutions, such as IPsec and OpenVPN, WireGuard is faster, easier to configure, and has a smaller footprint. It is cross-platform and can run almost anywhere, including Linux, Windows, Android, and macOS.

WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. WireGuard has been designed with ease-of-implementation and simplicity in mind. It is meant to be easily implemented in very few lines of code, and easily auditable for security vulnerabilities.

Prerequisites

Let’s get started with the installation.

1. Keep the server up to date

# apt update -y

2. Install WireGuard VPN

We’ll install WireGuard from the default Ubuntu repository.

# apt install wireguard -y

This will install the WireGuard module and tools.

3. Generate private and public key

WireGuard has two command-line tools, wg and wg-quick. We’ll use those commands to configure WireGuard VPN.

Using the wg command, we’ll generate a private and public key as shown below:

# wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

Each device in the WireGuard VPN network needs to have a private and public key. The files will be generated in the /etc/wireguard directory. Do not share the private key with anyone, and keep it secured.

4. Configure tunnel device

Next, we need to configure the tunnel device that will route the VPN traffic. We’ll do this by creating a configuration file named wg0.conf.

# vi /etc/wireguard/wg0.conf

Add the following contents to the file.

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE

Note: Replace enp0s3 with your public network interface name.

Replace SERVER_PRIVATE_KEY with your private key. You can display the private key using the following command:

# cat /etc/wireguard/privatekey

The wg0.conf and privatekey files should not be readable by normal users. Use chmod to set the permissions to 600:

# chmod 600 /etc/wireguard/{privatekey,wg0.conf}
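The checks this step relies on can be scripted. The following is an added example, not part of the original article: it verifies that privatekey and wg0.conf are owner-only, that the SERVER_PRIVATE_KEY placeholder was replaced by a real key, and that PostDown undoes what PostUp adds. The function names and finding labels are this example's own, and it assumes GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original article): audit the files from steps 3-4.
# Function names and finding labels are this example's own. Needs GNU stat.

# conf_val KEY FILE: print the value of "KEY = value", trailing spaces stripped.
conf_val() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | sed 's/[[:space:]]*$//'
}

# audit_wg_dir DIR: print one line per finding; exit status = number of findings.
audit_wg_dir() {
    dir=$1 findings=0
    for f in "$dir/privatekey" "$dir/wg0.conf"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"; findings=$((findings + 1)); continue
        fi
        mode=$(stat -c %a "$f")
        case $mode in
            600|400) ;;                       # owner-only access
            *) echo "PERMS $f is mode $mode, expected 600"
               findings=$((findings + 1)) ;;
        esac
    done
    conf=$dir/wg0.conf
    [ -f "$conf" ] || return "$findings"
    # A WireGuard key is 32 bytes in base64: 43 characters plus one '='.
    if ! conf_val PrivateKey "$conf" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
        echo "KEY PrivateKey in $conf is not a base64 key (placeholder left in?)"
        findings=$((findings + 1))
    fi
    # PostDown should remove exactly what PostUp added (-A becomes -D).
    up=$(conf_val PostUp "$conf" | sed 's/ -A / -D /g')
    down=$(conf_val PostDown "$conf")
    if [ "$up" != "$down" ]; then
        echo "NAT PostDown does not mirror PostUp; rules may be left behind"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Run against a directory given on the command line, e.g. /etc/wireguard.
[ "$#" -eq 0 ] || audit_wg_dir "$1"
```

Save it as a script and run it as root with /etc/wireguard as the argument; no output and exit status 0 mean all checks passed.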

Once done, bring the wg0 interface up using the attributes specified in the configuration file:

# wg-quick up wg0

Output:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE

To check the interface state and configuration, enter:

# wg show wg0

Output:

interface: wg0
public key: hV6hSNnGfUi3dFWrR1GMZTMV3gzJ/HUs3N0HYCVfA3U=
private key: (hidden)
listening port: 51820

To bring the WireGuard interface up at boot time, run the following command:

# systemctl enable wg-quick@wg0

5. Server networking

IP forwarding must be enabled for NAT to work. Open the /etc/sysctl.conf file:

# vi /etc/sysctl.conf

Add or uncomment the following line:

net.ipv4.ip_forward=1

Save the file and apply the change:

# sysctl -p

Output:

net.ipv4.ip_forward = 1

6. Configure firewall

If you are using UFW to manage your firewall, you need to allow UDP traffic on port 51820:

# ufw allow 51820/udp

That’s it. The installation and configuration have been completed successfully.

In this article, we have seen how to install WireGuard VPN on Ubuntu 20.04.
