How to Set Up Wireguard VPN on Linux - 56juqingba: How-to instructions you can trust

Spread the love

Wireguard is a powerful open source virtual private network (VPN) daemon that can run on both desktop and mobile devices. It provides a fast and lightweight alternative to traditional VPN solutions such as IPsec and OpenVPN. Here, we show you how to install Wireguard and create a simple VPN set up using three Linux machines.

Content

Table of Contents

Why Use Wireguard as a VPN Solution?

One of the biggest selling points of Wireguard is that it’s a fast and lightweight VPN daemon. Unlike traditional solutions, Wireguard doesn’t add a lot of overhead to your network. This results in lower latency and a high overall throughput rate across your nodes.

Another key feature of Wireguard is that it’s a module inside the Linux kernel. This allows it to run without taking up any additional system resources from your computer, making it an ideal choice for deploying on low-end and SOC devices.

Lastly, Wireguard also takes advantage of modern cryptographic standards and development practices. It also had multiple formal verifications, which confirm Wireguard’s code correctness, security guarantees, and ability to resist attacks.

On a side note: still not convinced with Wireguard? Learn how Wireguard stacks against OpenVPN.

Obtaining Wireguard

The first step to set up Wireguard on Linux is to download its core tools from your distro’s repository. This allows you to control the built-in Wireguard kernel module using userspace commands.

To install the core tools in Ubuntu and Debian, run the following command:

sudo apt install wireguard wireguard-tools

In Fedora, you can use the dnf package manager:

sudo dnf install wireguard-tools

For Arch Linux, you can run pacman to obtain the Wireguard core tools:

sudo pacman -S wireguard-tools

Confirm that you’ve properly installed the Wireguard tools by loading its help screen:

wg -h

Setting Up the Wireguard Server

Assumption: This article assumes that you’re installing the Wireguard server on a Linux system with a publicly accessible IPv4 address. The instructions will still work on a server behind a NAT, but it won’t find nodes outside its subnet.

With the Wireguard core toolkit on your Linux machines, you can now set up your VPN’s server node. This will serve as the internet gateway for your client nodes in the network.

Start by navigating to your Wireguard config directory and set its default permissions to “root only:”

cd /etc/wireguard
sudo umask 077

Note: some systems might prevent you from going inside the “/etc/wireguard” folder as a regular user. To fix that, switch to the root user using sudo -s.

Generate the public and private key for your Wireguard server:

sudo sh -c 'wg genkey | tee /etc/wireguard/server-private-key | wg pubkey > /etc/wireguard/server-public-key'

Create your server’s configuration file using your favorite text editor:

sudo nano /etc/wireguard/wg0.conf

Paste the following block of code inside your server config file:

[Interface]
PrivateKey = PASTE-YOUR-SERVER-PRIVATE-KEY-HERE
Address = 10.0.0.1/32
ListenPort = 60101
PostUp = iptables -t nat -I POSTROUTING -o NETWORK-INTERFACE-HERE -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o NETWORK-INTERFACE-HERE -j MASQUERADE

Open a new terminal session, then print your server’s Wireguard private key:

sudo cat /etc/wireguard/server-private-key

Copy your server’s private key to your clipboard.

Replace the value of the PrivateKey variable with the key on your clipboard.

Find the network interface that has access to the internet using the ip command:

ip route get 8.8.8.8

Set the value of the -o flag on both PostUp and PostDown variables to the interface with internet access, then save your config file.

Open the server’s “/etc/sysctl.conf” file using your favorite text editor:

sudo nano /etc/sysctl.conf

Scroll down to the line that contains net.ipv4.ip_forward=1, then remove the pound (#) sign in front of it.

Reload your new sysctl config by running: sudo sysctl -p.

FYI: Wireguard is not the only VPN solution that you can run on Linux. Learn how to create your own VPN using OpenVPN.

Setting Up and Connecting the Wireguard Client

At this point, you now have a properly configured Wireguard server without any peers. To use it, you need to set up and connect your first Wireguard client.

Navigate to your client system’s Wireguard config directory and set its default permissions:

cd /etc/wireguard
sudo umask 077

Generate your client’s Wireguard keypair using the following command:

sudo sh -c 'wg genkey | tee /etc/wireguard/client1-private-key | wg pubkey > /etc/wireguard/client1-public-key'

Create the client’s Wireguard config file using your favorite text editor:

sudo nano /etc/wireguard/wg0.conf

Paste the following block of code inside your client config file:

[Interface]
PrivateKey = PASTE-YOUR-CLIENT1-PRIVATE-KEY-HERE
Address = 10.0.0.2/32
ListenPort = 60101
 
[Peer]
PublicKey = PASTE-YOUR-SERVER-PUBLIC-KEY-HERE
AllowedIPs = 0.0.0.0/0
Endpoint = PASTE-YOUR-SERVER-IP-ADDRESS-HERE:60101
PersistentKeepalive = 25

Replace the PrivateKey variable with your client’s private key.

Open your Wireguard server’s terminal session, then print its public key:

sudo cat /etc/wireguard/server-public-key

Set the value of the PublicKey variable to your server’s public key.

Change the Endpoint variable to the IP address of your Wireguard server.

Save your config file, then use the wg-quick command to start the Wireguard client:

sudo wg-quick up wg0

Note: this command will disable your client’s network connectivity until you start your Wireguard server. To go back to your original network, run sudo wg-quick down wg0.

Linking the Wireguard Server to the Client

Go to your Wireguard server’s terminal session, then open its config file:

sudo nano /etc/wireguard/wg0.conf

Paste the following block of code after the [Interface] section:

[Peer]
PublicKey = PASTE-YOUR-CLIENT1-PUBLIC-KEY-HERE
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25

Set the PublicKey variable to the public key of your Wireguard client.

Note: you can get the public key by running sudo cat /etc/wireguard/client1-public-key on your client machine.

Save the config file, then run the following command to start the Wireguard service on your server:

sudo wg-quick up wg0

Adding a Second Client to the Server

One key feature of every VPN service is that it can link together multiple machines from different networks. This is useful if you have computers on different locations or want to host a private game server for your friends.

To do this in Wireguard, you need to create a config file for a new VPN interface on your server. The easiest way to do this is to copy your current server config and giving the copy a new name:

sudo cp /etc/wireguard/wg0.conf /etc/wireguard/wg1.conf

Open your new config file using your favorite text editor:

sudo nano /etc/wireguard/wg1.conf

Set the ListenPort variable to 60102. Doing this will prevent any port collisions between the wg0 and wg1 VPN interfaces.

Go to the [Peer] section and change the AllowedIPs variable from “10.0.0.2/32” to “10.0.0.3/32,” then save your config file.

Configuring the Second Wireguard Client

cd /etc/wireguard
sudo umask 077

Generate a new Wireguard keypair using the following command:

sudo sh -c 'wg genkey | tee /etc/wireguard/client2-private-key | wg pubkey > /etc/wireguard/client2-public-key'

Create a new config file using your favorite text editor:

sudo nano /etc/wireguard/wg0.conf

Paste the following block of code inside your new config file:

[Interface]
PrivateKey = PASTE-YOUR-CLIENT2-PRIVATE-KEY-HERE
Address = 10.0.0.3/32
ListenPort = 60102
 
[Peer]
PublicKey = PASTE-YOUR-SERVER-PUBLIC-KEY-HERE
AllowedIPs = 0.0.0.0/0
Endpoint = PASTE-YOUR-SERVER-IP-ADDRESS-HERE:60102
PersistentKeepalive = 25

Set the PrivateKey variable to your second machine’s private key, then change the PublicKey variable to the public key of your server.

Replace the Endpoint variable with the IP address of your server, followed by “:60102.”

Save your config file, then start the second machine’s Wireguard client:

sudo wg-quick up wg0

Linking the Second Client to the Wireguard Server

Log back in to your Wireguard server, then open the VPN interface config for your second client:

sudo nano /etc/wireguard/wg1.conf

Scroll down to the [Peer] section, then replace the PublicKey variable with your second client’s public key.

Save your config file, then start the second VPN interface using the wg-quick command:

sudo wg-quick up wg1

Confirm that your first and second Wireguard clients are showing up correctly on your server by running wg.

Testing the Wireguard Network

With both your server and clients on the Wireguard network, you can now test the connectivity and latency between your nodes. To do this, make sure that you have network diagnostics tools installed on your system:

sudo apt install net-tools curl

In Fedora, you only need to install curl since it already comes with networking tools right out of the box:

sudo dnf install curl

For Arch Linux, you can use pacman to install the network tools and curl:

sudo pacman -S traceroute curl

Start by tracking the route of a packet between two clients. The following will show how an IP packet goes from “10.0.0.2” to “10.0.0.3:”

traceroute 10.0.0.3

Check whether any of your nodes can access the public internet by pinging a common IP address:

ping -c 5 8.8.8.8

Lastly, confirm that your nodes share the same public IP address to your Wireguard server:

curl ipinfo.io/ip

Learning to set up a Wireguard network on Linux is the first step in exploring the fascinating world of VPNs. Take a deep dive and look at our picks for the best security-focused VPN providers you can get today.

Image credit: Kari Shea via Unsplash and Wikimedia Commons. All alterations and screenshots by Ramces Red.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Sign up for all newsletters.
By signing up, you agree to our Privacy Policy and European users agree to the data transfer policy. We will not share your data and you can unsubscribe at any time. Subscribe

Ramces Red –
Staff Writer

Ramces is a technology writer that lived with computers all his life. A prolific reader and a student of Anthropology, he is an eccentric character that writes articles about Linux and anything *nix.