How to Set Up WireGuard VPN on Ubuntu.

How To Set Up WireGuard VPN On Ubuntu.

In this tutorial, we will set up WireGuard on an Ubuntu machine that will act as a VPN server. We’ll also show you how to configure WireGuard as a client. The client’s traffic will be routed through the Ubuntu 18.04 server.

WireGuard is a modern VPN (Virtual Private Network) technology with state-of-the-art cryptography. Compared to other similar solutions, such as IPsec and OpenVPN , WireGuard is faster, easier to configure, and more performant. It is a cross-platform and can run almost anywhere, including Linux, Windows, Android, and macOS. Wireguard is a peer-to-peer VPN; it does not use the client-server model. Depending on its configuration, a peer can act as a traditional server or client.


Setting Up the WireGuard Server

In this section, we’ll install WireGuard on the Ubuntu machine and set it up to act as a server. We’ll also configure the system to route the clients’ traffic through it.


Installing WireGuard on Ubuntu 18.04

WireGuard is included in the default Ubuntu repositories. To install it run the following commands:

sudo apt updatesudo apt install wireguard

WireGuard runs as a kernel module, which is compiled as a DKMS module. On success, you’ll see the following output:

Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/4.15.0-88-generic/updates/dkms/


DKMS: install completed.

When you update the kernel the WireGuard module will be compiled against the new kernel.


Configuring WireGuard

WireGuard ships with two command-line tools named wg and wg-quick that allow you to configure and manage the WireGuard interfaces.

Run the following command to generate the public and private keys:

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

The files will be generated in the /etc/wireguard directory. You can view the files with cat or less . The private key should never be shared with anyone.

Now that the keys are generated, we’ll need to configure the tunnel device that will route the VPN traffic.

The device can be set up either from the command line using the ip and wg or by creating the configuration file with a text editor.

Create a new file named wg0.conf and add the following contents:

sudo nano /etc/wireguard/wg0.conf
Address =
SaveConfig = true
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

The interface can be named anything, however it is recommended to use something like wg0 or wgvpn0. The settings in the interface section have the following meaning:

The wg0.conf and privatekey files should not be readable to normal users. Use chmod to set the permissions to 600:

sudo chmod 600 /etc/wireguard/{privatekey,wg0.conf}

Once done, bring the wg0 interface up using the attributes specified in the configuration file:

sudo wg-quick up wg0

The command will produce an output similar to the following:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE

Run wg show wg0 to check the interface state and configuration:

sudo wg show wg0
interface: wg0
  public key: r3imyh3MCYggaZACmkx+CxlD6uAmICI8pe/PGq8+qCg=
  private key: (hidden)
  listening port: 51820

You can also run ip a show wg0 to verify the interface state:

ip a show wg0
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet scope global wg0
       valid_lft forever preferred_lft forever

To bring the WireGuard interface at boot time run the following command:

sudo systemctl enable wg-quick@wg0


Server Networking and Firewall Configuration

For NAT to work, we need to enable IP forwarding. Open the /etc/sysctl.conf file and add or uncomment the following line:

sudo nano /etc/sysctl.conf

Save the file and apply the change:

sudo sysctl -p
net.ipv4.ip_forward = 1

If you are using UFW to manage your firewall you need to open UDP traffic on port 51820:

sudo ufw allow 51820/udp

That’s it. The Ubuntu peer that will act as a server has been set up.



We have shown you how to install WireGuard on an Ubuntu machine and configure it as a VPN server. This setup allows you to surf the web anonymously by keeping your traffic data private.