
johanputra


WireGuard Setup for Ubuntu Server (Laptop to be Remote Accessed)

Step 1: Install WireGuard

# Update system
sudo apt update && sudo apt upgrade -y

# Install WireGuard
sudo apt install wireguard resolvconf -y

Step 2: Generate Server Key Pair

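# Generate the key pair inside one root shell so the restrictive umask applies.
# `umask` is a shell builtin: `sudo umask 077` cannot change the mask of the
# shell that creates the files, so it is set in the same shell that runs tee.
# The explicit cd inside that shell also guarantees the keys land in
# /etc/wireguard even if your own user cannot enter that directory.
sudo sh -c 'umask 077 && cd /etc/wireguard && wg genkey | tee privatekey | wg pubkey > publickey'

# Verify the private key is readable by root only (expect -rw-------)
sudo ls -l /etc/wireguard/privatekey /etc/wireguard/publickey

# Display keys. The private key is shown only so it can be pasted into
# wg0.conf in Step 3; it must never be copied off this machine.
echo "=== SERVER PRIVATE KEY ==="
sudo cat /etc/wireguard/privatekey
echo -e "\n=== SERVER PUBLIC KEY ==="
sudo cat /etc/wireguard/publickey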

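Save both keys in a secure location! The private key must stay on the server and never be shared; only the public key is given to clients.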

Step 3: Create Server Configuration

Create configuration file:

sudo nano /etc/wireguard/wg0.conf

Add the following content (replace [SERVER_PRIVATE_KEY] with your private key from Step 2):

[Interface]
# Paste the contents of /etc/wireguard/privatekey here. Because this file then
# holds the private key, keep it readable by root only (chmod 600 wg0.conf).
PrivateKey = [SERVER_PRIVATE_KEY]
Address = 10.8.0.1/24
ListenPort = 51820
# SaveConfig makes wg-quick rewrite this file from the live interface state
# when wg0 is brought down, so hand edits made while it is up are overwritten.
SaveConfig = true

# DNS configuration
DNS = 1.1.1.1, 8.8.8.8

# Firewall and routing rules
# PostUp accepts all forwarded traffic to and from the tunnel (%i = wg0) and
# NATs it out of eth0; PostDown removes the same rules again.
# Replace eth0 with this machine's real outbound interface
# (see `ip route show default`); on a laptop it is often a Wi-Fi interface.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Example with actual values:

[Interface]
# The value below is an illustrative placeholder, not a usable key.
# Never paste a real PrivateKey into a post, ticket, or chat.
PrivateKey = ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdef=
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = true
DNS = 1.1.1.1, 8.8.8.8
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Step 4: Enable IP Forwarding

# Edit sysctl configuration
sudo nano /etc/sysctl.conf

# Uncomment or add this line:
# (this is a line inside /etc/sysctl.conf, not a command to type at the prompt)
# Forwarding lets this machine route VPN clients' traffic to other networks;
# reaching the server itself over the tunnel does not depend on it.
net.ipv4.ip_forward=1

# Apply changes
sudo sysctl -p

Step 5: Configure Firewall

# Allow WireGuard port
sudo ufw allow 51820/udp

# Allow SSH (don't forget!)
# This rule opens SSH on every interface, which keeps your current session
# alive when UFW is enabled. Once the tunnel is confirmed working, SSH can be
# limited to VPN clients:
#   sudo ufw allow in on wg0 to any port 22 proto tcp
#   sudo ufw delete allow ssh
sudo ufw allow ssh

# Enable UFW
sudo ufw enable

# Check status
sudo ufw status

Step 6: Start WireGuard Service

# Start WireGuard interface
sudo wg-quick up wg0

# Enable auto-start on boot
sudo systemctl enable wg-quick@wg0

# Check status
sudo wg show

Step 7: Generate Client Configuration

7.1 Generate Client Keys

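# Generate client keys with a restrictive umask so the private key file is
# never created world-readable. The subshell keeps the umask change local.
# Preferably run this on the client device itself, so its private key never
# has to be copied between machines.
(
  umask 077
  wg genkey > client_private.key
  wg pubkey < client_private.key > client_public.key
)

echo "=== CLIENT PRIVATE KEY ==="
cat client_private.key
echo -e "\n=== CLIENT PUBLIC KEY ==="
cat client_public.key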

7.2 Add Client to Server

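# Add client to server configuration
# The substitution is quoted so the key is always passed as exactly one
# argument; /32 limits this peer to the single tunnel address 10.8.0.2.
sudo wg set wg0 peer "$(cat client_public.key)" allowed-ips 10.8.0.2/32

# Save configuration permanently
sudo wg-quick save wg0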

7.3 Create Client Config File

Create ubuntu-client.conf file:

[Interface]
# This file contains the client's private key: transfer it over a trusted
# channel and keep it readable only by the user who runs the tunnel.
PrivateKey = [CLIENT_PRIVATE_KEY]
Address = 10.8.0.2/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = [SERVER_PUBLIC_KEY]
Endpoint = [SERVER_IP]:51820
# 0.0.0.0/0 sends all of the client's IPv4 traffic through the laptop.
# If the goal is only to reach the laptop itself, 10.8.0.1/32 is sufficient
# and leaves the client's other traffic on its normal route.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

How to get SERVER_IP:

# For public IP (if you have one)
curl -4 ifconfig.me

# For local IP
ip addr show | grep inet

Step 8: Enable Services for Remote Access

8.1 Enable SSH (if not already enabled)

# Make sure the OpenSSH server package is present
sudo apt install -y openssh-server

# Enable the service at boot and start it right away
sudo systemctl enable --now ssh

# Show the current service state
sudo systemctl status ssh

8.2 Optional: Enable VNC for GUI access

# Install VNC server
sudo apt install x11vnc -y

# Set VNC password
# Run this as your normal desktop user: with no arguments x11vnc prompts for
# the password and stores it in that user's ~/.vnc/passwd.
x11vnc -storepasswd

# Create VNC service
sudo nano /etc/systemd/system/x11vnc.service

Service file content:

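[Unit]
Description=x11vnc service
After=display-manager.service network.target syslog.target

[Service]
Type=simple
# systemd does not run ExecStart through a shell, so $(whoami) is never
# expanded: write the real account name in place of YOUR_USER.
# -rfbauth reads the password file written by `x11vnc -storepasswd`;
# -passwd would instead treat its argument as the literal password, turning
# the file path itself into the VNC password.
# VNC traffic is not encrypted: keep port 5900 closed on the public interface
# and connect only through the WireGuard tunnel.
ExecStart=/usr/bin/x11vnc -forever -display :0 -auth guess -rfbauth /home/YOUR_USER/.vnc/passwd
ExecStop=/usr/bin/killall x11vnc
Restart=on-failure

[Install]
WantedBy=multi-user.target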
Then reload systemd, enable the service, and start it:
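# Enable VNC service
sudo systemctl daemon-reload
sudo systemctl enable x11vnc
sudo systemctl start x11vnc

# UFW (Step 5) denies incoming connections by default, so VNC is unreachable
# until a rule allows it. Open the port on the tunnel interface only, so
# 5900 is never exposed on the public interface.
sudo ufw allow in on wg0 to any port 5900 proto tcp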

Step 9: Testing

9.1 Test WireGuard Server

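# Check interface
ip addr show wg0

# Check WireGuard status
sudo wg show

# Test port listening
# WireGuard listens on UDP only. ss ships with iproute2, whereas netstat
# needs the net-tools package, which may not be installed.
sudo ss -ulnp | grep 51820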

9.2 Test from Client

After setting up the client, test the connection:

# Ping server
ping 10.8.0.1

# SSH through VPN
ssh username@10.8.0.1

Step 10: Automated Setup Script

Create setup-wireguard-ubuntu.sh file:

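#!/bin/bash
#
# Installs WireGuard and brings up wg0 as a server on 10.8.0.1/24.
#
# Usage:    sudo ./setup-wireguard-ubuntu.sh
# Optional: WAN_IF=<iface> selects the outbound interface for the NAT rule
#           (default: interface of the IPv4 default route, else eth0).
#
# Re-running is safe: an existing private key or wg0.conf is kept, because
# replacing either one would break peers that are already configured.

set -euo pipefail

# Every step changes system state, so run as root (re-exec via sudo if needed).
if [[ ${EUID} -ne 0 ]]; then
  exec sudo -- "$0" "$@"
fi

readonly WG_DIR=/etc/wireguard
readonly WG_CONF="${WG_DIR}/wg0.conf"

echo "=== WireGuard Auto Setup for Ubuntu ==="

# Install dependencies
apt update
apt install wireguard resolvconf -y

# umask is a shell builtin, so `sudo umask 077` has no effect on later
# commands. Setting it in this shell makes the key files and wg0.conf below
# come out readable by root only.
umask 077
cd "${WG_DIR}"

# Generate keys (only when no private key exists yet)
if [[ ! -s privatekey ]]; then
  wg genkey > privatekey
fi
wg pubkey < privatekey > publickey

SERVER_PRIVATE_KEY=$(< privatekey)
SERVER_PUBLIC_KEY=$(< publickey)

# Pick the outbound interface for the NAT rule instead of assuming eth0,
# which is frequently absent on current Ubuntu installs and on laptops.
wan_if=${WAN_IF:-}
if [[ -z "${wan_if}" ]]; then
  wan_if=$(ip -4 route show default \
    | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i + 1); exit}}') \
    || true
fi
wan_if=${wan_if:-eth0}

# Create config (never overwrite one that may already list peers)
if [[ -e "${WG_CONF}" ]]; then
  echo "Keeping existing ${WG_CONF}; not overwritten" >&2
else
  cat > "${WG_CONF}" <<EOF
[Interface]
PrivateKey = $SERVER_PRIVATE_KEY
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = true
DNS = 1.1.1.1, 8.8.8.8
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${wan_if} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${wan_if} -j MASQUERADE
EOF
fi

# Enable IP forwarding (append the setting only once across re-runs)
if ! grep -qxF 'net.ipv4.ip_forward=1' /etc/sysctl.conf; then
  echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
fi
sysctl -p

# Setup firewall
# The rules are only added here. UFW is not enabled by this script, so an
# existing remote session is not cut off; run `ufw enable` yourself (Step 5).
ufw allow 51820/udp
ufw allow ssh

# Start service (skip bring-up when wg0 already exists from an earlier run)
if ! ip link show wg0 > /dev/null 2>&1; then
  wg-quick up wg0
fi
systemctl enable wg-quick@wg0

echo "=== Setup Complete! ==="
echo "Server Public Key: $SERVER_PUBLIC_KEY"
echo "WireGuard interface: wg0"
echo "Server VPN IP: 10.8.0.1"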

Make executable and run:

chmod +x setup-wireguard-ubuntu.sh
sudo ./setup-wireguard-ubuntu.sh

Step 11: Management Commands

Useful commands:

# Start/Stop WireGuard
sudo wg-quick up wg0
sudo wg-quick down wg0

# Check status
sudo wg show
sudo systemctl status wg-quick@wg0

# View logs
sudo journalctl -u wg-quick@wg0 -f

# Add client manually
sudo wg set wg0 peer [CLIENT_PUBLIC_KEY] allowed-ips 10.8.0.2/32

# Remove client
sudo wg set wg0 peer [CLIENT_PUBLIC_KEY] remove

Troubleshooting

If you encounter issues:

# Restart service
sudo wg-quick down wg0
sudo wg-quick up wg0

# Check kernel module
lsmod | grep wireguard

# Check firewall
sudo ufw status

# Check routing
ip route show

# Check interface status
ip link show wg0

Common Issues and Solutions:

  1. Interface not starting:
   # Check if module is loaded
   sudo modprobe wireguard

   # Check for errors in config
   sudo wg-quick down wg0
   sudo wg-quick up wg0
  2. Connection issues:
   # Check if port is open
   sudo ufw status

   # Verify keys match
   sudo wg show
  3. No internet access through VPN:
   # Check IP forwarding
   cat /proc/sys/net/ipv4/ip_forward

   # Check NAT rules
   sudo iptables -t nat -L

With this setup, your Ubuntu laptop is ready to be accessed remotely and securely through a WireGuard VPN connection!
