WireGuard is a modern VPN protocol for creating encrypted tunnels between servers, laptops, and other devices. It is fast, lightweight, and built directly into the Linux kernel, making it one of the simplest ways to secure access to a VPS or cloud server.
In this tutorial, you will install WireGuard on Ubuntu 24.04, generate server and client key pairs, configure the wg0 interface, enable IP forwarding, open the firewall, configure a client, and verify that the encrypted tunnel is working.
This setup uses a common “road warrior” configuration: one server and one or more remote clients. Each client receives a private VPN IP address in the 10.0.0.0/24 range and connects to the server through an encrypted WireGuard tunnel.
Prerequisites
You will need:
- An Ubuntu 24.04 VPS or cloud server
- SSH access to the server
- A non-root user with
sudoprivileges - A second device, such as a laptop or another server, to act as the VPN client
- UFW or another firewall configured on the server
Step 1 — Update the System and Install WireGuard
Start by updating your package index and installing WireGuard.
On Ubuntu 24.04, WireGuard is available from the standard apt repository, so no external PPA is required.
sudo apt update && sudo apt upgrade -y
sudo apt install wireguard -y
WireGuard installs the wg command-line tool and the wg-quick helper, which manages the interface lifecycle.
Verify the installation:
wg --version
Expected output:
wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/
The version number may differ slightly, but any v1.0.x build is fine.
If the command is not found, load the WireGuard kernel module and retry:
sudo modprobe wireguard
wg --version
Ubuntu 24.04 ships with a modern Linux kernel that includes WireGuard support natively, so you normally do not need to install any separate kernel modules.
Step 2 — Generate Server and Client Key Pairs
WireGuard uses asymmetric Curve25519 key pairs. Each peer needs its own private key and public key.
The private key must remain secret. The public key is shared with the other peer.
On the server, generate the server key pair:
wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
Lock down the private key file so only root can read it:
sudo chmod 600 /etc/wireguard/server_private.key
Now generate the client key pair.
You can generate this directly on the client machine, which is safer, or generate it on the server and transfer it securely. For simplicity, this example generates both on the server:
wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key
sudo chmod 600 /etc/wireguard/client_private.key
Display the keys so you can use them in the configuration files:
sudo cat /etc/wireguard/server_private.key
sudo cat /etc/wireguard/server_public.key
sudo cat /etc/wireguard/client_private.key
sudo cat /etc/wireguard/client_public.key
Keep these values available for the next steps.
Never share or commit private keys. If a private key is exposed, regenerate the key pair and update all peer configurations immediately.
Step 3 — Configure the WireGuard Server Interface
Create the server configuration file at:
/etc/wireguard/wg0.conf
First, identify your server’s public-facing network interface.
Run:
ip route | grep default
Example output:
default via 203.0.113.1 dev eth0 proto dhcp
The interface name appears after dev. In this example, it is eth0.
You will use this interface name in the PostUp and PostDown rules.
Open the WireGuard server configuration file:
sudo nano /etc/wireguard/wg0.conf
Paste the following configuration and replace the placeholders with your actual keys:
[Interface]
# Server private key
PrivateKey = <paste-server-private-key-here>
# VPN IP address assigned to the server
Address = 10.0.0.1/24
# WireGuard listens on this UDP port
ListenPort = 51820
# Enable IP masquerading so VPN clients can reach the internet
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# Client public key
PublicKey = <paste-client-public-key-here>
# IP address assigned to this client inside the VPN
AllowedIPs = 10.0.0.2/32
If your public-facing interface is not eth0, replace eth0 in the PostUp and PostDown lines with the correct interface name.
Save and exit the file.
If you plan to support multiple clients, add a separate [Peer] block for each client. Each client should receive a unique VPN IP address, such as:
10.0.0.3/32
10.0.0.4/32
10.0.0.5/32
Step 4 — Enable IP Forwarding
WireGuard needs the Linux kernel to forward packets between interfaces.
Open the system configuration file:
sudo nano /etc/sysctl.conf
Find this line:
#net.ipv4.ip_forward=1
Uncomment it by removing the #:
net.ipv4.ip_forward=1
Apply the change without rebooting:
sudo sysctl -p
Expected output:
net.ipv4.ip_forward = 1
Without IP forwarding, the client may connect to the VPN but fail to reach networks beyond the server itself.
Step 5 — Open the Firewall for WireGuard
WireGuard uses UDP port 51820 by default.
If you are using UFW, allow WireGuard traffic:
sudo ufw allow 51820/udp
sudo ufw status
Expected output should include:
51820/udp ALLOW Anywhere
51820/udp (v6) ALLOW Anywhere (v6)
For production environments, restrict the allowed source IPs for port 51820 to known client IP ranges when possible.
For example:
sudo ufw allow from 203.0.113.25 to any port 51820 proto udp
Replace 203.0.113.25 with your trusted client IP address.
Step 6 — Start WireGuard and Enable Autostart
Bring the WireGuard interface up:
sudo wg-quick up wg0
Expected output:
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; ...
Enable WireGuard to start automatically on boot:
sudo systemctl enable wg-quick@wg0
Verify that the interface is running:
sudo wg show
Expected output:
interface: wg0
public key: <your-server-public-key>
private key: (hidden)
listening port: 51820
At this stage, no peer handshake will appear yet. That happens after the client connects.
Step 7 — Configure the Client
On your client machine, create a WireGuard configuration.
For Linux clients, create:
/etc/wireguard/wg0.conf
For macOS, Windows, iOS, or Android, you can paste this configuration into the WireGuard app.
Use the following client configuration:
[Interface]
# Client private key
PrivateKey = <paste-client-private-key-here>
# IP address assigned to this client inside the VPN
Address = 10.0.0.2/24
# Optional DNS resolver
DNS = 1.1.1.1
[Peer]
# Server public key
PublicKey = <paste-server-public-key-here>
# Server public IP address and WireGuard port
Endpoint = <your-server-public-ip>:51820
# Route all traffic through the VPN
AllowedIPs = 0.0.0.0/0
# Keep the tunnel alive through NAT
PersistentKeepalive = 25
Replace <your-server-public-ip> with your server’s public IPv4 address.
On a Linux client, bring the tunnel up:
sudo wg-quick up wg0
On macOS or Windows, import the configuration into the WireGuard app and click Activate.
Full Tunnel vs Split Tunnel
This configuration uses a full tunnel:
AllowedIPs = 0.0.0.0/0
That routes all client traffic through the VPN.
If you only want to route traffic destined for the VPN subnet, use a split tunnel instead:
AllowedIPs = 10.0.0.0/24
A split tunnel keeps normal internet traffic on the client’s local connection while routing only VPN traffic through WireGuard.
Step 8 — Verify the Tunnel
Back on the server, check for a client handshake:
sudo wg show
After the client connects, you should see output similar to this:
interface: wg0
public key: <server-public-key>
private key: (hidden)
listening port: 51820
peer: <client-public-key>
endpoint: <client-ip>:<ephemeral-port>
allowed ips: 10.0.0.2/32
latest handshake: X seconds ago
transfer: 1.23 KiB received, 4.56 KiB sent
The latest handshake line confirms that the encrypted session is active.
From the client, ping the server’s VPN IP:
ping 10.0.0.1
Expected output:
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=12.4 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=11.9 ms
If the ping succeeds, your WireGuard tunnel is working.
You can now connect to the server over its private VPN IP instead of relying on public access:
ssh user@10.0.0.1
After confirming VPN access works, consider restricting SSH to the VPN interface only. For example, you can configure SSH to listen on the WireGuard IP by adding this to /etc/ssh/sshd_config:
ListenAddress 10.0.0.1
Then restart SSH:
sudo systemctl restart ssh
Be careful when changing SSH settings. Keep your existing session open until you confirm that a new VPN-based SSH connection works.
Useful WireGuard Commands
Show the current WireGuard status:
sudo wg show
Bring the tunnel up:
sudo wg-quick up wg0
Bring the tunnel down:
sudo wg-quick down wg0
Restart WireGuard:
sudo systemctl restart wg-quick@wg0
Check whether WireGuard starts on boot:
sudo systemctl is-enabled wg-quick@wg0
View WireGuard service logs:
sudo journalctl -u wg-quick@wg0
View recent logs:
sudo journalctl -u wg-quick@wg0 -e
Common Troubleshooting Checks
If the client does not connect, check the following.
1. Is WireGuard listening?
On the server:
sudo wg show
You should see interface: wg0 and listening port: 51820.
2. Is the firewall open?
Check UFW:
sudo ufw status
Make sure UDP port 51820 is allowed.
3. Is IP forwarding enabled?
Run:
sysctl net.ipv4.ip_forward
Expected output:
net.ipv4.ip_forward = 1
4. Are the keys correct?
Make sure:
- The server config uses the server private key
- The server peer block uses the client public key
- The client config uses the client private key
- The client peer block uses the server public key
Private keys should never be shared between peers.
5. Is the endpoint correct?
In the client config, confirm that the endpoint is your server’s public IP and WireGuard port:
Endpoint = <your-server-public-ip>:51820
6. Are the AllowedIPs correct?
On the server, the client peer should usually use:
AllowedIPs = 10.0.0.2/32
On the client, full tunnel mode uses:
AllowedIPs = 0.0.0.0/0
Split tunnel mode uses:
AllowedIPs = 10.0.0.0/24
Conclusion
You have installed WireGuard on Ubuntu 24.04, generated server and client key pairs, configured the wg0 interface, enabled IP forwarding, opened UDP port 51820, configured a client, and verified the encrypted tunnel.
This setup gives you private access to your server through the 10.0.0.0/24 VPN subnet. Instead of exposing SSH, internal dashboards, databases, or admin services directly to the public internet, you can route administrative access through WireGuard.
Natural next steps include:
- Adding more clients with separate
[Peer]blocks - Assigning each client a unique VPN IP address
- Restricting SSH access to the WireGuard interface
- Using split tunnel mode for admin-only access
- Monitoring the tunnel with
sudo wg show - Backing up
/etc/wireguard/wg0.confsecurely
WireGuard is now ready to provide secure private access to your Ubuntu 24.04 server.
I'm Serdar, co-founder of Raff — affordable and reliable cloud infrastructure built to be the one platform your app needs — compute, storage, and beyond. Originally published on the Raff Technologies blog.
Top comments (0)