WireGuard is a modern VPN protocol built into the Linux kernel since version 5.6, offering a significantly smaller codebase, faster handshakes, and lower latency compared to OpenVPN or IPsec. This guide sets up a WireGuard server on Ubuntu 26.04, generates key pairs for the server and a client, configures IP forwarding, and walks through connecting a client device with a verified tunnel.
Install WireGuard
WireGuard is available directly from Ubuntu 26.04's default APT repository.
1. Update the APT package index:
$ sudo apt update
2. Install WireGuard:
$ sudo apt install wireguard -y
Configure the WireGuard Server
The server configuration requires generating a key pair, identifying the active network interface, and creating the wg0 interface configuration file.
1. Generate the server private key:
$ wg genkey | sudo tee /etc/wireguard/server_private.key
$ sudo chmod 600 /etc/wireguard/server_private.key
2. Derive the server public key:
$ sudo cat /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
3. Identify the main network interface:
$ ip route | grep default
Note the interface name in the output, commonly eth0 or ens3.
4. Create the server interface configuration:
$ sudo nano /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <paste server private key here>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Replace eth0 with your actual interface name.
Generate a Client Configuration
Each client requires its own key pair and a configuration file that references the server's public key and endpoint.
1. Generate the client key pair, with a restrictive umask so the private key file is not readable by other users:
$ umask 077
$ wg genkey | tee client_private.key
$ cat client_private.key | wg pubkey | tee client_public.key
2. Get the server public key:
$ sudo cat /etc/wireguard/server_public.key
3. Create the client configuration file:
$ nano client.conf
[Interface]
Address = 10.0.0.2/32
PrivateKey = <client private key>
DNS = 8.8.8.8
[Peer]
PublicKey = <server public key>
Endpoint = YOUR-SERVER-IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
4. Register the client as a peer on the server:
Add the following block to /etc/wireguard/wg0.conf:
[Peer]
PublicKey = <client public key>
AllowedIPs = 10.0.0.2/32
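A check to run on wg0.conf after adding peers, shown as an added example that is not part of the original guide: it flags a file that is not mode 600, a leftover PrivateKey placeholder, a server-side peer whose AllowedIPs is wider than the single /32 used above, and an address assigned to two peers (an address can belong to only one peer). The function names, finding labels and sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_wg_conf FILE: print one finding per line; print nothing if clean.
# Added example, not from the guide. Finding labels are hypothetical.
audit_wg_conf() {
    conf=$1
    # The file holds PrivateKey; wg-quick warns if it is group/world accessible.
    mode=$(stat -c '%a' "$conf")                 # GNU stat, as shipped on Ubuntu
    [ "$mode" = "600" ] || echo "PERMS: mode $mode, expected 600"
    awk '
        /^\[Interface\]/ { sect = "if"; next }
        /^\[Peer\]/      { sect = "peer"; npeer++; next }
        { gsub(/[ \t]/, "") }                    # "Key = value" -> "Key=value"
        sect == "if" && /^PrivateKey=</ { print "KEY: PrivateKey is still a placeholder" }
        sect == "peer" && /^AllowedIPs=/ {
            n = split(substr($0, 12), ips, ",")
            for (i = 1; i <= n; i++) {
                ip = ips[i]
                # IPv4 only, as in the guide: each client gets a single /32.
                if (ip !~ /\/32$/) print "WIDE: peer " npeer " AllowedIPs " ip " is wider than /32"
                # The same address on two peers: only one of them can own it.
                if (ip in seen) print "DUPIP: peer " npeer " AllowedIPs " ip " already assigned to peer " seen[ip]
                else seen[ip] = npeer
            }
        }
    ' "$conf"
}

# make_sample: write a constructed wg0.conf with four deliberate mistakes.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[Interface]
Address = 10.0.0.1/24
PrivateKey = <paste server private key here>
[Peer]
PublicKey = CONSTRUCTED-CLIENT-KEY-A=
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = CONSTRUCTED-CLIENT-KEY-B=
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = CONSTRUCTED-CLIENT-KEY-C=
AllowedIPs = 0.0.0.0/0
EOF
    chmod 644 "$f"
    echo "$f"
}

sample=$(make_sample); audit_wg_conf "$sample"; rm -f "$sample"
```

Against the real file, run it as root: sudo sh -c '. ./audit.sh; audit_wg_conf /etc/wireguard/wg0.conf' (audit.sh is a hypothetical name for the saved script).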
Configure IP Forwarding and Firewall
IP forwarding must be enabled at the kernel level for the server to route traffic between the VPN interface and the external network.
1. Enable IPv4 forwarding:
$ echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
$ sudo sysctl -p
2. Open the WireGuard UDP port:
$ sudo ufw allow 51820/udp
Start WireGuard
Enable the wg0 interface as a systemd service so it starts automatically on every boot.
1. Enable and start the service:
$ sudo systemctl enable wg-quick@wg0
$ sudo systemctl start wg-quick@wg0
2. Check the service status:
$ sudo systemctl status wg-quick@wg0
3. View the interface and connected peers:
$ sudo wg show
Connect a Client
Transfer the client configuration to the target device and establish the tunnel.
1. Transfer the client configuration securely:
$ scp client.conf user@your-local-machine:~/
2. Connect from the client device:
- Linux: sudo wg-quick up ~/client.conf
- Windows / macOS / iOS / Android: Install the WireGuard app and import client.conf
3. Test the tunnel:
$ ping 10.0.0.1
Replies from 10.0.0.1 confirm the VPN tunnel is active and traffic is flowing through the encrypted interface.
Next Steps
WireGuard is running and accepting client connections. From here you can:
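- Add more clients by generating additional key pairs and adding new [Peer] blocks to wg0.conf
- Restrict each client to specific subnets by adjusting AllowedIPs per peer
- Reload the configuration without restarting using sudo bash -c 'wg syncconf wg0 <(wg-quick strip wg0)' (the process substitution has to run inside the root shell, because sudo does not pass the extra file descriptor through to wg)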
For the complete guide, visit the original article on Vultr Docs.