WireGuard is a new, modern VPN service open source, which positions itself as a replacement OpenVPN and uses modern cryptography. It is implemented as a Linux kernel module. Initially, it supported only Linux, but then I developed applications for Windows, MacOS and Android.
In today’s article we will talk about how to install WireGurad Ubuntu 20.04 and how to configure a connection configured between the VPN server and the client.
- WireGuard installation on Ubuntu
- Step 1. Installing the repository
- Step 2. Install WireGuard
- Step 3. System setup
- Step 4. Generate the server key
- Step 5. Generation of client key
- Step 6. The server configuration file
- Step 7. The configuration file of the client
- Step 8. Start the server
- Step 9. Setting brandmauer
- Step 10. The client connection
- Step 11. Check
WireGuard installation on Ubuntu
Step 1. Installing the repository
In this article example of installation on Ubuntu 20.04, you can get the WireGuard from the official repositories, but in older distributions, or for the latest version, you must use a PPA. To add a PPA to the system, run:
sudo add-apt-repository ppa:wireguard/wireguard
After this list of packages will be automatically updated.
Step 2. Install WireGuard
In the installation there is nothing complicated, run the following commands:
sudo apt install wireguard
These two steps should be performed on the server and on the client computer, on work only on the server.
Step 3. System setup
To ensure that the packets are forwarded wherever necessary, should allow redirection of network packets at the kernel level. To do this, open the file /etc/sysctl.conf and add at the end the following lines:
sudo vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
Then run the command sysctl-p to reread the configuration:
Step 4. Generate the server key
For server, generate a private and public key. These keys, then it will be necessary to write to the configuration file of the server and client, the key files you need, so you can create them wherever you want, e.g. in your home folder:
wg genkey | sudo tee server_private.key | pubkey wg | sudo tee server_public.key
The keys created can utility tee will write to a file, and displays on the screen, which is very convenient.
Step 5. Generation of client key
Similarly create keys for the client. The team is the same:
wg genkey | sudo tee client_private.key | pubkey wg | sudo tee client_public.key
Step 6. The server configuration file
Our server configuration file is located in /etc/wireguard/wg0.conf and will look like the following:
sudo vi /etc/wireguard/wg0.conf
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 63665
PrivateKey = OFCMMpdPYUTndTkTuCDCZDg6uYrzGcjcl6tg4aap5ku=
PostUp = iptables-A FORWARD -i wg0 -j ACCEPT; iptables-t nat -A POSTROUTING -o enp0s8 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE
PostDown = iptables-D FORWARD -i wg0 -j ACCEPT; iptables-t nat -D POSTROUTING -o enp0s8 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o enp0s8 -j MASQUERADE
PublicKey = 2g8MWhxN1QGLAfGwEnxHG38/krdcPbgjo87zSKurP1g=
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
The file is divided into two sections:
- Interface – configuring the server;
- Peer – configure the clients that can connect to the server, sections Peer may be several.
In this case we set up the server WireGuard for working with IPv4 and IPv6 at the same time, here’s what the basic parameters:
- Address – address of the server in the VPN;
- ListenPort – the port on which to expect the connection WireGuard;
- PrivateKey – the private key of the server generated previously;
- PostUp is a command that is executed after server startup. In this case, it includes support for the interface MASQUERADE enp0s8, and also accepts packets on the interface wg0. Network interfaces you will have to replace on your own.
- PostDown – performed after the completion WireGuard, in this case, remove all rules added in PostUp.
Section Peer contain settings of clients that can connect to the server:
- PublicKey – the public key of the client generated previously;
- AllowedIPs – IP address, which can take the client. Please note, the mask for the IPv4 should be 32.
You can now proceed to create the configuration file directly to the client.
Step 7. The configuration file of the client
The configuration file will look something like this:
the vi client.conf
PrivateKey = GMJXo+phyNS/kodizn353D2MN8bPNOSqJEhQ83caKkY=
Address = 10.66.66.2/24,fd42:42:42::2/64
DNS = 220.127.116.11,18.104.22.168
PublicKey = xxIV2fvMp7J2H1GxVuQcfVi2TJ0lQ/2K8UXSKC/byhM=
Endpoint = 192.168.56.101:63665
AllowedIPs = 0.0.0.0/0,::/0
Please note that all the keys we generate on the server, and then throws a configuration file for the client that needs to connect to the network. Let us consider what is responsible for what:
- PrivateKey – the private key of the client generated previously;
- Address – IP address of the interface wg0 of the client;
- DNS – the DNS servers used to resolve domain names;
- PublicKey – the public key of the server to which it should connect.
- Endpoint – you need to specify the IP address of the server on which you installed WireGuard and port;
- AllowedIPs – IP address, traffic from which will be routed in the VPN, in this example, select all addresses.
After you have made all your changes, copy the file to the client computer under the name /etc/wireguard/wg0.conf.
Step 8. Start the server
To start the server use the following command:
sudo wg-quick up wg0
Similarly, you can use systemd:
sudo systemctl start [email protected]
With systemd, you can configure the startup of the interface:
sudo systemctl enable [email protected]
Step 9. Setting brandmauer
In this tutorial we used port 63665 for WireGuard. The program uses UDP, you need to allow connection to that port. To do this, run:
sudo ufw allow 63665/udp
Or make sure that ufw is disabled and ports no block:
sudo ufw status
Setting WireGuard Ubuntu completed.
Step 10. The client connection
It is time to go to the client. I guess WireGuard is already installed, and the configuration file is located here: /etc/wireguard/wg0.conf. The connection is similar to the server startup:
sudo wg-quick up wg0
Then you can see the statistics of your connection using the command:
sudo wg show
Step 11. Check
To make sure that everything is working you can ping the server WireGuard. It needs to be available:
If the packages are, then all is well. If not, we need to check carefully the user manual and see what was done wrong. Have WireGuard there are problems. The program does not have detailed logs, where it would be possible to see which error occurred, and the causes of the problems may be too much. Often it is the mismatched keys, closed port, or invalid server address. The availability of the port on the server can be checked using utility nc. Need to run on the client machine:
nc-z-v-u 192.168.56.101 63665
You can also make sure the WireGuard packets reach to the server, use tcpdump on the server:
tcpdump -n-i enp0s8 port 63665
Instead enp0s0 you need to register the name of your network interface.
In this article, we discussed how to install WireGuard on Ubuntu 20.04. The installation process isn’t complicated, but I managed to deploy to Ubuntu. If you can’t install WireGuard yourself, you can try the unattended script. The script will download and install all required dependencies and configure the system and create the configuration files for clients. Despite the benefits of WireGuard I don’t intend for him to go because of the difficulty in debugging errors. What do you think about the program? Write in the comments!