In this article I will describe how to set up and connect to a WireGuard VPN, with the purpose of keeping all of your network traffic secure when accessing your remote servers.
Before WireGuard, OpenVPN was the go-to VPN, but its configuration is tricky and not the most user friendly for non-tech users.
An additional plus point, as stated on the WireGuard website:
It intends to be considerably more performant than OpenVPN
How it works
From the WireGuard website:
WireGuard aims to be as easy to configure and deploy as SSH. A VPN connection is made simply by exchanging very simple public keys — exactly like exchanging SSH keys — and all the rest is transparently handled by WireGuard.
What does it mean? It means that setting up WireGuard is as easy as setting up a public and private key pair, a few basic settings and it’s up and running.
Installing on Ubuntu 20.04
It’s easy to install WireGuard on Ubuntu 20.04, since it’s part of the standard repositories, so the usual commands apply:
sudo apt update
sudo apt install wireguard
Configuration of the server
After the server is installed, the next step is to generate the public and private keys for the server. To do this, we can run the following command:
wg genkey | tee server_private_key | wg pubkey > server_public_key
This will create two files, server_public_key and server_private_key, containing, respectively, the public and the private keys to use with the server.
Now that we have the keys, we need to create the server configuration file using our favorite text editor (nano, of course). The configuration file lives at ‘/etc/wireguard/wg0.conf’:
sudo nano /etc/wireguard/wg0.conf
In the file we add the following configuration (the [Interface] section header is required, otherwise wg-quick will reject the file):
[Interface]
PrivateKey = <private key of the server (the content of the server_private_key file)>
Address = 10.0.0.1/24
ListenPort = 51820
After this step, the file will look like this:
The private key is the contents of the file generated in the previous step, that can be viewed quickly with, for instance:
The address should be in an unused IP range (not one already used by your internal network); this will be the server's address for client connections inside the tunnel.
The port can be any unused port, in this case we picked 51820.
Before activating the server, it is also a good idea to make sure that our firewall is up and running and that the WireGuard port is allowed:
sudo ufw allow 51820/udp
Notice that the port is opened as UDP and not TCP (I’ve spent quite some hours troubleshooting a connection because of that rookie mistake).
It is also good to enable SSH access (if it is not enabled already) and then activate the firewall:
sudo ufw allow OpenSSH
sudo ufw enable
The status of the firewall can be checked by:
sudo ufw status
That will generate a response like:
The last step is to activate the VPN itself, which can be done with the command:
sudo systemctl enable --now wg-quick@wg0
We can check WireGuard server status with:
That will produce an output like this:
Now our WireGuard VPN server is up and running.
Configuration of the client
To connect to the VPN we will need a client, of course. WireGuard provides clients for all major operating systems and mobile versions as well.
For our purpose we will configure the iOS version of the client. After installing our WireGuard app from the App Store, we open it and choose ‘Add a tunnel’ and ‘Create from scratch’:
On the Edit configuration screen we input the following information (hit ‘Generate keypair’ to generate a public and private key for the client):
Now click on ‘Add peer’ and input the following information:
After all the information is entered, hit the ‘Save’ button on the top right to save this configuration. You need to allow WireGuard to add VPN connections, if prompted by iOS.
Connecting and usage
Before connecting to the VPN we need to go back to the server and edit the wg0.conf file and add our client as a peer:
sudo nano /etc/wireguard/wg0.conf
Then add the following information, below the existing interface definition:
After that, we need to restart the WireGuard server with:
sudo systemctl restart wg-quick@wg0
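As an added example (not part of the original article), the following script renders the [Peer] entry that goes into the server's wg0.conf for a new client: it checks that the pasted public key really is a 32-byte WireGuard key, picks the next free address in the article's 10.0.0.0/24 tunnel range, and restricts AllowedIPs to that single /32, which is what stops one client from claiming traffic meant for another. The server config and the client key used below are constructed placeholders.

```python
# Added example, not from the article: build a [Peer] entry for the server's
# /etc/wireguard/wg0.conf from a client's public key, picking the next free
# tunnel address in the article's 10.0.0.0/24 range. Keys and the sample
# config below are constructed placeholders, not real keys.
import base64
import ipaddress
import re

SERVER_SUBNET = ipaddress.ip_network("10.0.0.0/24")

# Constructed server config, shaped like the article's wg0.conf with one peer.
SAMPLE_CONF = """[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = CLIENT_ONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32
"""

def is_wg_key(key: str) -> bool:
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 chars, trailing '=')."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False

def used_hosts(conf: str) -> set:
    """Collect every tunnel address already claimed by the interface or a peer."""
    hosts = set()
    for m in re.finditer(r"^\s*(?:Address|AllowedIPs)\s*=\s*(.+)$", conf, re.M):
        for cidr in m.group(1).split(","):
            iface = ipaddress.ip_interface(cidr.strip())
            if iface.ip in SERVER_SUBNET:
                hosts.add(iface.ip)
    return hosts

def next_free_host(conf: str) -> ipaddress.IPv4Address:
    """Lowest unused host address in the tunnel subnet (10.0.0.1 is the server)."""
    taken = used_hosts(conf)
    for host in SERVER_SUBNET.hosts():
        if host not in taken:
            return host
    raise RuntimeError("tunnel subnet exhausted")

def peer_block(conf: str, client_pubkey: str) -> str:
    """Render the [Peer] section to append. AllowedIPs is the client's own /32,
    so the server only accepts and routes that one address for this key."""
    if not is_wg_key(client_pubkey):
        raise ValueError("not a valid WireGuard public key")
    if client_pubkey in conf:
        raise ValueError("this public key is already configured as a peer")
    return f"\n[Peer]\nPublicKey = {client_pubkey}\nAllowedIPs = {next_free_host(conf)}/32\n"
```

Append the returned block to wg0.conf; instead of the full restart shown above, `sudo wg syncconf wg0 <(sudo wg-quick strip wg0)` loads the new peer without dropping the clients that are already connected.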
Now that both the server and client know each other’s keys we are ready to connect, so upon going back to our iOS app, we connect to the VPN.
If all went well, going back to the server we should see the client connected:
This will produce the following output:
The WireGuard VPN is easy to set up; the two sides only need to exchange public keys. It is faster and demands fewer resources from the server.
Since it’s now part of the Linux kernel, its adoption rate is likely to increase even more.
The configuration described in this article allows the client to reach the resources on the server. In case the internet connection also needs to be shared, then a firewall configuration needs to be added on the server. This will be explained in detail in a following article.
You can check out my GitHub at https://github.com/nunombispo
Or check my website at https://bispo-mobile.net
For low cost Nextcloud hosting, check out: https://cloudhomelab.com (50% discount with promo code 50OFF)
Until the next article…