WireGuard on Ubuntu 20.04

Nuno Bispo
Jul 23, 2020

In this article I will describe how to set up and connect to a WireGuard VPN with the purpose of keeping all of your network traffic secure when accessing your remote servers.

Before WireGuard, OpenVPN was the go-to VPN, but its configuration is tricky and not the most user-friendly for non-tech users.

An additional plus point, as stated on the WireGuard website:

“It intends to be considerably more performant than OpenVPN”

How it works

From the WireGuard website:

“WireGuard aims to be as easy to configure and deploy as SSH. A VPN connection is made simply by exchanging very simple public keys — exactly like exchanging SSH keys — and all the rest is transparently handled by WireGuard.”

What does it mean? It means that setting up WireGuard is as easy as setting up a public and private key pair and a few basic settings, and it’s up and running.

Installing on Ubuntu 20.04

It’s easy to install WireGuard on Ubuntu 20.04, since it’s part of the standard repositories, so the usual commands apply:

sudo apt update

sudo apt install wireguard

Configuration of the server

After the server is installed, the next step is to generate the public and private keys for the server. To do this, we can run the following command:

(umask 077; wg genkey | tee server_private_key | wg pubkey > server_public_key)

This will create two files, server_public_key and server_private_key, containing, respectively, the public and the private keys to use with the server. The umask 077 makes the new files readable only by their owner, so the private key is not left world-readable.

Now that we have the keys, we need to create the server configuration file at ‘/etc/wireguard/wg0.conf’, using our favorite text editor (nano, of course):

sudo nano /etc/wireguard/wg0.conf

In the file we add the following configuration:

[Interface]

PrivateKey = <private key of the server (the content of the server_private_key file)>

Address = 10.0.0.1/24

ListenPort = 51820

After this step, the file will look like this:

[Image: wg0.conf]

The private key is the content of the file generated in the previous step, which can be viewed quickly with, for instance:

cat server_private_key

The address should come from an unused IP range, meaning one that is not your internal network; this will be the address of the server for the client connections.

The port can be any unused port; in this case we picked 51820.

Before activating the server, it is also a good idea to make sure that our firewall is up and running and that the WireGuard port is allowed:

sudo ufw allow 51820/udp

Notice that the port is opened as UDP and not TCP (I’ve spent quite some hours troubleshooting a connection because of that rookie mistake).

It is also good to enable SSH access (if it is not enabled already) and then activate the firewall:

sudo ufw allow OpenSSH

sudo ufw enable

The status of the firewall can be checked by:

sudo ufw status

That will generate a response like:

[Image: ufw status]

The last step is to activate the VPN itself, which can be done with the command:

sudo systemctl enable --now wg-quick@wg0

We can check WireGuard server status with:

sudo wg

That will produce an output like this:

[Image: wg]

Now our WireGuard VPN server is up and running.

Configuration of the client

To connect to the VPN we will need a client, of course. WireGuard provides clients for all major operating systems and mobile versions as well.

For our purpose we will configure the iOS version of the client. After installing our WireGuard app from the App Store, we open it and choose ‘Add a tunnel’ and ‘Create from scratch’:

[Image: iOS client]

On the Edit configuration screen we input the following information (hit ‘Generate keypair’ to generate a public and private key for the client):

[Image: iOS configuration]

Now click on ‘Add peer’ and input the following information:

[Image: iOS peer]

After all the information is entered, hit the ‘Save’ button on the top right to save this configuration. You need to allow WireGuard to add VPN connections, if prompted by iOS.

Connecting and usage

Before connecting to the VPN we need to go back to the server and edit the wg0.conf file and add our client as a peer:

sudo nano /etc/wireguard/wg0.conf

Then add the following information, below the existing interface definition:

[Image: wg0.conf, adding peer]

After that, we need to restart the WireGuard server with:

sudo systemctl restart wg-quick@wg0
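
The server-side wg0.conf with the client added as a peer, written with owner-only permissions and checked before the restart. This is an added example, not the author's own file: the function names, the client tunnel address 10.0.0.2 and the placeholder keys are assumptions.

```shell
#!/usr/bin/env bash
# write_server_conf FILE SERVER_PRIVATE_KEY CLIENT_PUBLIC_KEY CLIENT_TUNNEL_IP
write_server_conf() {
  ( umask 077                      # a new file is created with mode 0600
    cat > "$1" <<EOF
[Interface]
PrivateKey = $2
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = $3
AllowedIPs = $4/32
EOF
  )
  chmod 600 "$1"                   # umask does not tighten a file that already existed
}

# lint_conf FILE: print findings; return 0 only when nothing was found
lint_conf() {
  local rc=0 mode
  mode=$(stat -c %a "$1")          # GNU stat, as shipped on Ubuntu
  case $mode in
    600|400) ;;
    *) echo "mode $mode: private key readable beyond its owner"; rc=1 ;;
  esac
  awk '
    function key_ok(k) { return length(k) == 44 && k ~ /^[A-Za-z0-9+\/]+=$/ }
    function end_peer() {
      if (inpeer && !(pub && ips)) { print "peer " n ": needs a valid PublicKey and AllowedIPs"; bad = 1 }
      inpeer = 0
    }
    { gsub(/[ \t\r]/, "") }          # compare keys and values without whitespace
    /^\[/            { end_peer() }  # any new section closes the previous peer
    /^\[Peer\]$/     { inpeer = 1; n++; pub = ips = 0 }
    /^PrivateKey=/   { priv = 1; if (!key_ok(substr($0, 12))) { print "PrivateKey: malformed"; bad = 1 } }
    /^PublicKey=/    { pub = key_ok(substr($0, 11)) }
    /^AllowedIPs=./  { ips = 1 }
    END { end_peer(); if (!priv) { print "no PrivateKey"; bad = 1 }; exit bad + 0 }
  ' "$1" || rc=1
  return $rc
}

# Demo: constructed placeholder keys (43 base64 characters plus "="), temp directory.
SRV_KEY="$(printf 'A%.0s' $(seq 43))="
CLI_PUB="$(printf 'B%.0s' $(seq 43))="
demo_dir=$(mktemp -d)
write_server_conf "$demo_dir/wg0.conf" "$SRV_KEY" "$CLI_PUB" 10.0.0.2
lint_conf "$demo_dir/wg0.conf" && echo "wg0.conf passes the checks"
```

On the real server the file would be /etc/wireguard/wg0.conf and the keys the ones generated earlier; the /32 limits the peer to its single tunnel address.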

Now that both the server and client know each other’s keys we are ready to connect, so upon going back to our iOS app, we connect to the VPN.

If all went well, back on the server we should see the client connected:

sudo wg

This will produce the following output:

[Image: wg, connect client]

Final considerations

The WireGuard VPN is easy to set up; you only need to know the public keys. It is faster and demands fewer resources from the server.

Since it’s now part of the Linux kernel, its adoption rate is likely to increase even more.

The configuration described in this article allows the client to reach the resources on the server. In case the internet connection also needs to be shared, then a firewall configuration needs to be added on the server. This will be explained in detail in a following article.

You can check out my GitHub at https://github.com/nunombispo

Or check my website at https://bispo-mobile.net


Until the next article…

Cloud Home Lab

Your Lab in the Cloud

Written by Nuno Bispo

Outsystems Professional Web Developer for over 10 years and also as a DevOps engineer. Trying to share my knowledge and experience of all things IT.
