
Setting Up a Secure WireGuard VPN Server

A comprehensive guide on configuring a high-performance WireGuard VPN server on Ubuntu 24.04 with firewall settings, routing, and client configurations.


In this tutorial, we will walk through setting up a self-hosted WireGuard VPN server. WireGuard is a simple, fast, modern VPN built on a deliberately small code base and current cryptography (Curve25519 key exchange, ChaCha20-Poly1305 encryption, BLAKE2s hashing). It is faster, simpler, and easier to audit than IPsec and OpenVPN.

Note

WireGuard has been part of the mainline Linux kernel since 5.6, so on Ubuntu 24.04 (kernel 6.8) no out-of-tree module is needed. Because encryption and routing happen inside the kernel, packets are never copied out to a user-space daemon and back, which is why it shows lower per-packet overhead and higher throughput than user-space OpenVPN.


Prerequisites

Before starting, make sure you have:

  1. An Ubuntu 24.04 server with a public IP address.
  2. Root access or a user account with sudo privileges.

Step 1: Install WireGuard

First, refresh the package index and install the wireguard metapackage, which brings in wireguard-tools (the wg and wg-quick commands used below); the kernel side is already present:

sudo apt update
sudo apt install wireguard -y

Verify that the installation was successful by running:

wg --version

Step 2: Generate Key Pairs

WireGuard authenticates peers with Curve25519 key pairs: each side keeps its private key and hands its public key to the peers it trusts. Generate the server's pair as root, because /etc/wireguard is owned by root and not readable by other users, so a plain cd into it fails:

# Open a root shell: /etc/wireguard is root-only
sudo -i

# Go to the WireGuard configuration directory
cd /etc/wireguard/

# Files created from here on are mode 600 (owner read/write only)
umask 077

# Generate the server key pair; the public key is derived from the private one
wg genkey | tee server_private.key | wg pubkey > server_public.key

# Leave the root shell
exit

Warning

Keep server_private.key (and the copy you paste into wg0.conf) readable by root only. Anyone holding it can impersonate the server to every client and, from a man-in-the-middle position, read and alter their future sessions; WireGuard's ephemeral session keys protect traffic already captured, but nothing protects the sessions that follow.


Step 3: Configure the Server

Now, create the primary WireGuard interface configuration file named wg0.conf:

sudo nano /etc/wireguard/wg0.conf

Paste the following configurations into the file:

[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <insert_contents_of_server_private_key>
# With SaveConfig = true, wg-quick rewrites this file from the running state on
# shutdown: peers added with "wg set" are kept, but hand edits made while wg0 is
# up are lost, so edit the file only while the interface is down.
SaveConfig = true

# Firewall and NAT rules added when wg0 comes up and removed when it goes down:
# allow forwarding from the tunnel and back into it (a single -i wg0 rule drops
# the replies if your FORWARD policy is DROP), then masquerade out of the WAN link
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Replace eth0 with the name of your server's primary network interface: ip route show default prints a line such as "default via 192.0.2.1 dev ens3 ...", and the name after dev is the one to use (on Ubuntu 24.04 it is usually of the ens3 or enp1s0 form, not eth0). If ufw is enabled on the server, also allow the listen port (sudo ufw allow 51820/udp), or clients will never complete a handshake.


Step 4: Enable IP Forwarding

To let the server forward client traffic on to the internet, IPv4 forwarding must be enabled; without it the MASQUERADE rule above has nothing to translate:

# Temporarily enable forwarding
sudo sysctl -w net.ipv4.ip_forward=1

To make the setting survive a reboot, edit /etc/sysctl.conf:

sudo nano /etc/sysctl.conf

Find the commented-out line (#net.ipv4.ip_forward=1) and remove the leading # so it reads:

net.ipv4.ip_forward=1

Apply the changes:

sudo sysctl -p

Step 5: Start WireGuard Service

Enable and start the WireGuard systemd service:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Verify the status of the virtual tunnel interface:

sudo wg show

Tip

You should see your wg0 interface with its public key and listening port (51820) and no peer sections yet, since no client has been added. We will add our first client next!
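Steps 2 to 4 collected into one script, as an added example that is not part of the original tutorial. It turns the key check, the interface lookup, the wg0.conf rendering and the forwarding sysctl into functions that take their target directory as a parameter, so everything can be exercised against a scratch directory and reviewed before it touches /etc; only the apply mode, run as root with the literal argument apply, writes to the real paths. The function names, the apply argument, the 99-wireguard-forward.conf drop-in name, the sample ip route line and the placeholder key are this example's own choices, not anything from the page. It also goes a little beyond the tutorial's config: the listen port is opened in INPUT, FORWARD is allowed in both directions, and SaveConfig is left off so the file stays the single source of truth.

```shell
#!/bin/sh
# wg-server-setup.sh: Steps 2-4 as functions over a caller-supplied directory.
# Added example; function names, "apply" mode and file names are assumptions.
set -eu

# A WireGuard key is 32 random bytes in base64: exactly 44 characters, one '='
# of padding, and a 43rd character whose low two bits are zero (A, E, I, M, ...).
# Catches truncated or hand-mangled keys before they reach wg0.conf.
valid_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Read "ip route show default" output on stdin and print the name after "dev"
# ("default via 192.0.2.1 dev ens3 proto dhcp ..." -> ens3). Fails when there
# is no default route, so a caller never renders "POSTROUTING -o " with no name.
default_iface() {
    dev=$(awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
    [ -n "$dev" ] || return 1
    printf '%s\n' "$dev"
}

# Write DIR/wg0.conf (Step 3) with mode 0600 and print its path.
# Usage: render_server_config DIR PRIVATE_KEY WAN_IFACE [ADDRESS] [PORT]
# %i is expanded by wg-quick to the interface name (wg0 here).
render_server_config() {
    dir=$1; privkey=$2; wan=$3; addr=${4:-10.8.0.1/24}; port=${5:-51820}
    valid_wg_key "$privkey" || { echo "render_server_config: malformed private key" >&2; return 1; }
    conf="$dir/wg0.conf"
    ( umask 077; cat > "$conf" <<EOF
[Interface]
Address = $addr
ListenPort = $port
PrivateKey = $privkey

PostUp = iptables -A INPUT -p udp --dport $port -j ACCEPT; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
PostDown = iptables -D INPUT -p udp --dport $port -j ACCEPT; iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $wan -j MASQUERADE
EOF
    )
    printf '%s\n' "$conf"
}

# Step 4 as a sysctl drop-in under DIR (normally /etc/sysctl.d) instead of a
# hand edit of /etc/sysctl.conf; prints the path so it can go straight to sysctl -p.
write_forwarding_sysctl() {
    sysctl_file="$1/99-wireguard-forward.conf"
    printf 'net.ipv4.ip_forward = 1\n' > "$sysctl_file"
    printf '%s\n' "$sysctl_file"
}

# Real run on the server, as root:  sh wg-server-setup.sh apply
# Without the argument the script only defines the functions above.
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; exit 1; }
    wan_iface=$(ip route show default | default_iface)
    cd /etc/wireguard
    umask 077                                   # Step 2: keys readable by root only
    wg genkey | tee server_private.key | wg pubkey > server_public.key
    render_server_config /etc/wireguard "$(cat server_private.key)" "$wan_iface" > /dev/null
    sysctl -p "$(write_forwarding_sysctl /etc/sysctl.d)"    # Step 4
    systemctl enable --now wg-quick@wg0                       # Step 5
    wg show wg0
fi
```

Run it once without arguments from a scratch directory (for example source it and call render_server_config /tmp/wgtest KEY ens3) to read the generated file, then as root with apply on the server. The interface lookup is kept separate from ip route so it can be fed a captured line, and the key check runs before anything is written, so a bad paste fails loudly instead of producing a wg0.conf that wg-quick rejects at boot.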