All Articles

Setting up Wireguard on Ubuntu 18.04

Installation Software

Referencing the installation page

First, add the WireGuard PPA to your apt configuration. Press ENTER when prompted

sudo add-apt-repository ppa:wireguard/wireguard

Once the PPA has been added, update the local package index, then install WireGuard.

sudo apt-get update
sudo apt-get install wireguard

Generate keys

Referencing the Key Generation page.

You will need a private and public key for each computer, the computers must have each other’s public key on either end of the connection.

First create the private key with the below commands:

umask 077
wg genkey | tee privatekey

You can then derive your public key from your private key:

wg pubkey < privatekey > publickey

Or generate both keys with one line:

wg genkey | tee privatekey | wg pubkey > publickey

Config

After I installed Wireguard, I did the following configurations

Enable IPv4 forwarding

First intall the linux header

sudo apt install linux-headers-*$(*uname -r*)

then enable IPv4 forwarding

sysctl -w net.ipv4.ip_forward=1

To make the change permanant, insert or edit the following line in /etc/sysctl.d/99-sysctl.conf

net.ipv4.ip_forward = 1

Wireguard configuration

Edit /etc/wireguard/wg0.conf

[Interface]
Address = 10.0.0.1/24
SaveConfig = false
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = 0DpTFbW/p8NAmZd8O9FolgPCgX7N+gVc2LhvmHMbL0A=
  • Address defines the private IPv4 and IPv6 addresses for the computer in this network. Each peer in the VPN network should have a unique value for this field.
  • ListenPort specifies which port WireGuard will use for incoming connections.
  • PostUp and PostDown defines steps to be run after the interface is turned on or off, respectively. In this case, iptables is used to set Linux IP masquerade rules to allow all the clients to share the server’s IPv4 and IPv6 address. The rules will then be cleared once the tunnel is down.
  • SaveConfig tells the configuration file to automatically update whenever a new peer is added while the service is running.

Firewall

I use ufw on my server, thus use this line to open the ListenPort of wireguard.

sudo ufw allow 51820/udp

Enable

Once configuration is finished, use wg-quick to quickly enable the wg0 interface.

wg-quick up wg0

To enable auto start on boot, use the following:

sudo systemctl enable wg-quick@wg0

Utilities

Testing

To view connection status, use wg

% sudo wg
interface: wg0
  public key: DJtk4qLbQSlmm7CkrtTksQ2kUrTCuqfby5RG8qFZd1s=
  private key: (hidden)
  listening port: 51820

peer: qEUjlf3YlYvPFNe3akekJR+yf/zFWEweL/X3cUR+yFI=
  endpoint: 192.168.2.160:57547
  allowed ips: 10.0.0.9/32
  latest handshake: 50 seconds ago
  transfer: 15.50 MiB received, 508.70 MiB sent
  persistent keepalive: every 25 seconds

peer: RXMsmzLaCMUrMuK+uPtvvJi/FX/pwvTE6Fh1dtbtDFw=
  endpoint: 192.168.2.227:54696
  allowed ips: 10.0.0.4/32
  latest handshake: 58 seconds ago
  transfer: 3.12 KiB received, 10.18 KiB sent
  persistent keepalive: every 25 seconds

Maintenance

To tear down the wg0 interface for reconfiguration or just to stop using it, use:

wg-quick down wg0

Refernce

How To Create a Point-To-Point VPN with WireGuard on Ubuntu 16.04

Set Up WireGuard VPN on Ubuntu

Wireguard VPN: Typical Setup

Published 5 Nov 2019

Current EECS masters student at UC Berkeley.Howard Ke on Twitter