One of the technologies recently added to the Linux kernel is WireGuard. In this post, you will learn how to install WireGuard on Ubuntu 20.04 and set up a reliable VPN server that is well integrated with the system.
What is WireGuard?
According to the WireGuard website:
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general-purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable.
WireGuard was designed to provide VPN connectivity on Linux-based devices. Because it consumes few resources and uses a well-chosen combination of cryptographic techniques, the performance it provides is superior to IPsec and OpenVPN.
Thanks to this, WireGuard is being used more and more by users worldwide and by enterprise solutions that see in WireGuard a perfect VPN.
Install WireGuard on Ubuntu 20.04
First, access your server via SSH and update the distribution:
sudo apt update
sudo apt upgrade
Fortunately, the WireGuard package is available from the distribution’s official repositories. This makes the process so easy that it is summarized in this command:
sudo apt install wireguard
Once you enter your password, the process will start. You also have to open UDP port 61951 in your firewall. This is the port WireGuard will listen on.
sudo ufw allow 61951/udp
For WireGuard to work, you have to allow the kernel to forward network packets. To do this, edit the configuration file called sysctl.conf.
sudo nano /etc/sysctl.conf
And uncomment the following line:
net.ipv4.ip_forward=1
Save the changes and close the text editor.
To apply the change and check that it has taken effect, run this command:
sudo sysctl -p
And you will get an output screen like this:
net.ipv4.ip_forward = 1
Now we have to continue configuring WireGuard.
Configuring WireGuard on Ubuntu 20.04
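Even though WireGuard is already installed on the system, it is not yet configured. That is what we do in this step.
First, generate the key pair that the server will use to allow client connections. The command below saves the private key to /etc/wireguard/server_private.key and the public key to /etc/wireguard/server_public.key. Note that each client has to generate its own keys as well.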
wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
Sample Output:
gbohCfIuonz9anr9izMK7bMzRA2S4Y4doUdQfS7YQ2Y=
Now for security, make it accessible only to the root user:
sudo chmod 600 /etc/wireguard/server_private.key
After that, it is necessary to create the main configuration file that will govern WireGuard.
Create it with the following command:
sudo nano /etc/wireguard/wg0.conf
And add the following content:
# Server configuration
[Interface]
# Server private key: the contents of /etc/wireguard/server_private.key
PrivateKey = gbohCfIuonz9anr9izMK7bMzRA2S4Y4doUdQfS7YQ2Y=
Address = 10.5.5.1/24
ListenPort = 61951
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
# Client public key: the contents of /etc/wireguard/client_public.key on the client
PublicKey = gsgfB29uYjpuFTCjC1+vHr9M7++MHJcG6Eg4rtuTu34=
AllowedIPs = 10.5.5.2/32
I proceed to explain:
- PrivateKey: The server's private key. Put here the value of the key you generated (the contents of /etc/wireguard/server_private.key).
- Address: IP address of the server inside the VPN.
- ListenPort: The port where WireGuard will work. It has to be open in the firewall.
- PostUp and PostDown: Replace wg0 with the name of the network interface that the VPN will use. These lines contain instructions for the firewall.
- Peer: This section contains information about each client that will connect. Therefore you have to add a new section for each of them.
- PublicKey: The client’s public key.
- AllowedIPs: Internal IP address of the VPN client.
Save the changes and close the editor.
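Because the server needs one [Peer] section per client, mistakes creep in as the file grows. The following check is an added example, not part of the original tutorial or of WireGuard itself: it parses a wg0.conf in the layout above and reports malformed keys and AllowedIPs entries that fall outside the server's subnet or overlap another peer's range. The sample config and its keys are constructed, the function names are hypothetical, and it assumes a single Address line and the one-range-per-client policy used here.

```python
import base64
import ipaddress

# Constructed sample in the tutorial's server layout: placeholder keys
# (32 repeated bytes) and a second peer that is deliberately too broad.
KEYS = [base64.b64encode(bytes([i]) * 32).decode() for i in (1, 2, 3)]
SAMPLE = f"""[Interface]
PrivateKey = {KEYS[0]}
Address = 10.5.5.1/24
[Peer]
PublicKey = {KEYS[1]}
AllowedIPs = 10.5.5.2/32
[Peer]
PublicKey = {KEYS[2]}
AllowedIPs = 10.5.5.0/24, 192.168.1.0/24
"""

def parse(text):  # -> [(section, {key: value})] from wg-quick style text
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)      # split once: keys end in '='
            sections[-1][1][key.strip()] = value.strip()
    return sections

def key_ok(value):  # a WireGuard key is 32 bytes, base64-encoded
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def lint(text):  # assumed policy: every peer range lies inside the VPN subnet
    sections, problems, seen = parse(text), [], []
    iface = dict(sections)["Interface"]
    subnet = ipaddress.ip_interface(iface["Address"]).network
    if not key_ok(iface.get("PrivateKey", "")):
        problems.append("Interface: PrivateKey is not a 32-byte base64 key")
    for n, peer in enumerate((o for s, o in sections if s == "Peer"), 1):
        if not key_ok(peer.get("PublicKey", "")):
            problems.append(f"Peer {n}: PublicKey is not a 32-byte base64 key")
        for cidr in peer.get("AllowedIPs", "").replace(",", " ").split():
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != subnet.version or not net.subnet_of(subnet):
                problems.append(f"Peer {n}: {net} is outside {subnet}")
            problems += [f"Peer {n}: {net} overlaps peer {m} ({o})"
                         for m, o in seen if m != n and net.overlaps(o)]
            seen.append((n, net))
    return problems
```

Run lint() on the text of /etc/wireguard/wg0.conf (read as root) after adding each client; an empty list means every peer has a well-formed key and its own non-overlapping range inside the VPN subnet.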
After that, start the service and enable it to start with the system:
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
Remember to replace wg0 with the name of the network interface you will be using.
Configuring the client
Now that the server is ready, it is time to do the same with the client:
In the case of the client, we will use another computer with Ubuntu 20.04 and we will have to install the necessary packages:
sudo apt install wireguard resolvconf
And generate the client's key pair:
wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key
Sample output:
MFhd1/CB9CPRRnydhokzgBcU3CWZVNkwuv468Io68Xo=
Make the root user the one who has permissions on the file:
sudo chmod 600 /etc/wireguard/client_private.key
And now it is necessary to create the client configuration file:
sudo nano /etc/wireguard/wg0.conf
and add the following content:
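# Client configuration
[Interface]
# Client private key: the contents of /etc/wireguard/client_private.key
PrivateKey = gbohCfIuonz9anr9izMK7bMzRA2S4Y4doUdQfS7YQ2Y=
Address = 10.5.5.2/24
DNS = 8.8.8.8

# Server configuration
[Peer]
# Server public key: the contents of /etc/wireguard/server_public.key on the server
PublicKey = MFhd1/CB9CPRRnydhokzgBcU3CWZVNkwuv468Io68Xo=
AllowedIPs = 0.0.0.0/0
Endpoint = 82.213.236.27:61951
PersistentKeepalive = 25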
The values are very similar to the server ones, so I will go a little bit faster. In the [Interface] section you add the client parameters: PrivateKey, Address (the IP address of the client), and DNS.
Then comes the server section. In PublicKey you have to add the server's public key. In AllowedIPs, you set the addresses that will be routed through the VPN tunnel; in this case, they are set to all. The Endpoint value refers to the IP address of the server along with the port set for WireGuard.
Save the changes and close the editor.
To establish a connection to the VPN and then check its status, you have to run:
sudo wg-quick up wg0
sudo wg
And you are all set.
Conclusion
WireGuard is a recent technology that already shows that it will be of great help for private and secure connections. Setting it up is not as complex as you might think but it does require some configuration files to help you with the task.