WireGuard Installation Tutorial

WireGuard is a fast and simple virtual private network protocol that utilizes modern cryptography. It's much faster than OpenVPN or IPsec while also having a smaller codebase that is easier to audit and maintain. For more information about WireGuard please refer to our WireGuard Guide.

Working remotely has become common practice and is deemed necessary for most organizations around the world following the COVID-19 pandemic. But remote work also has high-security risks, especially for corporate networks. To provide more secure internet access for colleagues and to make company networks/resources more secure, we advise you to use WireGuard protocol and Zenarmor together.

In this tutorial, we will configure a simple peer connection between an Ubuntu 20.04 LTS server and a client. The client can be either your local computer or a mobile device. First, we will install and configure WireGuard on Ubuntu 20.04 LTS as a VPN server. Then, we'll configure WireGuard as a client on both a desktop PC and an Android device. The desktop PC may run Ubuntu desktop or Windows 7/10. The client's traffic will be routed through the Ubuntu 20.04 server.

WireGuard P2P VPN Topology (WireGuard Ubuntu Server and Ubuntu/Android/Windows Clients)

Figure 1. WireGuard P2P VPN Topology (WireGuard Ubuntu Server and Ubuntu/Android/Windows Clients)

This setup can protect you against man-in-the-middle attacks and give you anonymity while surfing the web. You can also use this WireGuard configuration to access your company network remotely from anywhere in the world in a secure way.

tip

It is strongly recommended to install Sensei (ZENARMOR) on your WireGuard VPN server, as it will make your network more secure. By configuring Sensei (ZENARMOR) and applying web filtering and application control, you can block security threats coming through your WireGuard tunnel interface. For more information, please refer to installing Sensei (ZENARMOR) and managing policies.

The WireGuard configuration is very easy. You can set up a WireGuard VPN tunnel by following the 5 main steps given below:

  • Download and install WireGuard on both the server and the clients
  • Generate cryptographic key pairs (public and private keys) for both the server and the clients
  • Configure WireGuard tunnel interfaces on both the server and the clients
  • Configure firewall rules on your WireGuard VPN server
  • Enable the WireGuard tunnel interfaces on both the server and the clients

Installing WireGuard

To follow this WireGuard setup guide, you will need the devices listed below:

  • An Ubuntu 20.04 LTS Linux server, which will be configured as the WireGuard VPN server.
  • An Ubuntu desktop, a Windows PC or an Android device, which will be configured as a WireGuard VPN client.

warning

Privileged access to your Linux system as root or via the sudo command is required.

All the commands given below are to be executed with root privileges, either directly as the root user or through the sudo command.

WireGuard Setup as a VPN Server on Ubuntu

Before you begin installing WireGuard, make sure your system is up to date and has the required packages installed.

1. Update your local package index by running the following command:

sudo apt update && sudo apt upgrade -y

2. Install iptables if your system doesn't have it yet:

sudo apt install iptables -y

Installation of WireGuard on Ubuntu

Ubuntu 20.04 ships with Linux kernel 5.4, which has a built-in WireGuard module. Therefore, you can easily install WireGuard itself and all of its dependencies by running the following command:

sudo apt install wireguard wireguard-tools

After you've installed WireGuard, follow the steps below to further configure your server.

Generating private and public keys

One of the main advantages of WireGuard is that it is based on state-of-the-art cryptographic primitives. It gives you a secure VPN tunnel by encrypting your connection using a pair of cryptographic keys. Each peer must have its own private and public key to secure communication in both directions. To use WireGuard, the server and each client must generate their own key pair and then exchange public keys.

Run the following command on the Ubuntu server to create a public/private key pair; the keys will be saved under the /etc/wireguard/ directory. The last tee in the pipeline also echoes the public key to the terminal, which is the value you see printed below.

$ wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
[sudo] password for alp:
hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=

This will save both the private and public keys to the /etc/wireguard directory.

caution

The private key should never be shared with anyone and should always be kept secure.

info

WireGuard also supports a pre-shared key. To add a further layer of security to your VPN tunnel, you can use this optional key, which must be unique for each peer pair.

You can view the contents of the WireGuard key files with cat or less.

$ sudo cat /etc/wireguard/server_private.key
aIfECLKHoeCHsSr3qYfOgqm9BiNFEqQgYiDJQdUlJV8=

$ sudo cat /etc/wireguard/server_public.key
hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=

tip

Please note down the key pair; it will be used for updating the WireGuard configuration file in the following steps.

The next step is to configure the tunnel device that will route the VPN traffic.

Generating WireGuard Server Configuration File

You can configure the WireGuard tunnel device in two different ways:

  • using the ip and wg commands on the CLI
  • creating the configuration file with a text editor

In this guide, we will use the latter method.

Let's start configuring the WireGuard server by creating a new configuration file called wg0.conf in the /etc/wireguard folder and adding the configuration lines given below.

First, open the wg0.conf file with the nano editor.

sudo nano /etc/wireguard/wg0.conf

tip

You can name the WireGuard interface as you wish, but it is recommended to use something like wg0.

The configuration below makes your WireGuard server listen for connections on UDP port 51820 using the private key we generated above. Client peers are added to this file in a later step.

Second, add the following directives to the configuration file.

[Interface]
PrivateKey = <contents-of-server-privatekey>
Address = 10.10.10.1/24
PostUp = iptables -A FORWARD -i ens18 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; ufw route allow in on wg0 out on ens18; ufw route allow in on ens18 out on wg0; ufw allow proto udp from any to any port 51820
PostDown = iptables -D FORWARD -i ens18 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens18 -j MASQUERADE; ufw route delete allow in on wg0 out on ens18; ufw route delete allow in on ens18 out on wg0; ufw delete allow proto udp from any to any port 51820
ListenPort = 51820

  • PrivateKey: The private key of the VPN server, which can be found in the /etc/wireguard/server_private.key file on the server.
  • Address: defines the private IPv4 and IPv6 addresses for the WireGuard server. Each peer in the VPN network should have a unique IP address.
  • ListenPort: specifies which port WireGuard will use for incoming connections. It can be freely selected from the high port range. If no port is specified, it is 51820/UDP by default.
  • PostUp and PostDown: define steps to be run after the interface is turned on or off, respectively. In this case, iptables is used to set Linux IP masquerade rules to allow all the clients to share the server's IPv4 and IPv6 address. The rules will then be cleared once the tunnel is down.

Then save and close the file.

Install a DNS Resolver on the Server

Since we will specify the VPN server as the DNS server for the clients, we need to run a DNS resolver on the VPN server. We will install the bind9 DNS server.

sudo apt install bind9

Once it's installed, BIND will automatically start. You can check its status with:

systemctl status bind9

Sample output:

● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-06-28 07:14:24 UTC; 16s ago
       Docs: man:named(8)
   Main PID: 1568 (named)
      Tasks: 5 (limit: 10387)
     Memory: 15.1M
     CGroup: /system.slice/named.service
             └─1568 /usr/sbin/named -f -u bind

Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './NS/IN': 2001:500:200::b#53
Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Jun 28 07:14:25 myfirsfw named[1568]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is>
Jun 28 07:14:25 myfirsfw named[1568]: resolver priming query complete

If it's not running, you can start it with the following command:

sudo systemctl start bind9

Edit the BIND DNS server's configuration file.

sudo nano /etc/bind/named.conf.options

Add the following line inside the options { ... } block to allow VPN clients to send recursive DNS queries. Only the loopback address and the tunnel subnet are listed, so the resolver is not open to the Internet.

allow-recursion { 127.0.0.1; 10.10.10.0/24; };

Allowing VPN clients to send recursive DNS queries

Figure 2. Allowing VPN clients to send recursive DNS queries

Save and close the file.

Restart BIND9 for the changes to take effect.

sudo systemctl restart bind9

How To Set Up WireGuard Firewall Rules on Ubuntu Server

You should also configure a firewall to allow WireGuard clients to access your WireGuard server and any other services that you wish, such as DNS and SSH. Configuring a firewall will block any unwanted connections and keep your server secure. You can follow the steps given below:

1. Install ufw, the Uncomplicated Firewall, using the command below.

sudo apt install ufw

2. Add the following rule to allow WireGuard connections.

sudo ufw allow 51820/udp

3. Add the following rules to allow VPN clients to connect to the DNS service.

sudo ufw allow 53/tcp

sudo ufw allow 53/udp

4. Add the following rule to allow SSH connections. (This step is optional. You may also allow any other connections that you need, such as HTTPS/443.)

sudo ufw allow 22

5. Enable the firewall with the next command.

sudo ufw enable

6. Confirm the command when prompted.

Command may disrupt existing ssh connections. Proceed with operation (y|n)? Y

Firewall is active and enabled on system startup

7. Following that, use the command below to check the active firewall rules.

sudo ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
51820/udp                  ALLOW IN    Anywhere
53/tcp                     ALLOW IN    Anywhere
53/udp                     ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
51820/udp (v6)             ALLOW IN    Anywhere (v6)
53/tcp (v6)                ALLOW IN    Anywhere (v6)
53/udp (v6)                ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)

Congratulations. The Ubuntu peer that will serve as the server has been configured.

Enabling Clients to Access the Internet/LAN Through WireGuard VPN Server

By allowing clients to reach the WireGuard port, we have set up peer-to-peer VPN networking between our Ubuntu server and its clients. However, you may also want to give all VPN clients access to the Internet or your company network/LAN through the WireGuard server. For this, you must configure IP forwarding and NAT in the firewall rules.

IP forwarding

In order for the VPN server to route packets between VPN clients and the Internet/LAN, you must enable IP forwarding on the WireGuard server. You can follow the given instructions outlined below:

1. Open the sysctl configuration file for editing.

sudo nano /etc/sysctl.conf

2. Add or uncomment the following line by removing the # at the beginning of the line.

net.ipv4.ip_forward=1

3. Save the file and exit the editor.

4. Open /etc/ufw/sysctl.conf and uncomment these lines:

net/ipv4/ip_forward=1

net/ipv6/conf/default/forwarding=1

net/ipv6/conf/all/forwarding=1

5. Apply the changes with the command below. The -p option loads the sysctl settings from the /etc/sysctl.conf file. Because the settings live in that file, they survive a system restart.

sudo sysctl -p

Configure IP Masquerading on the Server

You must set up IP masquerading in the server firewall so that the server becomes a virtual router for the VPN clients. The PostUp and PostDown definitions in the WireGuard configuration file given above (/etc/wireguard/wg0.conf) automatically add and remove the NAT and UFW rules when you enable or disable the WireGuard interface. As a result, your VPN clients are hidden from the outside world, and any device on the Internet can only see your WireGuard VPN server's WAN IP.

Starting WireGuard Server and Enabling it at Boot

We're ready to start the server now that we've completed the configuration. WireGuard has a handy wrapper called wg-quick that can be used to start new interfaces without having to go into the configuration details. Managing the WireGuard interface with the wg-quick tool is shown below.

To start WireGuard service and bring the WireGuard interface (wg0) up run the following command on the server:

sudo wg-quick up wg0

This will load the configuration file /etc/wireguard/wg0.conf and you should see an output like below upon successfully starting the interface:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i ens18 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; ufw route allow in on wg0 out on ens18; ufw route allow in on ens18 out on wg0; ufw allow proto udp from any to any port 51820
Rule added
Rule added (v6)

To stop it, run:

sudo wg-quick down wg0

You can also use the systemd service to start WireGuard.

sudo systemctl start wg-quick@wg0

You can check the WireGuard state and configuration with the following commands. Its systemd status should be active (exited).

sudo wg show wg0

interface: wg0
  public key: hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=
  private key: (hidden)
  listening port: 51820

You can also run ip a show wg0 to verify the interface state:

ip a show wg0

6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.10.10.1/24 scope global wg0
       valid_lft forever preferred_lft forever

To enable the WireGuard interface automatically at system boot time, run the following command:

sudo systemctl enable wg-quick@wg0

Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.

Now that the WireGuard server is up and running, it is ready to accept client connections.

WireGuard Setup as a VPN Client on Ubuntu Desktop

Once your WireGuard server is up and running, you need to configure your client devices. The WireGuard project offers software for most operating systems, so you can easily connect your Windows, Linux or macOS computers and your Android or iOS devices.

Before you begin installing WireGuard on your Ubuntu desktop, make sure your system is up to date and has the required packages installed.

Update your local package index by running the following command:

sudo apt update && sudo apt upgrade -y

Note that you also need to install the openresolv package on the client to configure the DNS server.

sudo apt install openresolv

WireGuard Installation on Ubuntu

The procedure for setting up a WireGuard client on Ubuntu Desktop is nearly identical to that for installing the server.

You can easily install WireGuard itself and all of its dependencies by running the following command:

sudo apt install wireguard wireguard-tools

After you've installed WireGuard, follow the steps below to further configure your client.

Generate Public/Private Keypair for Client

To create a public/private key pair run the following command on the VPN client.

wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key

Generate WireGuard Client Configuration File on Ubuntu

Use a command-line text editor like nano to create a WireGuard configuration file on your Ubuntu VPN client. wg0 will be the WireGuard network interface name on the client.

sudo nano /etc/wireguard/wg0.conf

Copy the following text and paste it to your configuration file. You need to use your own client private key and server public key.

[Interface]
Address = 10.10.10.2/24
DNS = 10.10.10.1
PrivateKey = MCzL/mO/L6Ak8HRp16aWPwefXpg+RoukBHG/LwiKcks=

[Peer]
PublicKey = hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=
AllowedIPs = 0.0.0.0/0
Endpoint = 22.33.44.55:51820
PersistentKeepalive = 25

Where:

  • Address: Specify the private IP address of the VPN client.
  • DNS: specify 10.10.10.1 (the VPN server) as the DNS server. It will be configured via the resolvconf command. For redundancy, you can also specify multiple DNS servers, such as: DNS = 10.10.10.1 8.8.8.8
  • PrivateKey: The client's private key, which can be found in the /etc/wireguard/client_private.key file on the client computer.
  • PublicKey: The server's public key, which can be found in the /etc/wireguard/server_public.key file on the server.
  • AllowedIPs: 0.0.0.0/0 represents the whole Internet, which means all traffic to the Internet is routed via the VPN. If you want to use WireGuard only for specific destinations, list their IP address ranges instead, separated by commas.
  • Endpoint: The public/WAN IP address and port number of the VPN server. Replace 22.33.44.55 with your server's real public IP address.
  • PersistentKeepalive: Send an authenticated empty packet to the peer every 25 seconds to keep the connection alive through NAT devices. If PersistentKeepalive isn't enabled, the VPN server might not be able to ping the VPN client.

Save and close the file.

If you need to configure additional clients, just repeat the same steps using a different private IP address.

Adding the VPN Client Peer to the Server

To add the client's public key and IP address to the server, you can either:

  • run the following command on the Ubuntu server:

sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.10.10.2

  • or add the following lines to the /etc/wireguard/wg0.conf file:

[Peer]
PublicKey = <contents-of-client-publickey>
AllowedIPs = 10.10.10.2/32

  • PublicKey: The public key of the VPN client, which can be found in the /etc/wireguard/client_public.key file on the client computer.
  • AllowedIPs: The IP addresses the VPN client is allowed to use. In this example, the client can only use the 10.10.10.2 IP address inside the VPN tunnel; packets arriving from this peer with any other source address are dropped.

Save and close the file.

Next, start the service again:

sudo systemctl start wg-quick@wg0

Once done, go back to the client machine and bring up the tunneling interface.

Starting WireGuard Service on Client

We're ready to start the service now that we've completed the configuration. The wg and wg-quick command-line tools allow you to configure and manage the WireGuard interfaces.

Run the following command to bring up the interface and start the connection:

sudo wg-quick up wg0

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

You can also use systemctl to start WireGuard as a service.

sudo systemctl start wg-quick@wg0

You can enable auto-start at system boot time.

sudo systemctl enable wg-quick@wg0

You can check its status:

systemctl status wg-quick@wg0

Now you should be connected to the Ubuntu server, and the traffic from your client machine should be routed through it. You can check the connection with:

sudo wg

interface: wg0
  public key: LxHDQokGy422z1byrSC6sO7HRo13KudzgE4w/ycxpCc=
  private key: (hidden)
  listening port: 51229
  fwmark: 0xca6c

peer: hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=
  endpoint: Server-WAN-IP:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 2 minutes, 16 seconds ago
  transfer: 248.02 KiB received, 189.02 KiB sent
  persistent keepalive: every 25 seconds

When you want to disconnect, use either of the following commands depending on which method you used to start it.

sudo wg-quick down wg0

or

sudo systemctl stop wg-quick@wg0

WireGuard will then disconnect from the server and remove the related network settings.

Adding more VPN clients

If you want to also use the WireGuard VPN on other devices, you can add more clients to your server. Adding clients is simple.

First, install WireGuard on your new client devices as before and create a unique private/public key pair for each client.

WireGuard is designed to associate one IP address with one VPN client. To add more VPN clients, you need to create a [Peer] entry for each of them in the server's configuration file.

Then edit the wg0.conf file on your WireGuard server.

sudo nano /etc/wireguard/wg0.conf

Add the following entries at the end of the file to include each client's public key and set the IP address for each client.

[Peer]
PublicKey = <content-of-client2-publickey>
AllowedIPs = 10.10.10.2/32

[Peer]
PublicKey = <content-of-client3-publickey>
AllowedIPs = 10.10.10.3/32

[Peer]
PublicKey = <content-of-client4-publickey>
AllowedIPs = 10.10.10.4/32

Afterwards, save the file and exit the editor.

Then restart the WireGuard server for the changes to take effect.

sudo systemctl restart wg-quick@wg0

Each VPN client will have a static private IP address (10.10.10.2, 10.10.10.3, 10.10.10.4, etc).

Then add WireGuard configuration on each VPN client as usual.

All done! You can then connect with the new clients as you did before.

WireGuard VPN Client Setup on Windows

WireGuard for Windows supports Windows 7, 8, 8.1, 10, 2012, 2016, and 2019 and is available in 64-bit and 32-bit versions. In this section, we will cover how to install the WireGuard Windows client and connect to a WireGuard Virtual Private Server (VPS) via VPN.

To install and configure WireGuard as a VPN client on a Windows platform, you can follow the instructions below:

Download and install Windows WireGuard Client

Download and run the Windows installer from the WireGuard website. It selects the most recent version for your hardware, downloads it, and installs it.

Downloading WireGuard Windows installer

Figure 3. Downloading WireGuard Windows installer

After the installation, you should see the WireGuard icon in the notification area on the taskbar.

WireGuard icon on taskbar

Figure 4. WireGuard icon on taskbar

Configuring Windows WireGuard Client

Launch the WireGuard application and click on the down arrow beside the Add Tunnel button in the Tunnels tab.

Configuring WireGuard on Windows Client

Figure 5. Configuring WireGuard on Windows Client

Click on Add empty tunnel as shown on the image below:

Adding empty tunnel

Figure 6. Adding empty tunnel

This will automatically create a public/private key pair and display them on the screen.

Creating new WireGuard tunnel on Windows client

Figure 7. Creating new WireGuard tunnel on Windows client

Enter a name for the tunnel using alphanumeric characters only (no spaces or punctuation) and edit the configuration as follows:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.10.10.3/24
DNS = 10.10.10.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP_ADDRESS:51820
AllowedIPs = 0.0.0.0/0

Explanations of the fields in the interface section are given below:

  • PrivateKey: Private key of this client
  • Address: VPN IP address of this client. It must be unique among all clients.
  • DNS: IP address of a DNS server. In this case, I use the DNS server running on the WireGuard server.

Explanations of the fields in the peer section are given below:

  • PublicKey: The public key of the Ubuntu WireGuard server (the /etc/wireguard/server_public.key file created earlier).
  • Endpoint: The public/real IP address of the Ubuntu server, followed by a colon and the WireGuard port (51820).
  • AllowedIPs: Specifies which IP addresses should be routed over the VPN. 0.0.0.0/0 is a catch-all configuration and routes everything over the VPN.

Block untunneled traffic (kill switch) option

In the Edit tunnel window, there is a Block untunneled traffic option. You can enable this option when your configuration has precisely one [Peer] section and AllowedIPs is set to a catch-all address.

If the option is enabled, the WireGuard client adds Windows Firewall rules that block all traffic that is neither to nor from the tunnel interface, so it prevents accidentally sending IP packets outside the VPN.

WireGuard Tunnel configuration on Windows client

Figure 8. WireGuard Tunnel configuration on Windows client

Once done, click on the Save button.

Add the Client Peer to the Server

To add the client's public key and IP address to the server, you can either:

  • run the following command on the Ubuntu server:

sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.10.10.3

  • or add the following lines to the /etc/wireguard/wg0.conf file:

[Peer]
PublicKey = <contents-of-client-publickey>
AllowedIPs = 10.10.10.3/32

Save and close the file. Next, start the service again:

sudo systemctl start wg-quick@wg0

You can check the status of the wg0 interface:

sudo wg

interface: wg0
  public key: hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=
  private key: (hidden)
  listening port: 51820

peer: LxHDQokGy422z1byrSC6sO7HRo13KudzgE4w/ycxpCc=
  allowed ips: 10.10.10.2/32

peer: U14mlsR8wV23KO7vxqhiy4gcsqzF6i1nrpba1M4X4iw=
  allowed ips: 10.10.10.3/32

Return to the Windows client machine and activate the tunneling interface.

Activating/Deactivating WireGuard Tunnel Interface on Windows Client

After installing and configuring WireGuard on the Windows client, click on the Activate button. Once the peers are connected, the tunnel status will change to Active:

Activating WireGuard tunnel on Windows client

Figure 9. Activating WireGuard tunnel on Windows client

Deactivating WireGuard tunnel on Windows client

Figure 10. Deactivating WireGuard tunnel on Windows client

To close the VPN connection, click on the Deactivate button.

Installing WireGuard as Client on an Android Device

Before installing and configuring the WireGuard client on your Android device, you can generate the client key pair and a QR code for the Android device on your Ubuntu WireGuard server, so that you can easily configure the WireGuard application on your mobile device to connect to the VPN.

Generate QR Code

To generate the QR code you will need the qrencode package installed on your Ubuntu 20.04 LTS WireGuard server. To install the qrencode package, type the following command on your VPN server:

sudo apt install qrencode

Creating Client Private/Public Key Pairs

Unlike the Windows and Ubuntu/Linux WireGuard clients, we will generate the key pair for our Android device on the Ubuntu 20.04 LTS WireGuard server. To create the client private/public key pair, follow these steps:

1. Create a directory called clients under /etc/wireguard.

sudo mkdir /etc/wireguard/clients

2. Create a key pair called android:

wg genkey | sudo tee /etc/wireguard/clients/android_private.key | wg pubkey | sudo tee /etc/wireguard/clients/android_public.key

This creates the client key pair for your Android device in the /etc/wireguard/clients directory.

3. You can view the keys with cat.

sudo cat /etc/wireguard/clients/android_private.key
eDUqYVRI0BmCBkAjER2wmgVeqUaGW5Ihnh2meVbKDGg=

sudo cat /etc/wireguard/clients/android_public.key
1O4+y9FsExnNlqbG4qR6Tdf3JQJx9200uF92TWF03gw=

Creating the client configuration file

You then need to create a client configuration file to be encoded into a QR code.

1. Create a client configuration file using nano.

sudo nano /etc/wireguard/clients/android.conf

2. Copy and paste the following lines into the WireGuard client configuration file.

[Interface]
PrivateKey = eDUqYVRI0BmCBkAjER2wmgVeqUaGW5Ihnh2meVbKDGg=
Address = 10.10.10.4/24
DNS = 10.10.10.1, 8.8.8.8

[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = YOUR_SERVER_WAN_IP:51820

Explanations of the fields in the interface section are given below:

  • PrivateKey: Private key of this client (it is in /etc/wireguard/clients/android_private.key)
  • Address: IP address of this client. It must be unique among all clients.
  • DNS: IP address of a DNS server. In this case, I use the DNS server running on the WireGuard server.

Explanations of the fields in the peer section are given below:

  • PublicKey: The public key of the Ubuntu WireGuard server (the /etc/wireguard/server_public.key file created earlier).
  • Endpoint: The public/real IP address of the Ubuntu server, followed by a colon and the WireGuard port (51820).
  • AllowedIPs: Specifies which IP addresses should be routed over the VPN. 0.0.0.0/0 is a catch-all configuration and routes everything over the VPN.

Generate QR Code

You can now generate a QR code with the following command as root:

qrencode -t ansiutf8 < /etc/wireguard/clients/android.conf

It will generate a QR code image like this:

WireGuard QR code for Android VPN Client

Figure 11. WireGuard QR code for Android VPN Client

You can take a screenshot and securely send it to your Android client. Treat the image like the private key it contains: it configures a full VPN client for anyone who scans it.

Add the Client Peer to the Server

To add the client's public key and IP address to the server, you can either:

  • run the following command on the Ubuntu server:

sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.10.10.4

  • or add the following lines to the /etc/wireguard/wg0.conf file:

[Peer]
PublicKey = <contents-of-client-publickey>
AllowedIPs = 10.10.10.4/32

Save and close the file.

Next, start the service again:

sudo systemctl start wg-quick@wg0

You can check the status of the wg0 interface:

sudo wg

interface: wg0
  public key: hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=
  private key: (hidden)
  listening port: 51820

peer: LxHDQokGy422z1byrSC6sO7HRo13KudzgE4w/ycxpCc=
  allowed ips: 10.10.10.2/32

peer: U14mlsR8wV23KO7vxqhiy4gcsqzF6i1nrpba1M4X4iw=
  allowed ips: 10.10.10.3/32

peer: 1O4+y9FsExnNlqbG4qR6Tdf3JQJx9200uF92TWF03gw=
  allowed ips: 10.10.10.4/32

Download and install WireGuard Application on Android device

You can get and install the official application from the Google Play Store on your Android device.

Installing WireGuard Android Application from Playstore

Figure 12. Installing WireGuard Android Application from Playstore

Configuring WireGuard Client on Android

Once the WireGuard application is installed, we need to add a new configuration for the VPN tunnel. Tap on the blue button with the + icon.

Adding WireGuard tunnel for Android client

Figure 13. Adding WireGuard tunnel for Android client

This will open a new view on your device to configure the tunnel. Tap on Scan from QR code.

Importing tunnel configuration by scanning QR code

Figure 14. Importing tunnel configuration by scanning QR code

After giving permission for the camera, you can scan your QR code.

Giving permission to WireGuard

Figure 15. Giving permission to WireGuard

Enter the name of the VPN tunnel and tap on the Create Tunnel button. This will import the WireGuard client configuration from the QR code.

Naming WireGuard tunnel on Android client

Figure 16. Naming WireGuard tunnel on Android client

You'll be prompted to confirm the connection request; tap on OK.

WireGuard connection request on Android client

Figure 17. WireGuard connection request on Android client

Connecting/Disconnecting WireGuard Android Client

You can easily connect your Android device to the VPN server by just launching the WireGuard application and turning it on.

Activating/deactivating WireGuard tunnel on Android client

Figure 18. Activating/deactivating WireGuard tunnel on Android client

To disconnect from the WireGuard VPN tunnel, turn off the toggle button next to the VPN connection.

Testing WireGuard Connection

You can test your WireGuard connection by following the instructions given below:

1. Ping Test

You should be able to ping your WireGuard server from the client, and vice versa, successfully:

ping 10.10.10.1

sudo wg

The last two lines of the output from running the wg command should be similar to:

  latest handshake: 1 minute, 17 seconds ago
  transfer: 98.86 KiB received, 43.08 KiB sent

This indicates that you now have a private connection between the server and client. You can also ping the client from the server to verify that the connection works both ways.
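As an added check (my own code, not from this tutorial), the `latest handshake` and `transfer` lines above are also available in machine-readable form from `sudo wg show wg0 dump` on the server, and the script below parses that output to flag peers with no recent handshake and AllowedIPs entries that depart from the one /32 per client scheme used here. The sample dump is constructed (public keys and addresses from this page; endpoints, timestamps and counters made up) and the 180-second staleness threshold is an assumption.

```python
import ipaddress
import time

# Constructed sample of `sudo wg show wg0 dump`. Per wg(8), the first line is private-key,
# public-key, listen-port, fwmark; each peer line is public-key, preshared-key, endpoint,
# allowed-ips, latest-handshake (Unix seconds, 0 = never), transfer-rx, transfer-tx,
# persistent-keepalive, all tab-separated. Keys and addresses are the ones used in this
# tutorial; endpoints, timestamps and byte counters are made up.
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVATE_KEY_REDACTED", "hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=",
               "51820", "off"]),
    "\t".join(["LxHDQokGy422z1byrSC6sO7HRo13KudzgE4w/ycxpCc=", "(none)", "203.0.113.10:51229",
               "10.10.10.2/32", "1624880000", "253972", "193556", "25"]),
    "\t".join(["U14mlsR8wV23KO7vxqhiy4gcsqzF6i1nrpba1M4X4iw=", "(none)", "(none)",
               "10.10.10.3/32", "0", "0", "0", "off"]),
    "\t".join(["1O4+y9FsExnNlqbG4qR6Tdf3JQJx9200uF92TWF03gw=", "(none)", "198.51.100.7:40000",
               "10.10.10.4/32,10.10.10.0/24", "1624879500", "4096", "2048", "off"]),
])


def parse_dump(text: str):
    """Split a `wg show <iface> dump` into an interface dict and a list of peer dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    priv, pub, port, fwmark = lines[0].split("\t")
    iface = {"public_key": pub, "listen_port": int(port), "fwmark": fwmark}
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected dump line: {line!r}")
        peers.append({
            "public_key": f[0],
            "preshared": f[1] != "(none)",
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": [ipaddress.ip_network(a) for a in f[3].split(",") if a],
            "latest_handshake": int(f[4]),
            "rx": int(f[5]),
            "tx": int(f[6]),
            "keepalive": None if f[7] == "off" else int(f[7]),
        })
    return iface, peers


def stale_peers(peers, now: int, max_age: int = 180):
    """(public_key, age_seconds_or_None) for peers that never handshook or not within max_age.

    WireGuard renegotiates roughly every two minutes while traffic flows, so a 180 s cut-off
    (an assumed value) separates active tunnels from idle or unreachable clients."""
    out = []
    for p in peers:
        age = None if p["latest_handshake"] == 0 else now - p["latest_handshake"]
        if age is None or age > max_age:
            out.append((p["public_key"], age))
    return out


def allowed_ips_findings(peers, tunnel_net: str = "10.10.10.0/24"):
    """(public_key, prefix, reason) for AllowedIPs that break the one-/32-per-client scheme:
    prefixes outside the tunnel subnet or prefixes wider than a single host."""
    net = ipaddress.ip_network(tunnel_net)
    findings = []
    for p in peers:
        for a in p["allowed_ips"]:
            if a.version != net.version or not a.subnet_of(net):
                findings.append((p["public_key"], str(a), "outside tunnel subnet"))
            elif a.prefixlen != net.max_prefixlen:
                findings.append((p["public_key"], str(a), "wider than one host"))
    return findings


if __name__ == "__main__":
    # On a real server replace SAMPLE_DUMP with the output of `sudo wg show wg0 dump`.
    iface, peers = parse_dump(SAMPLE_DUMP)
    print(f"wg0 public key {iface['public_key']} listening on {iface['listen_port']}")
    for key, age in stale_peers(peers, int(time.time())):
        when = "never handshaked" if age is None else f"{age}s ago"
        print(f"stale peer {key}: {when}")
    for key, prefix, reason in allowed_ips_findings(peers):
        print(f"check AllowedIPs {prefix} on {key}: {reason}")
```

Note that the first field of the real dump is the server's private key in clear text, so redact it, as the sample does, before pasting the output anywhere.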

2. IP Control

On your client machine, go to https://www.whatismyip.com to check your public IP address. If your WireGuard tunnel works well, you should see your VPN server's public IP address in the browser instead of your client computer's own public IP address.

3. Traceroute Test

You should see the WireGuard server's VPN IP address as the first hop in the traceroute output:

traceroute 8.8.8.8

 1  10.10.10.1 (10.10.10.1)  0.391 ms  0.348 ms  0.349 ms
 2  _gateway (192.168.0.1)  0.641 ms  0.606 ms  0.625 ms
 3  * * *
15  * * *
16  142.250.212.20 (142.250.212.20)  27.320 ms 74.125.37.238 (74.125.37.238)  29.852 ms 216.239.49.198 (216.239.49.198)  30.107 ms
17  142.251.52.83 (142.251.52.83)  34.252 ms  34.216 ms  38.622 ms
18  sof02s44-in-f4.1e100.net (142.250.187.100)  38.637 ms  38.542 ms  38.593 ms

4. DNS service Test

Your DNS queries should be answered by your WireGuard VPN server. Note that dig takes the server to query as @10.10.10.1; written without the @, as in the transcript below, dig treats 10.10.10.1 as a second query name and sends both queries to the local stub resolver (127.0.0.53), which is why the second answer is NXDOMAIN. To query the VPN server directly, use dig @10.10.10.1 www.google.com.

dig -p 53 www.google.com 10.10.10.1

; <<>> DiG 9.16.1-Ubuntu <<>> -p 53 www.google.com 10.10.10.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 77
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         216     IN      A       142.250.187.100

;; Query time: 24 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jun 28 10:52:12 UTC 2021
;; MSG SIZE  rcvd: 59

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35631
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;10.10.10.1.                    IN      A

;; Query time: 44 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jun 28 10:52:12 UTC 2021
;; MSG SIZE  rcvd: 39