Wireguard is an open-source, dependable, advanced, VPN tunneling software you can install and use right now to create a secure, point-to-point connection to a server. It is cross-platform and can run almost anywhere, including Linux, Windows, Android, and macOS. Wireguard is a peer-to-peer VPN. it does not use the client-server model. Depending on its configuration, a peer can act as a traditional server or client.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Software Installation queries.

In this context, we shall look into how to install Wireguard on Ubuntu 20.04 LTS.

Steps to Install and configure Wireguard on Ubuntu 20.04 LTS Focal Fossa

1. Perform System Update

First, make sure that all your system packages are up-to-date by running the following apt commands in the terminal:

$ sudo apt update
$ sudo apt upgrade

2. Install Wireguard on the system

WireGuard is available from the default Ubuntu repositories. Run the following commands to install it:

$ sudo apt install wireguard

3. Configure WireGuard

First, run the following command to generate the key pair:

$ wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

Then, create a new file named wg0.conf and add the following contents:

$ sudo nano /etc/wireguard/wg0.conf

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

The above terms from the wg0.conf file is defined below:

• Address – a comma-separated list of v4 or v6 IP addresses for the wg0 interface. Use IPs from a range that is reserved for private networks (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16).
• ListenPort – the port on which WireGuard will accept incoming connections.
• PrivateKey – a private key generated by the wg genkey command. (To see the contents of the file run: sudo cat /etc/wireguard/privatekey)
• SaveConfig – when set to true, the current state of the interface is saved to the configuration file when shutdown.
• PostUp – command or script which is executed before bringing the interface up. In this example, we’re using iptables to enable masquerading. This will allow traffic to leave the server, giving the VPN clients access to the Internet.
• PostDown – command or script which is executed before bringing the interface down. The iptables rules will be removed once the interface is down.

The wg0.conf and private key files should not be readable to normal users. Use chmod to set the permissions to 600:

$ sudo chmod 600 /etc/wireguard/{privatekey,wg0.conf}

Once done, bring the wg0 interface up using the attributes specified in the configuration file:

$ sudo wg-quick up wg0

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE

To bring the WireGuard interface at boot time run the following command:

$ sudo systemctl enable wg-quick@wg0

4. Configure Firewall

You need to open UDP traffic on port 51820:

$ sudo ufw allow 51820/udp

Finally, we can start the Wireguard service using the following command:

$ sudo wg-quick up wg0

[Need assistance in installing VPN on your Linux system ? We can help you today. ]