WireGuard is a lightweight Virtual Private Network (VPN) that supports IPv4 and IPv6 connections.

Here at Ibmi Media, we shall look into more about using wireguard on a DigitalOcean Ubuntu server.

More about WireGuard on DigitalOcean ?

WireGuard is a new VPN implementation in the Linux 5.6 kernel in 2020 and is faster and easier to use than other popular VPN options such as IPsec and OpenVPN. So we can use a VPN to access untrusted networks as if they were private networks. It allows us to use our smartphone or laptop to access the internet safely and securely when connected to an untrusted network, such as the WiFi at a hotel or coffee shop.

For peers to establish an encrypted tunnel between themselves, WireGuard's encryption relies on public and private keys. To ensure simplicity, security, and peer compatibility, each version of WireGuard employs a unique cryptographic cypher suite. Other VPN software, such as OpenVPN and IPSec, authenticate and establish encrypted tunnels between systems using Transport Layer Security (TLS) and certificates. 

While different versions of TLS support hundreds of different cryptographic suites and algorithms, this provides a lot of flexibility in terms of supporting different clients, but it also makes configuring a VPN that uses TLS more time consuming, complex, and error prone.

Steps to install Wireguard server on Digitalocean server running Ubuntu Jammy Jellyfish

1. Perform System Update

To begin, update the system's package index by running the below command:

$ sudo apt update

2. Install Wireguard Package

Now, install Wireguard by running:

$ sudo apt install wireguard

3. Use root user and set permission

Now, switch to the root user and ensure that it can access any files created after this point:

$ sudo -s
$ umask 077

4. Create private key for WireGuard

Now, Create the private key for WireGuard and change its permissions using the following commands:

$ cd /etc/wireguard
$ wg genkey | tee privatekey | wg pubkey > publickey

5. Create WireGuard configuration file

Now we have a private key that only the server should have and be aware of, as well as a public key that all VPN clients connecting to this server should be aware of. Then, at /etc/wireguard/wg0.conf, create a configuration file.

6. When we use wg-quick to start/stop the VPN interface, it creates one with the name wg0.

7. Update Wireguard config

Then, using cat /etc/wireguard/privatekey, print out our private key, and then add the following to the configuration file:

# /etc/wireguard/wg0.conf on the server
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
# Use your own private key, from /etc/wireguard/privatekey
PrivateKey = k^XBKbavc3#=dqymh*#STut4hmLd856ssyEVr8@ffBRZ^mFP

8. Start VPN

You can start the VPN with the below command:

wg-quick up wg0 : create and configure the user interface
wg : To see the interface's WireGuard-specific details

9. Start VPN automatically on boot

If you want the VPN to start automatically when you boot up your server, use the command:

$ systemctl enable wg-quick@wg0

How to configure WireGuard client on Ubuntu ?

1. To begin, install WireGuard with the below commands:

$ sudo apt update
$ sudo apt install wireguard

2. Now, switch to the root user:

$ sudo -s

3. Ensure that only root user can access any files created after this point:

$ umask 077

4. Then, in /etc/wireguard, generate keys:

$ cd /etc/wireguard
$ wg genkey | tee privatekey | wg pubkey > publickey

5. Then, create a configuration file with the following content at /etc/wireguard/wg0.conf:

# /etc/wireguard/wg0.conf on the client
[Interface]
# The address your computer will use on the VPN
Address = 10.0.0.8/32
# Load your privatekey from file
PostUp = wg set %i private-key /etc/wireguard/privatekey
# Also ping the vpn server to ensure the tunnel is initialized
PostUp = ping -c1 10.0.0.1
[Peer]
# VPN server's wireguard public key (USE YOURS!)
PublicKey = ewSCb&v?fUF95+KyhTKaAN4F^25!2cPGmw%UbaLAR+uxc99S
# Public IP address of your VPN server (USE YOURS!)
# Use the floating IP address if you created one for your VPN server
Endpoint = 123.123.123.123:51820
# 10.0.0.0/24 is the VPN subnet
AllowedIPs = 10.0.0.0/24
# To also accept and send traffic to a VPC subnet at 10.110.0.0/20
# AllowedIPs = 10.0.0.0/24,10.110.0.0/20
# To accept traffic from and send traffic to any IP address through the VPN
# AllowedIPs = 0.0.0.0/0
# To keep a connection open from the server to this client
# (Use if you're behind a NAT, e.g. on a home network, and
# want peers to be able to connect to you.)
# PersistentKeepalive = 25

6. The VPN server must be configured to allow connections from the client before the VPN can be started on the client. Reopen /etc/wireguard/wg0.conf on the VPN server and make the following changes:

# /etc/wireguard/wg0.conf on the server
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
# Use your own private key, from /etc/wireguard/privatekey
PrivateKey = k^XBKbavc3#=dqymh*#STut4hmLd856ssyEVr8@ffBRZ^mFP
[Peer]
# VPN client's public key
PublicKey = ewSCb&v?fUF95+KyhTKaAN4F^25!2cPGmw%UbaLAR+uxc99T
# VPN client's IP address in the VPN
AllowedIPs = 10.0.0.8/32

The [Peer] section has been added to allow the VPN server to coordinate encryption keys with the client and to verify that traffic from and to the client is permitted.

7. Then, on the server, restart the WireGuard interface to apply the changes:

$ wg-quick down wg0 && wg-quick up wg0

8. If we don't want active VPN connections to be disrupted or dropped, reload the configuration file with:

$ wg syncconf wg0 <(wg-quick strip wg0)

9. Finally, we can start the VPN on the client wg syncconf wg0 <(wg-quick strip wg0):

$ wg-quick up wg0
$ wg

When using a Chromebook to Connect WireGuard ?

It's preferable to use the official Android WireGuard app when connecting to a WireGuard VPN from a Chromebook. Because crouton uses a chroot, my attempts to run WireGuard under it failed, and we wwere stuck with the Chromebook's old Linux kernel (4.19) and unable to add kernel modules or network interfaces from within crouton. Similarly, crostini does not support updating or using custom kernel modules, but it does offer a convenient way to SSH into VPN-accessible servers while the Android WireGuard app is running.

When using other devices to connect WireGuard ?

If we want to connect to a VPN from a device that doesn't have root access, we can install wireguard-go, a userspace implementation of WireGuard. Look into setting up WireGuard on our router (e.g. instructions for OpenWRT) so we can route all of those devices outbound traffic through a VPN if we want to connect to a VPN from devices we don't control (e.g. smart TVs, IoT sensors).

[Need help in fixing DigitalOcean Linux system issues ? We can help you. ]