How to Install & Use WireGuard on GNU/Linux (Your VPN)
WireGuard is an open-source tool that connects to your virtual private network to protect your data. Typically, you can access your home network from anywhere in the world (for free). The only thing you need? A Linux server and this installation guide.
WireGuard can be installed on any computer that will act as a server. From there, a pair of private and public keys are generated to ensure security, and the network can be configured to allow clients to access the server.
In this article, I will guide you step by step to configure a WireGuard server, and you will connect different clients into it. You will also learn how a VPN works, its structure and all the requirements for using WireGuard.
WireGuard 101: An Introduction and Overview
Let’s start with a quick introduction to VPNs and WireGuard if this is your first project of this kind.
VPN Basics: Exploring Structure and Functionality
A VPN is a Virtual Private Network that creates a secure, encrypted connection between your device and the internet. Additionally, it enables remote access for local testing, allowing you to securely access and test network resources from anywhere in the world.
A simple way of getting the idea is to imagine your internet connection traveling through a secret tunnel. This tunnel acts like a shield around your data, encrypting the information and sending it through a distant server before reaching its destination.
VPNs are commonly used by organizations or companies that require privacy and confidentiality of data: since all transmissions go through the VPN, it acts as a tunnel between the devices and the main server.
Normally, a VPN is made up of two types of devices:
- The server contains the network configuration, the security settings and all the details necessary for the VPN to work. Usually, it is located on the network we are interested in reaching (for example, to connect to a local app or to other devices on the same network).
- The clients are all the devices that connect to the VPN through the server, using it as a tunnel to transmit their data. Every client talks to the server directly, and through it to the other devices connected to the VPN.
Note: Keep in mind that when using a VPN, all data will be transmitted from the server. Therefore, when transmitting data, the IP displayed will be that of the server. VPNs are often used to bypass blocks as they allow you to “disguise” your IP with that of the VPN.
WireGuard: An Open-Source VPN Solution
WireGuard is an open-source networking software that allows you to create a VPN easily, quickly and with security. It was created in 2016 by Jason A. Donenfeld with the concept of making a VPN that could be as simple as setting up an SSH connection.
The process of using WireGuard is quite simple and uses the same concepts of VPNs in general, in which you will use a device that will act as a VPN server and other devices will connect as clients.
WireGuard’s security is built on “asymmetric cryptography”: both the server and each client have a private key and a public key, and they exchange public keys with each other to gain access to the network. Private keys never leave the device that generated them.
Server Side: Installation, Setup & Configuration
Now that everything is clear, let’s move to the technical setup of this VPN solution.
Requirements & Environment Setup
Before installing WireGuard, you need to prepare the environment for running a VPN, and specifically for acting as the WireGuard server.
Setting up UFW (Uncomplicated Firewall)
The first thing you need to prepare for is the use of a firewall. The idea is to open ports only to the services we want to allow on this server.
In this case, we can use UFW. Once the firewall is enabled, any incoming connection that does not match an allow rule is rejected, so we will add the following rules:
sudo ufw allow 22
sudo ufw allow 51820
In this case, we enable port 22, since it is the SSH port, and port 51820, since it is the port WireGuard will listen on. WireGuard only uses UDP, so sudo ufw allow 51820/udp is the tighter rule if you prefer not to open TCP as well.
Then you will need to enable the firewall using:
sudo ufw enable
You can check the enabled rules as well:
sudo ufw status
This is the minimum configuration. You can, of course, open access to other ports as needed, and restrict access to specific IP addresses depending on your setup.
Note: if the server is remotely located, it is important to enable port 22, otherwise, you could leave the server without remote access.
IP Forwarding
After configuring the firewall, it is necessary to adjust the system’s network configuration, specifically IP forwarding, which allows the server to forward packets to other devices.
This is an absolutely necessary practice if you have a firewall, NAT or if the server acts as a router (which is our case when using the VPN).
To do this, it is necessary to modify the file /etc/sysctl.conf by adding the following line to it:
net.ipv4.ip_forward=1
A simple way to do this is to open the file in an editor with the following command:
sudo nano /etc/sysctl.conf
After that, you can apply the change by executing the following command:
sudo sysctl -p
Port-Forwarding
Port-forwarding is about redirecting ports from a local network to a public network so that they can be accessed with the external IP address.
The process of port-forwarding varies depending on the brand and model of router you have. There are different brands on the market, such as TP-Link, Cisco, ASUS, Tenda, etc. In my case, I will use a Mercusys MR50G, so the procedure looks like this:
The first step is to enter the router configuration, this can be done by entering the IP address and the data supplied by the router. You can see a more detailed tutorial here.
In the router’s main menu, we must look for the related Forwarding option, in our case NAT Forwarding, and in the drop-down menu, choose the Port Forwarding option. There we must click on the add button.
In this window, you will find the following fields that you will have to fill in:
- Service Name: This is simply the name of the service, you can enter any name.
- Device IP Address: Here you must enter the IP address of the device that has the Wireguard Server installed.
- External Port: This is the external port that clients outside your network will use to connect to WireGuard, ideally use the same internal port to avoid confusion.
- Internal Port: This is the internal port that is being used on the device for the service you want. In our case, the same port used for Wireguard.
- Protocol: Here you can choose if you want to forward only TCP or UDP, in our case both.
After adding this entry, all incoming connections from outside on port 51820 will be forwarded to port 51820 of the WireGuard server on the local network. So when you connect devices, you will need to put the public IP (which you can see here) in the client configuration.
Installing WireGuard
The first step to using WireGuard is to install it along with all its packages.
Installation is fairly straightforward and uncomplicated, as it’s done with APT, the package manager:
sudo apt install wireguard
If you have another Linux distribution, you can check the official WireGuard website here for more information on installing it.
If you’re new to the Linux command line, this article will give you the most important Linux commands to know, plus a free downloadable cheat sheet to keep handy.
Generating the Public and Private keys
After you have installed WireGuard, the next step is to generate the public and private keys for the server.
First, to generate a private key, you will need to run the following command:
wg genkey | sudo tee /etc/wireguard/private.key > private.txt
This will generate the private key and also save a copy in a TXT file in your current directory, as you will use it in the next steps. Anyone who can read this file can impersonate the server, so restrict its permissions (for example with chmod 600) and delete the copy once the configuration is done.
In the same way, you can derive the public key from it:
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key > public.txt
Once you have both, you can proceed with the next steps.
Choosing the VPN Server Network
Before configuring the WireGuard network, we need to take into account the characteristics of the network you are going to use (the network address range, the prefix, and the IP address).
First of all, we must consider which IP we can use for the VPN. At a networking level, it can be complicated, but for practicality, the advanced details will be omitted or summarized. Returning to the topic, keep in mind this list with the following IP addresses:
- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255
You can find more information about private networks in this official Cisco article.
From this list, we can choose a network IP address from the above mentioned ranges. You must take into account the following characteristics of a network:
- Network Address: This will allow us to choose the network we are going to use, and must be in the range of private addresses.
- Prefix: The prefix indicates how many devices the network can have.
- Port: This will let us know which port to use, which is important because we will know which rule to add to the firewall.
In my case, I will choose the IP 10.8.0.1 with the prefix /24, which allows up to 255 clients to be connected simultaneously.
Note: The most common prefix is /24, but if you want to prepare something specific, I recommend you use an IP calculator. They are useful and simple tools to make the calculations. Here you have one, for example (It also includes a list of all prefixes).
Setting up the Configuration File
With the network you are going to configure in mind, we can now move on to the WireGuard configuration. We can edit the configuration file found in /etc/wireguard/wg0.conf:
sudo nano /etc/wireguard/wg0.conf
The first time you open the file, you will find it empty, so you will have to fill it. You can use the following mockup as an example to be able to make your configuration:
[Interface]
PrivateKey = PRIVATE_KEY
Address = IP_ADDRESS/PREFIX
ListenPort = PORT
SaveConfig = true
- PrivateKey: Here you must put the server’s private key.
- Address: This section has your chosen network address and the prefix.
- ListenPort: Here you can indicate which port you want the clients to connect to.
- SaveConfig: Set it to true or false. With true, the running configuration (including any peers added at runtime) is written back to this file when the network interface is brought down.
In my case, the configuration of my server will look like this, using the generated keys, the network address and the port chosen above:
Starting the VPN Server
After all the configuration is done, it is time to start the WireGuard service. You can do it using the following command:
sudo systemctl start wg-quick@wg0.service
To stop the service, you can also do it like this:
sudo systemctl stop wg-quick@wg0.service
There are other commands such as starting an interface or stopping it that are useful to keep in mind:
Turning off the network interface: sudo wg-quick down wg0
Turning on the network interface: sudo wg-quick up wg0
After doing everything, you can check the status of your current connection using:
Client Side: Installation & Connecting into the Server
Now that the server setup is complete, we can begin installing WireGuard on the clients and testing remote access.
Installing WireGuard
Linux
Like we did previously, you must install WireGuard and generate the public and private keys with the same procedure, i.e. by doing the following:
sudo apt install wireguard
wg genkey | sudo tee /etc/wireguard/private.key > private.txt
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key > public.txt
After generating the public and private keys as before, keep them at hand: you will use them in the next steps.
Windows
On Windows, the installation is simple and straightforward.
You can download the installer from the official site here and just hit next until the installation is complete.
Connecting into the VPN Server
Linux (GUI)
In most Linux distributions, you will have integrated the “NetworkManager” component into your system, which is compatible with WireGuard, so you will not have to install anything additional. If you don’t have it, you can use the CLI option in the next section.
We can identify the Network Manager panel usually in the window panel in the right corner, it is usually represented by a network icon, in the case of xUbuntu 22.04 it is like this:
When you click on the icon, you will notice several options. In our case, the one we are interested in is the Edit Connections option.
Then a window will open with the existing network types, you can click on the + symbol to create a new network, and in that window we can choose the WireGuard option.
The next step is to configure the WireGuard network by filling in the following fields:
- Connection name: You can put any name, it is simply to identify the network.
- Interface Name: Ideally you should put a short name to represent the network interface, by default, you can call it wg0.
- Private Key: Here will be the client’s private key, in other words, of your device that you have already generated previously.
The other fields can be left as default. The next step will be to add the VPN server data, you can do this using the option “Add” in the peer section.
When adding the WireGuard Server information, you have to take into consideration the following fields:
- Public Key: Here you must enter the public key address of the VPN server, the one you generated at the beginning of the article.
- Allowed IPs: This field indicates which IPs are allowed in the routes; in our case we will use 0.0.0.0/0 to allow any IP (i.e. route all traffic through the tunnel).
- Endpoint: This is the IP address of the server and the port you chose to use for the server’s VPN.
These are the most important fields to fill in, after that you need to apply the information and it will be added into the main window. After that, we will move to the IPv4 Setting section.
In the IPv4 section, we must add the IP address that we want our devices to have in the VPN. You must use the same network address that you chose in the server configuration.
It is advisable to assign a /32 netmask as it allows us to better control the IP addresses of each device by assigning a single IP for the device.
Once you have added all this, save the changes, and you can connect to the VPN from the Network Manager in the VPN Connections section.
Linux (CLI)
If you don’t have a desktop environment or network manager on your Linux client, you can follow these steps to manually configure the connection.
In the same way, as you did in the VPN server, you must also modify the WireGuard configuration (/etc/wireguard/wg0.conf) to be able to connect to the VPN Server. The process is similar, but the configuration will be different. Here is an example syntax that you can use:
[Interface]
PrivateKey = PRIVATE_KEY_CLIENT
Address = IP_ADDRESS/PREFIX
[Peer]
PublicKey = PUBLIC_KEY_SERVER
AllowedIPs = 0.0.0.0/0
Endpoint = IP_ADDRESS:LISTEN_PORT
PersistentKeepalive = 60
- PrivateKey: Here you will have to put the private key of your client.
- Address: Here you will have to put the network address that your client will have. It is best to use the /32 prefix for clients.
- PublicKey: The server’s public key will go here.
- AllowedIPs: This indicates which destination IP ranges are routed through (and accepted from) this peer; for simplicity of the tutorial you can use 0.0.0.0/0 to send all traffic through the VPN.
- Endpoint: Here will be the accessible IP of the VPN server. This is the public IP address of the server.
- PersistentKeepalive: The interval, in seconds, at which the client sends a keepalive packet to the server, so that the connection stays open through NAT or a firewall and the server knows the client is still reachable.
In our case, based on the VPN server configuration, I decided to use these two configurations:
In the case of my first client that we called “SYSADMIN”:
And for the other client called “DEV”:
After doing all the configuration, you can check the status of the client connection using:
sudo wg
Windows
In Windows, the use of WireGuard is more intuitive and uncomplicated. When you open the application, the first thing you will see is this window:
There are two options: import the configuration from a file, or create it from scratch. In our case, we are going to create it from scratch, so you will have to select the option “Add empty tunnel” inside the “Add Tunnel” drop-down button.
When you open it, you will notice this window: the PrivateKey line of the interface is created automatically, together with the matching public key. The configuration structure is the same as on Linux, so you can use the same structure as in the previous sections.
Please note that when activating the VPN, it is possible that some application connections may be interrupted during the process, especially if you activate the Block untunneled traffic (kill-switch) option.
After configuring the VPN in your Windows client, you only have to click “Activate” to make the VPN work. Now you only need to add your client on the server side to fully access the private network.
Server Side: Adding new clients to the server
Regardless of the operating system you use on your clients, the final step is to register them with the server by adding their public key and IP address to the server configuration.
Adding new clients
For each client or peer to be connected to the VPN server, it is necessary to add it to the configuration /etc/wireguard/wg0.conf in the following way:
[Peer]
PublicKey = PUBLIC_KEY_CLIENT
AllowedIPs = IP_ADDRESS
Note that the IP address must match the one you put, or are going to put, in the client configuration (use the /32 form for a single address). In this example, we will add the two clients we set up previously in the Linux CLI section.
After adding the desired clients to the configuration, start WireGuard again. You can verify that they are added using the command:
sudo wg
Finally, you should verify the connection on both sides of each client by performing simple tests such as a ping.
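As an added example (not code from the original article or from the WireGuard project), this Python script assembles the server wg0.conf described in the configuration-file section and the per-client configs from the Linux CLI section: it hands out one /32 address per client from the chosen 10.8.0.1/24 network and rejects any key that is not 32 bytes of base64. The key constants are constructed dummies, 203.0.113.10 stands in for the server's public IP, and the function names are my own.

```python
import base64
import ipaddress

# Constructed dummy keys (NOT real key material) with the same 44-character base64
# shape as `wg genkey` / `wg pubkey` output. In use, substitute the generated files.
SERVER_PRIVATE_KEY = base64.b64encode(bytes(range(0, 32))).decode()
SERVER_PUBLIC_KEY = base64.b64encode(bytes(range(32, 64))).decode()
DEV_PRIVATE_KEY = base64.b64encode(bytes(range(64, 96))).decode()
CLIENT_PUBLIC_KEYS = {  # name -> public key, in the order addresses are handed out
    "SYSADMIN": base64.b64encode(bytes(range(96, 128))).decode(),
    "DEV": base64.b64encode(bytes(range(128, 160))).decode(),
}


def check_key(key: str) -> str:
    """A WireGuard key is 32 bytes of Curve25519 material, base64-encoded."""
    raw = base64.b64decode(key, validate=True)
    if len(raw) != 32:
        raise ValueError(f"expected a 32-byte key, got {len(raw)} bytes")
    return key


def plan_addresses(server_cidr: str, names) -> dict:
    """Give each client the next free host address after the server (10.8.0.2, .3, ...)."""
    iface = ipaddress.ip_interface(server_cidr)
    free = (h for h in iface.network.hosts() if h != iface.ip)
    return {name: str(next(free)) for name in names}


def server_config(server_cidr: str, port: int, peers: dict) -> str:
    """Server wg0.conf: one [Peer] per client, AllowedIPs pinned to that client's /32."""
    addrs = plan_addresses(server_cidr, peers)
    lines = ["[Interface]",
             f"PrivateKey = {check_key(SERVER_PRIVATE_KEY)}",
             f"Address = {server_cidr}",
             f"ListenPort = {port}",
             "SaveConfig = false"]
    for name, pubkey in peers.items():
        lines += ["", f"# {name}", "[Peer]",
                  f"PublicKey = {check_key(pubkey)}",
                  f"AllowedIPs = {addrs[name]}/32"]
    return "\n".join(lines) + "\n"


def client_config(name: str, private_key: str, server_cidr: str,
                  endpoint: str, port: int, peers: dict) -> str:
    """Client wg0.conf: its /32 address, and all traffic (0.0.0.0/0) routed via the server."""
    addr = plan_addresses(server_cidr, peers)[name]
    return "\n".join(["[Interface]",
                      f"PrivateKey = {check_key(private_key)}",
                      f"Address = {addr}/32",
                      "",
                      "[Peer]",
                      f"PublicKey = {check_key(SERVER_PUBLIC_KEY)}",
                      "AllowedIPs = 0.0.0.0/0",
                      f"Endpoint = {endpoint}:{port}",  # public IP (or DNS name) of the server
                      "PersistentKeepalive = 60"]) + "\n"


if __name__ == "__main__":
    print(server_config("10.8.0.1/24", 51820, CLIENT_PUBLIC_KEYS))
    # 203.0.113.10 is a documentation address standing in for the server's public IP
    print(client_config("DEV", DEV_PRIVATE_KEY, "10.8.0.1/24", "203.0.113.10", 51820, CLIENT_PUBLIC_KEYS))
```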
Related Questions
How can I add/remove clients manually in my WireGuard VPN Server?
Normally, clients are usually added in the WireGuard server configuration, but in some cases where the clients are totally variable and constantly changing, it is necessary to add and remove them manually.
To add one, you can use this command inside the VPN server:
sudo wg set wg0 peer <PUBLIC_KEY> allowed-ips <CLIENT_IP>
Note that when you restart the service or shut down the interface, the clients you added manually are saved into the server’s configuration file (this is what SaveConfig = true does), so to delete one or make any other change permanent you will need to edit the entry in your /etc/wireguard/wg0.conf file.
What’s the difference between WireGuard and other VPNs?
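As an added example, not from the original article, the following Python helpers parse the server’s wg0.conf, add or remove a [Peer] entry without touching the rest of the file, and produce the matching wg set line (including the remove form) to apply the same change to the running interface. The sample config and placeholder keys are constructed, and the function names are assumptions.

```python
# Constructed sample wg0.conf with placeholder keys (not real ones), server-side shape.
SAMPLE_CONF = """[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.1/24
ListenPort = 51820
[Peer]
PublicKey = SYSADMIN_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = DEV_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.3/32
"""

def parse_conf(text: str) -> list:
    """[(section, {key: value}), ...] in file order; repeated keys (several
    AllowedIPs lines) are joined with commas, which is how wg reads them."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            kv = sections[-1][1]
            kv[key] = f"{kv[key]}, {value}" if key in kv else value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections

def render(sections: list) -> str:
    """Write the sections back out in the same INI-style layout."""
    blocks = ["\n".join([f"[{name}]"] + [f"{k} = {v}" for k, v in kv.items()])
              for name, kv in sections]
    return "\n\n".join(blocks) + "\n"

def peer_keys(text: str) -> list:
    return [kv["PublicKey"] for name, kv in parse_conf(text) if name == "Peer"]

def add_peer(text: str, public_key: str, client_ip: str) -> str:
    """Append a [Peer]; refuse a duplicate key or an address already handed out."""
    sections = parse_conf(text)
    for name, kv in sections:
        taken = [a.strip() for a in kv.get("AllowedIPs", "").split(",")]
        if name == "Peer" and kv.get("PublicKey") == public_key:
            raise ValueError("peer already present")
        if name == "Peer" and f"{client_ip}/32" in taken:
            raise ValueError(f"{client_ip} already assigned to another peer")
    sections.append(("Peer", {"PublicKey": public_key, "AllowedIPs": f"{client_ip}/32"}))
    return render(sections)

def remove_peer(text: str, public_key: str) -> str:
    """Drop the [Peer] whose PublicKey matches; error if there is none."""
    sections = parse_conf(text)
    kept = [s for s in sections if not (s[0] == "Peer" and s[1].get("PublicKey") == public_key)]
    if len(kept) == len(sections):
        raise KeyError(public_key)
    return render(kept)

def runtime_command(action: str, public_key: str, client_ip: str = "") -> str:
    """Matching `wg set` line, so the running interface changes without a restart."""
    if action == "add":
        return f"wg set wg0 peer {public_key} allowed-ips {client_ip}/32"
    return f"wg set wg0 peer {public_key} remove"
```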
One of the biggest features that sets WireGuard apart from other VPNs is its speed. WireGuard offers much faster speeds than its main alternatives, such as OpenVPN. It also offers faster and easier connectivity for clients connecting to the server.
WireGuard’s structure is made with minimalist code, which could be considered another advantage, as it allows for simplified troubleshooting when encountering bugs.
But just as there are distinct features that are considered advantages, there are also disadvantages, since WireGuard does not offer obfuscation and its setup can be more complicated compared to other VPNs that come ready-made.
You can also check Tailscale, a zero-configuration mesh VPN service that helps access a remote network.
What are the main benefits of using WireGuard in home or office networks?
Using a VPN in your home or work office can be beneficial in case you need the privacy of using your private network remotely in another location. Because of the encryption offered by WireGuard, the data is protected during transmission.
On the other hand, in some work or home environments, some applications may be configured to accept LAN or local connections, and in those cases, using WireGuard makes it easier to connect even if you are remote.