Today we will learn how to configure WireGuard VPN on Ubuntu 20.04. WireGuard® is an extremely simple yet fast and modern VPN that uses state-of-the-art cryptography. It aims to be faster and simpler, and considerably more performant than OpenVPN. Initially released for the Linux kernel, WireGuard VPN is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable.
Key Features
- Easy to use: A VPN connection is made with a simple key exchange.
- Trusted cryptography: It uses state-of-the-art cryptography such as Curve25519, HKDF, or BLAKE2.
- Performance: Suitable for both low and high configuration devices.
- Quick deployment: Can be set up quickly, with very few commands.
Server Settings for WireGuard VPN
Let’s deploy WireGuard VPN on Ubuntu 20.04 LTS. A client machine (Ubuntu 20.04) is required as well.
Update server.
# apt-get update
Install package.
# apt-get install wireguard
Check whether IP forwarding is enabled.
# nano /etc/sysctl.conf
WireGuard works on port 51820; allow it.
# ufw allow 51820/udp
Rules updated
Rules updated (v6)
Both the client and the server need to generate their own private and public keys. Let’s do that for the server first.
# cd /etc/wireguard/
Restrict the permissions of newly created files.
# umask 077
Generate private and public keys.
# wg genkey | tee privatekey | wg pubkey > publickey
Check that the keys were generated.
Create the WireGuard configuration file in /etc/wireguard.
# touch wg0.conf
Edit wg0.conf.
# nano wg0.conf
You can copy the configuration file from here:
[Interface]
PrivateKey = CA1l0/AkJRoE9HXkjOECJySGD+8D14nwwoRO3HVVCls=
Address = 192.168.1.239/24
SaveConfig=true
PostUp=iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown=iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
Where,
PrivateKey = Copy the private key.
Address = Server IP address.
PostUp/PostDown = Copy the iptables rules from here.
ListenPort = WireGuard VPN default port.
Bring the network interface up for WireGuard
# wg-quick up wg0
Command output:
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.1.0/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Check WireGuard service status
# wg
Client Settings for WireGuard VPN
Let’s log in to the client. Here we have another Ubuntu machine. Install the WireGuard VPN client with the apt-get install wireguard command, as we did for the server.
Generate keys
# wg genkey | tee privatekey | wg pubkey > publickey
Create and edit the wg0.conf file for the client, where:
[Interface]
PrivateKey = The key generated for the client.
ListenPort = The default port for WireGuard VPN.
Address = IP address of that client machine.
[Peer]
PublicKey = Copy the public key from the server.
Endpoint = IP address of the server.
AllowedIPs = Allow all traffic via the WireGuard VPN.
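The client wg0.conf described above, written out by a small shell helper and checked before the interface is brought up. This is an added example, not part of the original article: the function names write_client_conf and check_conf and every key and address are constructed placeholders, 0.0.0.0/0 is the AllowedIPs value that routes all IPv4 traffic through the tunnel, and GNU stat (as on Ubuntu) is assumed.

```shell
# Added example (not from the original article). Assumes GNU stat, as on Ubuntu.
# Keys and addresses used in the demo at the bottom are constructed placeholders.

# write_client_conf DIR CLIENT_PRIVATE_KEY CLIENT_ADDRESS SERVER_PUBLIC_KEY SERVER_IP
write_client_conf() {
    (
        umask 077                      # new files are created owner-only
        cat > "$1/wg0.conf" <<EOF
[Interface]
PrivateKey = $2
Address = $3
ListenPort = 51820

[Peer]
PublicKey = $4
Endpoint = $5:51820
AllowedIPs = 0.0.0.0/0
EOF
        chmod 600 "$1/wg0.conf"        # umask does not tighten an existing file
    )
}

# check_conf FILE: print one line per problem; exit status = number of problems
check_conf() {
    local f="$1" problems=0 mode field bad
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "mode $mode exposes the private key to other users"
           problems=$((problems + 1)) ;;
    esac
    for field in PrivateKey Address PublicKey Endpoint AllowedIPs; do
        grep -Eq "^${field}[[:space:]]*=" "$f" ||
            { echo "missing $field"; problems=$((problems + 1)); }
    done
    # A WireGuard key is 32 bytes in base64: 43 characters followed by '='
    bad=$(grep -E '^(PrivateKey|PublicKey)[[:space:]]*=' "$f" |
          grep -Evc '=[[:space:]]*[A-Za-z0-9+/]{43}=[[:space:]]*$' || true)
    [ "$bad" -eq 0 ] || { echo "$bad malformed key line(s)"; problems=$((problems + 1)); }
    return "$problems"
}

# Demo in a temporary directory with a constructed key (43 x 'A' plus '=')
demo_dir=$(mktemp -d)
demo_key="$(printf '%043d' 0 | tr 0 A)="
write_client_conf "$demo_dir" "$demo_key" 10.0.0.2/24 "$demo_key" 203.0.113.10
check_conf "$demo_dir/wg0.conf" && echo "wg0.conf OK"
```

On a real client, pass /etc/wireguard as the directory, the contents of the client's privatekey file, and the server's publickey.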
Bring WireGuard up
# wg-quick up wg0
Check services
# wg
Add the client to the server: copy the client key and add it to the server's wg configuration by running the following command with the copied key pasted in.
# wg set wg0 peer 21aCR8N0sUDuqUlVVm/Y7r5OKVV8FT9cZZr0YcEagUg= allowed-ips 192.168.1.0/24
You can add as many clients as required by adding the public keys and IP addresses of the clients.
Stop and start the wg interface again, then check whether the conf file was updated. Yes, we can see the changes.
# wg-quick down wg0 && wg-quick up wg0
Your WireGuard VPN is now set to go. Although WireGuard is getting more popular day by day, many changes are still going on. WireGuard should be avoided for any critical live environment.