How to set up a WireGuard VPN server on Linux

Introduction

WireGuard is a modern, high-performance VPN protocol that is simpler to configure than OpenVPN or IPsec. This guide covers setting up a WireGuard server on Ubuntu/Debian and connecting a client.

Prerequisites

  • A Linux VPS with a public IP address
  • Root or sudo access
  • UDP port 51820 open in your firewall

Step 1: Install WireGuard

sudo apt update
sudo apt install wireguard -y

For AlmaLinux/RHEL:

sudo yum install epel-release -y
sudo yum install wireguard-tools -y

Step 2: Generate server keys

wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
chmod 600 /etc/wireguard/server_private.key

View the keys:

cat /etc/wireguard/server_private.key
cat /etc/wireguard/server_public.key

Step 3: Generate client keys

wg genkey | tee /etc/wireguard/client1_private.key | wg pubkey > /etc/wireguard/client1_public.key
chmod 600 /etc/wireguard/client1_private.key

Step 4: Configure the server

Create the server configuration file:

sudo nano /etc/wireguard/wg0.conf

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Client 1
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

Replace:

  • SERVER_PRIVATE_KEY with the content of server_private.key
  • CLIENT1_PUBLIC_KEY with the content of client1_public.key
  • eth0 with your server's main network interface name

Step 5: Enable IP forwarding

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Step 6: Start WireGuard

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Verify the interface is up:

sudo wg show

Step 7: Open the firewall port

sudo ufw allow 51820/udp

Step 8: Configure the client

Create a configuration file for the client (on the client machine or to import into the WireGuard app):

[Interface]
Address = 10.0.0.2/24
PrivateKey = CLIENT1_PRIVATE_KEY
DNS = 8.8.8.8

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Replace:

  • CLIENT1_PRIVATE_KEY with the content of client1_private.key
  • SERVER_PUBLIC_KEY with the content of server_public.key
  • YOUR_SERVER_IP with your server's public IP address

AllowedIPs = 0.0.0.0/0 routes all of the client's traffic through the VPN. To route only traffic destined for the VPN subnet, use AllowedIPs = 10.0.0.0/24.

Adding more clients

For each additional client:

  1. Generate a new key pair.
  2. Add a new [Peer] section to /etc/wireguard/wg0.conf with a unique AllowedIPs (e.g., 10.0.0.3/32).
  3. Reload the configuration without restarting the interface (the whole command must run as root, because the process substitution <(...) is otherwise executed as your unprivileged user and wg-quick strip cannot read the root-only config): sudo bash -c 'wg syncconf wg0 <(wg-quick strip wg0)'
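The three steps above, wrapped in a small shell helper. This is an added example, not part of the original guide: it assumes the guide's server config at /etc/wireguard/wg0.conf and its 10.0.0.0/24 subnet, picks the lowest unused /32 for the new peer, renders the [Peer] block and the client config, and reloads wg0 in place. next_free_ip, peer_block, client_conf and add_client are names chosen here.

```shell
#!/bin/sh
# Added helper (not from the original guide). Assumes the guide's layout:
# server config in /etc/wireguard/wg0.conf, VPN subnet 10.0.0.0/24, server
# public key in /etc/wireguard/server_public.key. add_client must run as root.
WG_CONF=${WG_CONF:-/etc/wireguard/wg0.conf}
WG_SUBNET_PREFIX=10.0.0   # first three octets of the guide's VPN subnet

# next_free_ip: read a server config on stdin, collect every /32 already
# handed out via AllowedIPs, and print the lowest free host address
# (skipping .0 = network and .1 = server), e.g. 10.0.0.3/32.
next_free_ip() {
  used=$(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*\([0-9.]*\)\/32.*/\1/p')
  i=2
  while [ "$i" -lt 255 ]; do
    candidate="$WG_SUBNET_PREFIX.$i"
    if ! printf '%s\n' "$used" | grep -qx "$candidate"; then
      printf '%s/32\n' "$candidate"
      return 0
    fi
    i=$((i + 1))
  done
  return 1   # subnet exhausted
}

# peer_block NAME PUBKEY IP32: the [Peer] section to append to the server config.
peer_block() {
  printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2" "$3"
}

# client_conf PRIVKEY IP32 SERVER_PUBKEY ENDPOINT: the matching client config,
# in the same shape as Step 8 of the guide (full-tunnel, keepalive 25s).
client_conf() {
  addr=${2%/32}/24
  printf '[Interface]\nAddress = %s\nPrivateKey = %s\nDNS = 8.8.8.8\n\n[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n' \
    "$addr" "$1" "$3" "$4"
}

# add_client NAME ENDPOINT: generate a key pair, register the peer, write the
# client config to /etc/wireguard/NAME.conf (mode 0600 via umask) and reload
# wg0 without dropping existing sessions.
add_client() {
  name=$1; endpoint=$2
  umask 077
  priv=$(wg genkey); pub=$(printf '%s' "$priv" | wg pubkey)
  ip=$(next_free_ip < "$WG_CONF") || { echo "no free address in subnet" >&2; return 1; }
  peer_block "$name" "$pub" "$ip" >> "$WG_CONF"
  client_conf "$priv" "$ip" "$(cat /etc/wireguard/server_public.key)" "$endpoint" \
    > "/etc/wireguard/$name.conf"
  # wg-quick strip drops the PostUp/PostDown lines that wg(8) itself rejects;
  # piping avoids the sudo + process-substitution pitfall from step 3.
  wg-quick strip wg0 | wg syncconf wg0 /dev/stdin
}
```

Run it as root, e.g. add_client client2 YOUR_SERVER_IP:51820, then hand /etc/wireguard/client2.conf to the client over a trusted channel and delete the server-side copy once imported.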

Useful commands

Command                                Description
sudo wg show                           Show WireGuard interface status and connected peers
sudo wg-quick up wg0                   Start the WireGuard interface
sudo wg-quick down wg0                 Stop the WireGuard interface
sudo systemctl status wg-quick@wg0     Check the service status