Install and Configure WireGuard VPN on Ubuntu 24.04
WireGuard is an open-source virtual private network (VPN) that applies advanced modern cryptography to safeguard communication between servers and clients. It is lightweight, efficient, and has a minimal codebase focusing on essential features, providing superior performance and security compared to other VPNs such as OpenVPN.
This guide details how to install and configure WireGuard VPN on Ubuntu 24.04 to create secure, encrypted network tunnels.
Prerequisites
- Deploy an Ubuntu 24.04 server to use as the WireGuard VPN host.
- Access the server through SSH as a non-root user with sudo privileges.
- Update the server packages to ensure it’s current.
Install WireGuard
WireGuard is included in Ubuntu 24.04’s default APT repositories. Follow the steps below to install the latest version and configure it to launch at system startup.
Install WireGuard
$ sudo apt install wireguard -y
Check Installed Version
$ sudo wg --version
Your output should resemble:
wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/
Configure WireGuard
WireGuard uses Cryptokey Routing: each peer's public key is tied to the tunnel IP addresses that peer is allowed to use, and a tunnel is established only between peers that hold each other's public keys. A valid setup includes both a private and public key linked to the network interface. Follow these steps to configure your WireGuard interface and create the necessary key pairs.
Generate the Private Key
$ sudo wg genkey | sudo tee /etc/wireguard/server_private.key
Example output (tee also prints the private key to the terminal):
UOO//MO2GCC+5hHOz91YCP60/Zv/cnSskEH2j4eRPXo=
Adjust File Permissions
$ sudo chmod 600 /etc/wireguard/server_private.key
Generate the Public Key
$ sudo cat /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
Example output:
W+l7Uapd98bsNhN1g3Hs4iTCfKzcV03KNwhDPFgzqR4=
Check Network Interfaces
$ ip a
Locate the main network interface, e.g., enp1s0 with IP 192.0.2.161. WireGuard uses this interface to route and translate traffic to the Internet.
Create WireGuard Configuration File
$ sudo nano /etc/wireguard/wg0.conf
Insert the following configuration (replace keys and interface as required):
[Interface]
Address = 10.8.0.1/24
SaveConfig = true
PrivateKey = UOO//MO2GCC+5hHOz91YCP60/Zv/cnSskEH2j4eRPXo=
PostUp = ufw route allow in on wg0 out on enp1s0
PostUp = iptables -t nat -I POSTROUTING -o enp1s0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on enp1s0
PreDown = iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE
ListenPort = 51820
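This configuration assigns a private IP (10.8.0.1), enables NAT routing, defines firewall and iptables rules, and sets the WireGuard listening port. With SaveConfig = true, wg-quick writes the interface's running state back to wg0.conf when the interface is brought down, so edit the file only while wg0 is down.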
Generate Client Configurations
Each client's public key must be listed as a peer in the server's WireGuard configuration before the client can establish a connection. The steps below guide you in creating a new client setup.
Create Client Keys
$ sudo wg genkey | sudo tee /etc/wireguard/client1_private.key
$ sudo cat /etc/wireguard/client1_private.key | wg pubkey | sudo tee /etc/wireguard/client1_public.key
Create Client Configuration
$ sudo nano /etc/wireguard/client1.conf
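Insert the following content, replacing PrivateKey with the contents of client1_private.key, PublicKey with the server's public key, and Endpoint with your server's IP address and port: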
[Interface]
PrivateKey = KBUxCUqNEJqN3DBO5xu2kiBQFT8Gv46Kkqu6OIKZu3Q=
Address = 10.8.0.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = W+l7Uapd98bsNhN1g3Hs4iTCfKzcV03KNwhDPFgzqR4=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.161:51820
PersistentKeepalive = 15
This setup allows a client to connect via IP 10.8.0.2 and defines the server key, endpoint, and persistent keepalive interval (15 seconds). AllowedIPs = 0.0.0.0/0 routes all of the client's IPv4 traffic through the tunnel.
Add Client to Server Configuration
$ sudo nano /etc/wireguard/wg0.conf
Append the following section, using the contents of client1_public.key as PublicKey:
[Peer]
PublicKey = xZB9I6953ebGqWVLCR7L6yJw7YJi0shJ+Sub9gfUFVU=
AllowedIPs = 10.8.0.2/32
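Before starting the service, the server and client files can be cross-checked against each other. The script below is an added example, not part of the original guide or of WireGuard itself; the function names (parse, nets, audit) are hypothetical, and the embedded samples are constructed from this guide's wg0.conf and client1.conf. It assumes the road-warrior layout used here, where every server-side AllowedIPs entry should sit inside the tunnel subnet.

```python
import ipaddress

# Constructed samples mirroring this guide's wg0.conf and client1.conf (private keys omitted).
SERVER = """[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
[Peer]
PublicKey = xZB9I6953ebGqWVLCR7L6yJw7YJi0shJ+Sub9gfUFVU=
AllowedIPs = 10.8.0.2/32
"""
CLIENT = """[Interface]
Address = 10.8.0.2/24
[Peer]
PublicKey = W+l7Uapd98bsNhN1g3Hs4iTCfKzcV03KNwhDPFgzqR4=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.161:51820
"""

def parse(text):
    """Return [(section, {key: [values]})]; [Peer] and PostUp repeat, so configparser does not fit."""
    out = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("["):
            out.append((line.strip("[]").lower(), {}))
        elif out and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out[-1][1].setdefault(key.lower(), []).append(value)
    return out

def nets(section, key):  # all CIDRs stored under key, comma-separated lists included
    return [ipaddress.ip_network(v.strip(), strict=False)
            for item in section.get(key, []) for v in item.split(",")]

def audit(server_text, client_text):
    """Return a list of findings; an empty list means the two files agree."""
    srv, cli = parse(server_text), parse(client_text)
    s_if, c_if = (next(s for n, s in conf if n == "interface") for conf in (srv, cli))
    peers, c_peer = [s for n, s in srv if n == "peer"], next(s for n, s in cli if n == "peer")
    subnet = nets(s_if, "address")[0]
    allowed = [(i, net) for i, p in enumerate(peers) for net in nets(p, "allowedips")]
    found = [f"server peer {i}: {n} is outside {subnet}" for i, n in allowed
             if n.version != subnet.version or not n.subnet_of(subnet)]
    found += [f"{a} (peer {i}) overlaps {b} (peer {j})"
              for i, a in allowed for j, b in allowed if i < j and a.overlaps(b)]
    client_ip = ipaddress.ip_interface(c_if["address"][0].split(",")[0].strip()).ip
    if not any(client_ip in n for _, n in allowed):
        found.append(f"client address {client_ip} is not in any server AllowedIPs")
    if c_peer["endpoint"][0].rsplit(":", 1)[1] != s_if["listenport"][0]:
        found.append("client Endpoint port differs from server ListenPort")
    return found
```

The script does not verify that a PublicKey matches its PrivateKey; that needs Curve25519, which wg pubkey already provides.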
Manage the WireGuard Service
Systemd handles WireGuard processes. The wg-quick utility provides management commands for interfaces.
$ sudo systemctl start wg-quick@wg0.service
$ sudo systemctl enable wg-quick@wg0.service
$ sudo systemctl status wg-quick@wg0.service
Use this command to view the current tunnel status:
$ sudo wg show wg0
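The allowed ips that wg show lists for each peer form the Cryptokey Routing table: a routing table when sending and an access list when receiving. The toy model below is an added example, not WireGuard's own code or part of the original guide; the CryptokeyTable class is hypothetical, the two real-looking keys are this guide's example public keys, and the second client is a constructed placeholder.

```python
import ipaddress

# Public keys from this guide's examples; CLIENT2_KEY is a constructed placeholder for a second peer.
SERVER_KEY = "W+l7Uapd98bsNhN1g3Hs4iTCfKzcV03KNwhDPFgzqR4="
CLIENT1_KEY = "xZB9I6953ebGqWVLCR7L6yJw7YJi0shJ+Sub9gfUFVU="
CLIENT2_KEY = "CLIENT2-PUBLIC-KEY-PLACEHOLDER"

class CryptokeyTable:
    """Toy model of one interface's table: AllowedIPs network -> peer public key."""

    def __init__(self, peers):
        # peers maps a public key to its AllowedIPs list, as in the [Peer] sections.
        self.entries = [(ipaddress.ip_network(cidr), key)
                        for key, cidrs in peers.items() for cidr in cidrs]

    def lookup(self, addr):
        """Longest-prefix match of addr against every peer's AllowedIPs; None if no peer owns it."""
        ip = ipaddress.ip_address(addr)
        hits = [(net.prefixlen, key) for net, key in self.entries if ip in net]
        return max(hits)[1] if hits else None

    def route_outbound(self, dst):
        """Sending: the destination IP selects which peer's key encrypts the packet."""
        return self.lookup(dst)

    def accept_inbound(self, sender_key, inner_src):
        """Receiving: after decryption, the inner source IP must map back to the sender."""
        return self.lookup(inner_src) == sender_key

# Server side (wg0.conf): one /32 per client. Client side (client1.conf): everything via the server.
server = CryptokeyTable({CLIENT1_KEY: ["10.8.0.2/32"], CLIENT2_KEY: ["10.8.0.3/32"]})
client1 = CryptokeyTable({SERVER_KEY: ["0.0.0.0/0"]})

def demo():
    return {
        "server -> 10.8.0.2": server.route_outbound("10.8.0.2"),
        "server -> 10.8.0.9 (no peer)": server.route_outbound("10.8.0.9"),
        "client1 -> 198.51.100.7": client1.route_outbound("198.51.100.7"),
        "client1 sends as 10.8.0.2": server.accept_inbound(CLIENT1_KEY, "10.8.0.2"),
        "client1 sends as 10.8.0.3": server.accept_inbound(CLIENT1_KEY, "10.8.0.3"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case is why each client gets its own /32 on the server: a packet that decrypts correctly but carries another peer's source address is dropped.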
Set Up Firewall Rules
UFW is typically active by default. Configure it to allow UDP port 51820 and enable IP forwarding for proper routing.
$ sudo ufw allow 22 && sudo ufw enable
$ sudo ufw allow 51820/udp
$ sudo ufw reload
Enable IP Forwarding
$ echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
$ sudo sysctl -p
Apply NAT Rules
$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE
$ sudo iptables-save | sudo tee /etc/iptables/rules.v4
Connect Clients to WireGuard VPN
Copy your generated client configuration to the client device, connect, and test tunnel access using ping.
$ scp linuxuser@wireguard-server-ip:client1.conf .
Test Connectivity
$ ping -c 4 10.8.0.1
Expected output:
4 packets transmitted, 4 received, 0% packet loss
Conclusion
You have successfully installed and configured WireGuard VPN on an Ubuntu 24.04 server, set up client connections, and established secure tunnels. You can create additional interfaces with separate subnets for different user groups. Refer to the official WireGuard documentation for advanced configuration details.


