WireGuard is a modern VPN that uses peer-to-peer kind of connectivity to establish the connection. It is a simple and lightweight VPN compared to other VPNs e.g Ipsec. This is both in terms of configuration and how the general connectivity happens.

WireGuard was initially built for linux kernel but has soon gained popularity among other operating systems including Windows and MacOS.

This guide will highlight how to setup WireGuard VPN server and how to connect to is using WireGuard client. We shall setup WireGuard server on Ubuntu 20.04 LTS.

Setup WireGuard Server on Ubuntu 20.04

  • Update your system
sudo apt update
sudo apt upgrade -y
  • Install IPTABLES if your system doesn’t have it yet
sudo apt-get install iptables -y
  • Install Wireguard server
sudo apt-get install wireguard -y
  • Enable IP forwarding

Uncomment the net.ipv4.ip_forward=1 line in the /etc/sysctl.conf file.

$ sudo vim /etc/sysctl.conf
  • Apply changes:
sudo sysctl -p

Configure WireGuard Server

Wireguard uses the public key authentication method between the client and server. We therefore need to create a private and public key on the server.

WireGuard has a command-line tool that can be used to create the private and public keys.

sudo su -
wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey

The keys are created and stored in /etc/wireguard directory.

The next step is to create a Wireguard network interface and configure the tunnel network subnet that will be used between the client and the server.

You will need to copy the private key and use it in the network interface setup.

$ cat /etc/wireguard/privatekey

Create the network configuration:

$ sudo vim /etc/wireguard/wg0.conf

Address =
SaveConfig = true
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Replace <SERVER-PRIVATE-KEY> with the servers private key values.

Set proper permissions to the wireguard configuration files.

sudo chmod 600 /etc/wireguard/{privatekey,wg0.conf}

Next, start wireguard interface by running the command below:

sudo wg-quick up wg0

Sample output:

$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

You can check status by :

systemctl status [email protected]

See below screenshot.


Enable wireguard service to run at boot by:

sudo systemctl enable [email protected]

To check the status of the wireguard interface:

$ wg show wg0

interface: wg0
  public key: mYB9uF5D5tUgMSXrBLUaaYA3zocgYD7CB8AFthwrHlM=
  private key: (hidden)
  listening port: 51820

Setup WireGuard Client

Install Wireguard packages on the client machine:

sudo apt install wireguard -y

After successful installation, setup the public and private keys for the client server.

sudo su -
wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey

Next, create a configuration file in /etc/wireguard

sudo vim /etc/wireguard/wg0.conf

Add the following content, replacing <Client-private-Key> with the values of /etc/wireguard/privatekey of the client computer and <server-public-key> with the values of /etc/wireguard/publickey of the WireGuard Server. Also use the VPN server’s IP at the ‘Endpoint’ value.

PrivateKey = <Client-private-key>
Address =

PublicKey = <server-public-key>
Endpoint = <server-ip-address>:51820
AllowedIPs =

Alloc client connection using the following command on the server. Replace the <client-public-keys> value with the real value of the client’s public key.

sudo wg set wg0 peer <client-public-key> allowed-ips

On the client computer, bring up the VPN interface:

sudo wg-quick up wg0

You will get an output similar to:

$ sudo wg-quick up wg0

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

Your connection to the VPN server will hence be established. This means that traffic from the client computer will be routed through the VPN server. Cheers!

Other articles to check out:

Monitor Nginx Web Server using NGINX Amplify Agent

Best Books To Learn Kotlin Programming

Best Grafana and Prometheus Monitoring books


Please enter your comment!
Please enter your name here