How To Set Up WireGuard on Ubuntu 20.04

Install WireGuard

sudo apt update
sudo apt install wireguard

Now that you have WireGuard installed, the next step is to generate a private and public keypair for the server.

Use the following umask command to ensure new directories and files (in your current terminal session only) get created with limited read and write permissions:

umask 077

Now you can proceed and create the private key for WireGuard using the following command:

wg genkey | sudo tee /etc/wireguard/private.key

The next step is to create the corresponding public key, which is derived from the private key. Use the following command to create the public key file:

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

When you run the command you will again receive a single line of base64 encoded output, which is the public key for your WireGuard Server. Copy it somewhere for reference, since you will need to distribute the public key to any peer that connects to the server.

Choosing an IPv4 Range

You can choose any range of IP addresses from the following reserved blocks of addresses:

10.0.0.0 to 10.255.255.255 (10/8 prefix)
172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
192.168.0.0 to 192.168.255.255 (192.168/16 prefix)

For the purposes of this tutorial we’ll use 10.8.0.0/24 as a block of IP addresses from the first range of reserved IPs.

Creating a WireGuard Server Configuration

Once you have the required private key and IP address(es), create a new configuration file using nano or your preferred editor by running the following command:

sudo nano /etc/wireguard/wg0.conf

Add the following lines to the file, substituting your private key in place of the base64_encoded_private_key_goes_here value, and the IP address(es) on the Address line. You can also change the ListenPort line if you would like WireGuard to be available on a different port:

[Interface]
PrivateKey = base64_encoded_private_key_goes_here
Address = 10.8.0.1/24, fd0d:86fa:c3bc::1/64
ListenPort = 51820
SaveConfig = true
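The umask 077 step only applies to the terminal session it was run in, and wg0.conf holds the private key as well, so it is worth confirming the resulting file modes. The following check is an added example, not part of the original tutorial; the function name check_wg_perms is an assumption and it relies on GNU stat as shipped on Ubuntu:

```shell
#!/bin/sh
# Added example: report WireGuard files that group or others can access.
# check_wg_perms is a hypothetical helper name; the directory argument
# defaults to the tutorial's /etc/wireguard. Requires GNU stat (Ubuntu).
check_wg_perms() {
    dir="${1:-/etc/wireguard}"
    bad=0
    for f in "$dir"/*.key "$dir"/*.conf; do
        [ -e "$f" ] || continue             # glob matched nothing
        case "$f" in
            */public.key) continue ;;       # public keys are not secret
        esac
        mode=$(stat -c '%a' "$f")           # octal mode, e.g. 600
        # Any bit set in the group/other positions (mask 077) is a finding.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "too permissive: $f (mode $mode)"
            bad=1
        fi
    done
    return "$bad"
}

# Usage (as root, since the files are root-owned):
#   check_wg_perms && echo "key material is owner-only"
# Fix a finding with: chmod 600 <file>
```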

Starting the WireGuard Server

sudo systemctl enable wg-quick@wg0.service

Now start the service:

sudo systemctl start wg-quick@wg0.service

Double check that the WireGuard service is active with the following command. You should see active (running) in the output:

sudo systemctl status wg-quick@wg0.service

Configuring a WireGuard Peer

You can add as many peers as you like to your VPN by generating a key pair and configuration using the following steps. If you add multiple peers to the VPN be sure to keep track of their private IP addresses to prevent collisions.

To configure the WireGuard Peer, ensure that you have the WireGuard package installed using the following apt commands. On the WireGuard peer run:

sudo apt update
sudo apt install wireguard

Creating the WireGuard Peer’s Key Pair

umask 077

Create the private key for the peer using the following command:

wg genkey | sudo tee /etc/wireguard/private.key

Next use the following command to create the public key file:

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

Copy it somewhere for reference, since you will need to distribute the public key to the WireGuard Server in order to establish an encrypted connection.

Creating the WireGuard Peer’s Configuration File

sudo nano /etc/wireguard/wg0.conf

[Interface]
PrivateKey = base64_encoded_peer_private_key_goes_here
Address = 10.8.0.2/24

[Peer]
PublicKey = base64_encoded_server_public_key_goes_here
AllowedIPs = 10.8.0.0/24
Endpoint = 159.65.164.142:51820

Adding the Peer’s Public Key to the WireGuard Server

Ensure that you have a copy of the base64 encoded public key for the WireGuard Peer by running:

sudo cat /etc/wireguard/public.key
7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI=

Now log into the WireGuard server, and run the following command:

sudo wg set wg0 peer 7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI= allowed-ips 10.8.0.2

If you would like to update the allowed-ips for an existing peer, you can run the same command again, but change the IP addresses. Multiple IP addresses are supported. For example, to change the WireGuard Peer that you just added to add an IP like 10.8.0.100 to the existing 10.8.0.2, you would run the following:

sudo wg set wg0 peer 7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI= allowed-ips 10.8.0.2,10.8.0.100

Once you have run the command to add the peer, check the status of the tunnel on the server using the wg command:

sudo wg
interface: wg0
public key: 2KOvl8HbUz1rxTJ/l46o/Yz4G34Q6rfFsmvOROu9HAY=
private key: (hidden)
listening port: 51820

peer: 7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI=
endpoint: 70.112.179.47:49999
allowed ips: 10.8.0.2/32
latest handshake: 10 minutes, 58 seconds ago
transfer: 20.80 KiB received, 25.17 KiB sent
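
To keep track of peer addresses as advised above, the server's own peer list can serve as the record. WireGuard keeps each allowed IP on one peer only, so reusing an address in wg set takes it away from the peer that had it. The helpers below are an added example, not part of the original tutorial; the function names and the constructed sample listing are assumptions, and only single-address (/32) entries in the tutorial's 10.8.0.0/24 range are handled:

```shell
#!/bin/sh
# Added example: track tunnel addresses from `wg show wg0 allowed-ips`, which
# prints one line per peer: <public key><TAB><allowed-ip> [<allowed-ip> ...]
# Function names and the 10.8.0 default prefix are assumptions.

# Print the public key of the peer that already holds $1 (as a /32).
# Exit status 1 means the address is free.
ip_owner() {
    awk -v want="$1/32" '
        { for (i = 2; i <= NF; i++) if ($i == want) { print $1; found = 1 } }
        END { exit found ? 0 : 1 }'
}

# Print the first unassigned host address in PREFIX.0/24 (default 10.8.0),
# skipping .1, which the tutorial gives to the server. Status 1 if full.
next_free_ip() {
    awk -v prefix="${1:-10.8.0}" '
        { for (i = 2; i <= NF; i++) {
              split($i, a, "/")               # a[1] = address, a[2] = mask
              used[a[1]] = 1
          } }
        END {
            for (h = 2; h <= 254; h++)
                if (!((prefix "." h) in used)) { print prefix "." h; exit 0 }
            exit 1
        }'
}

# Constructed sample listing: the first key is the tutorial's peer,
# the second is a placeholder, not a real key.
sample_listing() {
    printf '%s\t%s\n' \
        '7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI=' '10.8.0.2/32 10.8.0.100/32' \
        'PLACEHOLDER_SECOND_PEER_PUBLIC_KEY=' '10.8.0.3/32'
}

# Usage on the server, before adding a peer:
#   sudo wg show wg0 allowed-ips | next_free_ip
#   sudo wg show wg0 allowed-ips | ip_owner 10.8.0.2
```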

Connecting the WireGuard Peer to the Tunnel

To start the tunnel, run the following on the WireGuard Peer:

sudo wg-quick up wg0

You will receive output like the following:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0

You can check the status of the tunnel on the peer using the wg command:

sudo wg

You can also check the status on the server again, and you will receive similar output.

Verify that your peer is using the VPN by using the ip route command.

ip route get 10.8.0.1
10.8.0.1 via 167.99.48.1 dev eth0 src 167.99.62.37 uid 0
cache

If your peer has a browser installed, you can also visit ipleak.net and ipv6-test.com to confirm that your peer is routing its traffic over the VPN.

Once you are ready to disconnect from the VPN on the peer, use the wg-quick command:

sudo wg-quick down wg0

Re:
https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
https://www.wireguard.com/install/
https://linuxize.com/post/how-to-set-up-wireguard-vpn-on-debian-10/