How To Install Wireguard VPN on Ubuntu 22.04 LTS
In this tutorial, we will show you how to install Wireguard VPN on Ubuntu 22.04 LTS. For those of you who didn’t know, WireGuard is a free and open-source virtual private network (VPN) software that uses state-of-the-art cryptography to secure and encrypt internet connections. It is designed to be simple, fast, and easy to use, and it has a small codebase that is easy to review and audit.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account; if not, you may need to add ‘sudo’ to the commands to get root privileges. I will show you the step-by-step installation of the Wireguard on Ubuntu 22.04 (Jammy Jellyfish). You can follow the same instructions for Ubuntu 22.04 and any other Debian-based distribution like Linux Mint, Elementary OS, Pop!_OS, and more as well.
Prerequisites
- A server running one of the following operating systems: Ubuntu 22.04, 20.04, and any other Debian-based distribution like Linux Mint.
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- SSH access to the server (or just open Terminal if you’re on a desktop).
- A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.
Install Wireguard VPN on Ubuntu 22.04 LTS Jammy Jellyfish
Step 1. First, make sure that all your system packages are up-to-date by running the following apt commands in the terminal.
sudo apt update
sudo apt upgrade
Step 2. Installing Wireguard on Ubuntu 22.04.
By default, Wireguard is available in the Ubuntu 22.04 base repository. Run the following command to install the latest version of Wireguard on your Ubuntu system:
sudo apt install wireguard
Next, generate a private and public keypair for the server:
wg genkey | sudo tee /etc/wireguard/private.key
Then, remove the group and other permissions to protect the private key:
sudo chmod go= /etc/wireguard/private.key
After that, generate the corresponding public key derived from the private key:
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
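The commands above create private.key first and tighten its mode afterwards. As an added example (not part of the original tutorial), the sketch below creates the key under a restrictive umask so it is never group- or world-readable, and checks the result; the function names write_private_key and key_mode_ok are hypothetical helpers, not WireGuard tooling.

```shell
#!/bin/sh
# Added example: the function names are hypothetical, not WireGuard tooling.

# write_private_key FILE [GENERATOR ARGS...]
# Runs the generator (default: wg genkey) in a subshell with umask 077, so the
# key file is created with mode 600 and is never readable by group or others,
# not even for the moment between creation and a later chmod.
write_private_key() {
    keyfile=$1
    shift
    [ "$#" -gt 0 ] || set -- wg genkey
    # An existing file keeps its old mode when truncated, so never reuse one.
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing $keyfile" >&2
        return 1
    fi
    ( umask 077 && "$@" > "$keyfile" )
}

# key_mode_ok FILE
# Succeeds only when no group/other permission bits are set, which is the
# state that "chmod go=" produces.
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$1 has mode $mode; group/other bits must be clear" >&2
        return 1
    fi
}
```

On the server these functions need to run as root (for example inside a root shell) with FILE set to /etc/wireguard/private.key; the public key is then derived exactly as shown above.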
Step 3. Configure IPv4 and IPv6 Addresses.
After installing WireGuard and generating the key pair that will be used to encrypt traffic to and from the server, we can proceed to the next step, which is configuring the IPv4 and IPv6 addresses that will be used for communication between the server and the peers that connect to it:
- Choosing an IPv4 Range
10.0.0.0 to 10.255.255.255 (10/8 prefix)
172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
- Choosing an IPv6 Range
If you want to use WireGuard with IPv6, you will have to generate a unique IPv6 prefix based on the RFC algorithm.
date +%s%N
It will generate an output similar to the following, which is the time elapsed since the Unix Epoch (00:00 UTC 1 January 1970), given as seconds followed by nanoseconds.
1659342559092041940
Next, copy the machine id for your server, as this value is unique for every server. Run the below command to get the machine-id:
cat /var/lib/dbus/machine-id
Output:
e46e195db6584d63aeedg0detzc83c7f
Next, combine the timestamp with the machine-id and hash the string using the SHA-1 algorithm:
printf <timestamp><machine-id> | sha1sum
Replace the <timestamp> and the <machine-id> values in the above command with the values from before:
printf e469342559092041940d97e46e195db6584d63aeedg0detzc83c7f | sha1sum
Output:
d789c02d9d8faef806d40ec15b307d4d9c8ec4bc -
Then, run the following command to trim the printf output in accordance with the RFC algorithm:
printf d789c02d9d8faef806d40ec15b307d4d9c8ec4bc | cut -c 31-
Output:
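4d9c8ec4bc
Prefixed with fd, these ten characters give the unique local IPv6 prefix fd4d:9c8e:c4bc::/64 that is used in the server configuration below.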
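The steps above follow the RFC 4193 approach to generating a unique local prefix. As an added example (not part of the original tutorial), this script runs the whole procedure in one go and formats the result as a /64 prefix; the function names hash_to_prefix and make_prefix are hypothetical.

```shell
#!/bin/sh
# Added example: derive the WireGuard IPv6 prefix from a timestamp and the
# machine-id, following the tutorial's steps. Function names are hypothetical.

# hash_to_prefix SHA1HEX  ->  prints fdXX:XXXX:XXXX::/64
# Keeps the last 40 bits (10 hex characters) of the digest, as "cut -c 31-"
# does above, and prepends fd, the marker for locally assigned unique local
# addresses.
hash_to_prefix() {
    digest=$1
    # Accept only a 40-character hexadecimal SHA-1 digest.
    case "$digest" in
        *[!0-9a-fA-F]*) echo "not a hex digest: $digest" >&2; return 1 ;;
    esac
    if [ "${#digest}" -ne 40 ]; then
        echo "expected 40 hex characters, got ${#digest}" >&2
        return 1
    fi
    gid=$(printf '%s' "$digest" | cut -c 31- | tr 'A-F' 'a-f')
    g1=$(printf '%s' "$gid" | cut -c 1-2)
    g2=$(printf '%s' "$gid" | cut -c 3-6)
    g3=$(printf '%s' "$gid" | cut -c 7-10)
    printf 'fd%s:%s:%s::/64\n' "$g1" "$g2" "$g3"
}

# make_prefix [TIMESTAMP] [MACHINE_ID]
# Without arguments, reads the live values with the same commands the
# tutorial uses; arguments allow a reproducible run.
make_prefix() {
    ts=${1:-$(date +%s%N)}
    mid=${2:-$(cat /var/lib/dbus/machine-id)}
    digest=$(printf '%s%s' "$ts" "$mid" | sha1sum | cut -d ' ' -f 1)
    hash_to_prefix "$digest"
}
```

Source the file and call make_prefix with no arguments on the server; the printed prefix is the one to use in the Address lines of wg0.conf.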
Step 4. Configure Wireguard.
You can configure WireGuard by editing the /etc/wireguard/wg0.conf file and running the wg-quick command to bring up the VPN connection.
Create a new configuration file using the nano text editor:
sudo nano /etc/wireguard/wg0.conf
Now paste the following lines in the file while putting in your respective private key and IP address values:
[Interface]
PrivateKey = server_private_key
Address = 10.8.0.1/24, fd4d:9c8e:c4bc::/64
ListenPort = 51820
SaveConfig = true
Step 5. Configure Wireguard Network.
Now we configure IP forwarding. Open the file /etc/sysctl.conf for editing:
sudo nano /etc/sysctl.conf
Uncomment the following lines by removing the # sign:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
Now to confirm that the changes have been made you can execute the below command which will read the file and load new values for the current terminal session:
sudo sysctl -p
Output:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
Step 6. Configure Wireguard Firewall.
In this step you will edit the WireGuard server’s configuration to add firewall rules that ensure traffic to and from the server and clients is routed correctly. First, find the server’s public network interface, which is the device named in the default route:
ip route list default
Output:
default via 172.22.33.21 dev eth0
Next, we add the Firewall rules to the server by editing the WireGuard configuration file:
sudo nano /etc/wireguard/wg0.conf
Add the following lines at the bottom of this file:
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Save and close the file, then check the status of the firewall:
sudo ufw status
Now open the WireGuard port, and if you opened the SSH port when following the prerequisite tutorial, add it here too:
sudo ufw allow 51820/udp
sudo ufw allow OpenSSH
Step 7. Starting the WireGuard Server.
Wireguard can be configured to run as a service using the wg-quick script. Enable the Wireguard service:
sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service
Step 8. Installing and Configuring a Wireguard Peer.
First, we need to install WireGuard on the client machine by executing the below lines:
sudo apt update
sudo apt install wireguard
Next, you’ll need to generate the key pair on the peer using the same steps you used on the server:
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
Now execute the below command to generate a public key:
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
After that, create the Peer configuration file:
sudo nano /etc/wireguard/wg0.conf
Paste the following lines:
[Interface]
PrivateKey = private_key of peer
Address = 10.8.0.3/24
Address = fd4d:9c8e:c4bc::3/64
[Peer]
PublicKey = JySX9hMJFyAqZA+mNvJsArKW7yY8I7ROsQKTZZR/RH8=
AllowedIPs = 10.8.0.0/24, fd4d:9c8e:c4bc::/64
Endpoint = 209.23.10.202:51820
Next, add the public key of the Peer to the server:
sudo cat /etc/wireguard/public.key
Output:
5EyjWrD3EuPputqrX0+B5Kepeoe46uJ1RGEI1w2+VM=
Now log in to the server and execute the below command, using the peer’s public key and the peer’s tunnel addresses:
sudo wg set wg0 peer PeURxj4Q75RaVhBKkRTpNsBPiPSGb5oQijgJsTa29hg= allowed-ips 10.8.0.3,fd4d:9c8e:c4bc::3
Run the below command to check the status of the tunnel:
sudo wg
Step 9. Connecting the Peer to the Tunnel.
Run the below command to start the tunnel on the peer:
sudo wg-quick up wg0
You will receive a similar output:
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.3/24 dev wg0
[#] ip -6 address add fd4d:9c8e:c4bc::3/64 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
You can run the below command to confirm the status of the tunnel on the peer:
sudo wg
Congratulations! You have successfully installed Wireguard. Thanks for using this tutorial for installing Wireguard VPN on Ubuntu 22.04 LTS Jammy Jellyfish system. For additional help or useful information, we recommend you check the official Wireguard website.