
How To Install Wireguard VPN on Ubuntu 22.04 LTS


In this tutorial, we will show you how to install Wireguard VPN on Ubuntu 22.04 LTS. For those of you who didn’t know, WireGuard is a free and open-source virtual private network (VPN) software that uses state-of-the-art cryptography to secure and encrypt internet connections. It is designed to be simple, fast, and easy to use, and it has a small codebase that is easy to review and audit.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of the Wireguard on Ubuntu 22.04 (Jammy Jellyfish). You can follow the same instructions for Ubuntu 22.04 and any other Debian-based distribution like Linux Mint, Elementary OS, Pop!_OS, and more as well.

Prerequisites

  • A server running one of the following operating systems: Ubuntu 22.04, 20.04, and any other Debian-based distribution like Linux Mint.
  • It’s recommended that you use a fresh OS install to prevent any potential issues.
  • SSH access to the server (or just open Terminal if you’re on a desktop).
  • A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.

Install Wireguard VPN on Ubuntu 22.04 LTS Jammy Jellyfish

Step 1. First, make sure that all your system packages are up-to-date by running the following apt commands in the terminal.

sudo apt update
sudo apt upgrade

Step 2. Installing Wireguard on Ubuntu 22.04.

By default, Wireguard is available in the Ubuntu 22.04 base repository. Run the following command to install the latest version of Wireguard on your Ubuntu system:

sudo apt install wireguard

Next, generate a private and public keypair for the server:

wg genkey | sudo tee /etc/wireguard/private.key

Then, remove the group and other permissions on the file to protect the private key:

sudo chmod go= /etc/wireguard/private.key

After that, generate the corresponding public key derived from the private key:

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

Step 3. Configure IPv4 and IPv6 Addresses.

After installing WireGuard and generating the key pair that will be used to encrypt traffic to and from the server, we can proceed to the next step: configuring the IPv4 and IPv6 addresses that will be used for communication between the server and the peers that connect to it:

  • Choosing an IPv4 Range
      10.0.0.0 to 10.255.255.255 (10/8 prefix)
      172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
      192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
  • Choosing an IPv6 Range

If you want to use WireGuard with IPv6, you will have to generate a unique IPv6 prefix based on the RFC algorithm. Start by collecting a timestamp:

date +%s%N

It will generate an output similar to the following which is the number of seconds elapsed since the Unix Epoch time (00:00 UTC 1 January 1970).

1659342559092041940

Next, copy the machine id for your server as this value is unique for every server. Run the below command to get the machine-id:

cat /var/lib/dbus/machine-id

Output:

e46e195db6584d63aeedg0detzc83c7f

Next, combine the timestamp with the machine-id and hash the string using the SHA-1 algorithm:

printf <timestamp><machine-id> | sha1sum

Replace <timestamp> and <machine-id> in the above command with the values collected earlier:

printf e469342559092041940d97e46e195db6584d63aeedg0detzc83c7f | sha1sum
d789c02d9d8faef806d40ec15b307d4d9c8ec4bc  -

Then, run the following command to trim the hash in accordance with the RFC algorithm, keeping only its last 10 characters:

printf d789c02d9d8faef806d40ec15b307d4d9c8ec4bc | cut -c 31-

Output:

4d9c8ec4bc
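The ten characters above become the IPv6 prefix by putting fd in front of them and grouping the result, which is how 4d9c8ec4bc turns into fd4d:9c8e:c4bc::/64 (RFC 4193 defines this layout: the fd prefix followed by a 40-bit global ID). The script below is an added example, not part of the original tutorial; it repeats the steps above, and the function names ula_from_hash and ula_generate are hypothetical.

```shell
#!/bin/sh
# Added example: build a ULA /64 prefix from the SHA-1 digest produced above.

# ula_from_hash DIGEST
# Prints fdXX:XXXX:XXXX::/64 using the last 10 hex characters (40 bits)
# of a 40-character SHA-1 hex digest.
ula_from_hash() {
    hash=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    # Refuse anything that is not exactly 40 hexadecimal characters.
    case "$hash" in
        ''|*[!0-9a-f]*) echo "not a hex digest: $1" >&2; return 1 ;;
    esac
    [ "${#hash}" -eq 40 ] || { echo "expected 40 hex characters" >&2; return 1; }
    gid=$(printf '%s' "$hash" | cut -c 31-)      # same trim as the tutorial
    a=$(printf '%s' "$gid" | cut -c 1-2)
    b=$(printf '%s' "$gid" | cut -c 3-6)
    c=$(printf '%s' "$gid" | cut -c 7-10)
    printf 'fd%s:%s:%s::/64\n' "$a" "$b" "$c"
}

# ula_generate [MACHINE_ID_FILE]
# Hashes timestamp + machine-id as in the steps above and prints the prefix.
ula_generate() {
    idfile=${1:-/var/lib/dbus/machine-id}
    [ -r "$idfile" ] || { echo "cannot read $idfile" >&2; return 1; }
    ts=$(date +%s%N)
    mid=$(tr -d '\n' < "$idfile")
    digest=$(printf '%s%s' "$ts" "$mid" | sha1sum | cut -d ' ' -f 1)
    ula_from_hash "$digest"
}

# The digest shown in the tutorial's output.
ula_from_hash d789c02d9d8faef806d40ec15b307d4d9c8ec4bc
```

Call ula_generate with no arguments on the server to produce a fresh prefix from its own timestamp and machine-id.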

Step 4. Configure Wireguard.

You can configure WireGuard by editing the /etc/wireguard/wg0.conf file and running the wg-quick command to bring up the VPN connection.

Create a new configuration file using the nano text editor:

sudo nano /etc/wireguard/wg0.conf

Now paste the following lines in the file while putting in your respective private key and IP address values:

[Interface]
PrivateKey = server_private_key
Address = 10.8.0.1/24, fd4d:9c8e:c4bc::/64
ListenPort = 51820
SaveConfig = true

Step 5. Configure Wireguard Network.

Now we configure IP forwarding. Open the file /etc/sysctl.conf for editing:

sudo nano /etc/sysctl.conf

Uncomment the following lines by removing the # sign:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1

Now to confirm that the changes have been made you can execute the below command which will read the file and load new values for the current terminal session:

sudo sysctl -p

Output:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Step 6. Configure Wireguard Firewall.

In this step you will edit the WireGuard server’s configuration to add firewall rules that ensure traffic to and from the server and clients is routed correctly. First, list the default route to identify the server’s public network interface:

ip route list default

Output:

default via 172.22.33.21 dev eth0

Next, we add the Firewall rules to the server by editing the WireGuard configuration file:

sudo nano /etc/wireguard/wg0.conf

Add the following lines at the bottom of this file:

PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
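The rules above hard-code eth0, the interface reported by ip route list default, so they must be adjusted on a server whose default route uses a different device. The script below is an added example, not part of the original tutorial; the function names default_iface and wg_nat_rules are hypothetical. It extracts the device from the route output and emits the same six lines, rejecting interface names with unexpected characters because wg-quick runs PostUp and PreDown values as shell commands.

```shell
#!/bin/sh
# Added example: derive the PostUp/PreDown lines from the default route.

# default_iface ROUTE_OUTPUT
# Prints the word after "dev" on the first default route; fails if none.
default_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 2; i < NF; i++)
                if ($i == "dev") { print $(i + 1); found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# wg_nat_rules WG_IFACE WAN_IFACE
# Prints the firewall lines for wg0.conf after validating both names.
wg_nat_rules() {
    wg=$1
    wan=$2
    for n in "$wg" "$wan"; do
        case "$n" in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: $n" >&2; return 1 ;;
        esac
        [ "${#n}" -le 15 ] || { echo "interface name too long: $n" >&2; return 1; }
    done
    cat <<EOF
PostUp = ufw route allow in on $wg out on $wan
PostUp = iptables -t nat -I POSTROUTING -o $wan -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o $wan -j MASQUERADE
PreDown = ufw route delete allow in on $wg out on $wan
PreDown = iptables -t nat -D POSTROUTING -o $wan -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o $wan -j MASQUERADE
EOF
}

# Route line shown in the tutorial's output; on a live server pass
# "$(ip route list default)" instead.
sample='default via 172.22.33.21 dev eth0'
wan_if=$(default_iface "$sample") && wg_nat_rules wg0 "$wan_if"
```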

Save and close the file, then check the status of the firewall:

sudo ufw status

Now allow the WireGuard UDP port through the firewall, and add the SSH port here too:

sudo ufw allow 51820/udp
sudo ufw allow OpenSSH

Step 7. Starting the WireGuard Server.

Wireguard can be configured to run as a service using the wg-quick script. Enable the Wireguard service:

sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service

Step 8. Installing and Configuring a Wireguard Peer.

First, we need to install WireGuard on the client machine by executing the below lines:

sudo apt update
sudo apt install wireguard

Next, you’ll need to generate the key pair on the peer using the same steps you used on the server:

wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key

Now execute the below command to generate a public key:

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

After that, create the Peer configuration file:

sudo nano /etc/wireguard/wg0.conf

Paste the following lines:

[Interface]
PrivateKey = private_key of peer
Address = 10.8.0.3/24
Address = fdd5:a3ac:a4fd::3/64

[Peer]
PublicKey = JySX9hMJFyAqZA+mNvJsArKW7yY8I7ROsQKTZZR/RH8=
AllowedIPs = 10.8.0.0/24, fdd5:a3ac:a4fd::/64
Endpoint = 209.23.10.202:51820

Next, add the public key of the peer to the server. Start by displaying it on the peer:

sudo cat /etc/wireguard/public.key

Output:

5EyjWrD3EuPputqrX0+B5Kepeoe46uJ1RGEI1w2+VM=

Now log in to the server and execute the command below, using the peer's public key and allowed-ips values that match the addresses assigned to the peer:

sudo wg set wg0 peer PeURxj4Q75RaVhBKkRTpNsBPiPSGb5oQijgJsTa29hg= allowed-ips 10.8.0.2,fdd5:a3ac:a4fd::2

Run the below command to check the status of the tunnel:

sudo wg

Step 9. Connecting the Peer to the Tunnel.

Run the below command to start the tunnel on the peer:

sudo wg-quick up wg0

You will receive a similar output:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.3/24 dev wg0
[#] ip -6 address add fdd5:a3ac:a4fd::3/64 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x

You can run the below command to confirm the status of the tunnel on the peer:

sudo wg

Congratulations! You have successfully installed Wireguard. Thanks for using this tutorial for installing Wireguard VPN on Ubuntu 22.04 LTS Jammy Jellyfish system. For additional help or useful information, we recommend you check the official Wireguard website.


r00t
