How to setup a WireGuard server on Ubuntu for remote login

In this article, we will show you how to set up a WireGuard server on Ubuntu in order to use it for remote login.

Introduction to WireGuard

First of all, let’s first understand, what is WireGuard? WireGuard is a very simple and fast VPN tool with state-of-the-art encryption. Its goal is to be faster, simpler, more streamlined, and easy to use than IPsec, while avoiding the hassle of large-scale configuration. WireGuard is designed as a general-purpose VPN to run on embedded interfaces and supercomputers in many different environments. Originally released for the Linux kernel, WireGuard is now widely deployed and supported across platforms (Windows, macOS, BSD, iOS, Android). WireGuard is growing rapidly and is already considered the most secure, easiest-to-use, and simplest VPN solution in the industry.

Basic Concepts of WireGuard

Several basic concepts are involved in WireGuard:

  • Peer: A node in WireGuard.
  • Private key: Each node has its own private key, which can be generated using wg genkey.
  • Public key: Each node has its own public key, which is also generated using wg pubkey.
  • AllowedIPs: Define the IP address segments that each node is allowed to pass through.

WireGuard Server Network Topology

Here are the main configuration steps for WireGuard:

  1. Create a virtual network card eth0
  2. Use the private key and the public key of the peer to configure it and establish a connection
  3. Start exchanging data packets through the interface

The above is the process of establishing a WireGuard VPN link. After the establishment, device A and device B need to ensure that the IP of the virtual network card is in the same network segment, and this network segment is allowed by the configuration file AllowedIPs of WireGuard. Finally, al data packets are sent through UDP in WireGuard.

WireGuard server installation in Ubuntu

The testbed includes a cloud server running Ubuntu Server 18.04.1 LTS 64-bit, one PC with networking running Windows 11. The Ubuntu server can be accessed via the IP address 42.192.113.207, the WireGuard master virtual IP address is 172.16.1.11, and the PC WireGuard peer virtual address: is 172.16.1.14.

Installing the server

We can install the WireGuard package easily through apt:


Then we can go to the wireguard directory to generate a pair of public and private keys:


For this guide, the PublicKey generated for WireGuard is:

WireGuard Peer/Client configuration

VPN client configuration

We’ll need to install the Wireguard client for Windows, and set up a new tunnel using the IP addresses defined in the introductions and the private and public key we’ve just generated.

VPN Tunnel Configuration

We’ll also need the peer PublicKey generated on the client:


The configuration file then looks like that:

WireGuard master file configuration

Create the server configuration file wg0.conf as follows:


Then create a network card configuration file named wg0:


wg0 wireguard

Create a private key for WireGuard and configure permissions to prevent others from accessing the server:


wireguard wg0 config

Start the network interface


wireguard ubuntu link up

At this point, we have created the local node, and we need to configure which nodes are our peers to establish a network connection.

Connecting a Windows 11 WireGuard client to the Ubuntu WireGuard server

Wireguard Client Windows 11

Open the WireGuard client and click on the Activate (A) button:

Wireguard Client Connection

We can check the connection status with wg tool on the Ubuntu server:

wg VPN client connection status

The connection is successful.

Appendix – Useful commands & details

Start the WireGuard server:


Stop the WireGuard server:


Check WireGuard operational status


WireGuard configuration instructions


On the basis of the above, you need to pay extra attention to the following:

  1. If you have more than one [Peer], add a new [Peer] section directly below
  2. If multiple Peers have different IPs, please do not allow AllowedIPs to have overlapping IP address segments (such as configuring multiple identical /24s as only one takes effect)
  3. Endpoint supports both domain name access and IP access
  4. If the VPM connection is up, dynamic IP address changes will not affect the stability of the VPN
  5. If ListenPort is not added, a high-order port will be automatically generated for peer, and under the master-slave structure, the slave will not fill in the listenport
  6. The Table parameter can use auto and off, which respectively correspond to “automatically inject routing” and “prohibit injection”. Auto is not configured
  7. If you have a master-slave structure, you need to let the slave end add a content of 0.0.0.0/0,::0 to the “AllowedIPs =” of the slave end in the configuration to allow all traffic
  8. PreUp, PostUp, PreDown, PostDown – These four command parameters are executed by bash before/after wg-quick quick setting/deleting interface, and are often used to configure custom DNS or firewall rules. The special string %i is used as variable substitution to control the INTERFACE configuration name. Each command parameter supports multiple commands, and the multiple commands in the parameter will be executed sequentially, and the separator is “;” (semicolon).

Translated from the original tutorial on CNX Software China.

Share this:

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

Radxa Orion O6 Armv9 mini-ITX motherboard
Subscribe
Notify of
guest
The comment form collects your name, email and content to allow us keep track of the comments placed on the website. Please read and accept our website Terms and Privacy Policy to post a comment.
10 Comments
oldest
newest
tkaiser
tkaiser
1 year ago

> The testbed includes a cloud server running Ubuntu Server 18.04.1 LTS

Great choice in April 2023 when an up-to-date Ubuntu 18.04 release is called ‘18.04.6 LTS’ and will not receive any further security updates any more from next month on 🙂

tkaiser
tkaiser
1 year ago

> or with methods from the other commenters below

One of the methods is more of an advertisement and there’s https://github.com/Nyr/wireguard-install as well 🙂

Jan
Jan
1 year ago

As far as I know you can use pivpn to set up wireguard under ubuntu. Why would you want to do it by hand?

megous
1 year ago

The point of wireguard is that it’s trivial to setup even by hand. So why introduce extra software on top if not needed?

Jason
Jason
1 year ago

Tailscale. Takes about 5 seconds.

Marek
Marek
1 year ago

Or ZeroTier.

Lieven
Lieven
1 year ago

+1

Neorej
Neorej
1 year ago

Or Headscale.

bluepuma77
bluepuma77
1 year ago

Or wg-easy with Docker

Boardcon Rockchip RK3588S SBC with 8K, WiFI 6, 4G LTE, NVME SSD, HDMI 2.1...