Wireguard is a powerful open source virtual private network (VPN) daemon that can run on both desktop and mobile devices. It provides a fast and lightweight alternative to traditional VPN solutions such as IPsec and OpenVPN. Here, we show you how to install Wireguard and create a simple VPN set up using three Linux machines.
Why Use Wireguard as a VPN Solution?
One of the biggest selling points of Wireguard is that it’s a fast and lightweight VPN daemon. Unlike traditional solutions, Wireguard doesn’t add a lot of overhead to your network. This results in lower latency and a high overall throughput rate across your nodes.
Another key feature of Wireguard is that it’s a module inside the Linux kernel. This allows it to run without taking up any additional system resources from your computer, making it an ideal choice for deploying on low-end and SOC devices.
Lastly, Wireguard also takes advantage of modern cryptographic standards and development practices. It also had multiple formal verifications, which confirm Wireguard’s code correctness, security guarantees, and ability to resist attacks.
On a side note: still not convinced with Wireguard? Learn how Wireguard stacks against OpenVPN.
Obtaining Wireguard
The first step to set up Wireguard on Linux is to download its core tools from your distro’s repository. This allows you to control the built-in Wireguard kernel module using userspace commands.
To install the core tools in Ubuntu and Debian, run the following command:
sudo apt install wireguard wireguard-tools
In Fedora, you can use the dnf package manager:
sudo dnf install wireguard-tools
For Arch Linux, you can run pacman to obtain the Wireguard core tools:
sudo pacman -S wireguard-tools
Confirm that you’ve properly installed the Wireguard tools by loading its help screen:
wg -h
Setting Up the Wireguard Server
Assumption: This article assumes that you’re installing the Wireguard server on a Linux system with a publicly accessible IPv4 address. The instructions will still work on a server behind a NAT, but it won’t find nodes outside its subnet.
With the Wireguard core toolkit on your Linux machines, you can now set up your VPN’s server node. This will serve as the internet gateway for your client nodes in the network.
Start by navigating to your Wireguard config directory and set its default permissions to “root only:”
cd /etc/wireguard sudo umask 077
Note: some systems might prevent you from going inside the “/etc/wireguard” folder as a regular user. To fix that, switch to the root user using sudo -s.
Generate the public and private key for your Wireguard server:
sudo sh -c 'wg genkey | tee /etc/wireguard/server-private-key | wg pubkey > /etc/wireguard/server-public-key'
Create your server’s configuration file using your favorite text editor:
sudo nano /etc/wireguard/wg0.conf
Paste the following block of code inside your server config file:
[Interface] PrivateKey = PASTE-YOUR-SERVER-PRIVATE-KEY-HERE Address = 10.0.0.1/32 ListenPort = 60101 PostUp = iptables -t nat -I POSTROUTING -o NETWORK-INTERFACE-HERE -j MASQUERADE PostDown = iptables -t nat -D POSTROUTING -o NETWORK-INTERFACE-HERE -j MASQUERADE
Open a new terminal session, then print your server’s Wireguard private key:
sudo cat /etc/wireguard/server-private-key
Copy your server’s private key to your clipboard.
Replace the value of the PrivateKey variable with the key on your clipboard.
Find the network interface that has access to the internet using the ip command:
ip route get 8.8.8.8
Set the value of the -o flag on both PostUp and PostDown variables to the interface with internet access, then save your config file.
Open the server’s “/etc/sysctl.conf” file using your favorite text editor:
sudo nano /etc/sysctl.conf
Scroll down to the line that contains net.ipv4.ip_forward=1, then remove the pound (#) sign in front of it.
Reload your new sysctl config by running: sudo sysctl -p.
FYI: Wireguard is not the only VPN solution that you can run on Linux. Learn how to create your own VPN using OpenVPN.
Setting Up and Connecting the Wireguard Client
At this point, you now have a properly configured Wireguard server without any peers. To use it, you need to set up and connect your first Wireguard client.
Navigate to your client system’s Wireguard config directory and set its default permissions:
cd /etc/wireguard sudo umask 077
Generate your client’s Wireguard keypair using the following command:
sudo sh -c 'wg genkey | tee /etc/wireguard/client1-private-key | wg pubkey > /etc/wireguard/client1-public-key'
Create the client’s Wireguard config file using your favorite text editor:
sudo nano /etc/wireguard/wg0.conf
Paste the following block of code inside your client config file:
[Interface] PrivateKey = PASTE-YOUR-CLIENT1-PRIVATE-KEY-HERE Address = 10.0.0.2/32 ListenPort = 60101 [Peer] PublicKey = PASTE-YOUR-SERVER-PUBLIC-KEY-HERE AllowedIPs = 0.0.0.0/0 Endpoint = PASTE-YOUR-SERVER-IP-ADDRESS-HERE:60101 PersistentKeepalive = 25
Replace the PrivateKey variable with your client’s private key.
Open your Wireguard server’s terminal session, then print its public key:
sudo cat /etc/wireguard/server-public-key
Set the value of the PublicKey variable to your server’s public key.
Change the Endpoint variable to the IP address of your Wireguard server.
Save your config file, then use the wg-quick command to start the Wireguard client:
sudo wg-quick up wg0
Note: this command will disable your client’s network connectivity until you start your Wireguard server. To go back to your original network, run sudo wg-quick down wg0.
Linking the Wireguard Server to the Client
Go to your Wireguard server’s terminal session, then open its config file:
sudo nano /etc/wireguard/wg0.conf
Paste the following block of code after the [Interface] section:
[Peer] PublicKey = PASTE-YOUR-CLIENT1-PUBLIC-KEY-HERE AllowedIPs = 10.0.0.2/32 PersistentKeepalive = 25
Set the PublicKey variable to the public key of your Wireguard client.
![A terminal showing the location of the [Peer] block and highlighting the client's public key.](https://www.maketecheasier.com/assets/uploads/2024/07/set-up-wireguard-linux-vpn-13-highlight-client1-public-key.png)
Note: you can get the public key by running sudo cat /etc/wireguard/client1-public-key on your client machine.
Save the config file, then run the following command to start the Wireguard service on your server:
sudo wg-quick up wg0Adding a Second Client to the Server
One key feature of every VPN service is that it can link together multiple machines from different networks. This is useful if you have computers on different locations or want to host a private game server for your friends.
To do this in Wireguard, you need to create a config file for a new VPN interface on your server. The easiest way to do this is to copy your current server config and giving the copy a new name:
sudo cp /etc/wireguard/wg0.conf /etc/wireguard/wg1.conf
Open your new config file using your favorite text editor:
sudo nano /etc/wireguard/wg1.conf
Set the ListenPort variable to 60102. Doing this will prevent any port collisions between the wg0 and wg1 VPN interfaces.
Go to the [Peer] section and change the AllowedIPs variable from “10.0.0.2/32” to “10.0.0.3/32,” then save your config file.
Configuring the Second Wireguard Client
Log in to your second machine, then prepare your Wireguard config directory:
cd /etc/wireguard sudo umask 077
Generate a new Wireguard keypair using the following command:
sudo sh -c 'wg genkey | tee /etc/wireguard/client2-private-key | wg pubkey > /etc/wireguard/client2-public-key'
Create a new config file using your favorite text editor:
sudo nano /etc/wireguard/wg0.conf
Paste the following block of code inside your new config file:
[Interface] PrivateKey = PASTE-YOUR-CLIENT2-PRIVATE-KEY-HERE Address = 10.0.0.3/32 ListenPort = 60102 [Peer] PublicKey = PASTE-YOUR-SERVER-PUBLIC-KEY-HERE AllowedIPs = 0.0.0.0/0 Endpoint = PASTE-YOUR-SERVER-IP-ADDRESS-HERE:60102 PersistentKeepalive = 25
Set the PrivateKey variable to your second machine’s private key, then change the PublicKey variable to the public key of your server.
Replace the Endpoint variable with the IP address of your server, followed by “:60102.”
Save your config file, then start the second machine’s Wireguard client:
sudo wg-quick up wg0Linking the Second Client to the Wireguard Server
Log back in to your Wireguard server, then open the VPN interface config for your second client:
sudo nano /etc/wireguard/wg1.conf
Scroll down to the [Peer] section, then replace the PublicKey variable with your second client’s public key.
Save your config file, then start the second VPN interface using the wg-quick command:
sudo wg-quick up wg1Confirm that your first and second Wireguard clients are showing up correctly on your server by running wg.
Testing the Wireguard Network
With both your server and clients on the Wireguard network, you can now test the connectivity and latency between your nodes. To do this, make sure that you have network diagnostics tools installed on your system:
sudo apt install net-tools curl
In Fedora, you only need to install curl since it already comes with networking tools right out of the box:
sudo dnf install curl
For Arch Linux, you can use pacman to install the network tools and curl:
sudo pacman -S traceroute curl
Start by tracking the route of a packet between two clients. The following will show how an IP packet goes from “10.0.0.2” to “10.0.0.3:”
traceroute 10.0.0.3
Check whether any of your nodes can access the public internet by pinging a common IP address:
ping -c 5 8.8.8.8
Lastly, confirm that your nodes share the same public IP address to your Wireguard server:
curl ipinfo.io/ip
Learning to set up a Wireguard network on Linux is the first step in exploring the fascinating world of VPNs. Take a deep dive and look at our picks for the best security-focused VPN providers you can get today.
Image credit: Kari Shea via Unsplash and Wikimedia Commons. All alterations and screenshots by Ramces Red.
Our latest tutorials delivered straight to your inbox
