Link Search Menu Expand Document

WireGuard VPN Setup on Server and Client

Table of contents

1 - Prerequisites

Server setup

apt update && apt upgrade -y 
apt install iptables net-tools -y 
    # to install iptables, net-tools

Enabling IP Forwarding

  • vim /etc/sysctl.conf, add below 2 lines at the bottom, or take off # if you see the 2 lines in the file.
  • Run sysctl -p to check forward is enabled
  • ifconfig, you will see network interface name is eth0 and public IP
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet  netmask  broadcast

2 - WireGuard installation & key pair

apt install wireguard -y 
  • cd /etc/wiregaurd/
  • Generate key pair wg genkey | tee server-privateKey | wg pubkey > server-publicKey

    tee means to write privatekey
    run ls , you’ll see 2 files in the directory

  • cat server-privateKey -> 3Ab************Xk=
  • cat server-publicKey -> y6Qjx*********s=
  • chmod 600 /etc/wireguard/server-privateKey
chmod go= /etc/wireguard/server-privateKey
    # this command removes any permissions, only root can access

3 - Create server config file

vim /etc/wireguard/wg0.conf
    # you need to create the `config` file with content below: 
  • Put below content to wg0.conf file
# Server config 
PrivateKey = server-private-key # used private key generated on server side
Address =, fd7b:6185:74b5::/64  
    # private IP address, see how to generate IPv6 below 
SaveConfig = true
ListenPort = 55555
    # standard WireGuard port is 51820

PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# PostUp=iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; 
    # Post up rule, receive and accept every packets into the tunnel, going outward tunnel interface with masked the public IP of the server 
# PostDown=iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; 
    # Post down rule

PublicKey = client-public-key
AllowedIPs = client-private-ip-range # eg:
1. systemctl enable [email protected]
2. systemctl start [email protected]
3. systemctl status [email protected]
  • Run wg to check wg0 is up
  • Run ip link to check tunnel interfaces
  • Run ip route list default to check public interface

4 - UFW (Optional)

ufw status 
ufw allow 55555/udp
    # firewall to allow port 55555 
ufw allow 22
ufw enable 
ufw disable 

5 - Wireguard on client

  • If installed on ubuntu as client, same process as how you would setup on a server.

Using pre-configured vpn router that supports Wireguard

  • Generate another set of key pair for client, that will interact with server key pair.
wg genkey | tee client-privatekey | wg pubkey | tee client-publickey 
cat client-privatekey
cat client-publickey
  • Put the above key in the client side configuration file, file name can be [client-config.conf]
# config on client
Address = # client private IP range 
ListenPort = 51234
PrivateKey = [client-privatekey]
MTU = 1420

AllowedIPs =, ::/0
Endpoint = [server-public-IP]:55555
PersistentKeepalive = 25 #specify second 
PublicKey = [Server-public-key]