
Set Up Your Own WireGuard VPN Server

A step-by-step guide to creating a secure, high-performance VPN server using WireGuard

Enhanced Security

State-of-the-art encryption and secure key exchange

High Performance

Minimal overhead and fast connection speeds

Cross-Platform

Works on all major operating systems and devices

Prerequisites

To follow this tutorial, you will need:

  • An Ubuntu 22.04 server configured with a non-root user that has sudo privileges and an enabled firewall. To set this up, you can follow our Initial Server Setup with Ubuntu 22.04 tutorial.
    • Experience incredible performance and unbeatable value with IONOS VPS plans! Launch your Ubuntu 22.04 server effortlessly on a budget. For just running a Wireguard VPN, our streamlined VPS S delivers all the power you need without excess performance overhead. Plus, with unlimited network traffic, you're free to connect every device to your secure VPN worry-free. And if you're planning to multitask by hosting additional applications alongside your VPN, step up to the versatile VPS L plan. Elevate your hosting experience with IONOS today!
  • You will need a client device to connect to your WireGuard Server, which we'll call the "WireGuard Peer" throughout this tutorial. We recommend using your local machine as the WireGuard Peer, but you can also use remote servers or mobile phones if you prefer. If you're using a remote system, make sure to follow all the optional sections in this tutorial to avoid locking yourself out of the system.

VPS S

  • 2 vCores CPU
  • 2 GB RAM
  • 80 GB NVMe

VPS L

  • 4 vCores CPU
  • 8 GB RAM
  • 240 GB NVMe

1. Update Your System

First, make sure your server's package list and installed packages are up-to-date. Run the following commands:

sudo apt update && sudo apt upgrade -y

2. Install WireGuard

Install the WireGuard package on your server with the following command:

sudo apt install wireguard -y

3. Generate Keys

You need to generate a private key and a public key for the WireGuard server. Use the following commands:

# Generate private key
sudo wg genkey | sudo tee /etc/wireguard/privatekey
# Set appropriate permissions to private key
sudo chmod go= /etc/wireguard/privatekey
# Generate public key
sudo cat /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

4. Configure the Server

Find the name of your server's public network interface:

ip route list default

The public interface is the string in this command's output that follows the word "dev". For example, this output shows an interface named eth0:

# output: default via 203.0.113.1 dev eth0 proto static

Create and edit the WireGuard configuration file:

sudo nano /etc/wireguard/wg0.conf

Write the following lines to the file and save it, replacing base64_encoded_private_key_goes_here with the contents of /etc/wireguard/privatekey and eth0 with the interface name you found above:

[Interface]
PrivateKey = base64_encoded_private_key_goes_here
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = true

PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

The PostUp lines will run when the WireGuard Server starts the virtual VPN tunnel, and the matching PreDown lines undo them when the tunnel is stopped. In the example here, PostUp adds three ufw and iptables rules:

  • ufw route allow in on wg0 out on eth0 - This rule allows forwarding IPv4 and IPv6 traffic that comes in on the wg0 VPN interface to the eth0 network interface on the server. It works in conjunction with the net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctl values; the next step enables net.ipv4.ip_forward, and you only need net.ipv6.conf.all.forwarding as well if you also route IPv6 through the tunnel.
  • iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE - This rule configures masquerading and rewrites IPv4 traffic that comes in on the wg0 VPN interface so that it appears to originate directly from the WireGuard Server's public IPv4 address.
  • ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE - This rule configures masquerading and rewrites IPv6 traffic that comes in on the wg0 VPN interface so that it appears to originate directly from the WireGuard Server's public IPv6 address.
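The configuration above hard-codes eth0, so on a server whose interface is called ens3 or enp0s3 the PostUp rules would reference an interface that does not exist. The script below is an added example, not part of the original tutorial: it extracts the interface from the output of ip route list default as described above and renders wg0.conf from it; the function names and the --install flag are my own.

```shell
#!/bin/sh
# Added example (not from the tutorial): build /etc/wireguard/wg0.conf with
# the public interface detected from `ip route list default` instead of a
# hard-coded eth0. Nothing is written unless the script is run with --install.

# Print the interface name that follows "dev" in a default-route line.
# $1 = output of `ip route list default`, passed in so it can be tested offline.
public_iface() {
    printf '%s\n' "$1" | awk '/^default/ {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Emit the tutorial's [Interface] section with $2 substituted for eth0.
# $1 = base64 private key, $2 = public interface name, $3 = listen port
render_server_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = 10.8.0.1/24
ListenPort = $3
SaveConfig = true

PostUp = ufw route allow in on wg0 out on $2
PostUp = iptables -t nat -I POSTROUTING -o $2 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o $2 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on $2
PreDown = iptables -t nat -D POSTROUTING -o $2 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o $2 -j MASQUERADE
EOF
}

# Detect the interface, stop if none was found, and write the file readable
# by root only, since it contains the private key (run as root).
install_server_conf() {
    iface=$(public_iface "$(ip route list default)")
    [ -n "$iface" ] || { echo "no default-route interface found" >&2; return 1; }
    umask 077
    render_server_conf "$(cat /etc/wireguard/privatekey)" "$iface" 51820 \
        > /etc/wireguard/wg0.conf
    echo "wrote /etc/wireguard/wg0.conf using interface $iface"
}

if [ "${1:-}" = "--install" ]; then install_server_conf; fi
```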

Enable IP forwarding

sudo nano /etc/sysctl.conf

Add the following line to the file (uncomment it if it is already present) and save it:

net.ipv4.ip_forward=1

Apply the change and verify that it took effect:

sudo sysctl -p

Firewall rules

Allow WireGuard's UDP port and SSH through ufw, then restart ufw so the new rules are loaded:

sudo ufw allow 51820/udp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable

systemd service

Enable and start the wg0 interface as a systemd service so it comes up at boot:

sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service

Peer -- Wireguard VPN client configuration

Install WireGuard

You can install the GUI version of WireGuard (https://www.wireguard.com/install/) or install the CLI version just as you did for the server.

Generate private and public keys

From the GUI, you can generate a new config by selecting "Add empty tunnel". This automatically generates both private and public keys. If you're using the CLI, follow the same method as you did for the server.

WireGuard client configuration

Edit the configuration file and add the following lines, replacing the placeholders with the peer's private key, the server's public key (the contents of /etc/wireguard/publickey on the server), a DNS server address and the server's public IP address:

[Interface]
PrivateKey = base64_encoded_peer_private_key_goes_here
Address = 10.8.0.2/24
DNS = dns_server_address

[Peer]
PublicKey = base64_encoded_server_public_key_goes_here
AllowedIPs = 0.0.0.0/0
Endpoint = <Server public IP address>:51820

Add the peer on the server

Log back into the server and add the peer, using the peer's public key and the same address you gave it in its Address line. Because the server config sets SaveConfig = true, the peer is written back to wg0.conf when the interface is stopped, so it survives restarts:

sudo wg set wg0 peer base64_encoded_peer_public_key_goes_here allowed-ips 10.8.0.2
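Adding peers by hand means keeping track of which 10.8.0.x addresses are already taken. The script below is an added example, not from the original tutorial: it reads the peers wg0 already knows from wg show wg0 allowed-ips, picks the next free address in the tutorial's 10.8.0.0/24 range, checks that the supplied key has the right shape and then runs the same wg set command as above. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the tutorial): register a peer on the server, picking
# the next unused address in the tutorial's 10.8.0.0/24 range from the peers
# that wg0 already has. Usage, as root: ./add-peer.sh <peer_public_key>

# Print the lowest unused host address 10.8.0.2 .. 10.8.0.254.
# $1 = output of `wg show wg0 allowed-ips`, one "<pubkey><TAB><ip/32> ..." line
# per peer, passed in as text so the selection can be tested without a live wg0.
next_free_ip() {
    printf '%s\n' "$1" | awk '
        { for (i = 2; i <= NF; i++)
              if (split($i, a, "[./]") >= 4 && (a[1] "." a[2] "." a[3]) == "10.8.0")
                  used[a[4]] = 1 }
        END { for (h = 2; h <= 254; h++) if (!(h in used)) { print "10.8.0." h; exit } }'
}

# A WireGuard key is 32 bytes, which base64 encodes as 43 characters plus "=".
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Same command as in the tutorial, with the address chosen automatically.
# Prints the address the peer must put in its own Address line.
add_peer() {
    is_wg_key "$1" || { echo "not a valid WireGuard public key: $1" >&2; return 1; }
    ip=$(next_free_ip "$(wg show wg0 allowed-ips)")
    [ -n "$ip" ] || { echo "no free address left in 10.8.0.0/24" >&2; return 1; }
    wg set wg0 peer "$1" allowed-ips "$ip/32" || return 1
    echo "$ip"
}

if [ -n "${1:-}" ]; then add_peer "$1"; fi
```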

Server Maintenance

Reboot your server automatically on a schedule to keep connections healthy. Open your crontab:

crontab -e

This uses a cron job to reboot the server automatically; you can set whatever schedule suits you.

Example: To reboot every day at 12:00 PM, add the following line:

0 12 * * * /sbin/shutdown -r now

An online tool to help build cron schedules: Cronitor