Cantech Knowledge Base

Your Go-To Hosting Resource

How to Install WireGuard VPN on Ubuntu 24.04?

Security and privacy are a top priority for online users and system administrators alike. WireGuard is a modern VPN that combines strong security with fast operation. Installing WireGuard on Ubuntu 24.04 gives you VPN access that is protected from network restrictions and encrypts your sensitive information. WireGuard's simple design needs minimal system resources while delivering stronger security than traditional VPN models.

Installing WireGuard on Ubuntu 24.04 is simple, and the steps are easy to follow. A handful of terminal commands sets up a secure, fast VPN connection that protects your online privacy. This article describes the complete WireGuard setup procedure on Ubuntu 24.04, from the initial steps through to the end.

WireGuard's fundamentals are easy to grasp regardless of technical ability, which makes it an essential tool for protecting online privacy. Additionally, understanding how to use the ls command in Linux can be helpful when navigating directories while configuring WireGuard.

Prerequisites

Before getting started, ensure the following:

  • Deploy an Ubuntu 24.04 server on Cantech to serve as your WireGuard VPN server.
  • Connect to the server via SSH using a non-root user with sudo privileges.
  • Update the server to the latest packages.

Step 1: Install WireGuard

WireGuard is available in Ubuntu 24.04’s default APT repositories. Follow these steps to install it and enable it to start on boot:

Install WireGuard

Run the following command:

sudo apt install wireguard -y

Verify Installation

Check the installed WireGuard version:

wg --version

Expected output:

wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/

Step 2: Configure WireGuard

WireGuard requires a private and public key pair to function. Follow these steps to generate and configure them:

Generate Private and Public Keys

Generate a new private key and store it securely:

sudo wg genkey | sudo tee /etc/wireguard/server_private.key

Copy the generated key for later use.

Modify file permissions to restrict access:

sudo chmod 600 /etc/wireguard/server_private.key

Generate a public key from the private key:

sudo cat /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key

Identify the Main Network Interface

Check available network interfaces:

ip a

Locate the main public interface (e.g., enp1s0) and note its IP address.

Step 3: Create WireGuard Server Configuration

Open a new configuration file:

sudo nano /etc/wireguard/wg0.conf

Add the following content, replacing the placeholders with your private key and network interface:

[Interface]
Address = 10.8.0.1/24
SaveConfig = true
PrivateKey = <YOUR_SERVER_PRIVATE_KEY>
PostUp = ufw route allow in on wg0 out on <YOUR_INTERFACE>
PostUp = iptables -t nat -I POSTROUTING -o <YOUR_INTERFACE> -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on <YOUR_INTERFACE>
PreDown = iptables -t nat -D POSTROUTING -o <YOUR_INTERFACE> -j MASQUERADE
ListenPort = 51820

Save and close the file.

Configuration Breakdown:

  • Address: Assigns a private subnet for WireGuard.
  • SaveConfig: Saves runtime changes if enabled.
  • PrivateKey: Uses the server’s private key.
  • PostUp: Adds firewall and NAT rules to allow traffic.
  • PreDown: Removes firewall and NAT rules when shutting down.
  • ListenPort: Defines the port for incoming connections.

Step 4: Configure WireGuard Clients

Each client requires a valid public key to connect.

Generate Client Keys

Create a private key for a client:

sudo wg genkey | sudo tee /etc/wireguard/client1_private.key

Generate a public key from it:

sudo cat /etc/wireguard/client1_private.key | wg pubkey | sudo tee /etc/wireguard/client1_public.key

Create Client Configuration

Open a new configuration file:

sudo nano /etc/wireguard/client1.conf

Add the following configuration, replacing placeholders with your keys and server IP:

[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.8.0.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
AllowedIPs = 0.0.0.0/0
Endpoint = <SERVER_IP>:51820
PersistentKeepalive = 15

Save and close the file.

Configuration Breakdown:

  • PrivateKey: Uses the client’s private key.
  • PublicKey: Connects to the server using its public key.
  • AllowedIPs: Defines accessible IPs when connected.
  • Endpoint: Specifies the server’s IP and port.
  • PersistentKeepalive: Keeps the VPN connection active.

Copy Client Configuration

Move the client configuration to a user-accessible location:

sudo cp /etc/wireguard/client1.conf ~/client1.conf
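
Both configuration files embed a private key, and the copy in the home directory inherits whatever mode the original had. The following check is an added example, not part of the original article: the function names wg_conf_lint and wg_conf_lint_demo are hypothetical, the sample file is constructed, and GNU stat (as shipped on Ubuntu) is assumed. It flags a config that is readable beyond its owner, still contains a template placeholder, or holds a malformed key.

```shell
# Added example. wg_conf_lint FILE prints one finding per line for a wg-quick
# config built from this guide's templates; returns 0 when clean, else 1.
wg_conf_lint() {
    conf=$1
    findings=$(
        # The file embeds a private key: group/other must have no access.
        mode=$(stat -c '%a' "$conf")    # GNU stat, as on Ubuntu
        case $mode in
            (*00) ;;
            (*) echo "mode $mode: expected 600 (owner only)" ;;
        esac
        awk '
            /^[ \t]*$/ || /^[ \t]*(#|\[)/ { next }  # blanks, comments, sections
            {
                key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            }
            # Template markers such as <YOUR_INTERFACE> were never filled in.
            val ~ /<[A-Z0-9_]+>/ {
                print "line " NR ": " key " still has a placeholder"; next
            }
            # WireGuard keys are 32 bytes: 43 base64 characters plus one "=".
            (key == "PrivateKey" || key == "PublicKey") &&
                (length(val) != 44 || val !~ /^[A-Za-z0-9+\/]+=$/) {
                print "line " NR ": " key " is not a 44-character base64 key"
            }
        ' "$conf"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the client template half filled in, with mode 644.
wg_conf_lint_demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.8.0.2/24
[Peer]
PublicKey = W+l7Uapd98bsNhN1g3Hs4iTCfKzcV03KNwhDPFgzqR4=
Endpoint = <SERVER_IP>:51820
EOF
    chmod 644 "$sample"
    status=0; wg_conf_lint "$sample" || status=$?
    rm -f "$sample"; return "$status"
}
wg_conf_lint_demo || true
```

Run it as root against /etc/wireguard/wg0.conf and each client file before starting the service; a clean file produces no output.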

Step 5: Manage the WireGuard VPN Server Service

The WireGuard VPN server runs as a systemd service on your server, and the wg-quick utility brings up the WireGuard interfaces configured there. To start your WireGuard interface, enable it at boot, and bring up VPN tunnels on your server, follow these steps:

Start the WireGuard interface you have just created, wg0.

sudo systemctl start wg-quick@wg0.service

Enable the WireGuard interface to start at boot.

sudo systemctl enable wg-quick@wg0.service

Check the status of the WireGuard interface service and ensure that it is active.

sudo systemctl status wg-quick@wg0.service

Output:

wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
  Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; preset: enabled)
  Active: active (exited) since Wed 2024-06-12 04:47:53 UTC; 38s ago
  Docs:   man:wg-quick(8)
          man:wg(8)
          https://www.wireguard.com/
          https://www.wireguard.com/quickstart/
          https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
          https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
 Process: 2384 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
Main PID: 2384 (status=0/SUCCESS)
     CPU: 125ms

Check the status of the WireGuard interface with the wg utility.

sudo wg show wg0

Output:

interface: wg0
  public key: W+l7Uapd98bsNhN1g3Hs4iTCfKzcV03KNwhDPFgzqR4=
  private key: (hidden)
  listening port: 51820

peer: xZB9I6953ebGqWVLCR7L6yJw7YJi0shJ+Sub9gfUFVU=
  allowed ips: 10.8.0.2/32

When clients connect, the interface status shows active network traffic on the VPN tunnel.

To view the logs of the WireGuard interface, run the following command.

sudo journalctl -u wg-quick@wg0.service

Step 6: Set Up Firewall Rules

If UFW is enabled on your Ubuntu 24.04 server, allow traffic on the WireGuard port (51820/UDP). You’ll also need to enable IP forwarding so connected clients can reach the internet through the VPN.

Check the status of UFW and ensure that it is active.

sudo ufw status

If UFW is inactive, run the following commands to open SSH port 22 and turn on the firewall.

sudo ufw allow 22/tcp
sudo ufw enable

Open the WireGuard port, UDP 51820, in the firewall.

sudo ufw allow 51820/udp

Reload UFW to apply changes.

sudo ufw reload

Check the UFW table to confirm that the new rules are in place.

sudo ufw status

Output:

Status: active

To                         Action      From

22/tcp                     ALLOW       Anywhere
51820/udp                  ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
51820/udp (v6)             ALLOW       Anywhere (v6)
Anywhere on enp1s0         ALLOW FWD   Anywhere on wg0
Anywhere (v6) on enp1s0    ALLOW FWD   Anywhere (v6) on wg0

Enable IPv4 forwarding so that your server can forward packets between the networks on its two interfaces.

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf

Output:

net.ipv4.ip_forward = 1

You should reload your sysctl configuration to implement the configuration changes.

sudo sysctl -p

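Add a NAT rule so that traffic from the WireGuard VPN subnet 10.0.0.0/24 is masqueraded as it leaves through the main server network interface eth0. Replace eth0 and 10.0.0.0/24 with your own main interface and the subnet assigned in wg0.conf (enp1s0 and 10.8.0.0/24 in the examples above).

sudo iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

Packets from VPN clients bound for another network leave through eth0, which acts as the intermediary and rewrites their source address to its own.

Store the above iptables rules permanently on your server in the /etc/iptables/rules.v4 file. The /etc/iptables directory is provided by the iptables-persistent package, which also restores the file at boot.

sudo iptables-save | sudo tee /etc/iptables/rules.v4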
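
The two persisted settings from this step can be verified without touching the live firewall. This is an added example, not part of the original article: check_forwarding and check_forwarding_demo are hypothetical names, the sample files are constructed stand-ins for /etc/sysctl.conf and /etc/iptables/rules.v4, and only the files passed in are inspected (drop-ins under /etc/sysctl.d are not read).

```shell
# Added example. check_forwarding SYSCTL_FILE RULES_FILE IFACE SUBNET
# prints a finding for each missing setting; returns 1 if there is any.
check_forwarding() {
    sysctl_file=$1 rules_file=$2 iface=$3 subnet=$4 rc=0
    # The last assignment in the file wins; lines starting with # or ; are comments.
    fwd=$(awk -F= '/^[ \t]*[#;]/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == "net.ipv4.ip_forward" { v = $2; gsub(/[ \t]/, "", v) }
        END { print v }' "$sysctl_file")
    if [ "$fwd" != 1 ]; then
        echo "ip_forward is '${fwd:-unset}' in $sysctl_file"; rc=1
    fi
    # iptables-save writes rules as "-A CHAIN ..." under a "*table" header.
    if ! awk -v i="$iface" -v s="$subnet" '
        /^\*/ { table = $1 }
        table == "*nat" && $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
            src = out = ""
            for (n = 3; n < NF; n++) {
                if ($n == "-s") src = $(n + 1)
                if ($n == "-o") out = $(n + 1)
            }
            # A rule with no -s (as in the PostUp line) covers every source.
            if (out == i && (src == s || src == "")) found = 1
        }
        END { exit !found }' "$rules_file"
    then
        echo "no MASQUERADE rule for $subnet out of $iface in $rules_file"; rc=1
    fi
    return "$rc"
}

# Constructed sample files holding the values used in this step.
check_forwarding_demo() {
    dir=$(mktemp -d)
    printf '#net.ipv4.ip_forward=1\nnet.ipv4.ip_forward = 1\n' > "$dir/sysctl.conf"
    cat > "$dir/rules.v4" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
    status=0
    check_forwarding "$dir/sysctl.conf" "$dir/rules.v4" eth0 10.0.0.0/24 || status=$?
    rm -rf "$dir"; return "$status"
}
check_forwarding_demo && echo "forwarding and NAT settings are persisted"
```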

Conclusion

Now that WireGuard is set up on your Ubuntu 24.04 server, you can use your secure VPN connection. Once client connections are configured, users can securely access your private network through WireGuard, whose lightweight, fast encryption suits that purpose. This design enables smooth communication between remote machines and the main server. You can use it in both personal and business networking environments.

WireGuard can run many different VPN connections at once. Create separate WireGuard interfaces with their own private IP pools to keep user groups apart according to their permitted access. For example, you can configure different interfaces for remote staff, internal administrators, and sensitive security operations. Each group then keeps its own security settings without affecting the others.

WireGuard's simple design makes it easy to deploy and manage the VPN across multiple devices. Organizations of any size, with any number of remote offices, can set up secure VPN connections. As your network grows, you can add clients while WireGuard maintains encrypted transmission and steady network speed. Your VPN can provide secure remote access to all your users from any location.

September 6, 2025