{"id":20060,"date":"2024-02-07T07:36:05","date_gmt":"2024-02-07T04:36:05","guid":{"rendered":"https:\/\/kifarunix.com\/?p=20060"},"modified":"2024-03-10T16:03:43","modified_gmt":"2024-03-10T13:03:43","slug":"install-wireguard-vpn-server-on-ubuntu-24-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-wireguard-vpn-server-on-ubuntu-24-04\/","title":{"rendered":"Install WireGuard VPN Server on Ubuntu 24.04"},"content":{"rendered":"\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/install-wireguard-vpn-on-linux.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20054&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1043,&quot;targetHeight&quot;:585,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image: install WireGuard VPN server on Ubuntu 24.04&quot;,&quot;alt&quot;:&quot;install WireGuard VPN server on Ubuntu 24.04&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1043\" height=\"585\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/install-wireguard-vpn-on-linux.png\" alt=\"install WireGuard VPN server on Ubuntu 24.04\" class=\"wp-image-20054\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/install-wireguard-vpn-on-linux.png?v=1707237999 1043w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/02\/install-wireguard-vpn-on-linux-768x431.png?v=1707237999 768w\" sizes=\"(max-width: 1043px) 100vw, 1043px\" 
\/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge image: install WireGuard VPN server on Ubuntu 24.04\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<p>Follow this tutorial to learn how to install WireGuard VPN server on Ubuntu 24.04. According to <a href=\"https:\/\/www.wireguard.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">wireguard.com<\/a>, <em>WireGuard\u00ae is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. 
It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry<\/em>.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-wire-guard-vpn-server-on-ubuntu-24-04\">Installing WireGuard VPN Server on Ubuntu 24.04<\/a><ul><li><a href=\"#run-system-update\">Run system update<\/a><\/li><li><a href=\"#install-wire-guard-vpn-server\">Install WireGuard VPN Server<\/a><\/li><li><a href=\"#install-i-ptables\">Install IPtables<\/a><\/li><li><a href=\"#configuring-wire-guard-vpn-server-on-ubuntu-24-04\">Configuring WireGuard VPN Server on Ubuntu 24.04<\/a><ul><li><a href=\"#generate-wire-guard-private-public-keys\">Generate WireGuard Private\/Public Keys<\/a><\/li><li><a href=\"#generate-wire-guard-public-keys\">Generate WireGuard Public Keys<\/a><\/li><li><a href=\"#generate-both-private-and-public-key-at-once\">Generate Both Private and Public Key at Once<\/a><\/li><\/ul><\/li><li><a href=\"#generate-wire-guard-server-configuration-file\">Generate WireGuard Server Configuration File<\/a><\/li><li><a href=\"#enable-ip-forwarding-on-wire-guard-vpn-server\">Enable IP Forwarding on WireGuard VPN Server<\/a><\/li><li><a href=\"#running-wire-guard-vpn-server\">Running WireGuard VPN Server<\/a><ul><li><a href=\"#use-wg-quick-to-manage-wire-guard-vpn-tunnel-interface\">Use wg-quick to Manage WireGuard VPN Tunnel Interface<\/a><\/li><li><a href=\"#use-systemd-to-manage-wire-guard-vpn-tunnel-interface\">Use Systemd to Manage WireGuard VPN Tunnel Interface<\/a><\/li><\/ul><\/li><li><a href=\"#stopping-wire-guard-vpn\">Stopping WireGuard VPN<\/a><\/li><\/ul><\/li><li><a href=\"#configure-wire-guard-vpn-clients\">Configure WireGuard VPN Clients<\/a><ul><li><a href=\"#generate-wire-guard-vpn-clients-private-public-keys\">Generate WireGuard VPN Clients Private\/Public Keys<\/a><\/li><li><a 
href=\"#add-client-peer-settings-in-wire-guard-vpn-server-configuration\">Add Client Peer Settings in WireGuard VPN Server configuration<\/a><\/li><li><a href=\"#reload-wire-guard\">Reload WireGuard;<\/a><ul><li><a href=\"#reload-wire-guard-vpn-using-systemctl\">Reload WireGuard VPN using Systemctl<\/a><\/li><li><a href=\"#reload-wire-guard-vpn-using-wg-quick-command\">Reload WireGuard VPN using wg-quick command<\/a><\/li><\/ul><\/li><li><a href=\"#install-and-setup-wire-guard-vpn-client-on-ubuntu-24-04\">Install and Setup WireGuard VPN Client on Ubuntu 24.04<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-wire-guard-vpn-server-on-ubuntu-24-04\">Installing WireGuard VPN Server on Ubuntu 24.04<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"run-system-update\">Run system update<\/h3>\n\n\n\n<p>Before you can proceed, ensure that the system package cache is up-to-date;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt update<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-wire-guard-vpn-server\">Install WireGuard VPN Server<\/h3>\n\n\n\n<p>To install WireGuard and the required modules, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt install wireguard-tools<\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Reading package lists... Done\nBuilding dependency tree... Done\nReading state information... Done\nThe following NEW packages will be installed:\n  wireguard-tools\n0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.\nNeed to get 88.8 kB of archives.\nAfter this operation, 326 kB of additional disk space will be used.\nGet:1 http:\/\/de.archive.ubuntu.com\/ubuntu noble\/main amd64 wireguard-tools amd64 1.0.20210914-1ubuntu3 [88.8 kB]\nFetched 88.8 kB in 0s (1,051 kB\/s)         \nSelecting previously unselected package wireguard-tools.\n(Reading database ... 
156325 files and directories currently installed.)\nPreparing to unpack ...\/wireguard-tools_1.0.20210914-1ubuntu3_amd64.deb ...\nUnpacking wireguard-tools (1.0.20210914-1ubuntu3) ...\nSetting up wireguard-tools (1.0.20210914-1ubuntu3) ...\nwg-quick.target is a disabled or a static unit, not starting it.\nProcessing triggers for man-db (2.12.0-3) ...\n<\/code><\/pre>\n\n\n\n<p>The command installs two WireGuard VPN utilities:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>wg<\/strong>: the configuration utility for getting and setting the configuration of WireGuard tunnel interfaces.<\/li>\n\n\n\n<li><code><strong>wg-quick<\/strong><\/code>: used to set up a WireGuard interface. Refer to <strong><code>man wg-quick<\/code><\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-i-ptables\">Install IPtables<\/h3>\n\n\n\n<p>Iptables will be required to set the firewall rules.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install iptables<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-wire-guard-vpn-server-on-ubuntu-24-04\">Configuring WireGuard VPN Server on Ubuntu 24.04<\/h3>\n\n\n\n<p>Once the installation is done, you can now proceed to configure WireGuard VPN server on Ubuntu 24.04.<\/p>\n\n\n\n<p>WireGuard creates an empty configuration directory, <strong><code>\/etc\/wireguard<\/code><\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"generate-wire-guard-private-public-keys\">Generate WireGuard Private\/Public Keys<\/h4>\n\n\n\n<p>Next, you need to generate WireGuard base64-encoded private and public keys.<\/p>\n\n\n\n<p>Private keys can be generated using the <strong><code>wg genkey<\/code><\/strong> command as follows.<\/p>\n\n\n\n<p>To begin with, update the file and directory permissions using umask. 
By default, the <code class=\"\">umask<\/code> for most users is <code class=\"\">002<\/code>. This means that, when creating files, the default permissions are <code class=\"\">664<\/code> for files (read\/write for owner and group, read for others) and <code class=\"\">775<\/code> for directories (read\/write\/execute for owner and group, and read\/execute for others).<\/p>\n\n\n\n<p>For WireGuard private keys, these default permissions would allow anyone on the system to read the key, which poses a security risk. An attacker with access to the key could potentially impersonate your device and compromise your VPN connection.<\/p>\n\n\n\n<p>Thus, ensure that you remove read, write, and execute permissions for everyone except the owner of the WireGuard configuration files.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">umask 077<\/pre>\n\n\n\n<p>Next, generate the keys;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wg genkey<\/pre>\n\n\n\n<p>The command will print the private key to stdout. To write to a file, simply run;<\/p>\n\n\n\n<pre id=\"block-d41492a7-b691-41ff-8fa9-ce85825bd2ff\" class=\"wp-block-preformatted\">wg genkey | sudo tee \/etc\/wireguard\/wireguard.key<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"generate-wire-guard-public-keys\">Generate WireGuard Public Keys<\/h4>\n\n\n\n<p>Public keys can be generated from the private keys using the <strong><code>wg pubkey<\/code><\/strong> command. 
The command similarly prints the key to standard output;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cat \/etc\/wireguard\/wireguard.key | wg pubkey<\/pre>\n\n\n\n<p>To write to a file;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cat \/etc\/wireguard\/wireguard.key | wg pubkey | sudo tee \/etc\/wireguard\/wireguard.pub.key<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"generate-both-private-and-public-key-at-once\">Generate Both Private and Public Key at Once<\/h4>\n\n\n\n<p>You can run the command below to generate the WireGuard private key and public key at the same time;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wg genkey | sudo tee \/etc\/wireguard\/wireguard.key | wg pubkey | sudo tee \/etc\/wireguard\/wireguard.pub.key<\/pre>\n\n\n\n<p>Below are the contents of my private and public keys;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cat \/etc\/wireguard\/wireguard.key<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>uFgD3dDfMBP+SwPS+CTY5DY7U9+25laoleDsvXSJOmg=<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cat \/etc\/wireguard\/wireguard.pub.key<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>T6gaFyJEWRucHFzpJJFYPpFv6EH3r2lnXxLHMP8eshU=<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"generate-wire-guard-server-configuration-file\">Generate WireGuard Server Configuration File<\/h3>\n\n\n\n<p>Once you have the keys in place, you can now generate the WireGuard configuration file, <strong><code>\/etc\/wireguard\/INTERFACE.conf<\/code><\/strong>.<\/p>\n\n\n\n<p><em>Recommended <strong>INTERFACE<\/strong> names include &#8216;wg0&#8217; or &#8216;wgvpn0&#8217; or even &#8216;wgmgmtlan0&#8217;. However, the number at the end is in fact optional, and really any free-form string [a-zA-Z0-9_=+.-]{1,15} will work. 
So even interface names corresponding to geographic locations would suffice, such as &#8216;cincinnati&#8217;, &#8216;nyc&#8217;, or &#8216;paris&#8217;, if that&#8217;s somehow desirable.<\/em><\/p>\n\n\n\n<p>First of all, let&#8217;s list our current interfaces;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip -br a<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>lo               UNKNOWN        127.0.0.1\/8 ::1\/128 \nenp0s3           UP             10.0.2.15\/24 fe80::a00:27ff:feee:d66c\/64 \nenp0s8           UP             192.168.56.104\/24 fe80::a00:27ff:fe5e:3b83\/64\n<\/code><\/pre>\n\n\n\n<p>Check the routes to get the default route interface;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip route list default<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>default via 10.0.2.2 dev enp0s3 proto dhcp src 10.0.2.15 metric 100 \n<\/code><\/pre>\n\n\n\n<p>You can then simply run the command below to create a config file named <strong><code>\/etc\/wireguard\/wg0.conf<\/code><\/strong>.<\/p>\n\n\n\n<p><strong>Be sure to update the file as per your environment setup!<\/strong><\/p>\n\n\n\n<pre class=\"scroll-box\"><code>sudo tee \/etc\/wireguard\/wg0.conf &lt;&lt; 'EOL'\n[Interface]\nAddress = 10.8.0.1\/24\nSaveConfig = true\nListenPort = 51820\nDNS\t   = 8.8.8.8,10.8.0.1\nPrivateKey = uFgD3dDfMBP+SwPS+CTY5DY7U9+25laoleDsvXSJOmg=\nPostUp = echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward;iptables -A INPUT -p udp --dport 51820 -j ACCEPT;iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE;iptables -A FORWARD -i wg0 -o enp0s3 -j ACCEPT\nPostDown = echo 0 > \/proc\/sys\/net\/ipv4\/ip_forward;iptables -D INPUT -p udp --dport 51820 -j ACCEPT;iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE;iptables -D FORWARD -i wg0 -o enp0s3 -j ACCEPT\nEOL\n<\/code><\/pre>\n\n\n\n<p>You can get an explanation of the configuration options from <strong><code>man wg-quick<\/code><\/strong>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Address<\/strong>: a 
comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface. May be specified multiple times.<\/li>\n\n\n\n<li><strong>ListenPort<\/strong>: WireGuard starts at <strong>51820\/UDP<\/strong> by default. However, you can choose any free higher range port.<\/li>\n\n\n\n<li><strong>DNS<\/strong>: a comma-separated list of IP (v4 or v6) addresses to be set as the interface&#8217;s DNS servers, or non-IP hostnames to be set as the interface&#8217;s DNS search domains. May be specified multiple times.<\/li>\n\n\n\n<li><strong>PrivateKey<\/strong>: the key extracted from the private key file created above, \/etc\/wireguard\/wireguard.key.<\/li>\n\n\n\n<li><strong>PostUp, PostDown<\/strong>: script snippets which will be executed before\/after setting up\/tearing down the interface, most commonly used to configure custom DNS options or firewall rules.\n<ul class=\"wp-block-list\">\n<li>Enable IP forwarding<\/li>\n\n\n\n<li>Open port 51820\/udp on firewall<\/li>\n\n\n\n<li>Masquerade traffic through the default route interface<\/li>\n\n\n\n<li>Allow forwarding of VPN traffic to the default route interface<\/li>\n\n\n\n<li>The opposite of all the above applies for the PostDown configuration.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>SaveConfig<\/strong>: if set to &#8216;true&#8217;, the configuration is saved from the current state of the interface upon shutdown. 
Any changes made to the configuration file before the interface is removed will therefore be overwritten.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"enable-ip-forwarding-on-wire-guard-vpn-server\">Enable IP Forwarding on WireGuard VPN Server<\/h3>\n\n\n\n<p>To route packets between VPN clients, you need to enable kernel IP forwarding.<\/p>\n\n\n\n<p>We have already enabled this in the WireGuard interface configuration above (<strong><code>echo 1 &gt; \/proc\/sys\/net\/ipv4\/ip_forward<\/code><\/strong>).<\/p>\n\n\n\n<p>Alternatively, you can enable it as follows (if you want to use this approach, remove the above lines from the configuration file);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"net.ipv4.ip_forward = 1\" | sudo tee -a \/etc\/sysctl.conf<\/pre>\n\n\n\n<p>Reload sysctl settings;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo sysctl -p<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"running-wire-guard-vpn-server\">Running WireGuard VPN Server<\/h3>\n\n\n\n<p>You can run WireGuard by bringing up the WireGuard VPN server interface using the <strong><code>wg-quick<\/code><\/strong> command or by using the <strong><code>systemd<\/code><\/strong> service.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"use-wg-quick-to-manage-wire-guard-vpn-tunnel-interface\">Use wg-quick to Manage WireGuard VPN Tunnel Interface<\/h4>\n\n\n\n<p>To bring up the interface using the <strong><code>wg-quick<\/code><\/strong> command, run;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo wg-quick up wg0<\/pre>\n\n\n\n<p>Sample command output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>[#] ip link add wg0 type wireguard\n[#] wg setconf wg0 \/dev\/fd\/63\n[#] ip -4 address add 10.8.0.1\/24 dev wg0\n[#] ip link set mtu 1420 up dev wg0\n[#] resolvconf -a wg0 -m 0 -x\n[#] echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward;iptables -A INPUT -p udp --dport 51820 -j ACCEPT;iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE;iptables 
-A FORWARD -i wg0 -o enp0s3 -j ACCEPT\n<\/code><\/pre>\n\n\n\n<p>Show WireGuard VPN interface configuration;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo wg<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>interface: wg0\n  public key: T6gaFyJEWRucHFzpJJFYPpFv6EH3r2lnXxLHMP8eshU=\n  private key: (hidden)\n  listening port: 51820\n<\/code><\/pre>\n\n\n\n<p>Checking the wg0 interface details:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ip add show wg0<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>4: wg0: &lt;POINTOPOINT,NOARP,UP,LOWER_UP&gt; mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/none \n    inet 10.8.0.1\/24 scope global wg0\n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n<p>Listing Firewall rules on an active interface;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo iptables -L -nv<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n    0     0 ACCEPT     17   --  *      *       0.0.0.0\/0            0.0.0.0\/0            udp dpt:51820\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n    0     0 ACCEPT     0    --  wg0    enp0s3  0.0.0.0\/0            0.0.0.0\/0           \n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo iptables -L -nv -t nat<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n\nChain INPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n 
pkts bytes target     prot opt in     out     source               destination         \n\nChain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n    3   218 MASQUERADE  0    --  *      enp0s3  0.0.0.0\/0            0.0.0.0\/0\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"use-systemd-to-manage-wire-guard-vpn-tunnel-interface\">Use Systemd to Manage WireGuard VPN Tunnel Interface<\/h4>\n\n\n\n<p>If you had already brought up the WireGuard tunnel interface using wg-quick command, take the interface down;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo wg-quick down wg0<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>[#] wg showconf wg0\n[#] ip link delete dev wg0\n[#] resolvconf -d wg0 -f\n[#] echo 0 > \/proc\/sys\/net\/ipv4\/ip_forward;iptables -D INPUT -p udp --dport 51820 -j ACCEPT;iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE;iptables -D FORWARD -i wg0 -o enp0s3 -j ACCEPT\n<\/code><\/pre>\n\n\n\n<p>After that, you can use systemd service to manage WireGuard, by simply running the command below to start it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo systemctl start wg-quick@wg0<\/pre>\n\n\n\n<p>To check the status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl status wg-quick@wg0<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0\n     Loaded: loaded (\/lib\/systemd\/system\/wg-quick@.service; disabled; preset: enabled)\n     Active: active (exited) since Tue 2024-02-06 18:57:33 CET; 7s ago\n       Docs: man:wg-quick(8)\n             man:wg(8)\n             https:\/\/www.wireguard.com\/\n             https:\/\/www.wireguard.com\/quickstart\/\n             https:\/\/git.zx2c4.com\/wireguard-tools\/about\/src\/man\/wg-quick.8\n             https:\/\/git.zx2c4.com\/wireguard-tools\/about\/src\/man\/wg.8\n    Process: 41652 ExecStart=\/usr\/bin\/wg-quick up wg0 
(code=exited, status=0\/SUCCESS)\n   Main PID: 41652 (code=exited, status=0\/SUCCESS)\n        CPU: 44ms\n\nFeb 06 18:57:33 noble-numbat systemd[1]: Starting wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0...\nFeb 06 18:57:33 noble-numbat wg-quick[41652]: [#] ip link add wg0 type wireguard\nFeb 06 18:57:33 noble-numbat wg-quick[41652]: [#] wg setconf wg0 \/dev\/fd\/63\nFeb 06 18:57:33 noble-numbat wg-quick[41652]: [#] ip -4 address add 10.8.0.1\/24 dev wg0\nFeb 06 18:57:33 noble-numbat wg-quick[41652]: [#] ip link set mtu 1420 up dev wg0\nFeb 06 18:57:33 noble-numbat wg-quick[41652]: [#] echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward;iptables -A INPUT -p udp --dport 51820 -j ACCEPT;iptables -t n>\nFeb 06 18:57:33 noble-numbat systemd[1]: Finished wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0.\n<\/code><\/pre>\n\n\n\n<p>To enable it to run on boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo systemctl enable wg-quick@wg0<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"stopping-wire-guard-vpn\">Stopping WireGuard VPN<\/h3>\n\n\n\n<p>To stop the WireGuard VPN, run;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo wg-quick down wg0<\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo systemctl stop wg-quick@wg0<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configure-wire-guard-vpn-clients\">Configure WireGuard VPN Clients<\/h2>\n\n\n\n<p>Once the server is set up, you can now proceed to configure WireGuard VPN clients.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"generate-wire-guard-vpn-clients-private-public-keys\">Generate WireGuard VPN Clients Private\/Public Keys<\/h3>\n\n\n\n<p>To begin with, you need to generate the client keys. 
You can use the same command as used above while generating the keys for the server.<\/p>\n\n\n\n<p>The command below generates keys for our three test servers.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">for i in ubuntu debian rocky8; do wg genkey | sudo tee \/etc\/wireguard\/$i.key | wg pubkey | sudo tee \/etc\/wireguard\/$i.pub.key; done<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">ls -1 \/etc\/wireguard<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>debian.key\ndebian.pub.key\nrocky8.key\nrocky8.pub.key\nubuntu.key\nubuntu.pub.key\nwg0.conf\nwireguard.key\nwireguard.pub.key\n<\/code><\/pre>\n\n\n\n<p>Checking the contents of each key;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cat \/etc\/wireguard\/debian.key \/etc\/wireguard\/debian.pub.key<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>0INvLkZU64dJd\/41r1RuCEW0\/mpHGycXOQvvuEWd7ks=\nc9rhdbHHY1EVXThhTnzYkE0lto+5UK4\/raGEhVnTLRQ=\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cat \/etc\/wireguard\/ubuntu.key \/etc\/wireguard\/ubuntu.pub.key<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>GODF2MimY+nATXMbjJUdCo19Q7edYEOg3PuegNSad1o=\nucQSU4bqZn0Pll+hgfLNZC8JNDMymOGifyiwp\/iKIjc=\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cat \/etc\/wireguard\/rocky8.key \/etc\/wireguard\/rocky8.pub.key<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>YCEfv6oDxjEVxqnTI1caPsAm+efapiKYkcfLtn6gp1A=\nBlO7WMxOjRqeEzi4VYLThpeksZQ8Wijig9Wa2v2U4mg=\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"add-client-peer-settings-in-wire-guard-vpn-server-configuration\">Add Client Peer Settings in WireGuard VPN Server configuration<\/h3>\n\n\n\n<p>Next, you need to add the client peer settings in the WireGuard VPN Server configuration file as shown below.<\/p>\n\n\n\n<p>Be sure to replace the Public Keys and IP addresses for the respective clients accordingly.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>sudo tee -a \/etc\/wireguard\/wg0.conf &lt;&lt; 'EOF'\n\n[Peer]\nPublicKey = 
c9rhdbHHY1EVXThhTnzYkE0lto+5UK4\/raGEhVnTLRQ=\nAllowedIPs = 10.8.0.10\n\n[Peer]\nPublicKey = ucQSU4bqZn0Pll+hgfLNZC8JNDMymOGifyiwp\/iKIjc=\nAllowedIPs = 10.8.0.20\n\n[Peer]\nPublicKey = BlO7WMxOjRqeEzi4VYLThpeksZQ8Wijig9Wa2v2U4mg=\nAllowedIPs = 10.8.0.30\nEOF\n<\/code><\/pre>\n\n\n\n<p>Our WireGuard VPN server configuration file now looks like;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cat \/etc\/wireguard\/wg0.conf<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>[Interface]\nAddress = 10.8.0.1\/24\nSaveConfig = true\nPostUp = echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward;iptables -A INPUT -p udp --dport 51820 -j ACCEPT;iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE;iptables -A FORWARD -i wg0 -o enp0s3 -j ACCEPT\nPostDown = echo 0 > \/proc\/sys\/net\/ipv4\/ip_forward;iptables -D INPUT -p udp --dport 51820 -j ACCEPT;iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE;iptables -D FORWARD -i wg0 -o enp0s3 -j ACCEPT\nListenPort = 51820\nPrivateKey = KCDg87QMVzrw7IXtIT9A\/E7vmuOCQAXsIxIiPcsPGVg=\n\n[Peer]\nPublicKey = c9rhdbHHY1EVXThhTnzYkE0lto+5UK4\/raGEhVnTLRQ=\nAllowedIPs = 10.8.0.10\n\n[Peer]\nPublicKey = ucQSU4bqZn0Pll+hgfLNZC8JNDMymOGifyiwp\/iKIjc=\nAllowedIPs = 10.8.0.20\n\n[Peer]\nPublicKey = BlO7WMxOjRqeEzi4VYLThpeksZQ8Wijig9Wa2v2U4mg=\nAllowedIPs = 10.8.0.30\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"reload-wire-guard\">Reload WireGuard;<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"reload-wire-guard-vpn-using-systemctl\">Reload WireGuard VPN using Systemctl<\/h4>\n\n\n\n<p>You can reload the WireGuard VPN settings;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl reload wg-quick@wg0<\/code><\/pre>\n\n\n\n<p>Check the status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status wg-quick@wg0<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"reload-wire-guard-vpn-using-wg-quick-command\">Reload WireGuard VPN using wg-quick command<\/h4>\n\n\n\n<p>If you started WireGuard using the wg-quick command, 
then you can reload as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo bash -c 'wg syncconf wg0 &lt;(wg-quick strip wg0)'<\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>interface: wg0\n  public key: 60UScq0EQ7ZHXIdHcOnjFYK6N\/TLtmtPGTBqLwLd0WY=\n  private key: (hidden)\n  listening port: 51820\n\npeer: c9rhdbHHY1EVXThhTnzYkE0lto+5UK4\/raGEhVnTLRQ=\n  allowed ips: 10.8.0.10\/32\n\npeer: ucQSU4bqZn0Pll+hgfLNZC8JNDMymOGifyiwp\/iKIjc=\n  allowed ips: 10.8.0.20\/32\n\npeer: BlO7WMxOjRqeEzi4VYLThpeksZQ8Wijig9Wa2v2U4mg=\n  allowed ips: 10.8.0.30\/32\n<\/code><\/pre>\n\n\n\n<p>Show current WireGuard configuration and runtime information of specified interface;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo wg show<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>interface: wg0\n  public key: T6gaFyJEWRucHFzpJJFYPpFv6EH3r2lnXxLHMP8eshU=\n  private key: (hidden)\n  listening port: 51820\n\npeer: ucQSU4bqZn0Pll+hgfLNZC8JNDMymOGifyiwp\/iKIjc=\n  endpoint: 192.168.56.103:40122\n  allowed ips: 10.8.0.20\/32\n  latest handshake: 1 minute, 6 seconds ago\n  transfer: 648 B received, 184 B sent\n\npeer: c9rhdbHHY1EVXThhTnzYkE0lto+5UK4\/raGEhVnTLRQ=\n  allowed ips: 10.8.0.10\/32\n\npeer: BlO7WMxOjRqeEzi4VYLThpeksZQ8Wijig9Wa2v2U4mg=\n  allowed ips: 10.8.0.30\/32\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-and-setup-wire-guard-vpn-client-on-ubuntu-24-04\">Install and Setup WireGuard VPN Client on Ubuntu 24.04<\/h3>\n\n\n\n<p>Follow the link below to learn how to install and setup WireGuard VPN client on Ubuntu 24.04.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-wireguard-vpn-client-ubuntu-24-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install WireGuard VPN client on Ubuntu 24.04<\/a><\/p>\n\n\n\n<p>That concludes our guide on how to install WireGuard VPN server.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Follow this tutorial to learn how to 
install WireGuard VPN server on Ubuntu 24.04. According to wireguard.com, WireGuard\u00ae is an extremely simple yet fast and<\/p>\n","protected":false},"author":10,"featured_media":20054,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,321],"tags":[7384,7385,7386],"class_list":["post-20060","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-vpn","tag-install-wireguard-on-ubuntu-24-04","tag-ubuntu-24-04-wireguard","tag-wireguard-vpn-ubuntu-24-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/20060"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=20060"}],"version-history":[{"count":12,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/20060\/revisions"}],"predecessor-version":[{"id":20931,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/20060\/revisions\/20931"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/20054"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=20060"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=20060"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=20060"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}