WireGuard is a modern, simple, and secure VPN protocol that has rapidly gained popularity for its performance and ease of use. Unlike traditional VPN protocols such as OpenVPN and IPsec, WireGuard uses a small, fixed set of modern cryptographic primitives, which keeps the implementation lightweight and efficient. Setting up a WireGuard VPN server from scratch can enhance security and privacy by providing a dedicated, encrypted tunnel for internet traffic.
Prerequisites
Before starting, ensure that you have the following:
- A server running a supported Linux distribution (e.g., Ubuntu 20.04 or higher).
- Root or sudo access to the server.
- Basic knowledge of the Linux command line.
- A domain name or public IP address to configure remote access.
Installing WireGuard on the Server
The first step in setting up a WireGuard server is installing the WireGuard package. This can be done using the package manager available in your distribution.
Update the system package list:
sudo apt update
Install WireGuard:
sudo apt install wireguard
Verify the installation:
wg --version
This will confirm that WireGuard is installed and ready for configuration.
Generating Keys for the Server
WireGuard uses public and private keys for encryption. You need to generate both keys for the server.
Generate the private key:
wg genkey | sudo tee /etc/wireguard/privatekey
Generate the public key from the private key:
sudo cat /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
Keep the private key secure and never share it. Note that tee creates the file with your default umask, so check that /etc/wireguard/privatekey is readable only by root (for example, run umask 077 before generating it, or chmod 600 on the file afterwards).
Configuring the Server
Now that the keys are generated, you can configure the WireGuard server. The configuration file defines the interface, network settings, and security details.
Create the configuration file:
sudo nano /etc/wireguard/wg0.conf
Add the following content to the configuration file, replacing placeholders with your actual keys and network settings:
```ini
[Interface]
PrivateKey =
Address = 10.0.0.1/24
ListenPort = 51820
SaveConfig = true

[Peer]
PublicKey =
AllowedIPs = 10.0.0.2/32
```
Explanation of the configuration:
- PrivateKey: The server's private key.
- Address: The internal IP address of the server within the VPN network.
- ListenPort: The UDP port on which WireGuard listens for incoming connections.
- SaveConfig: Makes wg-quick write the running configuration (including any peers added at runtime) back to this file when the interface is brought down.
- PublicKey (under [Peer]): The public key of the client that will connect to the server.
- AllowedIPs: The VPN addresses the server accepts as the source of packets from this peer and routes to it; here only the client's own address, 10.0.0.2/32.
Enabling IP Forwarding
For the WireGuard server to route traffic between different networks, IP forwarding must be enabled.
Edit the sysctl configuration:
sudo nano /etc/sysctl.conf
Add or uncomment the following line:
```ini
net.ipv4.ip_forward=1
```
Apply the changes:
sudo sysctl -p
This ensures that the server can forward IP packets between the client and the internet.
Starting the WireGuard Server
Once the configuration is complete, it’s time to start the WireGuard service.
Start the WireGuard interface:
sudo wg-quick up wg0
To ensure the VPN starts on boot:
sudo systemctl enable wg-quick@wg0
Check the status of the WireGuard interface:
sudo wg show
This will display information about the active connection and peer status.
Configuring Firewall Rules
WireGuard relies on specific firewall rules to allow VPN traffic. It’s important to ensure that the appropriate ports are open.
Allow UDP traffic on the WireGuard port:
sudo ufw allow 51820/udp
Allow traffic arriving on wg0 to be forwarded (this permits routing between the VPN and other networks; it does not by itself set up NAT):
sudo ufw route allow in on wg0 to any
Reload the firewall:
sudo ufw reload
Setting Up the Client
To connect to your WireGuard server, the client also needs to be configured. The client configuration will include the server’s public key and IP address.
Install WireGuard on the client machine:
sudo apt install wireguard
Generate the client keys:
wg genkey | tee privatekey | wg pubkey > publickey
Create the client configuration file:
nano /etc/wireguard/wg0.conf
Add the following content to the client configuration, replacing placeholders:
```ini
[Interface]
PrivateKey =
Address = 10.0.0.2/24

[Peer]
PublicKey =
Endpoint = :51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```
- PrivateKey: The client's private key.
- Address: The client's VPN IP address.
- PublicKey: The server's public key.
- Endpoint: The server's IP address or domain name, along with the WireGuard port.
- AllowedIPs: Defines which traffic is routed through the VPN; 0.0.0.0/0 sends all IPv4 traffic through the tunnel.
- PersistentKeepalive: Sends a keepalive packet every 25 seconds so the connection stays open through NAT devices and firewalls, even when idle.
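The server and client files above share one INI layout, and the most common mistakes are an empty or malformed key, two peers claiming the same VPN address, and the client's 0.0.0.0/0 AllowedIPs copied into the server file. The following linter, an added example that is not part of the original post, parses a server wg0.conf and reports those problems; the keys in its sample config are constructed 32-byte values, not real WireGuard keys.

```python
import base64
import ipaddress

def fake_key(seed):  # constructed 32-byte value in WireGuard's base64 key form, not a real key
    return base64.b64encode(bytes([seed]) * 32).decode()

# Constructed server wg0.conf in the layout shown above, with one client peer.
SERVER_CONF = f"""[Interface]
PrivateKey = {fake_key(1)}
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = {fake_key(2)}
AllowedIPs = 10.0.0.2/32
"""

def parse_wg_conf(text):  # minimal wg-quick INI parser; configparser rejects repeated [Peer]
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            peers.append(cur := {})
        elif line:
            key, value = (s.strip() for s in line.split("=", 1))
            cur[key] = value
    return iface, peers
def valid_key(s):  # WireGuard keys are exactly 32 bytes, base64-encoded (44 characters)
    try:
        return len(base64.b64decode(s, validate=True)) == 32
    except ValueError:
        return False
def lint_server_conf(text):  # returns a list of problems; an empty list means the file passed
    iface, peers = parse_wg_conf(text)
    problems = []
    if not valid_key(iface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey is not a 32-byte base64 key")
    subnet = ipaddress.ip_interface(iface["Address"]).network
    claimed = []  # (peer index, network) pairs already assigned to a peer
    for i, peer in enumerate(peers, 1):
        if not valid_key(peer.get("PublicKey", "")):
            problems.append(f"peer {i}: PublicKey is not a 32-byte base64 key")
        for cidr in peer.get("AllowedIPs", "").split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if not net.subnet_of(subnet):  # server side lists client VPN IPs only
                problems.append(f"peer {i}: AllowedIPs {net} lies outside {subnet}")
            for j, other in claimed:
                if net.overlaps(other):  # two peers cannot claim the same source IP
                    problems.append(f"peer {i}: AllowedIPs {net} overlaps peer {j} ({other})")
            claimed.append((i, net))
    return problems
```

Run lint_server_conf on the contents of /etc/wireguard/wg0.conf before bringing the interface up; each returned string names the offending peer and value.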
Testing the Connection
Finally, after configuring the server and client, you can test the VPN connection.
Start the WireGuard client interface:
sudo wg-quick up wg0
Check the connection status:
sudo wg show
If the client is connected successfully, the server will display the client as a peer with an active connection.
Securing the WireGuard Server
To enhance security, consider the following:
- Use strong, unique keys for the server and clients.
- Limit access by firewall rules to trusted IPs.
- Keep the server’s operating system and WireGuard installation up to date.
