WireGuard Installation Tutorial - zenarmor.com (2024)

WireGuard is a fast and simple virtual private network protocol that utilizes modern cryptography. It's much faster than OpenVPN or IPsec while also having a smaller codebase that is easier to audit and maintain. For more information about WireGuard please refer to our WireGuard Guide.

Working remotely has become common practice and is deemed necessary for most organizations around the world following the COVID-19 pandemic. But remote work also carries high security risks, especially for corporate networks. To provide more secure Internet access for colleagues and to make company networks and resources more secure, we advise using the WireGuard protocol and Zenarmor together.

In this tutorial, we will configure a simple WireGuard VPN connection between an Ubuntu 20.04 LTS server and a client. The client can be either your local computer or a mobile device. First, we will install and configure WireGuard on Ubuntu 20.04 LTS as a VPN server. Then, we will configure WireGuard as a client on both a desktop PC and an Android device. The desktop PC may run Ubuntu Desktop or Windows 7/10. The client's traffic will be routed through the Ubuntu 20.04 server.


Figure 1. WireGuard P2P VPN Topology (WireGuard Ubuntu Server and Ubuntu/Android/Windows Clients)

This tutorial demonstrates the configuration of WireGuard VPN in a hub-and-spoke topology. If you want a VPN that is both dependable and capable of handling increased demands, you may choose to install and set up a WireGuard Mesh VPN infrastructure.

This setup can provide you protection against Man in the Middle attacks, and anonymity while surfing the web. Also, you can use this WireGuard configuration for accessing your company network remotely from anywhere around the world in a secure way.

tip

Did you try installing Zenarmor on your WireGuard VPN server to make your network more secure? By configuring the Zenarmor Free Edition and applying web filtering and application control, you can block security threats coming through your WireGuard tunnel interface.

The WireGuard configuration is very easy. You can set up a WireGuard VPN tunnel by following the 5 main steps given below:

  1. Download and install WireGuard for both server and clients

  2. Generate cryptographic key pairs (public and private keys) for both server and clients

  3. Configure WireGuard tunnel interfaces on both server and clients

  4. Configure firewall rules on your WireGuard VPN server

  5. Enable WireGuard tunnel interfaces on both server and clients

Installing WireGuard

To follow this WireGuard setup guide, you will need the devices listed below:

  • An Ubuntu 20.04 LTS Linux server, which will be configured as the WireGuard VPN server.

  • An Ubuntu Desktop, Windows PC or Android device, which will be configured as a WireGuard VPN client.

warning

Privileged access to your Linux system, as root or via the sudo command, is required.

All commands given below must be executed with root privileges, either directly as the root user or with sudo.


WireGuard Setup as a VPN Server on Ubuntu

Before you begin installing WireGuard, make sure your system is up to date and that the required packages are installed.

1. Update your local package index by running the following command:

sudo apt update && sudo apt upgrade -y

2. Install iptables if your system does not have it yet:

sudo apt install iptables -y

Installation of WireGuard on Ubuntu

Ubuntu 20.04 ships with Linux kernel 5.4, which has a built-in WireGuard module. Therefore, you can easily install WireGuard itself and all of its dependencies by running the following command:

sudo apt install wireguard wireguard-tools

After you've installed WireGuard, follow the steps below to further configure your server.

Generating private and public keys

One of WireGuard's main advantages is that it is built on state-of-the-art cryptographic primitives. It gives you a secure VPN tunnel by encrypting your connection using a pair of cryptographic keys. Each peer must have its own private and public key to secure communication in both directions. To use WireGuard, each server and client generates its own key pair and then exchanges public keys with the other side.

Run the following command on the Ubuntu server to create a public/private key pair, which will be saved in the /etc/wireguard/ directory.

$ wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key

[sudo] password for alp:

hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=

This will save both the private and public keys to the /etc/wireguard directory.

warning

The private key should never be shared with anyone and should always be kept secure.

info

WireGuard also supports an optional pre-shared key. To add a further layer of security to your VPN tunnel, you can use this key, which must be unique for each peer pair.

You can view the contents of the WireGuard key files with cat or less.

$ sudo cat /etc/wireguard/server_private.key

aIfECLKHoeCHsSr3qYfOgqm9BiNFEqQgYiDJQdUlJV8=

tip

Note down the key pair; it will be used to update the WireGuard configuration file in the following steps.

$ sudo cat /etc/wireguard/server_public.key

hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=

The next step is to configure the tunnel device that will route the VPN traffic.

Generating WireGuard Server Configuration File

You can configure the WireGuard tunnel device in two different ways:

  • using the ip and wg commands on CLI

  • creating the configuration file with a text editor

In this guide, we will use the second method.

Let's start configuring the WireGuard server by creating a new configuration file called wg0.conf in the /etc/wireguard folder and adding the configuration lines given below.

First, open the wg0.conf file with the nano editor.

sudo nano /etc/wireguard/wg0.conf

tip

You can name the WireGuard interface as you wish, but it is recommended to use something like wg0.

The configuration below will make your WireGuard server accept connections on port 51820, using the private key we generated above.

Secondly, add the following directives to the configuration file.

[Interface]
PrivateKey = <contents-of-server-privatekey>
Address = 10.10.10.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i ens18 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; ufw route allow in on wg0 out on ens18; ufw route allow in on ens18 out on wg0; ufw allow proto udp from any to any port 51820
PostDown = iptables -D FORWARD -i ens18 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens18 -j MASQUERADE; ufw route delete allow in on wg0 out on ens18; ufw route delete allow in on ens18 out on wg0; ufw delete allow proto udp from any to any port 51820

  • PrivateKey: the private key of the VPN server, which can be found in the /etc/wireguard/server_private.key file on the server.

  • Address: defines the private VPN address of the WireGuard server (an IPv4 address here; an IPv6 address can be listed as well). Each peer in the VPN network must have a unique IP address.

  • ListenPort: specifies the UDP port WireGuard listens on for incoming connections. It can be freely chosen from the high port range; if no port is specified, it is 51820/UDP by default.

  • PostUp and PostDown: define commands to run after the interface is brought up or down, respectively. Here iptables sets the Linux IP masquerade rules that let all clients share the server's IPv4 and IPv6 address, and ufw opens the WireGuard port and the forwarding path; ens18 is the name of the server's Internet-facing interface in this example, so replace it with your own interface name. The rules are removed again once the tunnel is down.

Then save and close the file.

Install a DNS Resolver on the Server

Since we will specify the VPN server as the DNS server for the clients, we need to run a DNS resolver on the VPN server. We can install the bind9 DNS server.

sudo apt install bind9

Once it's installed, BIND will automatically start. You can check its status with:

systemctl status bind9

Sample output:

● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-06-28 07:14:24 UTC; 16s ago
       Docs: man:named(8)
   Main PID: 1568 (named)
      Tasks: 5 (limit: 10387)
     Memory: 15.1M
     CGroup: /system.slice/named.service
             └─1568 /usr/sbin/named -f -u bind

Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './NS/IN': 2001:500:200::b#53
Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
Jun 28 07:14:25 myfirsfw named[1568]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Jun 28 07:14:25 myfirsfw named[1568]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is>
Jun 28 07:14:25 myfirsfw named[1568]: resolver priming query complete

If it's not running, you can start it with the following commands:

sudo systemctl start bind9

Edit the BIND DNS server's configuration file.

sudo nano /etc/bind/named.conf.options

Add the following line inside the options { ... } block to allow VPN clients to send recursive DNS queries.

allow-recursion { 127.0.0.1; 10.10.10.0/24; };


Figure 2. Allowing VPN clients to send recursive DNS queries

Save and close the file.

Restart BIND9 for the changes to take effect.

sudo systemctl restart bind9

How To Set Up WireGuard Firewall Rules on Ubuntu Server

You should also configure a firewall to allow WireGuard clients to reach your WireGuard server and any other services you wish to expose, such as DNS and SSH. Configuring a firewall blocks unwanted connections and keeps your server secure. Follow the steps given below:

1. Install the ufw, the Uncomplicated Firewall, using the command below.

sudo apt install ufw

2. Add the following rules to allow WireGuard connections.

sudo ufw allow 51820/udp

3. Add the following rules to allow VPN clients to connect to the DNS service.

sudo ufw allow 53/tcp

sudo ufw allow 53/udp

4. Add the following rule to allow SSH connections. (This step is optional. You may also allow any other connections that you need, such as HTTPS on port 443.)

sudo ufw allow 22

5. Enable the firewall with the next command.

sudo ufw enable

6. Confirm the command when prompted.

Command may disrupt existing ssh connections. Proceed with operation (y|n)? Y

Firewall is active and enabled on system startup

7. Following that, use the command below to check the active firewall rules.

sudo ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
51820/udp                  ALLOW IN    Anywhere
53/tcp                     ALLOW IN    Anywhere
53/udp                     ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
51820/udp (v6)             ALLOW IN    Anywhere (v6)
53/tcp (v6)                ALLOW IN    Anywhere (v6)
53/udp (v6)                ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)

Congratulations. The Ubuntu peer that will serve as a server has been configured.

Enabling Clients to Access the Internet/LAN Through WireGuard VPN Server

By allowing clients to reach the WireGuard port, we have set up peer-to-peer VPN networking between the Ubuntu server and its clients. However, you may also want to give all VPN clients access to the Internet or to your company network/LAN through the WireGuard server. For this, you must configure the firewall rules, including IP forwarding and NAT.

IP forwarding

In order for the VPN server to route packets between VPN clients and the Internet/LAN, you must enable IP forwarding on the WireGuard server. Follow the instructions below:

1. Open the system variables file for edit.

sudo nano /etc/sysctl.conf

2. Add or uncomment the following line by removing the # at the beginning of the line.

net.ipv4.ip_forward=1

3. Save the file and exit the editor.

4. Open /etc/ufw/sysctl.conf and uncomment these lines:

net/ipv4/ip_forward=1

net/ipv6/conf/default/forwarding=1

net/ipv6/conf/all/forwarding=1

5. Apply the changes with the command below. The -p option loads the settings from the /etc/sysctl.conf file; because the settings are stored in that file, they also survive a system restart.

sudo sysctl -p

Configure IP Masquerading on the Server

You must set up IP masquerading in the server firewall so that the server becomes a virtual router for VPN clients. The PostUp and PostDown definitions in the WireGuard configuration file given above (/etc/wireguard/wg0.conf) automatically activate and remove this UFW/iptables configuration when you bring the WireGuard interface up or down. As a result, your VPN clients are hidden from the outside world: any device on the Internet only sees your WireGuard VPN server's WAN IP.

Starting WireGuard Server and Enabling it at Boot

We're ready to start the server now that we've completed the configuration. WireGuard has a handy wrapper called wg-quick that can be used to start new interfaces without having to go into the configuration details. Managing the WireGuard interface with the wg-quick tool is shown below.

To start the WireGuard service and bring the wg0 interface up, run the following command on the server:

sudo wg-quick up wg0

This will load the configuration file /etc/wireguard/wg0.conf, and you should see output like the following once the interface has started successfully:

[#] ip link add wg0 type wireguard

[#] wg setconf wg0 /dev/fd/63

[#] ip -4 address add 10.10.10.1/24 dev wg0

[#] ip link set mtu 1420 up dev wg0

[#] iptables -A FORWARD -i ens18 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; ufw route allow in on wg0 out on ens18; ufw route allow in on ens18 out on wg0; ufw allow proto udp from any to any port 51820

Rule added

Rule added (v6)

To stop it, run

sudo wg-quick down wg0

You can also use the systemd service to start WireGuard.

sudo systemctl start wg-quick@wg0

You can check the WireGuard state and configuration with the following commands. If you used the systemd unit, its status should be active (exited).

sudo wg show wg0

interface: wg0

public key: hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=

private key: (hidden)

listening port: 51820

You can also run ip a show wg0 to verify the interface state:

ip a show wg0



6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000

link/none

inet 10.10.10.1/24 scope global wg0

valid_lft forever preferred_lft forever

To enable the WireGuard interface automatically at system boot time, run the following command:

sudo systemctl enable wg-quick@wg0

Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.

Now that the WireGuard server is up and running, it is ready to accept client connections.

WireGuard Setup as a VPN Client on Ubuntu Desktop

Once your WireGuard server is up and running, you need to configure your client device. The WireGuard project offers software for most operating systems, so you can easily connect your Windows, Linux or macOS computers and your Android or iOS devices.

Before you begin installing WireGuard on your Ubuntu desktop, make sure your system is up to date and that the required packages are installed.

Update your local package index by running the following command:

sudo apt update && sudo apt upgrade -y

Note that you also need to install the openresolv package on the client to configure the DNS server.

sudo apt install openresolv

WireGuard Installation on Ubuntu

The procedure for setting up a WireGuard client on Ubuntu Desktop is nearly identical to that for installing the server.

You can easily install WireGuard itself and all of its dependencies by running the following command:

sudo apt install wireguard wireguard-tools

After you've installed WireGuard, follow the steps below to configure your client.

Generate Public/Private Keypair for Client

To create a public/private key pair run the following command on the VPN client.

wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key

Generate WireGuard Client Configuration File on Ubuntu

Use a command-line text editor like nano to create a WireGuard configuration file on your Ubuntu VPN client. wg0 will be the WireGuard network interface name on the client.

sudo nano /etc/wireguard/wg0.conf

Copy the following text and paste it to your configuration file. You need to use your own client private key and server public key.

[Interface]
Address = 10.10.10.2/24
DNS = 10.10.10.1
PrivateKey = MCzL/mO/L6Ak8HRp16aWPwefXpg+RoukBHG/LwiKcks=

[Peer]
PublicKey = hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=
AllowedIPs = 0.0.0.0/0
Endpoint = 22.33.44.55:51820
PersistentKeepalive = 25

Where:

  • Address: Specify the private IP address of the VPN client.

  • DNS: specify 10.10.10.1 (VPN server) as the DNS server. It will be configured via the resolvconf command. For redundancy, you can also specify multiple DNS servers such as: DNS = 10.10.10.1 8.8.8.8

  • PrivateKey: The client's private key, which can be found in the /etc/wireguard/client_private.key file on the client computer.

  • PublicKey: The server's public key, which can be found in the /etc/wireguard/server_public.key file on the server.

  • AllowedIPs: 0.0.0.0/0 represents the whole Internet, which means all traffic to the Internet should be routed via the VPN. If you want to only use WireGuard for specific destinations, set their IP address ranges in the list separated by a comma.

  • Endpoint: The public/WAN IP address and port number of VPN server. Replace 22.33.44.55 with your server's real public IP address.

  • PersistentKeepalive: Send an authenticated empty packet to the peer every 25 seconds to keep the connection alive. If PersistentKeepalive isn't enabled, the VPN server might not be able to ping the VPN client.

Save and close the file.

If you need to configure additional clients, just repeat the same steps using a different private IP address.

Adding the VPN Client Peer to the Server

To add the client's public key and IP address to the server, you can either:

  • run the following command on the Ubuntu server:

    sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.10.10.2

  • or add the following lines to the /etc/wireguard/wg0.conf file and save the file:

    [Peer]
    PublicKey = <contents-of-client-publickey>
    AllowedIPs = 10.10.10.2/32

    • PublicKey: the public key of the VPN client, which can be found in the /etc/wireguard/client_public.key file on the client computer.

    • AllowedIPs: the IP addresses the VPN client is allowed to use inside the tunnel. In this example, the client may only use the 10.10.10.2 address.

Next, start the service again (if the wg0 interface is already up, for example from wg-quick up, use sudo systemctl restart wg-quick@wg0 instead, as in the "Adding more VPN clients" section, so that the new peer is loaded from the file):

sudo systemctl start wg-quick@wg0

Once done, go back to the client machine and bring up the tunneling interface.

Starting WireGuard Service on Client

We're ready to start the service now that we've completed the configuration. The wg and wg-quick command-line tools allow you to configure and manage the WireGuard interfaces.

Run the following command to bring up the interface and start the connection:

sudo wg-quick up wg0

You should see the output similar to the given below:

[#] ip link add wg0 type wireguard

[#] wg setconf wg0 /dev/fd/63

[#] ip -4 address add 10.10.10.2/24 dev wg0

[#] ip link set mtu 1420 up dev wg0

[#] resolvconf -a wg0 -m 0 -x

[#] wg set wg0 fwmark 51820

[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820

[#] ip -4 rule add not fwmark 51820 table 51820

[#] ip -4 rule add table main suppress_prefixlength 0

[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1

[#] iptables-restore -n

You can also use the systemd unit to start WireGuard as a service.

sudo systemctl start wg-quick@wg0

You can enable auto-start at system boot time.

sudo systemctl enable wg-quick@wg0

You can check its status:

systemctl status wg-quick@wg0

Now you should be connected to the Ubuntu server, and the traffic from your client machine should be routed through it. You can check the connection with:

sudo wg

interface: wg0

public key: LxHDQokGy422z1byrSC6sO7HRo13KudzgE4w/ycxpCc=

private key: (hidden)

listening port: 51229

fwmark: 0xca6c



peer: hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=

endpoint: Server-WAN-IP:51820

allowed ips: 0.0.0.0/0

latest handshake: 2 minutes, 16 seconds ago

transfer: 248.02 KiB received, 189.02 KiB sent

persistent keepalive: every 25 seconds

When you want to disconnect, use either of the following commands depending on which method you used to start it.

sudo wg-quick down wg0

or

sudo systemctl stop wg-quick@wg0

WireGuard will then disconnect from the server and remove the related network settings.

Adding more VPN clients

If you want to also use the WireGuard VPN on other devices, you can add more clients to your server. Adding clients is really simple and easy.

First, install WireGuard on your new client devices as before and create a unique private/public key pair for each client.

WireGuard is designed to associate one IP address with one VPN client. To add more VPN clients, you need to create a [Peer] entry for each of them in the server's configuration file.

Then edit the wg0.conf file on your WireGuard server.

sudo nano /etc/wireguard/wg0.conf

Add the following entries at the end of the file to include the clients' public keys and set the IP address of each client.

[Peer]
PublicKey = <content-of-client2-publickey>
AllowedIPs = 10.10.10.2/32

[Peer]
PublicKey = <content-of-client3-publickey>
AllowedIPs = 10.10.10.3/32

[Peer]
PublicKey = <content-of-client4-publickey>
AllowedIPs = 10.10.10.4/32

Afterwards, save the file and exit the editor.

Then restart the WireGuard server for the changes to take effect.

sudo systemctl restart wg-quick@wg0

Each VPN client will have a static private IP address (10.10.10.2, 10.10.10.3, 10.10.10.4, etc).

Then add WireGuard configuration on each VPN client as usual.

All done! You can then connect with the new clients as you did before.
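As an added example (not part of the tutorial or of wireguard-tools), the checker below parses a server-side wg0.conf in the layout used in this guide and reports the mistakes that break a hub-and-spoke setup silently: a placeholder key left in, a missing ListenPort, a peer outside 10.10.10.0/24, or two [Peer] sections with overlapping AllowedIPs (WireGuard's cryptokey routing maps each tunnel address to exactly one peer, so the later duplicate simply never receives traffic). Function names and the embedded sample configuration are this example's own; the sample reuses the addresses and public keys shown on this page, and appending the client2 block above verbatim to a file that already holds the Ubuntu client's peer at 10.10.10.2/32 is exactly the overlap it flags.

```python
"""Sanity checker for a server-side wg0.conf.

Added example, not part of the original tutorial or of wireguard-tools.
"""
import ipaddress
from typing import Dict, List, Tuple

Section = Tuple[str, Dict[str, str]]

# Constructed sample, modelled on the server configuration in this guide.
SAMPLE_SERVER_CONF = """\
[Interface]
PrivateKey = <contents-of-server-privatekey>
Address = 10.10.10.1/24
ListenPort = 51820

[Peer]
PublicKey = LxHDQokGy422z1byrSC6sO7HRo13KudzgE4w/ycxpCc=
AllowedIPs = 10.10.10.2/32

[Peer]
PublicKey = U14mlsR8wV23KO7vxqhiy4gcsqzF6i1nrpba1M4X4iw=
AllowedIPs = 10.10.10.3/32

[Peer]
PublicKey = <content-of-client2-publickey>
AllowedIPs = 10.10.10.2/32
"""


def parse_wg_conf(text: str) -> List[Section]:
    """Parse wg-quick's INI-like format; repeated [Peer] sections stay separate."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def check_server_conf(text: str) -> List[str]:
    """Return human-readable problems; an empty list means the file looks sane."""
    problems: List[str] = []
    sections = parse_wg_conf(text)
    interfaces = [kv for name, kv in sections if name == "Interface"]
    peers = [kv for name, kv in sections if name == "Peer"]
    if len(interfaces) != 1:
        return [f"expected exactly one [Interface] section, found {len(interfaces)}"]
    iface = interfaces[0]
    if "ListenPort" not in iface:
        problems.append("no ListenPort: the server would bind a random UDP port "
                        "and the 51820/udp firewall rule would not match")
    # A missing key and an unedited "<placeholder>" are treated the same way.
    if iface.get("PrivateKey", "<").startswith("<"):
        problems.append("PrivateKey is missing or still a placeholder")
    try:
        server_net = ipaddress.ip_interface(iface["Address"]).network
    except (KeyError, ValueError):
        return problems + ["Address is missing or not a valid CIDR"]
    claimed = []  # (network, peer index) pairs already handed out
    for idx, peer in enumerate(peers, 1):
        if peer.get("PublicKey", "<").startswith("<"):
            problems.append(f"peer {idx}: PublicKey missing or still a placeholder")
        for cidr in peer.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if not cidr:
                problems.append(f"peer {idx}: no AllowedIPs, so it can never send or receive")
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == server_net.version:
                if not net.subnet_of(server_net):
                    problems.append(f"peer {idx}: {cidr} is outside the server subnet {server_net}")
                elif net.prefixlen != net.max_prefixlen:
                    problems.append(f"peer {idx}: {cidr} is wider than a single address")
            for other, owner in claimed:
                if other.version == net.version and other.overlaps(net):
                    problems.append(f"peer {idx}: {cidr} overlaps {other} already given to peer {owner}")
            claimed.append((net, idx))
    return problems


if __name__ == "__main__":
    for problem in check_server_conf(SAMPLE_SERVER_CONF) or ["no problems found"]:
        print(problem)
```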

WireGuard VPN Client Setup on Windows

WireGuard for Windows supports Windows 7, 8, 8.1, 10, 2012, 2016, and 2019 and is available in a 64-bit and a 32-bit version. In this section, we will cover how to install the WireGuard Windows client and connect to a WireGuard Virtual Private Server (VPS) via VPN.

To install and configure WireGuard as a VPN client on a Windows platform, you can follow the instructions below:

Download and install Windows WireGuard Client

Download and run the Windows installer from the WireGuard website. The installer selects the most recent version for your hardware, downloads it, and installs it.


Figure 3. Downloading WireGuard Windows installer

After the installation, you should see the WireGuard icon in the notification area on the taskbar.


Figure 4. WireGuard icon on taskbar

Configuring Windows WireGuard Client

Launch the WireGuard application and click on the down arrow beside the button that says Add Tunnel in Tunnels Tab.


Figure 5. Configuring WireGuard on Windows Client

Click on Add empty tunnel as shown on the image below:


Figure 6. Adding empty tunnel

This will automatically create a public/private key pair and display them on the screen.


Figure 7. Creating new WireGuard tunnel on Windows client

Enter a name with alphanumeric characters only (no spaces or punctuation) for the tunnel and edit the configuration as follows:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.10.10.3/24
DNS = 10.10.10.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP_ADDRESS:51820
AllowedIPs = 0.0.0.0/0

Explanations of the fields in the interface section are given below:

  • PrivateKey: Private key of this client

  • Address: VPN IP address of this client. It must be unique among all clients.

  • DNS: IP address of a DNS server. In this case, I use the DNS server running on the WireGuard server.

Explanations of the fields in the peer section are given below:

  • PublicKey: The public key of the Ubuntu WireGuard server (the /etc/wireguard/server_public.key file on the server).

  • Endpoint: The public/real IP address of the Ubuntu server, followed by a colon and the WireGuard port (51820).

  • AllowedIPs: Specifies which IP addresses should be routed over the VPN. 0.0.0.0/0 is a catch-all configuration that routes everything over the VPN.

Block untunneled traffic (kill switch) option

In the Edit tunnel window, there is a Block untunneled traffic option. You can enable this option when your configuration has precisely one [Peer] section and AllowedIPs is set to a catch-all address.

If the option is enabled, the WireGuard client adds Windows Firewall rules that block all traffic that is neither to nor from the tunnel interface. This prevents IP packets from accidentally being sent outside the VPN.


Figure 8. WireGuard Tunnel configuration on Windows client

Once done, click on the Save button.

Add the Client Peer to the Server

To add the client's public key and IP address to the server, you can either:

  • run the following command on the Ubuntu server:

    sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.10.10.3

  • or add the following lines to the /etc/wireguard/wg0.conf file:

    [Peer]
    PublicKey = <contents-of-client-publickey>
    AllowedIPs = 10.10.10.3/32

Save and close the file. Next, start the service again:

sudo systemctl start wg-quick@wg0

You can check the status of the wg0 interface:

sudo wg

interface: wg0

public key: hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=

private key: (hidden)

listening port: 51820



peer: LxHDQokGy422z1byrSC6sO7HRo13KudzgE4w/ycxpCc=

allowed ips: 10.10.10.2/32


peer: U14mlsR8wV23KO7vxqhiy4gcsqzF6i1nrpba1M4X4iw=

allowed ips: 10.10.10.3/32

Return to the Windows client machine and activate the tunneling interface.

Activating/Deactivating WireGuard Tunnel Interface on Windows Client

After installing and configuring WireGuard on the Windows client, click on the Activate button. Once the peers are connected, the tunnel status will change to Active:


Figure 9. Activating WireGuard tunnel on Windows client


Figure 10. Deactivating WireGuard tunnel on Windows client

To close the VPN connection, click on the Deactivate button.

Installing WireGuard as Client on an Android Device

Before installing and configuring the WireGuard client on your Android device, you can generate the client key pair and a QR code for the Android device on your Ubuntu WireGuard server, so that you can easily configure the WireGuard application on your mobile device to connect to the VPN.

Generate QR Code

To generate the QR code you will need the qrencode package installed on your Ubuntu 20.04 LTS WireGuard server. To install the qrencode package, type the following command on your VPN server:

sudo apt install qrencode

Creating Client Private/Public Key Pairs

Unlike the Windows and Ubuntu/Linux WireGuard clients, we will generate the key pair for our Android device on the Ubuntu 20.04 LTS WireGuard server. To create the client private/public key pair, follow these steps:

1. Create a directory called clients under /etc/wireguard.

sudo mkdir /etc/wireguard/clients

2. Create a key pair called android:

wg genkey | sudo tee /etc/wireguard/clients/android_private.key | wg pubkey | sudo tee /etc/wireguard/clients/android_public.key

This will create the client key pairs for your Android in /etc/wireguard/clients directory.

3. You can view the key pairs by using cat.

sudo cat /etc/wireguard/clients/android_private.key

eDUqYVRI0BmCBkAjER2wmgVeqUaGW5Ihnh2meVbKDGg=

sudo cat /etc/wireguard/clients/android_public.key

1O4+y9FsExnNlqbG4qR6Tdf3JQJx9200uF92TWF03gw=

Creating the client configuration file

You then need to create a client configuration file to be encoded into a QR code.

1. Create a client configuration file using nano.

sudo nano /etc/wireguard/clients/android.conf

2. Copy and paste the following lines into the WireGuard client configuration file.

[Interface]
PrivateKey = eDUqYVRI0BmCBkAjER2wmgVeqUaGW5Ihnh2meVbKDGg=
Address = 10.10.10.4/24
DNS = 10.10.10.1, 8.8.8.8

[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = YOUR_SERVER_WAN_IP:51820

Explanations of the fields in the interface section are given below:

  • PrivateKey: Private key of this client (it is in /etc/wireguard/clients/android_private.key)

  • Address: IP address of this client. It must be unique among all clients.

  • DNS: IP address of a DNS server. In this case, I use the DNS server running on the WireGuard server.

Explanations of the fields in the peer section are given below:

  • PublicKey: The public key of the Ubuntu WireGuard server (the /etc/wireguard/server_public.key file on the server).

  • Endpoint: The public/real IP address of the Ubuntu server, followed by a colon and the WireGuard port (51820).

  • AllowedIPs: Specifies which IP addresses should be routed over the VPN. 0.0.0.0/0 is a catch-all configuration that routes everything over the VPN.

Generate QR Code

You can now generate a QR code with the following command as root:

qrencode -t ansiutf8 < /etc/wireguard/clients/android.conf

It will generate a QR code image like this:


Figure 11. WireGuard QR code for Android VPN Client

You can take a screenshot and send it securely to your Android client; note that the QR code contains the client's private key, so treat it as a secret.

Add the Client Peer to the Server

To add the client's public key and IP address to the server, you can either:

  • run the following command on the Ubuntu server:

    sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.10.10.4

  • or add the following lines to the /etc/wireguard/wg0.conf file:

    [Peer]
    PublicKey = <contents-of-client-publickey>
    AllowedIPs = 10.10.10.4/32

Save and close the file.

Next, start the service again:

sudo systemctl start wg-quick@wg0

You can check the status of the wg0 interface:

sudo wg

interface: wg0

public key: hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=

private key: (hidden)

listening port: 51820


peer: LxHDQokGy422z1byrSC6sO7HRo13KudzgE4w/ycxpCc=

allowed ips: 10.10.10.2/32


peer: U14mlsR8wV23KO7vxqhiy4gcsqzF6i1nrpba1M4X4iw=

allowed ips: 10.10.10.3/32


peer: 1O4+y9FsExnNlqbG4qR6Tdf3JQJx9200uF92TWF03gw=

allowed ips: 10.10.10.4/32

Download and install WireGuard Application on Android device

You can get and install the official application from the Google Play Store on your Android device.


Figure 12. Installing WireGuard Android Application from Playstore

Configuring WireGuard Client on Android

Once the WireGuard application is installed, we need to add a new configuration for the VPN tunnel. Tap the blue button with the + icon.


Figure 13. Adding WireGuard tunnel for Android client

This will open a new view on your device to configure the tunnel. Tap on Scan From QR Code.

Figure 14. Importing tunnel configuration by scanning QR code

After giving permission for the camera, you can scan your QR code.


Figure 15. Giving permission to WireGuard

Enter the name of the VPN tunnel and click on the Create Tunnel button. This will import the WireGuard client configuration from the QR Code.


Figure 16. Naming WireGuard tunnel on Android client

You'll be prompted to confirm the connection request; tap on OK.

Figure 17. WireGuard connection request on Android client

Connecting/Disconnecting WireGuard Android Client

You can easily connect your Android device to the VPN server by just launching the WireGuard application and turning it on.


Figure 18. Activating/deactivating WireGuard tunnel on Android client

To disconnect from the WireGuard VPN tunnel, turn off the toggle button next to the VPN connection.

Testing WireGuard Connection

You can test your WireGuard connection by following the instructions given below:

1. Ping Test

You should be able to ping your WireGuard server from the client, and the client from the server, successfully:

ping 10.10.10.1
sudo wg

The last two lines of the output from running the wg command should be similar to:

latest handshake: 1 minute, 17 seconds ago

transfer: 98.86 KiB received, 43.08 KiB sent

This indicates that you now have a private connection between the server and client. You can also ping the client from the server to verify that the connection works both ways.
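
As an added example, not part of the original tutorial, this POSIX shell function turns the handshake check above into something you can run from cron on the server: it reads the machine-readable output of wg show wg0 dump and lists peers that have never completed a handshake or whose latest handshake is older than a threshold. The sample dump, its endpoint addresses and the fixed timestamp are constructed for the example (the public keys are the ones from the tutorial's wg output); the function names are assumptions.

```shell
#!/bin/sh
# Added example: flag WireGuard peers whose last handshake is missing or too old.
# Input on stdin is the tab-separated output of `wg show <iface> dump`:
#   line 1  : private key, public key, listen port, fwmark (the interface itself)
#   line 2+ : public key, preshared key, endpoint, allowed IPs,
#             latest handshake (epoch seconds, 0 = never), rx bytes, tx bytes, keepalive
# Usage: stale_peers <now-epoch-seconds> <max-age-seconds>
# Output: one line per stale peer: public key, allowed IPs, age in seconds or "never".
stale_peers() {
    awk -F'\t' -v now="$1" -v max="$2" '
        NR == 1 || NF < 8 { next }                          # not a peer line
        $5 == 0 { printf "%s\t%s\tnever\n", $1, $4; next }  # never completed a handshake
        now - $5 > max { printf "%s\t%s\t%d\n", $1, $4, now - $5 }'
}

# Constructed sample dump (not captured from a real server). The public keys are the
# ones shown in the tutorial's `wg` output; endpoints are documentation addresses.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' '(hidden)' 'hRhduFU4Jl2VlTNtYN4IXgqnw5DN6c4pKxAIvpr9+Do=' 51820 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'LxHDQokGy422z1byrSC6sO7HRo13KudzgE4w/ycxpCc=' '(none)' '203.0.113.10:41872' \
        '10.10.10.2/32' 1624877455 101232 44113 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'U14mlsR8wV23KO7vxqhiy4gcsqzF6i1nrpba1M4X4iw=' '(none)' '198.51.100.7:53392' \
        '10.10.10.3/32' 1624870000 512 256 25
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        '1O4+y9FsExnNlqbG4qR6Tdf3JQJx9200uF92TWF03gw=' '(none)' '(none)' \
        '10.10.10.4/32' 0 0 0 off
}

# Against a live server run (as root):  wg show wg0 dump | stale_peers "$(date +%s)" 180
# With the constructed sample and a fixed "now" of 1624877532:
#   peer 10.10.10.2 handshook 77 s ago (healthy at a 180 s threshold),
#   peer 10.10.10.3 handshook 7532 s ago (stale), peer 10.10.10.4 never handshook.
```

A peer that stays on the stale list for weeks is usually a device that no longer exists; its public key is still accepted by the server, so remove such peers from wg0.conf rather than leaving them configured indefinitely.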

2. IP Control

On your client machine, open https://www.whatismyip.com to check your public IP address. If the WireGuard tunnel is working, the browser should show your VPN server's public IP address instead of your client computer's public IP address.

3. Traceroute Test

You should see the WireGuard Server VPN IP address in the traceroute command output:

traceroute 8.8.8.8

 1 10.10.10.1 (10.10.10.1) 0.391 ms 0.348 ms 0.349 ms
 2 _gateway (192.168.0.1) 0.641 ms 0.606 ms 0.625 ms
 3 * * *
15 * * *
16 142.250.212.20 (142.250.212.20) 27.320 ms 74.125.37.238 (74.125.37.238) 29.852 ms 216.239.49.198 (216.239.49.198) 30.107 ms
17 142.251.52.83 (142.251.52.83) 34.252 ms 34.216 ms 38.622 ms
18 sof02s44-in-f4.1e100.net (142.250.187.100) 38.637 ms 38.542 ms 38.593 ms

4. DNS service Test

Your DNS queries should be answered by your WireGuard VPN server.

dig -p 53 www.google.com 10.10.10.1

Note that dig treats 10.10.10.1 in this command as a second name to resolve, which is why the second answer block in the output is NXDOMAIN for 10.10.10.1., and the SERVER line shows that the queries were sent to the local stub resolver at 127.0.0.53 rather than to the VPN server. To query the VPN server directly, use dig's @ syntax: dig @10.10.10.1 www.google.com.


; <<>> DiG 9.16.1-Ubuntu <<>> -p 53 www.google.com 10.10.10.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 77
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 216 IN A 142.250.187.100

;; Query time: 24 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jun 28 10:52:12 UTC 2021
;; MSG SIZE rcvd: 59

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35631
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;10.10.10.1. IN A

;; Query time: 44 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jun 28 10:52:12 UTC 2021
;; MSG SIZE rcvd: 39


Article information

Author: Kerri Lueilwitz
