Today we are going setup WireGuard VPN on Linux. Let us see how we can do that. I will break things down for you so that it is easier for you to follow.
There are a bunch of installation instructions out there. But they are much more involved. And for most part it is really good.
But here is a more simple tutorial that has much less fuss.
Quick Navigation
Before we begin
Let us see what do we need before we dive into setting up our very own WireGuard VPN.
Here are a list of things that are necessary for this tutorial.
- Internet connection ( Duh! )
- SSH access to your Ubuntu machine
- root user ( or user with sudo privileges )
- Patience ( and some time )
- Familiarity with linux
Installing the WireGuard VPN on Linux
Login to your linux machine via SSH or any other method. We must have a terminal open for this to work.
We will be using this script to automate the WireGuard installation.
To move to your home directory enter the command below
cd ~Code language: Bash (bash)Now that we are on the home directory run the command below to download the script.
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
Code language: Bash (bash)There should be a file by name wireguard-install.sh in your home directory. Next we need to make this file executable.
Execute the command below to make the file executable.
chmod +x wireguard-install.shCode language: Bash (bash)Now that we have an executable script all that there’s left is to execute it.
Run the command below to execute the script.
./wireguard-install.shCode language: Bash (bash)The command above will ask you to enter few details to complete the installation. Let us look at it bit by bit.
Providing static IP
It will ask you for the machine’s static IP address. If you are on a VPS it’s already static. But if you are setting up this on a home network.
Then you might want to bind a static IP from your home router. Though you can setup static IP from machine itself, it is not recommended. A quick google search might help you out.
And remember we will need this IP address later when we try to connect from the client. So make sure you can reach this IP address from client.
Public Interface
After you enter your IP address. The script will ask you for the interface. The interface here is the one connected to the internet.
In my case it is br0 because I’m using my Raspberry Pi as a bridge. Normally it will be wlan0 if you are connected via Wi-Fi. Or, if you are connected using Ethernet, it will be eth0.
Regardless, you can always find the interfaces using ifconfig command.
Setup WireGuard Interface
After that we will be asked to provide an interface name for WireGuard. Leave it as it is or if you see blank just put in wg0. Though you can name it as you wish but it is the convention.
This interface is for VPN tunnel and not for the internet.
Setup IP for VPN ( client identification )
Then you need to enter an IP address for WireGuard server. You will need this when setting up client. Or connecting to this VPN server.
Now, be careful here. You should not put in the IP address that falls on the same subnet as your home network.
Why ? Because it will confuse the kernel to forward packets. And also it is an open invitation to IP collision.
Enough with the tech talk, just leave it as it is if you are not much experienced with linux.
Then you will be prompted to input IPv6 address. Leave it as it is, you’re probably not going to need it.
Port setup
We have successfully setup IPv4 and IPv6.
Now it’s time to setup a port for VPN. Leave it as it is it’s not that important to pick one. But later you will need to allow traffic from that port in your firewall.
If you have no firewall setup you need to allow the traffic through that port. But if you are at home, you might not have firewall in place, so it is not necessary.
It is necessary only if you are on a VPS or public facing network. Or, as per the network design of network. Here I have accepted the default port for me 49713.
Hope everything is going well up-to this point. Bear with me a little more, setup is almost complete.
Setting up DNS
Enter the DNS provider twice of your choice or leave it as it is. You can later change it too if you wish.
But for this tutorial I’m going to accept the default DNS provider.
That is it, we are all set to use our VPN. Setup is almost complete now. Read the message and press enter to continue.
Configuring first client
After the successful installation of WireGuard. A name of the client must be provided to the input.
This will generate a configuration file for the client side setting. You will also be provided with a QR code.
If you are on mobile device you can scan it to complete client setup.
Verifying installation
Now that we have successfully installed the WireGuard VPN. It’s time to verify if it’s actually running.
Run the command below to check WireGuard status.
wg showCode language: Bash (bash)If you see something like below everything is setup correctly. Else you need to troubleshoot.
Setting up Client
To setup a new client you have to follow the exact same steps as above on another linux machine.
This is because the installation will act as server and client both. It acts as how you configure it to behave.
If you want to connect another linux machine to this machine. Run the command below:
cd ~ && ./wireguard-install.sh # assuming you have the script in your home directoryCode language: Bash (bash)You must generate client configuration on the VPN server. And copy it over to the VPN client. This way much less work needs to be done.
Creating WireGuard configuration
The script will show you a new prompt. You have to enter 1 to select Add a new user
After you press enter. A new prompt will ask you for some details. You can provide a name for the client and accept the default for everything else and press enter.
But note the Client’s IPv4 portion. You have to pass in the IP range from 10.66.66.2 - 10.66.66.255. As 10.66.66.1 is already taken by our VPN server.
Setting up client
Look at the configuration file created by command above. You will find configuration similar to below.
[Interface]
PrivateKey = yIZvolzaAUJ0VPdms4fHtgZGqud7fEYlia6i2CBcvVs=
Address = 10.66.66.3/32,fd42:42:42::3/128
DNS = 94.140.14.14,94.140.15.15
[Peer]
PublicKey = uP/4b2MHMwjDEYhYZqP1zHsxdD2M7BsvcilRG9EZE2E=
PresharedKey = qmQ50EerexQ0+JDGUA7jHX2J0VfKzQitXHbPeHaYrIM=
Endpoint = 192.168.1.143:61411
AllowedIPs = 0.0.0.0/0,::/0You have to put this into the client’s /etc/wireguard/wg0.conf file. And run the following command to activate the new changes.
Stop the WireGuard instance running currently.
wg-quick down wg0 # will stop the wireguard instance Code language: PHP (php)Restart the WireGuard instance
wg-quick up wg0 # will start the wireguard instance with new config uration at /etc/wireguard/wg0.confCode language: PHP (php)Or you could also simply do a service restart by doing
systemctl restart wg-quick@wg0 # @wg0 is the interface name for wireguardCode language: PHP (php)You’re all set for using a VPN.
Testing the WireGuard connection
You can test the connection if everything was setup correctly. You can simply send ICMP ( ping ) packets to the client / server.
ping 10.66.66.3Code language: CSS (css)The ping command above should send and receive some packets. If the destination is unreachable or host is unknown simply look at the troubleshooting section below.
Troubleshooting
Here are some basic issues that you might encounter while setting up WireGuard VPN.
wg command not found
If for some reason you get wg not found error. You should install the WireGuard manually and then use this script later.
Install the WireGuard by executing the following command.
apt install wireguard -yCode language: Bash (bash)No internet connection
This is yet another issue that is quite serious. This will arise because we have two different interfaces wg0 for VPN and eth0 / wlan0 for internet access.
We need to do something known as packet forwarding to enable internet access.
That is it for setting up WireGuard VPN on Linux.
Suggested
Packet forwarding between interfaces | Linux IPtables
Install RaspberryPi Selenium ChromeDriver
