Setup Your Own VPN With Wireguard VPN

Wireguard is a modern VPN that employs cutting-edge cryptography. It was originally designed for Linux, but it is now a cross-platform tool that works flawlessly on all major operating systems, including Windows, MacOS, BSD, iOS, and Android.

Wireguard is simple to set up and use. It is faster than OpenVPN and other VPN tools because it is built into the Linux kernel. Unlike other VPN tools, the codebase of Wireguard is so small that it can be easily audited by a single person.

It employs cutting-edge cryptographic techniques such as the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. The modern design of wireguard makes the codebase unusually small, resulting in faster communication between server and clients.

In this article, I will show you how to install and configure Wireguard VPN on Linux. I’m going to use Ubuntu with 8GB of RAM and 4 vCPU for the demonstration. It is more than adequate for home users or small businesses with a few employees.

Before we continue, we’d like to tell you about Contabo. We host LinuxAndUbuntu on Contabo VPS. Check them out if you need web hosting. Prices start at $6.99 per month for an 8GB RAM and 4 Core CPU VPS.

contabo vps

Now without any further adieu, let’s start the installation.

How to install Wireguard

Install Wireguard on Debian, Ubuntu, and Derivatives

sudo apt install wireguard

Wireguard on Fedora

sudo dnf install wireguard-tools

Install Wireguard on RHEL

sudo yum install
sudo yum install kmod-wireguard wireguard-tools

Install Wireguard on Arch Linux

sudo pacman -S wireguard-tools

If you are using another Linux distribution, please visit the wireguard official installation page for the most up-to-date information.

Packet forwarding

Once wireguard is installed, the next step is to enable packet forwarding on Wireguard server. To enable packet forwarding, open and edit /etc/sysctl.conf file.

sudo nano /etc/sysctl.conf

Now uncomment the following line to enable the setting –

Wireguard packet forwarding
Wireguard packet forwarding

Press Ctrl+X and save the changes.

Now enable the new settings using the following command –

sudo sysctl -p
Enable packet forwarding configuration
Enable packet forwarding configuration

Configure Firewall to allow Wireguard

It is strongly advised to install and configure a firewall on the Wireguard server. A firewall will block all unnecessary ports, and we will only allow access the wireguard communication port, 51820.

Install Firewall

For the demonstration purpose, I’m using UFW firewall. You can use any other firewall and open the port 51820.

sudo apt install ufw

Allow necessary ports –

sudo ufw allow ssh
sudo ufw allow 51820/udp

And that’s it. We can now enable the firewall to reflect the above settings –

sudo ufw enable
UFW rules
UFW rules

Generate Private Keys and Public Keys

Similar to SSH, Wireguard VPN requires a pair of cryptographic keys to securely communicate between server and clients. Each client has to generate a pair of cryptographic key to connect to the server.

Each client shares its public key with the server and each client has server’s public key. The data encrypted on the server using the client public key can only be decrypted by the client private key. It means never share your private key with anyone.

To generate the private and public keys, cd into the wireguard directory on the server, i.e. /etc/wireguard.

cd /etc/wireguard
umask 077

Generate keys –

wg genkey | tee privatekey | wg pubkey > publickey

Once keys have been generated, next we need to create wireguard config that’ll store all required data to connect to the wireguard clients.

Create Wireguard configuration

Each clients to successfully conntect to the wireguard server has to share its public key with the wireguard server. Wireguard configuration stores each client’s information.

We need to create wireguard config in /etc/wireguard directory.

sudo nano /etc/wireguard/wg.conf

Now paste the following in the wg.conf file.

PrivateKey = server-private-key
Address =
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820

PublicKey = client-public-key
AllowedIPs =

We are almost done with the server-side configuration. It’s time to start wireguard and set it to run on server start.

wg-quick up wg
start wireguard on server
start wireguard on server

Set wireguard to start automatically on server startup –

sudo systemctl enable [email protected]

Configure Wireguard client

I’m assuming you have Wireguard installed on your client. Please visit the official installation page with the most up-to-date information for installation instructions specific to your device.

Once you’ve installed Wireguard on the client, we need to generate keys and create config just as we did during the server’s configuration.

Inside /etc/wireguard/ generate the keys using the following command –

cd /etc/wireguard
umask 077

Generate private and public keys –

wg genkey | tee privatekey | wg pubkey > publickey

Create wireguard config on client –

sudo nano /etc/wireguard/wg.conf

Now paste the following in the wg.conf –

Address =
PrivateKey = client-privatekey

PublicKey = server-publickey
Endpoint = server-public-ip:51820
AllowedIPs =, ::/0
client configuration
client configuration

Copy the public key content from the client and paste it in the server’s wg.conf file.

Start Wireguard on client and set it to run on system startup –

wg-quick up wg

Automatically run on system startup –

sudo systemctl enable [email protected]

Adding more Wireguard clients to the server

In the above server configuration, we added one wireguard client. We can add as many clients as we want by including the following line in the Wireguard configuration file /etc/wireguard/wg.conf.

Open the wg.conf file –

nano /etc/wireguard/wg.conf

Add the following variables in the configuration –

PublicKey = client-pulickkey
AllowedIPs =


That’s the end of it. You can ssh out of the server after starting and enabling the wireguard to run on system startup. Check the server frequently for any available updates.

Wireguard is the best VPN. You set it up on your own server, ensuring that no one ever has access to your data. No matter how popular a VPN service is or how much it brags about protecting its users’ privacy, it may share its customers’ data if authorities or a court request it. So it’s best to run your own VPN server to protect your information.


Mohd Sohail is a web developer and a Linux sysAdmin. He also loves to write how-to articles, applications reviews and loves to use new Linux distributions.

Articles: 853

Leave a Reply

Your email address will not be published. Required fields are marked *