Installing and Configuring WireGuard® on Linux as a VPN server (2024)

Published on

28 March 2019

  • compute
  • mediaserver
  • vpn
  • WireGuard
  • WireGuard-server
  • Linux
  • android

WireGuard® is a modern VPN (Virtual Private Network) software. It is designed to be run almost anywhere and to be cross-platform. Compared to other similar software, it is faster, more secure and simpler.

Identity and Access Management (IAM):

If you have activated IAM, you may need certain IAM permissions to carry out some actions described on this page. This means:

  • you are the Owner of the Scaleway Organization in which the actions will be carried out, or
  • you are an IAM user of the Organization, with a policy granting you the necessary permission sets

Requirements:

  • You have an account and are logged into the Scaleway Console
  • You have configured your SSH key
  • You have created an Instance configured with local boot and running on a Linux kernel ≥ 3.10.

Important:

WireGuard® is currently under development.

Installing and Configuring WireGuard on the server

The installation process is based on Ubuntu. Documentation regarding other platforms is available on the WireGuard website.

Note:

WireGuard needs a kernel module that is not yet part of the mainline kernel, so the installation process builds and installs it via DKMS.

  1. Connect to your Instance via SSH.
  2. Install Linux kernel headers and WireGuard.
    sudo apt update && sudo apt upgrade -y
    sudo apt install linux-headers-$(uname --kernel-release) # installs the right kernel headers for your running kernel
    sudo apt install wireguard

Once WireGuard is installed, you can check that the installation succeeded by running wg: if it prints nothing, all is well (no interface is configured yet). To check that the WireGuard kernel module loads, run sudo modprobe wireguard.

Generating public and private keys on the server

WireGuard relies on public/private key authentication (asymmetric cryptography), so you need to create a key pair. The keys are easily created with the wg genkey and wg pubkey subcommands.

  1. Create a directory to store the keys.
    mkdir -p /etc/wireguard/keys
  2. Create the key pair. The private key is created with wg genkey and the public key is derived from it by piping it into wg pubkey. umask 077 tells the system to create the new files with permissions 600, i.e. readable only by their owner.
    cd /etc/wireguard/keys
    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey

Configuring WireGuard server

The first step is to choose an IP range for the VPN network. The private IP ranges defined by RFC 1918 are the following:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

For this tutorial we will use 192.168.66.0/24, which is inside the 192.168.0.0/16 range. The server will have the IP address 192.168.66.1. You also need to choose a port for the server to listen on; it will be exposed publicly. Here it will be 8999. Note that the port used in the WireGuard documentation is usually 51820.

Create the file /etc/wireguard/wg0.conf with the following content:

[Interface]
PrivateKey = <private key of the server>
Address = 192.168.66.1/32
ListenPort = 8999

Configuring the Linux, MacOS or Windows WireGuard client

  1. Install WireGuard. On Linux you can install WireGuard the same way you did for the server. To install WireGuard on macOS just run: brew install wireguard-tools. You can also use the Mac App Store application. To install WireGuard on Windows you can find the executable on the WireGuard installation page, but this guide will not cover the Windows use case.

  2. Create the key pair.

    mkdir -p /etc/wireguard/keys
    cd /etc/wireguard/keys
    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey
  3. Create the configuration file /etc/wireguard/wg0.conf:

    [Interface]
    PrivateKey = <private key of the client>
    Address = 192.168.66.2/32
    DNS = 1.1.1.1

    [Peer]
    PublicKey = <public key of the server>
    Endpoint = <public ip of the server>:8999
    AllowedIPs = 0.0.0.0/0
    PersistentKeepalive = 25

    It is quite similar to the server configuration. The DNS line specifies the DNS resolver for the client. The Endpoint tells WireGuard where to connect. AllowedIPs configures which IP range will be forwarded to the VPN server.

    In this case, 0.0.0.0/0 means that all the traffic from the client will go through the VPN. If you only want to communicate within the VPN network, you can set 192.168.66.0/24. PersistentKeepalive tells WireGuard to send a UDP packet every 25 seconds; this is useful if you are behind a NAT and want to keep the connection alive.

    Important:

    If you decide to route all your traffic to the VPN server be sure to do the following on the server:

    • Add the following lines in the [Interface] section of the server (replace ens2 with your main network interface if it is not ens2):
      • PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens2 -j MASQUERADE
      • PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens2 -j MASQUERADE
  4. Add the peer configuration to the server. Just add the following to your /etc/wireguard/wg0.conf on the server:

    [Peer]
    PublicKey = <public key of the client>
    AllowedIPs = 192.168.66.2/32 # the ip address in the VPN network of the client you just created

Configuring the Android or iOS WireGuard client

You can download the official WireGuard Android client from the Play Store and the official WireGuard iOS client from the App Store (this guide will only cover Android, but the steps are the same).

There are two ways to configure the Android or iOS client. The easiest one is to follow the previous part and once the configuration file is done, export it with qrencode like this: qrencode -t ansiutf8 < path/to/phone.conf. Finally scan the generated QR code with the WireGuard application.

For the second way, follow these steps:

  1. Download and open the application and click the + icon and select Create from scratch.
  2. Click GENERATE to generate the key pair (copy the public key in order to use it on the server). The rest is like the Linux client configuration: fill in the addresses, DNS servers and name. Now you will need to add the server as a peer.
  3. Click ADD PEER and add the public key of the server, the public IP of the server and the port on which it is listening. If you decide to route all the traffic through the VPN, please read the Important section above.
  4. Add the following to the server’s /etc/wireguard/wg0.conf:
    [Peer]
    PublicKey = <public key of the android client>
    AllowedIPs = 192.168.66.3/32 # the ip address in the VPN network of the client you just created
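
As an added example (not part of the Scaleway tutorial), the shell functions below render the pieces of configuration assembled in the two client sections above: the server [Interface] section including the PostUp/PostDown hooks from the Important note, a client configuration for either full-tunnel or VPN-only traffic, and the server-side [Peer] block that step 4 appends for each Linux or Android client. server_peer refuses an AllowedIPs value that is not a single /32 host inside 192.168.66.0/24, because that value is what limits a client to its own address. All key strings, the endpoint 203.0.113.10 and the *_PLACEHOLDER names are constructed; real keys come from wg genkey and wg pubkey as shown earlier.

```shell
#!/bin/sh
# Added example: render /etc/wireguard/wg0.conf fragments for the setup above.
# Keys and the endpoint are placeholders (constructed), not real values.

VPN_NET="192.168.66"   # the /24 chosen for the VPN network
SERVER_PORT=8999       # public UDP port the server listens on
WAN_IF=ens2            # main network interface used for MASQUERADE

# Return 0 when $1 is "<VPN_NET>.<host>/32" with host in 2..254
# (.1 is the server), 1 otherwise.
valid_peer_ip() {
    case "$1" in
        "$VPN_NET".*/32) ;;
        *) return 1 ;;
    esac
    host=${1#"$VPN_NET".}
    host=${host%/32}
    case "$host" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$host" -ge 2 ] && [ "$host" -le 254 ]
}

# Server [Interface] section with the forwarding/NAT hooks; $1 = server private key.
server_interface() {
    printf '[Interface]\n'
    printf 'PrivateKey = %s\n' "$1"
    printf 'Address = %s.1/32\n' "$VPN_NET"
    printf 'ListenPort = %s\n' "$SERVER_PORT"
    printf 'PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %%i -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
    printf 'PostDown = iptables -D FORWARD -i %%i -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
}

# Server-side [Peer] block; $1 = client public key, $2 = client VPN address (x.x.x.x/32).
# Only the client's own /32 is allowed, so it cannot source or receive traffic
# for any other address (WireGuard's cryptokey routing enforces this).
server_peer() {
    valid_peer_ip "$2" || { echo "refusing AllowedIPs $2: not a /32 host in $VPN_NET.0/24" >&2; return 1; }
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2"
}

# Full client configuration.
# $1 = client private key, $2 = client VPN address, $3 = server public key,
# $4 = server public IP, $5 = "full" (route everything) or "vpn" (VPN subnet only)
client_config() {
    valid_peer_ip "$2" || return 1
    if [ "$5" = "full" ]; then allowed="0.0.0.0/0"; else allowed="$VPN_NET.0/24"; fi
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = 1.1.1.1\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s:%s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' "$3" "$4" "$SERVER_PORT" "$allowed"
}

# Demo with placeholder keys: ./wg-render.sh demo
if [ "${1:-}" = "demo" ]; then
    server_interface "SERVER_PRIVATE_KEY_PLACEHOLDER"
    server_peer "CLIENT_PUBLIC_KEY_PLACEHOLDER" "192.168.66.2/32"
    echo "--- client ---"
    client_config "CLIENT_PRIVATE_KEY_PLACEHOLDER" "192.168.66.2/32" \
        "SERVER_PUBLIC_KEY_PLACEHOLDER" "203.0.113.10" full
fi
```

Redirect the output of server_interface and server_peer into /etc/wireguard/wg0.conf on the server (with umask 077, since the file holds the private key), and the output of client_config into the client's wg0.conf; the client file is also what you would feed to qrencode for a phone.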

Launching WireGuard server

Now that everything is configured, you can launch the WireGuard server with:

wg-quick up wg0

And start the client with the same command:

wg-quick up wg0

You can also enable the start of WireGuard at boot time with the following command:

systemctl enable wg-quick@wg0.service

You can check the connection with the wg command (client or server):

# wg # on the client
interface: wg0
public key: <public key of the client>
private key: (hidden)
listening port: 57576
fwmark: 0xca6c

peer: <public key of the server>
endpoint: <public IP of the server>:8999
allowed ips: 0.0.0.0/0
latest handshake: 50 seconds ago
transfer: 8.35 KiB received, 18.00 KiB sent
persistent keepalive: every 25 seconds

# ping 192.168.66.1
PING 192.168.66.1 (192.168.66.1) 56(84) bytes of data.
64 bytes from 192.168.66.1: icmp_seq=1 ttl=64 time=3.50 ms
64 bytes from 192.168.66.1: icmp_seq=2 ttl=64 time=4.53 ms
--- 192.168.66.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 3.499/4.015/4.532/0.520 ms

# curl ifconfig.co
<public IP of the server>

As you can see, you can ping the VPN server through the VPN and all your traffic is being routed through the VPN server.
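
The wg output above is meant for humans; for monitoring, the same handshake information is available in machine-readable form from wg show wg0 latest-handshakes, which prints one "<peer public key><TAB><unix time of last handshake>" line per peer, with 0 meaning the peer never completed a handshake. The script below is an added example (not from the Scaleway tutorial) that reads that output and reports peers whose last handshake is older than a threshold. On the server this is the quickest way to spot a client that has dropped off or whose key does not match what the server has configured. The PEER_*_PLACEHOLDER keys and timestamps in SAMPLE are constructed, and the 180-second threshold is an assumption chosen because an active peer re-handshakes roughly every two minutes.

```shell
#!/bin/sh
# Added example: flag WireGuard peers with stale handshakes.
# Input format is that of `wg show <iface> latest-handshakes`.

STALE_AFTER=180   # seconds; assumption, an active peer re-handshakes about every 2 minutes

# stale_peers NOW   (handshake lines on stdin)
# Prints "<key> never" or "<key> <age>s" for each peer whose last handshake is
# older than STALE_AFTER seconds; prints nothing when every peer is fresh.
stale_peers() {
    now="$1"
    while read -r key ts; do
        # skip blank or malformed lines instead of feeding them to arithmetic
        case "$ts" in ''|*[!0-9]*) continue ;; esac
        if [ "$ts" -eq 0 ]; then
            echo "$key never"
        elif [ $((now - ts)) -gt "$STALE_AFTER" ]; then
            echo "$key $((now - ts))s"
        fi
    done
}

# count_stale NOW   (handshake lines on stdin): number of stale peers, handy for alerting.
count_stale() {
    stale_peers "$1" | wc -l | tr -d ' '
}

# Live check on a host; needs root, like wg itself. Exit status 1 if any peer is stale.
check_interface() {
    iface="${1:-wg0}"
    stale=$(wg show "$iface" latest-handshakes | stale_peers "$(date +%s)")
    [ -z "$stale" ] || { printf '%s\n' "$stale"; return 1; }
}

# Constructed sample: three peers with placeholder keys (one fresh, one old, one never).
SAMPLE=$(printf 'PEER_A_PUBKEY_PLACEHOLDER\t1700000000\nPEER_B_PUBKEY_PLACEHOLDER\t1699990000\nPEER_C_PUBKEY_PLACEHOLDER\t0\n')

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | stale_peers 1700000050
    # prints:
    # PEER_B_PUBKEY_PLACEHOLDER 10050s
    # PEER_C_PUBKEY_PLACEHOLDER never
elif [ "${1:-}" = "live" ]; then
    check_interface "${2:-wg0}"
fi
```

Run it with "demo" to see the sample evaluated, or with "live [interface]" on the server from cron or a monitoring agent; a non-zero exit from check_interface is the signal to alert on. A peer that shows "never" although the client reports itself as up usually means the public keys on the two sides do not match, or the endpoint or port is wrong.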

For more information you can check the WireGuard website.

“WireGuard” is a registered trademark of Jason A. Donenfeld.
