This guide assumes you're setting up a WireGuard VPN server on a virtual private server (VPS) running Ubuntu 20.04 or higher (the most common OS for VPS). If you're using a different OS (e.g., Debian or CentOS), the commands may differ slightly, but the principles are the same.

Important warnings:

  • You must have root access to the VPS (via SSH).
  • After setup, check your firewall (UFW or iptables) to open the port for WireGuard (default UDP 51820).
  • This is a basic setup for a simple VPN. For production, add security (for example, restrict access by IP).
  • Run commands as root or with sudo.

Step 1: Update the system and install WireGuard

First, update your packages and install WireGuard. WireGuard is available in the default Ubuntu repositories.

sudo apt update
sudo apt upgrade -y
sudo apt install wireguard -y

If WireGuard is not found (on older Ubuntu versions), add the repository:

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt update
sudo apt install wireguard -y

Step 2: Generate keys

WireGuard uses private and public key pairs. The private key remains on the device, and the public key is exchanged.

We will generate 4 keys:

  • Pair for the server (private_server.key and public_server.key).
  • Pair for the client (private_client.key and public_client.key).

Go to the directory for keys (I recommend /etc/wireguard for convenience):

cd /etc/wireguard
sudo mkdir keys # Create a subdirectory for the keys (optional)
cd keys

Generating keys for the server:

wg genkey | tee private_server.key | wg pubkey > public_server.key
chmod 600 private_server.key # Protect the private key

Generating keys for the client:

wg genkey | tee private_client.key | wg pubkey > public_client.key
chmod 600 private_client.key # Protect the private key

Check the keys:

ls -l # You will see 4 files: private_server.key, public_server.key, private_client.key, public_client.key
cat public_server.key # Example: shows the server's public key

If more clients are needed (for example, 2 more keys for the second client), repeat:

wg genkey | tee private_client2.key | wg pubkey > public_client2.key
chmod 600 private_client2.key

Step 3: Setting up the server configuration

Create a configuration file for the WireGuard interface (usually wg0.conf).

sudo nano /etc/wireguard/wg0.conf

Paste the following template (replace values with your keys and IP):

[Interface]
Address = 10.0.0.1/24 # Internal IP of the server in the VPN network (choose your own subnet, e.g. 10.0.0.0/24)
PrivateKey = <contents of private_server.key> # Paste the server's private key
ListenPort = 51820 # UDP port to listen on (can be changed)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Enable forwarding (eth0 is your network interface, check with ifconfig)
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE # Disable on stop

[Peer]
PublicKey = <contents of public_client.key> # Client's public key
AllowedIPs = 10.0.0.2/32 # Client's IP in the VPN network (for a single client; for several, add more [Peer] sections)

  • Address: IP of the server in the VPN.
  • PrivateKey: Copy from cat private_server.key.
  • ListenPort: Standard port.
  • PostUp/PostDown: For NAT and traffic forwarding (allows clients to access the Internet through the server).
  • [Peer]: Section for the client. If there are multiple clients, add additional [Peer] blocks.

Save the file (Ctrl+O, Enter, Ctrl+X in nano).

Protect the config:

sudo chmod 600 /etc/wireguard/wg0.conf

Step 4: Enabling IP Forwarding

To enable the server to route client traffic:

sudo sysctl -w net.ipv4.ip_forward=1

Make this permanent: edit /etc/sysctl.conf

sudo nano /etc/sysctl.conf

Add the line:

net.ipv4.ip_forward = 1

Apply:

sudo sysctl -p

Step 5: Starting WireGuard on the Server

Launch the interface:

sudo wg-quick up wg0

Check the status:

sudo wg show

You should see the wg0 interface, private key and peers (empty for now, until the client connects).

Make it autostart at boot:

sudo systemctl enable wg-quick@wg0

Step 6: Configure the firewall

If you use UFW (Uncomplicated Firewall):

sudo ufw allow 51820/udp
sudo ufw reload

If iptables:

sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT

Step 7: Client Setup

The client can be on any device (Linux, Windows, Android, iOS). Here's an example for Linux.

Install WireGuard on the client (similar to step 1).

Create a config on the client (/etc/wireguard/wg0.conf):

[Interface]
Address = 10.0.0.2/24 # Client's IP (must match AllowedIPs on the server)
PrivateKey = <contents of private_client.key> # Client's private key
DNS = 8.8.8.8 # Optional, DNS for the VPN

[Peer]
PublicKey = <contents of public_server.key> # Server's public key
Endpoint = <YOUR_VPS_IP>:51820 # Server's external IP and port
AllowedIPs = 0.0.0.0/0 # All traffic through the VPN (or 10.0.0.0/24 for the internal network only)
PersistentKeepalive = 25 # Optional, for NAT

Run on the client:

sudo wg-quick up wg0

Check:


And test with ping 10.0.0.1 (the server's VPN IP) or by reaching the external internet.

Step 8: Adding Multiple Clients

If you need more clients (e.g. for 4 keys as 2 pairs), generate additional keys (as in step 2) and add a [Peer] block to the server's wg0.conf:

[Peer]
PublicKey = <public key of the new client>
AllowedIPs = 10.0.0.3/32

Restart the server: sudo wg-quick down wg0 && sudo wg-quick up wg0.
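
Added example (not part of the original guide): a small helper for Step 8 that picks the next unused client address from the server config and prints the matching [Peer] block. The function names, the sample config and the fixed 10.0.0.0/24 subnet are assumptions of this example.

```sh
# Added example. Assumes the guide's 10.0.0.0/24 subnet.
# Lowest unused 10.0.0.N (N = 2..254) for a server wg0.conf read from stdin.
next_free_ip() {
    awk -F'[=,]' '
        { sub(/#.*/, "") }                        # drop inline comments
        /^[ \t]*(Address|AllowedIPs)[ \t]*=/ {
            for (i = 2; i <= NF; i++) {
                v = $i; gsub(/[ \t]/, "", v)
                if (v ~ "^10\\.0\\.0\\.[0-9]+(/[0-9]+)?$") {
                    split(v, o, "[./]"); used[o[4] + 0] = 1
                }
            }
        }
        END {
            for (n = 2; n <= 254; n++)
                if (!(n in used)) { print "10.0.0." n; exit 0 }
            exit 1                                # subnet exhausted
        }'
}

# [Peer] block for the server: $1 = client public key, $2 = client VPN address.
server_peer() {
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# Key pair for client $1 plus the block to append to server config $2.
# Needs the wg tool and root, so it is defined here but not called.
add_client() {
    conf=${2:-/etc/wireguard/wg0.conf}
    ip=$(next_free_ip < "$conf") || { echo "no free address" >&2; return 1; }
    ( umask 077   # key files are created readable by the owner only
      wg genkey | tee "private_$1.key" | wg pubkey > "public_$1.key" )
    server_peer "$(cat "public_$1.key")" "$ip"
}

# Constructed sample server config; the keys are placeholders.
sample_conf() {
    cat <<'EOF'
[Interface]
Address = 10.0.0.1/24
[Peer]
PublicKey = <client1-public-key>
AllowedIPs = 10.0.0.2/32   # first client
[Peer]
PublicKey = <client2-public-key>
AllowedIPs = 10.0.0.3/32
EOF
}

sample_conf | next_free_ip
```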

Step 9: Debug and Stop

  • Stop: sudo wg-quick down wg0
  • Logs: sudo journalctl -u wg-quick@wg0 (if systemd)
  • Common problems: Check ports, keys (without extra spaces), IP conflicts.
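
Added example (not part of the original guide): a check for two of the common problems listed above, malformed keys and IP conflicts, run over a wg0.conf before restarting the interface. The function names and the sample config are assumptions of this example, and the keys in it are constructed placeholders.

```sh
# Added example: reads a wg0.conf on stdin and prints one finding per line,
# nothing when clean. Key values are never printed, only line numbers.
lint_conf() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^(PrivateKey|PublicKey)[ \t]*=/ {
            k = $0; sub(/[ \t]*=.*/, "", k)       # key name
            v = $0; sub(/^[^=]*=[ \t]*/, "", v)   # value after the first "="
            # A WireGuard key is 32 bytes, i.e. 44 base64 characters.
            if (length(v) != 44 || v !~ "^[A-Za-z0-9+/]+=$")
                print "line " NR ": " k " is not a 44-character base64 key"
        }
        /^AllowedIPs[ \t]*=/ {
            v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v)
            n = split(v, a, ",")
            for (i = 1; i <= n; i++)              # exact duplicates only
                if (a[i] in seen)
                    print "line " NR ": " a[i] " already assigned on line " seen[a[i]]
                else
                    seen[a[i]] = NR
        }'
}

# Constructed 44-character placeholder key made of one repeated letter.
fake_key() { printf '%043d=' 0 | tr 0 "$1"; }

# Constructed config: the second peer has a stray space inside its key and
# reuses the first peer's address.
bad_conf() {
    cat <<EOF
[Interface]
Address = 10.0.0.1/24
PrivateKey = $(fake_key A)
[Peer]
PublicKey = $(fake_key B)
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = $(fake_key C | sed 's/CCCC/CC C/')
AllowedIPs = 10.0.0.2/32
EOF
}

bad_conf | lint_conf
```

On the server it would be run as sudo sh -c 'lint_conf < /etc/wireguard/wg0.conf' from a script that defines the function; overlapping ranges (for example 10.0.0.0/24 next to 10.0.0.2/32) are not detected.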