WireGuard is an extremely simple, fast and modern VPN (Virtual Private Network) technology. It aims to replace older and more complex protocols such as IPsec and OpenVPN. With a much smaller codebase, it is easier to audit and offers top-tier performance, all while using state-of-the-art cryptographic algorithms.
Why use WireGuard?
- Simplicity: The configuration is similar to SSH: you simply exchange public keys.
- Performance: Being integrated into the Linux kernel, it is much faster than VPN solutions that run in user space such as OpenVPN.
- Security: Uses modern, reputable algorithms (ChaCha20, Poly1305, Curve25519).
- Stability: Ideal for mobile connections, it handles network changes very well (e.g. switching from Wi-Fi to 4G).
Prerequisites
- A Linux server (Ubuntu 20.04+ or Debian 10+ are perfect since WireGuard is included in their kernel).
- Root access or sudo privileges.
- A static public IP address on the server.
Installation
On recent distributions, installation is very simple.
sudo apt-get update
sudo apt-get install -y wireguard
Server Configuration
Step 1: Generate the keys
Each peer (the server and each client) needs a key pair (private and public).
# Move into the configuration directory
cd /etc/wireguard/
# Generate the server private key, and make it readable only by root
umask 077
wg genkey | sudo tee server_private.key
# Derive the public key from the private key
sudo cat server_private.key | wg pubkey | sudo tee server_public.key
Do the same for each client you want to connect. For this example, we create one for `client1`:
wg genkey | sudo tee client1_private.key
sudo cat client1_private.key | wg pubkey | sudo tee client1_public.key
Step 2: Create the server configuration file
Create the file /etc/wireguard/wg0.conf. The name `wg0` corresponds to the virtual network interface that will be created.
sudo nano /etc/wireguard/wg0.conf
Paste the following configuration, adapting it to your needs:
[Interface]
# Private IP address of the server on the VPN network
Address = 10.0.0.1/24
# Listening port for incoming connections
ListenPort = 51820
# Server private key (paste it here)
PrivateKey = PASTE_THE_CONTENT_OF_server_private.key
# These lines enable NAT so that clients can access the Internet through the server.
# Replace eth0 with the server's actual Internet-facing interface (check with `ip route show default`)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# This is the configuration for client1
# client1 public key
PublicKey = PASTE_THE_CONTENT_OF_client1_public.key
# Private IP that will be assigned to this client on the VPN network
AllowedIPs = 10.0.0.2/32
Step 3: Enable IP forwarding
For the server to be able to route client traffic to the Internet, you need to enable IP forwarding.
sudo nano /etc/sysctl.conf
Uncomment the line net.ipv4.ip_forward=1. Then apply the change:
sudo sysctl -p
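The two things that most often go wrong in steps 1 and 2 are a public key that was mangled while being pasted and a private key file left readable by other users. The helpers below are an added example, not part of the original post: they check that a string has the shape of a WireGuard key (32 bytes, base64 encoded, 44 characters), render the server-side [Peer] stanza for a client with its AllowedIPs forced to a /32, and verify a key file's mode. The function names and the sample key are assumptions; the key is a constructed dummy, not a real one.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for adding a client peer
# safely: key format check, [Peer] stanza rendering, key file permission check.

# A WireGuard key is 32 random bytes in base64: exactly 44 characters, the last
# one being '=' padding. wg(8) rejects anything else, so checking before pasting
# avoids a wg0.conf that refuses to come up.
wg_key_valid() {
    key=$1
    [ ${#key} -eq 44 ] || return 1
    # base64 -d rejects bad characters; wc -c counts the decoded bytes
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Render the server-side [Peer] block for one client. AllowedIPs is forced to
# a /32: the server then only accepts packets from this peer that carry exactly
# its assigned VPN address (WireGuard's cryptokey routing doubles as a source
# address filter).
render_peer() {
    name=$1; pubkey=$2; ip=$3
    wg_key_valid "$pubkey" || { echo "invalid public key for $name" >&2; return 1; }
    case $ip in
        */*) echo "give a bare address, not a CIDR, for $name" >&2; return 1 ;;
    esac
    printf '[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$name" "$pubkey" "$ip"
}

# Private keys must not be group- or world-readable; the umask 077 before
# wg genkey is what guarantees that. Returns 0 only if the mode is exactly 0600.
# (stat -c is GNU coreutils syntax, as found on the Debian/Ubuntu servers above.)
key_file_private() {
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "600" ]
}
```

A typical use on the server is `render_peer client1 "$(cat client1_public.key)" 10.0.0.2 | sudo tee -a /etc/wireguard/wg0.conf`, followed by `key_file_private /etc/wireguard/server_private.key` as a sanity check before starting the interface.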
Starting the VPN
The `wg-quick` tool makes it easy to manage WireGuard interfaces.
# Start the wg0 interface
sudo wg-quick up wg0
# Enable automatic startup at server boot
sudo systemctl enable wg-quick@wg0
Client Configuration
On the client machine, install WireGuard, then create a configuration file /etc/wireguard/wg0.conf.
[Interface]
# Private IP address of the client
Address = 10.0.0.2/24
# Client private key
PrivateKey = PASTE_THE_CONTENT_OF_client1_private.key
[Peer]
# Server public key
PublicKey = PASTE_THE_CONTENT_OF_server_public.key
# Public IP and port of the server
Endpoint = SERVER_PUBLIC_IP:51820
# AllowedIPs = 0.0.0.0/0 routes ALL of the client traffic through the VPN
AllowedIPs = 0.0.0.0/0
# Send a keepalive packet every 25 seconds so the NAT/firewall mapping in front of the client stays open
PersistentKeepalive = 25
Start the interface on the client with sudo wg-quick up wg0. You are connected!
On the server, the sudo wg command will show you the interface, the public key and information about connected peers, including the last "handshake".
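The "latest handshake" line is the one to watch: a peer that has not completed a handshake for a long time, or ever, either lost connectivity or has a mismatched key. The script below is an added example, not part of the original post; it reads the machine-readable form of that output (`wg show wg0 dump`) and lists peers whose last handshake is older than a threshold, which is what a monitoring job would alert on. The dump it parses is constructed, with dummy key names, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): flag peers with stale or missing
# handshakes from `wg show wg0 dump` output.

# `wg show <iface> dump` prints one header line (private key, public key,
# listen port, fwmark) followed by one tab-separated line per peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake(epoch)
#   transfer-rx  transfer-tx  persistent-keepalive
# A latest-handshake of 0 means the peer has never completed a handshake.
# Constructed sample; the key fields are placeholders, not real keys.
SAMPLE_DUMP=$(
    printf '%s\t%s\t%s\t%s\n' SERVER_PRIVATE_KEY_REDACTED SERVER_PUBLIC_KEY 51820 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        CLIENT1_PUBLIC_KEY '(none)' 203.0.113.10:41234 10.0.0.2/32 1700000000 123456 654321 25 \
        CLIENT2_PUBLIC_KEY '(none)' '(none)' 10.0.0.3/32 0 0 0 off \
        CLIENT3_PUBLIC_KEY '(none)' 198.51.100.7:51820 10.0.0.4/32 1699990000 999 999 off
)

# stale_peers DUMP NOW MAX_AGE
# Prints "<public-key> <age-in-seconds|never> <allowed-ips>" for every peer whose
# last handshake is older than MAX_AGE seconds or has never happened.
# No field in the dump contains spaces, so awk's default whitespace splitting
# handles both the real tab-separated output and this sample.
stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="$3" '
        NR == 1 { next }                          # skip the interface line
        $5 == 0 { print $1, "never", $4; next }   # never handshaked
        now - $5 > max { print $1, now - $5, $4 } # handshake too old
    '
}

# Number of stale peers, for a monitoring check that alerts on a non-zero value.
stale_peer_count() {
    stale_peers "$1" "$2" "$3" | wc -l | tr -d ' '
}
```

On a live server replace the sample with `sudo wg show wg0 dump` and `$(date +%s)` for the current time; a threshold of a few minutes is reasonable because an active peer with PersistentKeepalive re-handshakes at least every couple of minutes.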
Conclusion
WireGuard has revolutionized the VPN world with its simplicity and performance. Its configuration method, based on exchanging public keys, is both intuitive and highly secure. For point-to-point connections or for secure remote access, it is today one of the best solutions available, and its integration into the Linux kernel makes it a de facto standard.