Setting Up a WireGuard VPN Server
WireGuard is a modern, fast, and secure VPN protocol. It is simpler to configure than OpenVPN and generally faster.
Step 1 — Install WireGuard
apt update
apt install wireguard -y
Step 2 — Generate Server Keys
# Set a restrictive umask first so the private key is never created world-readable
umask 077
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
chmod 600 /etc/wireguard/server_private.key
Step 3 — Create Server Config
nano /etc/wireguard/wg0.conf
[Interface]
# Paste the contents of /etc/wireguard/server_private.key here; wg-quick does not expand $(...)
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Step 4 — Enable IP Forwarding
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
Step 5 — Add a Client
Generate client keys on the server (or on the client device):
umask 077
wg genkey | tee client_private.key | wg pubkey > client_public.key
Add to /etc/wireguard/wg0.conf:
[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32
Step 6 — Start WireGuard
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
ufw allow 51820/udp
Client Config (on the client device)
[Interface]
PrivateKey = <client_private_key>
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = <server_public_key>
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0
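Added example (not part of the original guide): a shell lint to run on /etc/wireguard/wg0.conf from Steps 3 and 5 before Step 6 starts the interface. It flags key fields that are not real base64 keys (unexpanded shell syntax or <...> placeholders), an AllowedIPs address reused across [Peer] blocks, and a config file accessible to group or others. The names lint_wg_conf and fake_key are made up for this example, and the sample config is constructed.

```shell
# Added example: lint a wg-quick config before bringing the interface up.
# lint_wg_conf and fake_key are hypothetical helper names. Returns 1 on any finding.
lint_wg_conf() {
    conf=$1; rc=0
    # Columns 5-10 of ls -l are the group/other bits; any set bit exposes PrivateKey.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "$conf: accessible by group/others, run chmod 600"; rc=1
    fi
    awk '
        { sub(/#.*/, "") }                        # strip comments
        /^[ \t]*\[/ { section = $1; next }        # [Interface] or [Peer]
        {
            i = index($0, "="); if (!i) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            # A key is 32 bytes: 43 base64 characters plus "=". Never print val.
            if (key ~ /Key$/ && (length(val) != 44 || val !~ "^[A-Za-z0-9+/]+=$")) {
                print "line " NR ": " key " is not a base64 key (placeholder or shell syntax?)"; bad = 1
            }
            # Each allowed IP maps to one peer; a reused one moves to the later peer.
            if (key == "AllowedIPs" && section == "[Peer]") {
                n = split(val, nets, /[ \t]*,[ \t]*/)
                for (j = 1; j <= n; j++) {
                    if (nets[j] in seen) {
                        print "line " NR ": " nets[j] " already assigned at line " seen[nets[j]]; bad = 1
                    } else seen[nets[j]] = NR
                }
            }
        }
        END { exit bad + 0 }
    ' "$conf" || rc=1
    return $rc
}
# Constructed placeholder key (43 copies of one character plus "="), not a real key.
fake_key() { awk -v c="$1" 'BEGIN { for (i = 0; i < 43; i++) printf "%s", c; print "=" }'; }

# Constructed sample: the unexpanded $(cat ...) line and a copy-pasted [Peer] block.
sample=$(mktemp)    # created with mode 600
cat > "$sample" <<EOF
[Interface]
PrivateKey = \$(cat /etc/wireguard/server_private.key)
[Peer]
PublicKey = $(fake_key A)
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = $(fake_key B)
AllowedIPs = 10.0.0.2/32
EOF
lint_wg_conf "$sample" || echo "fix the findings above before starting wg-quick@wg0"
rm -f "$sample"
```

On the server, run it as root against the real file: lint_wg_conf /etc/wireguard/wg0.conf.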