WireGuard is a modern, fast and secure VPN protocol that is easier to configure than OpenVPN or IPsec. In this tutorial, we will show you how to install and configure a WireGuard server under Linux.
Debian/Ubuntu
sudo apt update && sudo apt install wireguard
CentOS/RHEL
sudo yum install epel-release elrepo-release -y
sudo yum install kmod-wireguard wireguard-tools -y
After the installation, we can start setting up the server.
WireGuard uses public/private key pairs for authentication.
mkdir -p /etc/wireguard && cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
privatekey: Is required later for the server configuration.
publickey: Is required by the clients to authenticate the server.
Create the configuration file for the interface:
nano /etc/wireguard/wg0.conf
Add the following configuration (replace <SERVER_PRIVATE_KEY> and <SERVER_PUBLIC_IP> accordingly):
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Address: The internal VPN IP address of the server.
ListenPort: The port on which WireGuard is listening.
PrivateKey: The previously generated private key.
PostUp & PostDown: Rules for NAT so that clients can access the Internet via the server. The rules assume eth0 is the server's outbound interface.
Activate IP forwarding:
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
Check the status:
systemctl status wg-quick@wg0
If errors occur, the logs can be viewed:
journalctl -xe -u wg-quick@wg0
Each client requires its own key pair.
Generate key
On the client:
wg genkey | tee privatekey | wg pubkey > publickey
Add the client to the server:
wg set wg0 peer <CLIENT_PUBLIC_KEY> allowed-ips 10.0.0.2/32
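Save the changes. Because SaveConfig = true is set, wg-quick writes the running peers back to wg0.conf when the interface is brought down; confirm that the peer is present with: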
wg show
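An added example (not part of the original tutorial): a shell check for the server's wg0.conf, once peers have been written to it, that flags a config file readable by group or others, a PrivateKey placeholder left in place, and peer AllowedIPs entries that cover more than one host or are listed for more than one peer. The function names, finding labels and sample config are assumptions made for illustration; the keys in the sample are constructed placeholders.

```shell
# Added example: audit a wg-quick server config such as /etc/wireguard/wg0.conf.
# Prints one finding per line and nothing when the file passes.
audit_wg_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "MISSING: cannot read $conf"; return 1; }
    # The file holds the server private key: group/other must have no access.
    perms=$(ls -ld "$conf" | cut -c1-10)
    case $perms in
        ????------) ;;
        *) echo "PERMS: $conf is $perms, expected -rw-------" ;;
    esac
    awk '
        { line = $0; sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line) }
        tolower(line) == "[interface]" { sect = "if"; next }
        tolower(line) == "[peer]"      { sect = "peer"; next }
        { eq = index(line, "="); if (!eq) next
          key = tolower(substr(line, 1, eq - 1)); val = substr(line, eq + 1) }
        # Template placeholder left in place of the real key.
        sect == "if" && key == "privatekey" && val ~ /^</ { print "KEY: PrivateKey is still a placeholder" }
        # Each peer should own exactly the host address(es) assigned to it.
        sect == "peer" && key == "allowedips" {
            n = split(val, ips, ",")
            for (i = 1; i <= n; i++) {
                if (ips[i] ~ /\// && ips[i] !~ /\/(32|128)$/)
                    print "WIDE: peer AllowedIPs " ips[i] " covers more than one host"
                if (seen[ips[i]]++)
                    print "DUP: " ips[i] " is listed for more than one peer"
            }
        }
    ' "$conf"
}
# Constructed sample (placeholder keys, not real ones) with deliberate mistakes.
write_sample() {
    cat > "$1" <<'EOF'
[Interface]
Address = 10.0.0.1/24
PrivateKey = <SERVER_PRIVATE_KEY>
[Peer]
PublicKey = CONSTRUCTED_PEER_A=
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = CONSTRUCTED_PEER_B=
AllowedIPs = 10.0.0.2/32, 10.0.0.0/24
EOF
}
tmp=$(mktemp) && write_sample "$tmp" && chmod 644 "$tmp"
audit_wg_conf "$tmp"; rm -f "$tmp"
```

On the server, run it as audit_wg_conf /etc/wireguard/wg0.conf; on the server side AllowedIPs is also the source-address filter for each peer, which is why a /24 on a single client is flagged.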
Create client configuration file:
Create the file wg-client.conf on the client:
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_PUBLIC_IP>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Load the configuration with (wg-quick looks up a bare name as an interface under /etc/wireguard, so pass the file as a path):
wg-quick up ./wg-client.conf
Check the connection:
ping 10.0.0.1
If ufw is used:
ufw allow 51820/udp
For iptables:
iptables -A INPUT -p udp --dport 51820 -j ACCEPT
iptables -A FORWARD -i wg0 -j ACCEPT
To save these permanently:
iptables-save > /etc/iptables/rules.v4
So that WireGuard starts automatically on reboot:
systemctl enable wg-quick@wg0
Your WireGuard server is now set up and ready for use. Clients can connect and communicate securely via the VPN tunnel. If problems occur, a look at the logs (wg show or journalctl -xe -u wg-quick@wg0) will help.
By René Wittenberg | March 7, 2025 | Tags: VPN, OpenVPN