There are several ways to install WireGuard on linux-based server. Two of them are:
We are going to learn both approaches in this post.
1. WireGuard in a nutshell
WireGuard is an open-source communication protocol that implements encrypted virtual private networks (VPNs) over UDP. It is very easy to use and secure. WireGuard aims to have better performance compared to IPSec and OpenVPN.
2. Client application
WireGuard supports many operating systems. Download the installer via the following link:
3. WireGuard server setup
The easiest way to install WireGuard server is via wireguard-install. They provide an executable shell script to automate the installation on some Linux Distro, such as:
- Arch Linux system
Ok, let us get to the point. To start the installation, run the following command:
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
You will be asked to confirm several configurations key. The pre-defined value for each prompt should be sufficient, except for the
IPv4 or IPv6 public address, for that specific prompt, ensure to have correct public IP address entered.
If you are using AWS or another cloud provider, there is a chance that the default IP address value is not the public IP, but the private IP. So please keep in mind, always use the public IP there.
Then the response below will appear:
Welcome to the WireGuard installer!
The git repository is available at: https://github.com/angristan/wireguard-install
I need to ask you a few questions before starting the setup.
You can keep the default options and just press enter if you are ok with them.
IPv4 or IPv6 public address: 184.108.40.206
Public interface: eth0
WireGuard interface name: wg0
Server WireGuard IPv4: 10.66.66.1
Server WireGuard IPv6: fd42:42:42::1
Server WireGuard port [1-65535]: 51820
First DNS resolver to use for the clients: 220.127.116.11
Second DNS resolver to use for the clients (optional): 18.104.22.168
Okay, that was all I needed. We are ready to setup your WireGuard server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
Press enter or any key to continue the installation process. Next, you will be prompted to enter the several configuration for the client.
Feel free to pick any name for
Client name and let the other fields be filled with the predefined value.
The client name must consist of alphanumeric character(s).
It may also include underscores or dashes and can't exceed 15 chars.
Client name: noval
Client WireGuard IPv4: 10.66.66.2
Client WireGuard IPv6: fd42:42:42::2
Keep pressing enter until you see the output below. At this point, the setup is pretty much completed.
Here is your client config file as a QR Code:
Your client config file is in /home/ubuntu/wg0-client-noval.conf
If you want to add more clients, you simply need to run this script another time!
WireGuard is running.
You can check the status of WireGuard with: systemctl status wg-quick@wg0
If you don't have internet connectivity from your client, try to reboot the server.
From that output you can tell where the client config file is located, it is in
/home/ubuntu/wg0-client-noval.conf. Save the content on that file somewhere, it will be used on the client side to connect to the WireGuard server.
For more details, see https://github.com/angristan/wireguard-install
◉ Using Docker
The first step is to install Docker engine. Then create the VPN server by starting a new container using
linuxserver/wireguard:latest using the following command:
For plain Docker:
docker run -d \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Asia/Jakarta \
-e SERVERURL=123.456.78.9 \
-e SERVERPORT=51820 \
-e PEERS=1 \
-e PEERDNS=22.214.171.124 \
-e INTERNAL_SUBNET=10.13.13.0 \
-e ALLOWEDIPS=0.0.0.0/0,::/0 \
-e PERSISTENTKEEPALIVE_PEERS=all \
-e LOG_CONFS=true \
-p 51820:51820/udp \
-v /home/ec2-user/workspace/wireguard/config:/config \
-v /lib/modules:/lib/modules \
--restart unless-stopped \
Ensure to adjust the value of
env var below:
PGID→ use command
id <your-linux-username>to get the correct number
TZ→ specify the timezone of your location. example:
SERVERURL→ public IP of your linux instance
Not to forget, map the
/config path within container to the correct path in host. In the example I use
Create the container, wait for a few seconds, then check the container logs to see the result. Then go to the path where it's pointing to the
/config. Go to the
Save the content on that
peer1.conf file somewhere, it will be used on the client side to connect to the WireGuard server.
For more details, see https://github.com/linuxserver/docker-wireguard
◉ Whitelist the UDP port
If you are using cloud provider such as AWS where by default not all ports are public, an additional is required, which is whitelisting the inbound traffic directed to the WireGuard port (in this example, it is
51820). Ensure to select the
UDP protocol because WireGuard uses
4. Connect to WireGuard
The content of the
.conf file is something like this:
PrivateKey = YDqQfiR6+VdaS3xqgSWW5CHAxhH0=
Address = 10.66.66.1/32,fd42:42:42::1/128
DNS = 126.96.36.199,188.8.131.52
PublicKey = ByhoL4uTt2QzQb3dsadwereQzQbufXw=
PresharedKey = aJDPFsuKvrE8TQM3RaQykrNP9os3ms=
Endpoint = 123.456.78.9:50194
AllowedIPs = 0.0.0.0/0,::/0
Now open up the WireGuard client application, click
Add tunnel, then locate the
.conf file. Next, click
activate to start the VPN peering connection.
5. Set Up WireGuard UI
WireGuard UI is useful tools to manage your WireGuard server via friendly user interface. Such as adding user, adding new client, and other type of actions can be done in interactive manner via WireGuard UI.
If you use
linuxserver/wireguard Docker image on your end, add the
ngoduykhanh/wireguard-ui image to
docker-compose.yml, so the content of that file would be like this:
- 5000:5000 # ← whitelist port 5000 for WireGuard UI
docker-compose up -d command, and then access the UI via
http://yourip:5000. You also need to whitelist the inbound access for port
By default, both username and password is set to
admin. Right after you logged in to the dashboard, do immediately change the password for safety reason. To do that, click
User Settings → Edit → Enter your new password → Save.
To create a new client/tunnel access, click the
Wireguard Clients → New Client → Fill the info → Submit.