Build a VPN Tunnel with WireGuard
Tunneled
After completing the setup, the laptop, which acts as a server in our case, will take responsibility for transporting the network packets and will reside between the client and, for example, any websites it visits, accepting requests and returning responses. This connection is encrypted in both directions. Visited websites only see the server's IP address, not your own.
Setting up a VPN with WireGuard is easier than with its competitors (which sometimes require a demanding configuration that is easily beyond a beginner's capabilities). With the recent addition of WireGuard to the mainline kernel, its adoption is expected to continue to grow; over time, the configuration is likely to be simplified with additional tools.
Installing WireGuard
Unlike its competitors, WireGuard uses the same software on the server and the clients. After installing the wireguard package via the server's and the clients' package managers, start the process of generating private and public keys; this is comparable to the same procedure in SSH. You need to create a key pair for each device that will have access to the VPN. The two computers on either end of the WireGuard tunnel each need the public keys from the other end. WireGuard does not care whether the server is on the Internet or a local network.
If you are using Ubuntu 20.04, the best way to install WireGuard is to type the following at the command line
sudo apt install wireguard
rather than using the graphical package manager, which only gives you an outdated third-party snap package (Figure 1). Also make sure that the header files are installed to match the kernel.
After installing the package, you still need to enable IP forwarding on the designated WireGuard server. As root, open the /etc/sysctl.conf file in an editor and uncomment the lines #net.ipv4.ip_forward=1 for IPv4 or #net.ipv6.conf.all.forwarding=1 for IPv6 (Listing 1). Then reload the system configuration (Listing 2) by typing:
sudo sysctl -p
Listing 1
Enabling IP Forwarding
    [...]
    # Uncomment the next line to enable packet forwarding for IPv4
    net.ipv4.ip_forward=1
    [...]
    # Uncomment the next line to enable packet forwarding for IPv6
    # Enabling this option disables Stateless Address Autoconfiguration
    # based on Router Advertisements for this host
    net.ipv6.conf.all.forwarding=1
    [...]
Listing 2
Reloading WireGuard
    ### Install Wireguard
    $ sudo apt update
    $ sudo apt install wireguard resolvconf
    ### Only on the Wireguard server:
    $ sudo nano /etc/sysctl.conf
    $ sudo sysctl -p
Key Services
Now create the required private and public keys on the server and clients (shown in Listing 3). Finally, check that the keys have been created with the ls command (Figure 2). It is best to copy both public keys into a text file and save them on a USB stick for later configuration.
Listing 3
Creating Private and Public Keys
    $ sudo -s
    $ cd /etc/wireguard
    ### <client1> and <client2> are placeholders: type the file name without the angle brackets
    ### Generate key on server:
    $ umask 077; wg genkey | tee <client1>.key | wg pubkey > <client1>.pub
    ### Generate key on client:
    $ umask 077; wg genkey | tee <client2>.key | wg pubkey > <client2>.pub
    ### Check key on server:
    $ ls -al
    total 24
    drwx------   2 root root  4096 Apr 30 19:49 .
    drwxr-xr-x 131 root root 12288 Apr 30 19:47 ..
    -rw-------   1 root root    45 Apr 30 19:49 client1.key
    -rw-------   1 root root    45 Apr 30 19:49 client1.pub
    $ cat /etc/wireguard/client1.key
    YBwK1N1O7OwOEtWCFnxwF9aVB0GK5YUNxEtU1pyVuUs=
    $ cat /etc/wireguard/client1.pub
    LnEReQTHUY7FIMaAR6qVcCfk95ucPY6O/zb4OfdfYh4=
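A way to verify the results of the steps above before moving on to the tunnel configuration, as an added example that is not part of the original article: it checks that a forwarding line is really uncommented and that each private key file is closed to group and others and holds one 44-character base64 key. The function names are hypothetical, and the paths are arguments so the checks can also be run against copies.

```shell
#!/bin/sh
# Added example (not from the article). Assumes forwarding is configured in
# the sysctl file passed in and that private keys are named *.key, as in Listing 3.

# check_forwarding FILE KEY: succeed if KEY is set to 1 on an uncommented line.
check_forwarding() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*1[[:space:]]*(#.*)?\$" "$1"
}

# check_key_file FILE: succeed if FILE grants nothing to group/others
# (the effect of umask 077) and contains exactly one line that looks like
# a base64-encoded 32-byte key (43 base64 characters plus '=').
check_key_file() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ] || return 1
    [ "$(wc -l < "$1")" -eq 1 ] || return 1
    grep -Eq '^[A-Za-z0-9+/]{43}=$' "$1"
}

# audit_wireguard DIR SYSCTL_CONF: print one line per check and
# return the number of failed checks (0 means everything passed).
audit_wireguard() {
    fails=0
    if check_forwarding "$2" net.ipv4.ip_forward ||
       check_forwarding "$2" net.ipv6.conf.all.forwarding; then
        echo "ok   forwarding enabled in $2"
    else
        echo "FAIL no uncommented forwarding line in $2"
        fails=$((fails + 1))
    fi
    for f in "$1"/*.key; do
        [ -e "$f" ] || { echo "FAIL no *.key files in $1"; fails=$((fails + 1)); break; }
        if check_key_file "$f"; then
            echo "ok   $f"
        else
            echo "FAIL $f (permissions or key format)"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Usage on the server, as root: audit_wireguard /etc/wireguard /etc/sysctl.conf
```

The file check only confirms what is written in the configuration; `sysctl net.ipv4.ip_forward` shows the value the running kernel actually uses after `sudo sysctl -p`.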