WireGuard’s inclusion in Ubuntu 24.04’s default repositories means you can deploy a modern, high-speed VPN without additional kernel modules or complex dependencies. Its streamlined architecture and use of advanced cryptography make it a preferred choice for both individual users and organizations seeking reliable, low-overhead VPN connectivity. The following steps outline the most robust approach to installing and configuring WireGuard on Ubuntu 24.04, from server setup to client connection and firewall integration.

Step 1: Update your system to ensure all packages are current. This prevents compatibility issues and ensures you have the latest security patches. Run:

sudo apt update && sudo apt upgrade -y

Step 2: Install WireGuard using the package manager. WireGuard and its tools are available in the default Ubuntu 24.04 repositories, so installation is straightforward. Enter:

sudo apt install wireguard wireguard-tools -y

Step 3: Generate cryptographic keys for the server. WireGuard uses a public/private keypair for each peer, similar to SSH. Set a restrictive umask first to protect private keys:

umask 077
sudo wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key

This command creates /etc/wireguard/server_private.key and /etc/wireguard/server_public.key. The private key must remain secret. Adjust permissions to restrict access:

sudo chmod 600 /etc/wireguard/server_private.key

Step 4: Identify your server’s main network interface. This is required for NAT and routing. List interfaces with:

ip a

Typically, the main interface is named enp1s0, eth0, or similar. Note the interface name and public IP address for later use.

Step 5: Create the WireGuard server configuration file. Open /etc/wireguard/wg0.conf with your preferred text editor and add the following, replacing the bracketed placeholders with the contents of server_private.key and the interface name you noted in Step 4:

[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <main-interface> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <main-interface> -j MASQUERADE

Explanation: Address assigns a private subnet for VPN clients. ListenPort sets the UDP port (default is 51820). PrivateKey is the server’s private key. PostUp and PostDown add/remove firewall and NAT rules automatically when the interface starts or stops, ensuring VPN traffic is routed through the correct interface and clients can access the internet.

Step 6: Enable IPv4 forwarding so the server can route packets between VPN clients and the internet. Add or uncomment the following line in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Apply the change immediately:

sudo sysctl -p

Step 7: Open the WireGuard port in your firewall. If you use UFW (Uncomplicated Firewall), allow UDP port 51820 and reload the rules:

sudo ufw allow 51820/udp
sudo ufw reload

If UFW is not yet enabled, enable it after allowing SSH (port 22) to prevent lockout:

sudo ufw allow 22/tcp
sudo ufw enable

Step 8: Start and enable the WireGuard interface. This brings up the VPN and ensures it starts on boot:

sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0

Check the status to confirm it’s running:

sudo systemctl status wg-quick@wg0

To view the active VPN interface and peers, run:

sudo wg show wg0

Configure WireGuard Clients

Step 9: Generate a keypair for each client. On the client device (or on the server if distributing configs), run:

wg genkey | tee client_private.key | wg pubkey > client_public.key

Keep client_private.key secure; as in Step 3, run umask 077 before generating it so the file is not readable by other users. You will need client_public.key for the server configuration.

Step 10: Create the client configuration file. On the client, open /etc/wireguard/wg0.conf (or client1.conf) and add the following, replacing the bracketed placeholders with the client's private key, the server's public key and the server's public IP address:

[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server-public-ip>:51820
PersistentKeepalive = 25

Explanation: PrivateKey is the client’s private key. Address assigns a unique private IP within the VPN subnet. DNS sets the resolver used when the tunnel is active. PublicKey is the server’s public key. AllowedIPs controls which traffic routes through the VPN (use 0.0.0.0/0 for all traffic). Endpoint is the server’s public IP and port. PersistentKeepalive helps maintain NAT traversal for clients behind firewalls.

Step 11: Register the client on the server. Add a new [Peer] section to /etc/wireguard/wg0.conf on the server for each client, using that client's public key and its VPN address from Step 10 as a /32 so that only this peer may send traffic from that address:

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.8.0.2/32

Restart the WireGuard service to apply the changes (note that with SaveConfig = true, wg-quick rewrites wg0.conf from the running state whenever the interface goes down, so an edit made while the interface is up is lost at the next shutdown; stop the service before editing the file, or add the peer at runtime with sudo wg set wg0 peer <client-public-key> allowed-ips 10.8.0.2/32, which is then saved automatically):

sudo systemctl restart wg-quick@wg0
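As an added example (not part of the original guide), the helper below renders the client configuration from Step 10 and the server [Peer] stanza from Step 11 from a set of keys, after checking that each key has the 44-character base64 shape that wg genkey produces and that the client address is a usable host in 10.8.0.0/24. The sample keys and the 203.0.113.10 server address are constructed placeholders, and the subnet, server address and port are assumed to match the guide.

```shell
#!/bin/sh
# Added helper (not from the original guide): render a client config and the
# matching server [Peer] stanza from existing keys, after checking the values.
# Assumed layout: VPN subnet 10.8.0.0/24, server at 10.8.0.1, UDP port 51820.

# Succeed if $1 has the shape of a WireGuard key: 44 base64 chars ending in '='.
is_wg_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Succeed if $1 is a usable client address in 10.8.0.0/24 (last octet 2-254;
# .1 is the server, .0 and .255 are not host addresses).
in_vpn_subnet() {
  case "$1" in 10.8.0.*) ;; *) return 1 ;; esac
  last=${1##*.}
  case "$last" in ''|*[!0-9]*) return 1 ;; esac
  [ "$last" -ge 2 ] && [ "$last" -le 254 ]
}

# Client-side wg0.conf: args are client private key, server public key,
# server public IP, client VPN address. Fails (no output) on bad input.
render_client_conf() {
  is_wg_key "$1" && is_wg_key "$2" && in_vpn_subnet "$4" || return 1
  printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\nDNS = 8.8.8.8\n\n' "$1" "$4"
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\n' "$2"
  printf 'Endpoint = %s:51820\nPersistentKeepalive = 25\n' "$3"
}

# Server-side [Peer] stanza: args are client public key and client VPN address.
# AllowedIPs is the client's address as /32 so only that peer may source it.
render_server_peer() {
  is_wg_key "$1" && in_vpn_subnet "$2" || return 1
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# Constructed sample keys: the right shape, obviously not real key material.
# Real keys come from: wg genkey | tee client_private.key | wg pubkey > client_public.key
SAMPLE_CLIENT_PRIV=$(printf 'c%042d=' 0)   # 'c' + 42 zeros + '='
SAMPLE_CLIENT_PUB=$(printf 'p%042d=' 0)
SAMPLE_SERVER_PUB=$(printf 's%042d=' 0)

# Stand-alone demo: print both fragments for client 10.8.0.2 (203.0.113.10 is
# a documentation address standing in for the server's public IP).
render_client_conf "$SAMPLE_CLIENT_PRIV" "$SAMPLE_SERVER_PUB" 203.0.113.10 10.8.0.2
echo
render_server_peer "$SAMPLE_CLIENT_PUB" 10.8.0.2
```

Write the client output to a file under umask 077, since it contains the private key; the server stanza carries only the public key.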

Step 12: Transfer the client configuration file to the client device securely (for example, using scp or a secure file-sharing method). On the client, bring up the VPN:

sudo wg-quick up wg0

To stop the VPN, use:

sudo wg-quick down wg0

Step 13: Test the VPN connection. From the client, ping the server’s VPN IP:

ping -c 3 10.8.0.1

If successful, the VPN tunnel is operational. You can also check your public IP address (for example, with curl https://icanhazip.com) to confirm that traffic is routed through the VPN server.

Alternate Configuration: Using UFW for NAT and Routing

Some users prefer managing NAT and forwarding rules with UFW rather than iptables commands in PostUp and PostDown (in that case, omit the PostUp and PostDown lines from wg0.conf so that UFW alone owns those rules). To set up NAT with UFW:

Step 1: Edit /etc/ufw/before.rules and add the following lines near the top of the file, before the *filter line, replacing enp1s0 with your main network interface and 10.8.0.0/24 with your VPN subnet:

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE
COMMIT

Step 2: Allow forwarding for the VPN subnet. In the same file, find the ufw-before-forward chain and add:

-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -d 10.8.0.0/24 -j ACCEPT

Save and restart UFW:

sudo systemctl restart ufw

This approach centralizes firewall management but requires careful editing to avoid syntax errors.


WireGuard’s efficient protocol and straightforward configuration make it a practical solution for secure remote access and site-to-site networking on Ubuntu 24.04. Regularly update your system and WireGuard packages to maintain optimal security and performance.