17 August, 2023

How to Setup Wireguard VPN on Ubuntu/Debian Server

A comprehensive guide on installing and configuring Wireguard VPN on Ubuntu or Debian servers, including setup of a user-friendly GUI interface.

    What is Wireguard?

    Like OpenVPN, Wireguard is a client-server VPN protocol. For example, if you have an Ubuntu server in France, you can install the Wireguard server on it, and then connect from your phone, laptop, or other client devices as if you're accessing the internet from France.

    Another use case is when you have a NAS on your server's local network and want to access it securely (secure tunnel). You can use Wireguard to establish an encrypted connection from the client to the server's local network.

    Wireguard differs from OpenVPN in that it's a module pre-installed in every Linux kernel, avoiding the need to transfer data back and forth between kernel space and user space. Generally, Wireguard is lighter and faster than OpenVPN.

    ⚠️ This guide is for those with some experience in server (VPS) setup and using Linux command line. If you're not familiar with these, you should use readily available VPNs (NordVPN, ExpressVPN, etc.) to save time on installation.

    The main steps of the installation will include:

    1. Installing Wireguard and GUI for Wireguard
    2. Setting up a systemd unit to automatically load the config file for Wireguard
    3. Creating keys for clients (phones, computers, etc.)
    4. Connecting clients to the server

    This guide is based on https://github.com/ngoduykhanh/wireguard-ui. Thanks to Ngo Duy Khanh for taking the time to create this GUI.

    1. Installing Wireguard and GUI for Wireguard

    Before starting, make sure you've enabled IP forwarding. Google "enable ip forwarding ubuntu" for instructions.

    Visit https://github.com/ngoduykhanh/wireguard-ui/releases, then find the link for the ...linux-amd64.tar.gz build (remember it's the Linux version, not FreeBSD; amd64 for Intel/AMD chips and the ARM version for ARM chips).

    For example, at the time of writing, the latest version is https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.5.2/wireguard-ui-v0.5.2-linux-amd64.tar.gz

    Run the following commands on the server:

    sudo apt install -y wget wireguard nano tar
    
    wget -O ./wireguard-ui.tar.gz https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.5.2/wireguard-ui-v0.5.2-linux-amd64.tar.gz
    
    tar xvzf ./wireguard-ui.tar.gz
    
    chmod a+x ./wireguard-ui
    
    sudo chown root:root ./wireguard-ui
    
    sudo mv ./wireguard-ui /bin/wireguard-ui
    
    file /bin/wireguard-ui
    

    If the last line looks like this, it's OK:

    /bin/wireguard-ui: ELF 64-bit LSB executable ..............
    

    Next, run the following commands to install the systemd service for the GUI:

    sudo wget -O /etc/systemd/system/wireguardgui.service https://gist.githubusercontent.com/ngxson/9672d720c86234299623caa703e615d1/raw/7c9eafb3a0173563a78a410046afa00655e4fbac/wireguardgui.service
    
    sudo systemctl enable wireguardgui.service
    
    sudo systemctl start wireguardgui.service
    
    sudo systemctl status wireguardgui.service
    

    If the last line shows as follows, it's OK:

    http server started on [::]:5000
    

    Note that the GUI will listen on port 5000. If you already have an app using this port, see the instructions at the end of the article to change the port (in the "Possible Errors" section).

    Open IP_SERVER:5000 in a browser and you will see the login page. Default username: admin; password: admin.

    Next, set a new password for the GUI: go to User settings => Admin => Edit.

    Then, go to the Wireguard server section to set up the post up / post down scripts.

    Remember to replace ens3 with the network interface your machine uses to reach the internet (for example, it could be eth0); check by running the command: ifconfig

    For post up:

    iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o %i -j MASQUERADE; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
    

    For post down:

    iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o %i -j MASQUERADE; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
    

    Click Apply Config to create the config file (used in the next step).

    2. Setting up systemd unit to automatically load config file for Wireguard

    Run the following commands in order:

    sudo wget -O /etc/systemd/system/wgui.service https://gist.githubusercontent.com/ngxson/9672d720c86234299623caa703e615d1/raw/7c9eafb3a0173563a78a410046afa00655e4fbac/wgui.service
    
    sudo wget -O /etc/systemd/system/wgui.path https://gist.githubusercontent.com/ngxson/9672d720c86234299623caa703e615d1/raw/7c9eafb3a0173563a78a410046afa00655e4fbac/wgui.path
    
    sudo systemctl enable wgui.{path,service}
    
    sudo systemctl start wgui.{path,service}
    
    sudo systemctl status wgui.service
    

    If it shows "Finished Restart WireGuard." then it's OK.

    3. Creating keys for clients (phones, computers, etc.)

    Go to the Wireguard client section.

    Then click New client (top right corner).

    Enter the necessary parameters:

    • Name: set as you wish
    • Email: fill in anything; it is not important
    • IP Allocation: leave as is
    • Allowed IPs:
      • If you want the client to send all of its internet traffic through the server (proxy), leave it as 0.0.0.0/0
      • If you only want the client to reach the local network behind the server (e.g. a NAS next to the server), while other sites do not go through the server, delete 0.0.0.0/0 and set the local IP range, for example 192.168.100.0/24
    • Extra Allowed IPs:
      • Usually left blank
      • Only fill in if you want the server to be able to reach the client's LAN in reverse. For example, if you have a NAS and a laptop at home and want the server to reach the NAS, set the home LAN range, for example 192.168.1.0/24

    Click Apply Config; the Wireguard server will restart automatically.

    4. Connecting clients to the server

    On mobile:

    Click on the QR code to display the code.

    Then, on your phone, scan this code.

    On Linux:

    Click Download to download the config file.

    Then, on the client, install Wireguard

    sudo apt install wireguard
    

    Connect to Wireguard with the command:

    sudo wg-quick up /path/to/file.conf   # the file name without .conf becomes the interface name, e.g. wg0.conf -> wg0
    sudo wg # check status
    

    On Windows and Mac

    Export the config file by clicking the Download button.

    Then, import this file into the software: https://www.wireguard.com/install/

    Possible Errors

    1. Cannot connect to the server

    Check again in the "Global settings" section (left menu) whether the server's public IP is correct. If the server is placed behind a firewall or NAT by the ISP, this IP might be wrong. Also check that the firewall has opened UDP port 51820.

    2. Can connect, but internet access is very unstable

    For some providers you may need to reduce the MTU. In the "Global settings" section (left menu), set MTU to 1370 (and also update the settings on the client) to see if it improves. For example, I use OVH, and need to set it to 1370 for it to work.

    3. Port 5000 is already in use by another app

    For example, if you want to change to port 12345, edit the file /etc/systemd/system/wireguardgui.service and change the following part:

    /bin/wireguard-ui
    

    To:

    /bin/wireguard-ui --bind-address 0.0.0.0:12345
    

    Then run the following command:

    sudo systemctl restart wireguardgui.service
    
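    The port change in item 3 can also be done with a systemd drop-in, which survives re-downloading the unit file, and the same --bind-address flag lets the GUI listen on 127.0.0.1 only so the admin login page is not exposed on the public interface. This is an added example, not code from the original post or from wireguard-ui; it assumes --bind-address takes HOST:PORT as the post's 0.0.0.0:12345 shows, and the file name bind-gui.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post or wireguard-ui: move the GUI off
# port 5000 with a systemd drop-in instead of editing wireguardgui.service in
# place. Assumes --bind-address takes HOST:PORT, as the post's 0.0.0.0:12345 shows.
# Binding to 127.0.0.1 keeps the admin login page off the public interface; reach
# it over SSH with: ssh -L 5000:127.0.0.1:12345 user@IP_SERVER  ->  http://localhost:5000

UNIT=wireguardgui.service
DROPIN_DIR="/etc/systemd/system/${UNIT}.d"

# Only IPv4 literals or host names with a port in 1..65535 are accepted, so a
# typo cannot leave the GUI running on the default 0.0.0.0:5000.
valid_bind_address() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9.-]+:[0-9]{1,5}$' || return 1
    port=${1##*:}
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Render the drop-in. The empty ExecStart= line is required: it clears the
# ExecStart inherited from the unit, which systemd would otherwise refuse to
# combine with a second ExecStart for a non-oneshot service.
render_bind_override() {
    printf '[Service]\nExecStart=\nExecStart=/bin/wireguard-ui --bind-address %s\n' "$1"
}

# Write the drop-in and restart the GUI; run as root. Returns non-zero if the
# address is invalid or the service did not come back up.
apply_bind_override() {
    valid_bind_address "$1" || { echo "invalid bind address: $1" >&2; return 1; }
    mkdir -p "$DROPIN_DIR"
    render_bind_override "$1" > "$DROPIN_DIR/override.conf"
    systemctl daemon-reload
    systemctl restart "$UNIT"
    systemctl is-active --quiet "$UNIT"
}

# Usage: sudo sh bind-gui.sh --apply 127.0.0.1:12345
if [ "${1:-}" = "--apply" ]; then
    apply_bind_override "${2:?usage: $0 --apply HOST:PORT}"
fi
```

    After applying, `systemctl cat wireguardgui.service` shows the drop-in merged under the original unit, and `ss -ltn` should list the new port only on the address you chose.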