What Is WireGuard?
WireGuard is a modern VPN protocol designed to be simpler and faster than OpenVPN or IPsec, with a much smaller attack surface. It uses a fixed set of modern cryptographic primitives (there is no cipher negotiation to misconfigure or downgrade) and has a minimal codebase (roughly 4,000 lines, versus on the order of 100,000 for OpenVPN), which makes it far easier to audit. Peers are identified purely by their public keys, so key handling is the main thing to get right.
Install WireGuard
# Ubuntu/Debian: the `wireguard` package brings in the userspace tools (wg, wg-quick) used below.
sudo apt-get update && sudo apt-get install -y wireguard
# Rocky/Alma Linux
# wireguard-tools is shipped via EPEL on Rocky/Alma; enable it first: sudo dnf install -y epel-release
sudo dnf install -y wireguard-tools
Generate Key Pairs
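# Server keys — run as root (e.g. `sudo -i`): /etc/wireguard is root-only, so an unprivileged
# `tee`/redirect into it fails. The subshell-scoped umask makes the key file 0600 from the
# moment tee creates it, so there is no window where it is world-readable under a typical
# default umask (022); the chmod stays as belt-and-braces.
(umask 077; wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key)
chmod 600 /etc/wireguard/server_private.key
# Client keys — ideally generated on the client itself so its private key never leaves that
# machine; only client_public.key has to be copied to the server.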
(umask 077; wg genkey | tee client_private.key | wg pubkey > client_public.key)  # private key is 0600 from creation
Server Configuration
Create /etc/wireguard/wg0.conf (owned by root, mode 0600 — it contains the server's private key):
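[Interface]
PrivateKey = SERVER_PRIVATE_KEY
# Tunnel address/subnet. 10.0.0.0/24 is a common home-router LAN range; if clients may sit on
# such networks, pick a less common RFC 1918 block or their routes will collide with the tunnel.
Address = 10.0.0.1/24
ListenPort = 51820
# Replace eth0 with the server's real uplink interface (`ip route get 8.8.8.8` shows it).
# Rule 1 forwards packets arriving from the tunnel. Rule 2 forwards replies back into the tunnel,
# but only for connections the tunnel side initiated — without it, a host whose FORWARD policy
# is DROP (e.g. after installing Docker) lets client traffic out and silently drops the replies.
# Rule 3 NATs tunnel traffic behind the uplink address. PostDown removes exactly what PostUp added.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# One [Peer] block per client. AllowedIPs below is both the route to this peer and the only
# source address WireGuard will accept from this key — keep it a single /32 per client.
PublicKey = CLIENT_PUBLIC_KEY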
AllowedIPs = 10.0.0.2/32
Enable IP Forwarding
# Persist IPv4 forwarding across reboots; the server must route between wg0 and its uplink.
# IPv6 forwarding (net.ipv6.conf.all.forwarding) is not enabled here — add it if you route IPv6 through the tunnel.
printf 'net.ipv4.ip_forward = 1\n' | sudo tee /etc/sysctl.d/99-wireguard.conf
sudo sysctl -p /etc/sysctl.d/99-wireguard.conf
Start WireGuard
# Bring the tunnel up now; wg-quick accepts either the interface name or the config path.
# Enable the systemd unit (next step) for persistence, but do not also `systemctl start` it
# while the interface is already up from this command — wg-quick refuses because wg0 exists.
sudo wg-quick up /etc/wireguard/wg0.conf
sudo systemctl enable wg-quick@wg0
Client Configuration
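[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
# wg-quick applies DNS via resolvconf/openresolv (or resolvectl on systemd-resolved hosts);
# if that tool is missing, bringing the interface up errors out rather than silently skipping DNS.
DNS = 1.1.1.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_SERVER_IP:51820
# Route all traffic through the VPN. 0.0.0.0/0 alone covers IPv4: on a client with native IPv6
# connectivity, IPv6 traffic would bypass the tunnel. Listing ::/0 too sends it into the tunnel;
# if the server has no IPv6 tunnel address/forwarding that traffic is black-holed, which is the
# safer failure mode for a "route everything" profile than leaking around it.
AllowedIPs = 0.0.0.0/0, ::/0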
PersistentKeepalive = 25
Verify Connection
# Dump every WireGuard interface and its peers. A peer with no "latest handshake" line has never
# completed a handshake (wrong key, endpoint, or blocked UDP port); with traffic flowing the
# handshake is refreshed roughly every two minutes, so a much older one means the session is stale.
sudo wg show all
# Shows handshake time, data transferred, and connected peers
Firewall Rule
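# Ubuntu/Debian (ufw): open the UDP listen port; takes effect immediately if ufw is enabled.
# Only the listen port needs opening — the forwarding/NAT rules are applied by PostUp in wg0.conf.
sudo ufw allow 51820/udp comment 'WireGuard'
# Rocky/Alma use firewalld, which the install step covers but a ufw rule does not:
sudo firewall-cmd --permanent --add-port=51820/udp && sudo firewall-cmd --reload
# NOTE(review): on firewalld hosts, zone-level forwarding/masquerade (`--add-masquerade`) may be a
# cleaner fit than the iptables PostUp rules; verify forwarded traffic with the client before relying on it.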