How to Install WireGuard VPN on VPS (Ubuntu 22.04 & 24.04)
Installing and Configuring WireGuard VPN on Ubuntu 22.04 & 24.04
WireGuard has quickly become the default choice for modern VPNs. It’s lightweight, fast, and far simpler than older protocols like OpenVPN or IPSec. If you’re looking to run your own secure VPN, setting it up on a VPS is one of the best solutions.
In this tutorial, we’ll walk through installing WireGuard on Ubuntu 22.04 and 24.04. The steps apply to almost any server, but they’re especially straightforward if you’re running a Linux VPS with Ubuntu preinstalled.
Step 1. Update Your VPS
First, update all packages to the latest version:
sudo apt update && sudo apt upgrade -y
Step 2. Install WireGuard
Install the WireGuard packages and tools:
sudo apt install -y wireguard wireguard-tools
Step 3. Generate Server Keys
Create a pair of private and public keys for your server:
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key'
● The private key is saved in /etc/wireguard/server_private.key
● The public key is saved in /etc/wireguard/server_public.key
Step 4. Enable IP Forwarding
Allow packet forwarding at the system level:
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-wireguard.conf
sudo sysctl --system
Step 5. Configure WireGuard
Create the main configuration file:
sudo nano /etc/wireguard/wg0.conf
Paste the following configuration (replace <server_private_key> with the content of your private key file; <peer_public_key> is the client's public key, which is generated in Step 8):
[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820
# NAT rules for outgoing traffic (replace eth0 with your network interface)
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT
[Peer]
PublicKey = <peer_public_key>
AllowedIPs = 10.0.0.2/32
👉 Note: Replace eth0 with your VPS network interface name (you can check with ip a).
Step 6. Enable and Start WireGuard
Start WireGuard and enable it to run on boot:
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
Check the service status:
sudo systemctl status wg-quick@wg0
Step 7. Test Your VPN
Verify that WireGuard is running:
sudo wg show
You should see your interface wg0 along with keys and connection status.
✅ Now your server is ready to accept client connections. To connect clients, generate their key pairs, add them under [Peer] on the server, and configure the client’s .conf file with the server’s public key and endpoint.
Step 8. Generate Client Keys and Configure client.conf
1. Generate Client Keys (on server or client machine)
You can generate client keys either directly on the server or on the client machine. Here is an example on the server:
umask 077
wg genkey | tee ~/client1_private.key | wg pubkey > ~/client1_public.key
● client1_private.key → used in the client config.
● client1_public.key → added to the server’s /etc/wireguard/wg0.conf.
2. Add Client to Server Configuration
Edit /etc/wireguard/wg0.conf on your VPS and add a new [Peer] block:
[Peer]
PublicKey = <client1_public_key>
AllowedIPs = 10.0.0.2/32
Restart WireGuard to apply changes:
sudo systemctl restart wg-quick@wg0
3. Create Client Configuration (client1.conf)
On the client machine (or export this file securely to the client), create:
[Interface]
PrivateKey = <client1_private_key>
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = <server_public_key>
Endpoint = <your_server_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
● <server_public_key> → take from /etc/wireguard/server_public.key
● <your_server_ip> → replace with the actual public IP of your VPS
● AllowedIPs = 0.0.0.0/0, ::/0 → routes all internet traffic through the VPN (if you only need access to the VPN subnet, set it to 10.0.0.0/24 instead)
4. Test the Connection
On the client run:
sudo wg-quick up client1
Check VPN status:
sudo wg show
If configured correctly, you should see a latest handshake entry.
Now try to ping the server’s VPN IP (the one you set in the server’s [Interface] block, e.g. 10.0.0.1):
ping <server_vpn_ip>
👉 Replace <server_vpn_ip> with your actual server VPN address (e.g., 10.0.0.1 or 10.8.0.1).
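Step 5 and sub-step 2 above both give the peer 10.0.0.2/32, and every additional client needs an address of its own. The shell functions below are an added example, not part of the original tutorial: they list AllowedIPs that are reused by two [Peer] blocks and pick the next free 10.0.0.x address. The function names and the sample config (with placeholder keys) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original tutorial): pick a free tunnel address
# for a new client and flag AllowedIPs reused by two [Peer] blocks.

# Print every IPv4 /32 found on an AllowedIPs line, one address per line.
peer_ips() {
    awk -F'=' '/^[ \t]*AllowedIPs[ \t]*=/ {
        n = split($2, parts, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t\r]/, "", parts[i])
            if (parts[i] ~ /^[0-9.]+\/32$/) { sub(/\/32$/, "", parts[i]); print parts[i] }
        }
    }' "$1"
}

# Addresses listed under more than one peer. WireGuard maps an address to a
# single peer, so the later block takes it and the earlier client loses traffic.
duplicate_ips() { peer_ips "$1" | sort | uniq -d; }

# Lowest unused host in PREFIX.2 .. PREFIX.254 (PREFIX.1 is the server).
next_free_ip() {
    nf_used=$(peer_ips "$1"); nf_prefix=${2:-10.0.0}
    for nf_host in $(seq 2 254); do
        if ! printf '%s\n' "$nf_used" | grep -qxF "$nf_prefix.$nf_host"; then
            echo "$nf_prefix.$nf_host"; return 0
        fi
    done
    return 1  # subnet exhausted
}

# Render the [Peer] stanza for the server: $1 = client public key, $2 = address.
peer_block() { printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"; }

# Constructed sample server config; the keys are placeholders, not real keys.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[Interface]
Address = 10.0.0.1/24
[Peer]
PublicKey = <laptop_public_key>
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <phone_public_key>
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = <tablet_public_key>
AllowedIPs = 10.0.0.2/32
EOF
echo "duplicates: $(duplicate_ips "$sample")"
echo "next free:  $(next_free_ip "$sample")"
```

On the server, the output of peer_block can be appended to /etc/wireguard/wg0.conf with sudo tee -a, and the same address then goes on the Address line of the client's config.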
Why Choose WireGuard on VPS?
When deployed on a VPS, WireGuard gives you a private and powerful way to secure your traffic anywhere in the world. Here are the main reasons to choose WireGuard on VPS:
● Speed: faster than OpenVPN or IPSec
● Simplicity: minimal configuration, quick setup
● Security: built on modern cryptography
If privacy is your top priority, you can host WireGuard on an Anonymous VPS that doesn't ask for verification or KYC.
Conclusion
WireGuard provides a secure and fast VPN with a few simple steps. After setting it up, the server is fully in your hands. With Vikhost you can even maintain private payments — for instance, by opting for a Bitcoin VPS plan and paying directly in cryptocurrency.
FAQ — WireGuard on VPS
You ask, and we answer! Here are the most frequently asked questions!
- Can I install WireGuard on Windows VPS?
  Yes, but the process is different. On a Windows server you’ll use the official WireGuard installer rather than Linux commands.
- Does WireGuard support multiple peers?
  Absolutely. You can configure multiple peers in the same wg0.conf, making it easy to connect several devices to your VPS.
- Is WireGuard good for crypto-related projects?
  Yes. Its speed and security make it a solid choice for blockchain apps, payment gateways, or private browsing.