Tools: Essential Guide: Setting Up WireGuard VPN on Ubuntu 26.04

WireGuard is a modern VPN protocol built into the Linux kernel since version 5.6, offering a significantly smaller codebase, faster handshakes, and lower latency compared to OpenVPN or IPsec. This guide sets up a WireGuard server on Ubuntu 26.04, generates key pairs for the server and a client, configures IP forwarding, and walks through connecting a client device with a verified tunnel.

Install WireGuard

WireGuard is available directly from Ubuntu 26.04's default APT repository.

1. Update the APT package index:

    $ sudo apt update

2. Install WireGuard:

    $ sudo apt install wireguard -y

Configure the WireGuard Server

The server configuration requires generating a key pair, identifying the active network interface, and creating the wg0 interface configuration file.

1. Generate the server private key:

    $ wg genkey | sudo tee /etc/wireguard/server_private.key
    $ sudo chmod 600 /etc/wireguard/server_private.key

2. Derive the server public key:

    $ sudo cat /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key

3. Identify the main network interface:

    $ ip route | grep default

   Note the interface name in the output, commonly eth0 or ens3.

4. Create the server interface configuration:

    $ sudo nano /etc/wireguard/wg0.conf

    [Interface]
    Address = 10.0.0.1/24
    ListenPort = 51820
    PrivateKey = <paste server private key here>
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

   Replace eth0 with your actual interface name.

Generate a Client Configuration

Each client requires its own key pair and a configuration file that references the server's public key and endpoint.

1. Generate the client key pair:

    $ wg genkey | tee client_private.key
    $ cat client_private.key | wg pubkey | tee client_public.key

2. Get the server public key:

    $ sudo cat /etc/wireguard/server_public.key

3. Create the client configuration file:

    $ nano client.conf

    [Interface]
    Address = 10.0.0.2/32
    PrivateKey = <client private key>
    DNS = 8.8.8.8

    [Peer]
    PublicKey = <server public key>
    Endpoint = YOUR-SERVER-IP:51820
    AllowedIPs = 0.0.0.0/0
    PersistentKeepalive = 25

4. Register the client as a peer on the server. Add the following block to /etc/wireguard/wg0.conf:

    [Peer]
    PublicKey = <client public key>
    AllowedIPs = 10.0.0.2/32

Configure IP Forwarding and Firewall

IP forwarding must be enabled at the kernel level for the server to route traffic between the VPN interface and the external network.

1. Enable IPv4 forwarding:

    $ echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
    $ sudo sysctl -p

2. Open the WireGuard UDP port:

    $ sudo ufw allow 51820/udp

Start WireGuard

Enable the wg0 interface as a systemd service so it starts automatically on every boot.

1. Enable and start the service:

    $ sudo systemctl enable wg-quick@wg0
    $ sudo systemctl start wg-quick@wg0

2. Check the service status:

    $ sudo systemctl status wg-quick@wg0

3. View the interface and connected peers:

    $ sudo wg show

Connect a Client

Transfer the client configuration to the target device and establish the tunnel.

1. Transfer the client configuration securely:

    $ scp client.conf user@your-local-machine:~/

2. Connect from the client device:

   - Linux: sudo wg-quick up ~/client.conf
   - Windows / macOS / iOS / Android: Install the WireGuard app and import client.conf

    $ ping 10.0.0.1

   Replies from 10.0.0.1 confirm the VPN tunnel is active and traffic is flowing through the encrypted interface.

Next Steps

WireGuard is running and accepting client connections. From here you can:

- Add more clients by generating additional key pairs and adding new [Peer] blocks to wg0.conf
- Restrict each client to specific subnets by adjusting AllowedIPs per peer
- Reload the configuration without restarting using sudo bash -c 'wg syncconf wg0 <(wg-quick strip wg0)' (the process substitution has to be opened inside the root shell, because sudo closes the inherited file descriptor before wg can read it)

For the complete guide, visit the original article on Vultr Docs.
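Adding more clients by hand makes it easy to reuse a tunnel address or leave a client key readable by other users. The helpers below are an added example, not part of the original guide: the function names are hypothetical, and they assume the guide's 10.0.0.0/24 subnet with one /32 per client.

```sh
# Added example (not from the original guide): checks to run before adding a peer.
# Assumes the guide's layout: tunnel subnet 10.0.0.0/24, one /32 per client.

# Print every tunnel address already claimed (Interface Address + peer AllowedIPs).
wg_used_ips() {
    awk -F'[=,]' '/^[ \t]*(Address|AllowedIPs)[ \t]*=/ {
        for (i = 2; i <= NF; i++) {
            gsub(/[ \t\r]/, "", $i); sub(/\/.*/, "", $i)
            if ($i != "") print $i
        }
    }' "$1"
}

# Print the first unused address in 10.0.0.2-254; exit status 1 if none is left.
wg_next_ip() (
    used=$(wg_used_ips "$1")
    host=2
    while [ "$host" -le 254 ]; do
        if ! printf '%s\n' "$used" | grep -qxF "10.0.0.$host"; then
            echo "10.0.0.$host"; exit 0
        fi
        host=$((host + 1))
    done
    exit 1
)

# Print AllowedIPs prefixes listed under more than one [Peer]. WireGuard maps each
# prefix to a single peer, so a duplicate leaves one client unable to receive traffic.
wg_dup_allowedips() {
    awk -F'[=,]' '/^[ \t]*AllowedIPs[ \t]*=/ {
        for (i = 2; i <= NF; i++) { gsub(/[ \t\r]/, "", $i); if ($i != "") n[$i]++ }
    } END { for (p in n) if (n[p] > 1) print p }' "$1" | sort
}

# Create a client key pair in directory $1 with mode 0600 from the first byte
# written (umask 077), without echoing the private key to the terminal.
wg_new_client_keys() (
    umask 077
    wg genkey | tee "$1/client_private.key" | wg pubkey > "$1/client_public.key"
)

# Demo on a constructed config (no real keys): two peers claim 10.0.0.2.
conf=$(mktemp)
printf '[Interface]\nAddress = 10.0.0.1/24\n[Peer]\nAllowedIPs = 10.0.0.2/32\n[Peer]\nAllowedIPs = 10.0.0.2/32\n' > "$conf"
echo "next free: $(wg_next_ip "$conf")  duplicated: $(wg_dup_allowedips "$conf")"
rm -f "$conf"
```

On the server, point the functions at /etc/wireguard/wg0.conf as root; wg_new_client_keys needs the wg binary installed by the guide's first step.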