Introduction
WireGuard is a modern, simple, and high-performance VPN that has replaced OpenVPN in many use cases. Its minimalist configuration reduces the attack surface, and it uses a fixed, modern cipher suite with no negotiation: ChaCha20-Poly1305 for transport encryption, Curve25519 for key exchange, and BLAKE2s for hashing. This tutorial walks you through deploying a WireGuard server with multiple clients, including network configuration and routing. You will learn how to generate keys, create configuration files, and secure the tunnel. The progressive approach helps you understand each step before customizing further.
Prerequisites
- Ubuntu 22.04 or 24.04 server with root access
- Basic Linux command-line knowledge
- A domain or public IP for the server
- Linux, macOS, or Windows client for testing
Installing the WireGuard Package
sudo apt update
sudo apt install -y wireguard wireguard-tools
This installs the wireguard metapackage and wireguard-tools, which provides the wg and wg-quick utilities. On Ubuntu 22.04 and later the WireGuard module ships with the kernel (it has been mainline since Linux 5.6), so no DKMS module is needed, but the tools are still required to create and manage interfaces.
Generating Server Keys
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
chmod 600 /etc/wireguard/server_private.key
Run these commands as root, since the redirections write into /etc/wireguard. wg genkey produces a random 32-byte Curve25519 private key and wg pubkey derives the matching public key; both are base64-encoded, 44 characters ending in '='. The private key is restricted to mode 0600 because anyone who can read it can impersonate the server. Setting umask 077 beforehand ensures the file is never created with wider permissions in the moment before chmod runs.
Creating the Server Configuration File
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
The file /etc/wireguard/wg0.conf defines the server interface. Replace SERVER_PRIVATE_KEY with the contents of /etc/wireguard/server_private.key pasted in literally: wg-quick does not run shell code, so a value such as $(cat /etc/wireguard/server_private.key) is handed to wg as-is, rejected as an invalid key, and the interface fails to come up. The PostUp/PostDown commands add and remove the forwarding and NAT rules so that clients can reach the internet through the server; eth0 is the server's public interface, so substitute the name shown by ip route show default if yours differs. NAT only works if the kernel forwards packets, so also set net.ipv4.ip_forward = 1 (for example in /etc/sysctl.d/99-wireguard.conf, applied with sudo sysctl --system). Add one [Peer] block per client. Its AllowedIPs is that client's /32 address and serves both as the route to the peer and as the only source address the server accepts from it, which is why every client needs its own block and its own key.
Enabling and Starting the Service
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo wg show
wg-quick@wg0 is a systemd template unit that reads /etc/wireguard/wg0.conf, creates the wg0 interface, assigns its address and runs the PostUp commands; enabling it brings the tunnel up at boot. wg show lists the interface, its listening port and each peer with its endpoint, latest handshake and transfer counters; a peer with no handshake line has never connected. Because wg0.conf holds the private key, keep it at mode 0600 as well. Before the first client connects, allow UDP 51820 through the server firewall (for example ufw allow 51820/udp).
Client Configuration
[Interface]
Address = 10.0.0.2/24
PrivateKey = CLIENT_PRIVATE_KEY
DNS = 1.1.1.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0
Generate the client's key pair the same way as the server's (wg genkey and wg pubkey), preferably on the client itself so the private key never leaves the device, and paste the client public key into the server's [Peer] block. On the client, AllowedIPs = 0.0.0.0/0 means "send all IPv4 traffic through the tunnel"; wg-quick installs the matching routes. If the client has IPv6 connectivity, add ::/0 as well, otherwise IPv6 traffic bypasses the VPN. DNS = 1.1.1.1 makes wg-quick (through resolvconf on Linux) set the resolver for the lifetime of the tunnel, so DNS queries do not leak to the local network's resolver. Replace the placeholders with your actual keys and the server's public IP or hostname. For a client behind NAT that must remain reachable from the server, PersistentKeepalive = 25 in the [Peer] block keeps the NAT mapping open.
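The steps above handle one client by hand. The following script is an example added for this page, not part of the original tutorial, and automates the multi-client case: it generates a fresh key pair per client, picks the next free 10.0.0.x address by reading the AllowedIPs already in wg0.conf, appends the [Peer] block, hot-adds the peer with wg set so existing sessions are not interrupted, and writes the client file with the private key pasted in literally. The paths, the vpn.example.com:51820 endpoint, the clients/ directory and the client names are assumptions.

```bash
#!/usr/bin/env bash
# add-peer.sh: provision one more WireGuard client on the server.
# Added example for this page, not part of the original tutorial. It assumes
# the layout used above: /etc/wireguard/wg0.conf, tunnel subnet 10.0.0.0/24
# with the server at 10.0.0.1, the server public key in
# /etc/wireguard/server_public.key, and a clients/ directory for generated
# client files. The endpoint name and the client names are assumptions.
set -u

WG_DIR="${WG_DIR:-/etc/wireguard}"
SERVER_CONF="${SERVER_CONF:-$WG_DIR/wg0.conf}"
SERVER_ENDPOINT="${SERVER_ENDPOINT:-vpn.example.com:51820}"   # assumed hostname
SUBNET_PREFIX="10.0.0"

# next_free_ip CONF: print the lowest unused host address 10.0.0.2..254,
# judging by the AllowedIPs lines already present in the server config
# (one /32 per peer, as in the configuration above).
next_free_ip() {
    local conf="$1" used host=2
    used=$(grep -E '^[[:space:]]*AllowedIPs[[:space:]]*=' "$conf" |
           sed -E 's/.*=[[:space:]]*//; s#/.*##' | cut -d. -f4)
    while [ "$host" -le 254 ]; do
        if ! printf '%s\n' "$used" | grep -qx "$host"; then
            printf '%s.%s\n' "$SUBNET_PREFIX" "$host"
            return 0
        fi
        host=$((host + 1))
    done
    echo "no free address left in $SUBNET_PREFIX.0/24" >&2
    return 1
}

# render_peer_stanza NAME PUBKEY IP: the [Peer] block appended to wg0.conf.
# The /32 is both the route to this client and the only source address the
# server will accept from it, so one client cannot claim another's address.
render_peer_stanza() {
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# render_client_conf NAME PRIVKEY IP SERVER_PUBKEY: the file handed to the
# client. The private key is written out literally; wg-quick does not expand
# shell substitutions or variables in configuration values.
render_client_conf() {
    local name="$1" privkey="$2" ip="$3" server_pub="$4"
    cat <<EOF
[Interface]
# $name
Address = $ip/32
PrivateKey = $privkey
DNS = 1.1.1.1

[Peer]
PublicKey = $server_pub
Endpoint = $SERVER_ENDPOINT
# ::/0 pulls IPv6 into the tunnel too, so it cannot bypass the VPN.
AllowedIPs = 0.0.0.0/0, ::/0
# Keeps the NAT mapping alive for a client behind a home router.
PersistentKeepalive = 25
EOF
}

# add_peer NAME: generate keys with wg(8), allocate an address, add the peer
# to the running interface and to wg0.conf, and write the client file.
add_peer() {
    local name="$1" client_priv client_pub server_pub ip
    umask 077                                   # every file below is created 0600
    client_priv=$(wg genkey)
    client_pub=$(printf '%s' "$client_priv" | wg pubkey)
    server_pub=$(cat "$WG_DIR/server_public.key")
    ip=$(next_free_ip "$SERVER_CONF") || return 1
    render_peer_stanza "$name" "$client_pub" "$ip" >> "$SERVER_CONF"
    # Hot-add: restarting wg-quick@wg0 would drop every existing session.
    wg set wg0 peer "$client_pub" allowed-ips "$ip/32"
    render_client_conf "$name" "$client_priv" "$ip" "$server_pub" \
        > "$WG_DIR/clients/$name.conf"
    echo "peer $name: $ip, client file $WG_DIR/clients/$name.conf"
}

# Usage (as root, with wg0 already up): ./add-peer.sh laptop
if [ "$#" -eq 1 ]; then
    mkdir -p "$WG_DIR/clients"
    add_peer "$1"
fi
```

Run it as root on the server with wg0 up, for example sudo ./add-peer.sh laptop, then copy the generated client file to the device over a secure channel. The client file uses a /32 Address (the /24 above works as well) and adds ::/0 to AllowedIPs: on a dual-stack client this carries IPv6 into the tunnel, where this server, having no IPv6 tunnel address, drops it, instead of letting it leave unencrypted past the VPN; remove it if you deliberately want IPv6 to bypass the tunnel.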
Best Practices
- Use a unique key pair per client, generated on that device; revoke a compromised client by removing its [Peer] block (wg set wg0 peer KEY remove takes effect immediately) and issuing it a new key
- Restrict AllowedIPs to the minimum necessary: one /32 per peer on the server, and on the client only the networks that should traverse the tunnel unless full-tunnel routing is intended
- Run a host firewall (UFW or nftables) in addition to the PostUp rules, allowing only UDP 51820 inbound for WireGuard
- Keep private keys and wg0.conf at mode 0600, out of version control and shared drives, and encrypt any backup that contains them
- Regularly update the kernel and wireguard-tools
Common Mistakes to Avoid
- Forgetting to enable IPv4 forwarding (net.ipv4.ip_forward = 1 in sysctl), which leaves the handshake working while no client traffic reaches the internet
- Using the same private key on multiple devices: the server keeps one session and one endpoint per public key, so the devices keep displacing each other
- Neglecting DNS configuration on the client, so name resolution still goes to the local network's resolver outside the tunnel
- Not opening UDP port 51820 on the server firewall, which shows up as a peer that never completes a handshake
Going Further
To explore advanced WireGuard configuration, check out our Learni courses.