WireGuard is a modern, fast, and secure VPN protocol that has become the standard choice for Linux VPN implementations. Its simplicity, performance, and small codebase make it superior to older solutions like OpenVPN and IPSec in most use cases.
Why WireGuard?
- Performance: Significantly faster than OpenVPN with lower latency
- Simplicity: Minimal configuration compared to IPSec or OpenVPN
- Security: Modern cryptographic primitives (Curve25519, ChaCha20, Poly1305)
- Built into Linux kernel: Available since kernel 5.6
- Small codebase: ~4,000 lines of code vs 100,000+ for OpenVPN
Installation
```bash
# Ubuntu/Debian
sudo apt update
sudo apt install wireguard

# RHEL/CentOS/AlmaLinux
sudo dnf install wireguard-tools

# Verify
wg --version
```
Server Configuration
```bash
# Generate server keys (private key stays readable by root only)
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
chmod 600 /etc/wireguard/server_private.key
```

```ini
# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Client 1
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

[Peer]
# Client 2
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32
```
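On the server, each peer's AllowedIPs is both its route and its source filter, so the peer table above is the part that most often breaks a deployment. The following check is an added example, not the article's or the WireGuard project's code: it parses wg0.conf-style text and flags a PublicKey that is still a placeholder (or otherwise not a 32-byte base64 key) and AllowedIPs that overlap between two peers. `FAKE_KEY` and `SAMPLE_CONF` are constructed values, not from a real deployment.

```python
# Added example (not the article's code): lint a WireGuard server's peer table.
import base64
import ipaddress

def parse_wg_conf(text):
    """Return [(section_name, {key: value}), ...] in file order, '#' comments stripped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def is_wg_key(value):
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 chars ending in '=')."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False

def check_peers(text):
    """Return findings for the [Peer] sections: a PublicKey that is not a real key (e.g. a
    placeholder) or AllowedIPs overlapping another peer's (each address routes to one peer)."""
    findings, seen, peer_no = [], [], 0
    for name, kv in parse_wg_conf(text):
        if name != "Peer":
            continue
        peer_no += 1
        if not is_wg_key(kv.get("PublicKey", "")):
            findings.append(f"peer {peer_no}: PublicKey is not a 32-byte base64 key")
        for cidr in [c.strip() for c in kv.get("AllowedIPs", "").split(",") if c.strip()]:
            net = ipaddress.ip_network(cidr, strict=False)  # strict=False: tolerate host bits
            for other_net, other in seen:
                if net.overlaps(other_net):
                    findings.append(f"peer {peer_no}: {net} overlaps {other_net} of peer {other}")
            seen.append((net, peer_no))
    return findings

# Constructed sample: peer 2 still has the placeholder key and was given the whole /24.
FAKE_KEY = base64.b64encode(bytes(range(32))).decode()  # constructed value, not a real key
SAMPLE_CONF = f"""[Peer]
PublicKey = {FAKE_KEY}
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 10.0.0.0/24
"""
```

Running `check_peers(SAMPLE_CONF)` reports both the unreplaced placeholder and that the /24 on peer 2 shadows peer 1's 10.0.0.2/32; a clean peer table returns an empty list.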
Enable IP Forwarding
```bash
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
Client Configuration
```bash
# Generate client keys and keep the private key readable by its owner only
wg genkey | tee client_private.key | wg pubkey > client_public.key
chmod 600 client_private.key
```

```ini
# Client config
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = server-ip:51820
AllowedIPs = 0.0.0.0/0 # Route all traffic through VPN
PersistentKeepalive = 25
```
Managing the VPN
```bash
# Start/Stop
sudo wg-quick up wg0
sudo wg-quick down wg0

# Enable at boot
sudo systemctl enable wg-quick@wg0

# Check status
sudo wg show

# Add peer dynamically (runtime only; it is not written to wg0.conf)
sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.0.0.4/32
```
Firewall Rules
```bash
# Allow WireGuard port
sudo ufw allow 51820/udp

# Allow forwarding on the VPN interface
sudo ufw allow in on wg0
sudo ufw allow out on wg0
```
Split Tunneling
```ini
# Only route specific networks through the VPN (not all traffic)
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = server-ip:51820
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```
Troubleshooting
- Check logs: `journalctl -u wg-quick@wg0`
- Verify keys match: the server's peer PublicKey must match the client's public key
- Check firewall: ensure UDP port 51820 is open
- Test connectivity: `ping 10.0.0.1` from the client
- Check IP forwarding: `sysctl net.ipv4.ip_forward`
WireGuard simplifies VPN deployment without sacrificing security or performance. Whether you need secure remote access, site-to-site connectivity, or privacy protection, WireGuard is the modern standard for Linux VPN solutions.