WireGuard VPN Setup — Secure Tunnel on Ubuntu 22.04 (Explained)
In this guide, you will learn how to create your own secure tunnel by installing WireGuard VPN on Ubuntu 22.04.
Below each step there are short notes explaining why we did it.
📝 What Will You Learn in This Guide?
- WireGuard installation
- Generating keys for server and client
- Defining VPN IP ranges
- NAT/IP routing settings
- wg0.conf configuration
- Adding a peer (client)
- Tunnel initialization and verification
Thanks to its modern cryptography and lightweight design, WireGuard is much faster than older VPN protocols.
🔑 WireGuard VPN Installation Steps (Explained)
1. WireGuard Installation and Key Generation
📦 Install WireGuard on your system:
sudo apt update
sudo apt install wireguard
Description: The WireGuard package provides the “wg” and “wg-quick” commands.
🔐 Generate private key:
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
Description: Only root should be able to read the private key. If it is compromised, the VPN's security collapses.
🔓 Generate public key from private key:
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
Explanation: The public key is shared; the private key is never shared.
2. Defining VPN IP Ranges
Private network IP blocks are used for WireGuard tunneling.
✔ IPv4 Server IP: 10.8.0.1/24
✔ IPv6 (optional) Server IP: fd24:609a:6c18::1/64
Description: IPv6 provides future-proof support; it is not mandatory.
3. WireGuard Server Configuration (wg0.conf)
Open the configuration:
sudo nano /etc/wireguard/wg0.conf
Use the example below:
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.8.0.1/24, fd24:609a:6c18::1/64
ListenPort = 51820
SaveConfig = true
Description: The server determines which IP block and which port it will use here.
4. Turning on IP Forwarding
IP forwarding is required for VPN clients to reach the internet through the server.
sudo nano /etc/sysctl.conf
Add:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Apply:
sudo sysctl -p
Description: Allows the Linux kernel to route packets.
5. NAT/UFW Firewall Settings
Find the network interface name:
ip route list default
For example: eth0
Add the NAT rules to the [Interface] section of wg0.conf:
sudo nano /etc/wireguard/wg0.conf
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Description: These rules send VPN traffic out to the internet through the server's IP address.
Open the port in UFW:
sudo ufw allow 51820/udp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable
Description: Without UDP 51820, WireGuard will not work.
6. Starting the WireGuard Service
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo systemctl status wg-quick@wg0
Description: The wg-quick service automatically reads the wg0.conf file.
7. Peer (Client) Configuration
Install WireGuard on the client:
sudo apt install wireguard
Generate client keys:
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
Client configuration:
sudo nano /etc/wireguard/wg0.conf
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.8.0.2/24, fd24:609a:6c18::2/64
DNS = 1.1.1.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Description: AllowedIPs = 0.0.0.0/0, ::/0 is used to pass all traffic through the VPN.
8. Adding Peer to the Server
Get the peer's public key (on the client):
cat /etc/wireguard/public.key
Add it on the server:
sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.8.0.2/32,fd24:609a:6c18::2/128
Restart the service:
sudo systemctl restart wg-quick@wg0
Description: allowed-ips determines which IP addresses the peer will use within the VPN.
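On the server, a peer's allowed-ips is the set of tunnel source addresses WireGuard accepts from that key, and an address can belong to only one peer, so each client should hold just its own /32 and /128 as in the command above. The following added example (not part of the original guide) scans a server-side wg0.conf for entries wider than one host and for an address claimed by two peers; `audit_peers` and `sample_conf` are hypothetical helper names, and the sample config with its key strings is constructed.

```shell
# Added example: audit the [Peer] sections of a server-side wg0.conf.
# Prints "WIDE <peer> <net>" for AllowedIPs wider than one host and
# "DUP <net> <peer1> <peer2>" when two peers claim the same address.
# Exit status is non-zero if anything was flagged.
audit_peers() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
    /^[ \t]*\[/ { section = tolower(trim($0)); next }
    section != "[peer]" { next }                  # ignore [Interface] settings
    {
        eq = index($0, "=")                       # first "=": base64 keys end in "="
        if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = trim(substr($0, eq + 1))
        if (key == "publickey") { peer = val; next }
        if (key != "allowedips") next
        n = split(val, nets, ",")
        for (i = 1; i <= n; i++) {
            net = trim(nets[i]); if (net == "") continue
            host = (index(net, ":") > 0) ? 128 : 32   # full prefix length per family
            slash = index(net, "/")
            if (slash == 0) net = net "/" host        # bare address means one host
            else if (substr(net, slash + 1) + 0 < host) { print "WIDE", peer, net; bad = 1 }
            # textual comparison only: equivalent spellings are not merged
            if ((net in owner) && owner[net] != peer) { print "DUP", net, owner[net], peer; bad = 1 }
            else owner[net] = peer
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample config; the key strings are placeholders, not real keys.
sample_conf() {
    cat <<'EOF'
[Interface]
Address = 10.8.0.1/24, fd24:609a:6c18::1/64
[Peer]
PublicKey = CONSTRUCTED_KEY_LAPTOP=
AllowedIPs = 10.8.0.2/32, fd24:609a:6c18::2/128
[Peer]
PublicKey = CONSTRUCTED_KEY_PHONE=
AllowedIPs = 10.8.0.0/24
[Peer]
PublicKey = CONSTRUCTED_KEY_TABLET=
AllowedIPs = 10.8.0.2/32
EOF
}
sample_conf | audit_peers || echo "findings above: review the peers in wg0.conf"
```

Against the real file, run it as root, for example `sudo sh -c '. ./audit.sh; audit_peers /etc/wireguard/wg0.conf'`, where audit.sh is an assumed name for the saved script.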
🧩 Important Files (Annotated Table)
| File Path | Description |
|---|---|
| /etc/wireguard/private.key | Private key — NEVER shared, only root can read it. |
| /etc/wireguard/public.key | Public key — shared with peer devices. |
| /etc/wireguard/wg0.conf | The main WireGuard configuration file. Contains the interface address, port and peer settings. |
| /etc/sysctl.conf | Contains kernel network settings such as IP forwarding. |
❓ FAQ — Frequently Asked Questions
1. Why is WireGuard so fast?
It operates at the kernel level and uses modern cryptography.
2. Why does 0.0.0.0/0 pass all traffic through the VPN?
This prefix covers all IPv4 traffic; ::/0 covers all IPv6 traffic.
3. Does WireGuard support TCP?
No, just UDP.
4. Why should the private key be kept secret?
The VPN is authenticated with the private key. If it is compromised, the VPN can no longer be trusted.
5. Is it necessary to restart after adding a peer?
No, it can be added live with wg set, but a restart is recommended.
🎯 Result
In this guide, you have completed all stages of installing WireGuard VPN on Ubuntu 22.04.
You learned how to generate keys on both the server and client side, define private IPv4/IPv6 address ranges, configure NAT and routing (IP Forwarding), and create firewall rules correctly.
Now:
- Your server is configured to open a secure VPN tunnel.
- Clients (peers) can be easily added to the network.
- Since all traffic can be routed through the server, you can easily browse even on insecure networks such as public WiFi.
- Thanks to the AllowedIPs setting, you can route only in-VPN resources or the entire internet through your server.
- You have installed a modern, fast and lightweight VPN solution.
Thanks to WireGuard's low latency, modern cryptography, and simple architecture, performance will be much higher than legacy protocols like OpenVPN/IPSec.
You can also try this setup on the high-speed virtual servers on GenixNode and expand your corporate or personal private network by adding more than one peer.

