Step‑by‑Step Guide to Install and Configure WireGuard VPN on a Linux VPS
Prerequisites: A fresh Linux VPS (Ubuntu 22.04 LTS or Debian 12 recommended), root or sudo access, a basic understanding of networking, and an SSH client to connect to the server.
Many organizations need a lightweight, high‑performance VPN that can be deployed in minutes. Traditional solutions like OpenVPN are feature‑rich but often overkill for simple site‑to‑site or remote‑access scenarios. WireGuard offers a small, fixed set of modern primitives (Curve25519, ChaCha20‑Poly1305, BLAKE2s), low latency, and a tiny codebase, making it ideal for cloud‑based deployments. This tutorial walks you through installing WireGuard, generating keys, configuring both server and client, enabling forwarding and NAT, and limiting what the VPS exposes with UFW.
1. Install WireGuard Packages
WireGuard is included in the default repositories of recent Ubuntu and Debian releases. Update the package index and install the required tools:
sudo apt update
sudo apt install -y wireguard wireguard-tools
Verify the installation:
wg --version
# Expected output: wg version 1.0.20210914 (or newer)
2. Generate Server and Client Keys
WireGuard uses a Curve25519 key pair for each peer: the private key never leaves the host it belongs to, and only public keys are exchanged. Store the server's keys in /etc/wireguard with restrictive permissions. tee creates files with the shell's default umask (typically 0644), so set umask 077 first; otherwise the private key is world‑readable and wg-quick will warn about it at startup.
# Create directory (the package already creates it; this enforces the permissions)
sudo mkdir -p /etc/wireguard
sudo chmod 700 /etc/wireguard
# Server keys: umask 077 makes the private key file 0600
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key'
# Client keys: ideally run on the client machine so its private key never exists anywhere else.
# If you generate them on the server for convenience, deliver the private key over a secure channel and delete the server copy.
(umask 077; wg genkey | tee client_private.key | wg pubkey > client_public.key)
Display the keys. Only the public keys are exchanged between server and client; each private key is pasted into the configuration file on the host that generated it and goes nowhere else (it will also sit in your terminal scrollback, so clear it when done):
sudo cat /etc/wireguard/server_private.key
sudo cat /etc/wireguard/server_public.key
cat client_private.key
cat client_public.key
3. Create the Server Configuration File
Open a new configuration file named wg0.conf:
sudo nano /etc/wireguard/wg0.conf
Paste the following, replacing the placeholders with the actual keys and desired IP ranges:
[Interface]
Address = 10.0.0.1/24   # server's address on the VPN subnet
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
# Firewall hooks run when the interface comes up / goes down. The ufw rule
# permits forwarding from wg0; the iptables rule masquerades VPN traffic behind
# the VPS's public address, without which clients cannot reach the internet.
# Replace eth0 with your uplink interface (see: ip route show default).
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
PostDown = ufw route delete allow in on wg0 out on eth0
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
Save and exit (Ctrl+O, Enter, Ctrl+X). Because the file holds the private key, restrict it to root (chmod 600 /etc/wireguard/wg0.conf).
4. Configure a Client Peer
The server needs a [Peer] block for every client it will accept. Add it to the same /etc/wireguard/wg0.conf, below the [Interface] section:
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32 # Client's VPN address
The client machine needs its own configuration file in addition to the server‑side [Peer] block above. On the client, create /etc/wireguard/client-wg0.conf (wg-quick looks for NAME.conf in /etc/wireguard when given a bare name):
[Interface]
Address = 10.0.0.2/24
PrivateKey = CLIENT_PRIVATE_KEY
DNS = 1.1.1.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_VPS_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Two notes on this file. AllowedIPs = 0.0.0.0/0, ::/0 makes it a full tunnel: all client traffic goes to the VPS, and because the server has no IPv6 inside the tunnel, the ::/0 entry deliberately sinks the client's IPv6 traffic instead of letting it bypass the VPN. For a split tunnel that only reaches the VPN subnet, use AllowedIPs = 10.0.0.0/24. The DNS line is applied by wg-quick through resolvconf, which on Linux clients means the openresolv package or systemd-resolved's resolvconf shim must be installed; without it wg-quick up fails. Restrict this file to root (chmod 600) as well.
5. Enable IP Forwarding and Harden the Firewall
WireGuard must be able to forward traffic between the VPN and the internet. Enable IPv4 forwarding permanently:
sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.d/99-wireguard.conf
sudo sysctl -p /etc/sysctl.d/99-wireguard.conf
Now configure UFW to allow the WireGuard port and to permit forwarding from the VPN to the uplink. Be clear about what ufw route allow does: it opens ufw's FORWARD chain for the stated direction, but it does not rewrite source addresses. Source NAT for 10.0.0.0/24 on the uplink (an iptables MASQUERADE rule in the POSTROUTING chain) must also be in place, otherwise clients can reach 10.0.0.1 but nothing beyond the VPS. This is where you can rely on DevNix Cloud VPS to provide a clean, isolated environment that makes firewall management straightforward.
# Allow UDP 51820 (WireGuard)
sudo ufw allow 51820/udp
# Allow SSH before enabling ufw, or you will lock yourself out of the VPS
sudo ufw allow OpenSSH
# Permit forwarding from the VPN to the uplink (replace eth0 with your uplink).
# This is the persistent version of the PostUp rule in wg0.conf; keep one or the other.
# Do not add the reverse "in on eth0 out on wg0" rule: replies already pass through
# ufw's built-in ESTABLISHED,RELATED rule, and the reverse rule would forward any
# traffic arriving on the uplink into the VPN.
sudo ufw route allow in on wg0 out on eth0
# Enable UFW (if not active) and confirm the rule set with: sudo ufw status verbose
sudo ufw enable
6. Start WireGuard and Verify Connectivity
Bring up the interface and enable it at boot (the unit is wg-quick@wg0, where wg0 names /etc/wireguard/wg0.conf):
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
Check the status and peer information:
sudo wg show
Before any client connects, the output lists the interface with its public key and listening port, plus the configured peer without a "latest handshake" line; that line appears once a client has completed its first handshake.
On the client side, activate the configuration (Linux example):
sudo wg-quick up client-wg0
sudo wg show
Test the tunnel by pinging the server’s VPN address from the client:
ping 10.0.0.1
If the ping succeeds, the tunnel is operational. If it fails, run sudo wg show on both ends: no "latest handshake" on either side means the handshake never completed (a wrong key in a [Peer] block, a wrong Endpoint, or UDP 51820 blocked on the way to the VPS), while a recent handshake with no ping reply points at routing or the firewall on the server. You can also verify that internet traffic is routed through the VPN by checking your public IP from the client:
curl https://ifconfig.me
# Should display the VPS's public IP
If this shows the client's own address instead, the client's AllowedIPs does not cover 0.0.0.0/0; if it hangs while ping 10.0.0.1 works, IP forwarding or the MASQUERADE rule on the server is missing.
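As an added verification script (not part of the original tutorial), the following checks the three things that most often break a fresh install of the kind built in steps 5 and 6: kernel IP forwarding, the source‑NAT rule on the uplink, and peer handshakes. It assumes the names used in this guide (wg0, eth0, /proc/sys/net/ipv4/ip_forward) and parses the output of `iptables-save -t nat` and `wg show wg0 dump`; the parsing functions read from stdin or a file path so they can be exercised offline on constructed data, and the `live` mode runs them against the real system.

```bash
#!/usr/bin/env bash
# verify-wg.sh: post-install checks for the WireGuard gateway built above.
# Added example, not code from the original tutorial. Interface, uplink and
# handshake age are assumptions taken from the guide; override via env vars.
set -eu

IFACE="${IFACE:-wg0}"
UPLINK="${UPLINK:-eth0}"
MAX_AGE="${MAX_AGE:-180}"   # WireGuard discards a session with no handshake for 180 s

# 1. Kernel forwarding: $1 is the sysctl file to read (default: the live one).
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# 2. Source NAT: reads `iptables-save -t nat` text on stdin and succeeds only if
#    the *nat table has a POSTROUTING MASQUERADE rule leaving via $1.
#    `ufw route allow` never creates this rule; without it clients reach
#    10.0.0.1 but nothing beyond the VPS.
nat_rule_present() {
  local uplink="$1"
  awk -v up="$uplink" '
    /^\*nat/  { in_nat = 1 }
    /^COMMIT/ { in_nat = 0 }
    in_nat && /^-A POSTROUTING / && index($0, "-o " up " ") && /-j MASQUERADE/ { found = 1 }
    END { exit !found }'
}

# 3. Handshakes: reads `wg show <iface> dump` on stdin. The first line is the
#    interface (4 fields); every peer line has 8 tab-separated fields and
#    field 5 is the latest handshake as a Unix timestamp (0 = never).
#    Prints "pubkey<TAB>allowed-ips<TAB>age" for each peer whose handshake is
#    older than $2 seconds at time $1, or absent.
stale_peers() {
  local now="$1" max_age="$2"
  awk -F'\t' -v now="$now" -v max="$max_age" '
    NF == 8 && ($5 == 0 || now - $5 > max) {
      print $1 "\t" $4 "\t" (($5 == 0) ? "never" : now - $5)
    }'
}

# Live run (root): exit 1 on any failure so it can sit in cron or a health check.
if [ "${1:-}" = "live" ]; then
  rc=0
  forwarding_enabled || { echo "FAIL: net.ipv4.ip_forward is 0" >&2; rc=1; }
  iptables-save -t nat | nat_rule_present "$UPLINK" \
    || { echo "FAIL: no POSTROUTING MASQUERADE rule out of $UPLINK" >&2; rc=1; }
  stale=$(wg show "$IFACE" dump | stale_peers "$(date +%s)" "$MAX_AGE")
  if [ -n "$stale" ]; then
    echo "STALE peers (no handshake within ${MAX_AGE}s):" >&2
    printf '%s\n' "$stale" >&2
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: forwarding, NAT and all peer handshakes look healthy"
  exit "$rc"
fi
```

Run it as root with `./verify-wg.sh live`. The 180 s threshold is WireGuard's own session expiry (REJECT_AFTER_TIME): a peer with a handshake older than that has no usable session. A client that is merely idle and has no PersistentKeepalive will also show up as stale, because WireGuard only handshakes when there is traffic to send, so treat the report as "no working session right now" rather than "broken configuration".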
7. Persisting Configuration and Managing Multiple Clients
For additional users, generate a new key pair per client (never reuse one) and append a new [Peer] block to /etc/wireguard/wg0.conf. Assign a unique AllowedIPs address within the 10.0.0.0/24 range: on the server side this field is both the route to the client and the only source address the server will accept from that peer (cryptokey routing), so one /32 per client is exactly what you want.
# Example additional client
[Peer]
PublicKey = NEW_CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32
After editing, apply the change without dropping existing sessions. wg syncconf only understands the kernel-level keys and rejects the wg-quick-only ones (Address, DNS, PostUp/PostDown) with "Line unrecognized", so feed it the stripped configuration:
sudo wg syncconf wg0 <(sudo wg-quick strip wg0)
To remove a client, delete its [Peer] block and run the same command: syncconf removes any peer missing from the file, which tears down that client's session immediately.
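The conclusion suggests scripting onboarding. The following is an added example of such a script, not code from the original page: it performs steps 2, 4 and 7 for one client in a single run, generating the key pair plus a preshared key, picking the next free address in 10.0.0.0/24 from the server config, appending the [Peer] block, writing the client's .conf with 0600 permissions, and applying the change with wg syncconf. The file locations, the ENDPOINT placeholder, the clients/ directory and the `# client: NAME` marker comment are this script's own conventions and assumptions. Generating the client's private key on the server is a convenience only: hand the resulting .conf to the user over a secure channel and delete the server copy afterwards.

```bash
#!/usr/bin/env bash
# add-client.sh: onboard one WireGuard client on the server side.
# Added example, not from the original tutorial. Assumes the layout used in the
# guide: /etc/wireguard/wg0.conf, server at 10.0.0.1/24, UDP 51820.
# Usage (as root, with wg0 already up):  ENDPOINT=203.0.113.10:51820 ./add-client.sh add alice
set -eu

SERVER_CONF="${SERVER_CONF:-/etc/wireguard/wg0.conf}"
CLIENT_DIR="${CLIENT_DIR:-/etc/wireguard/clients}"
ENDPOINT="${ENDPOINT:-YOUR_VPS_PUBLIC_IP:51820}"   # placeholder: replace before use
VPN_PREFIX="${VPN_PREFIX:-10.0.0}"                 # first three octets of the /24

# Lowest unused host address: scan every AllowedIPs in the server config ($1)
# for VPN_PREFIX.N entries and return VPN_PREFIX.(highest N + 1). .1 is the
# server, so the first client gets .2. Trailing "# comments" are ignored.
next_free_ip() {
  awk -v p="$VPN_PREFIX" '
    /^[ \t]*AllowedIPs/ {
      sub(/#.*/, "")                       # drop trailing comment
      sub(/^[^=]*=[ \t]*/, "")             # keep only the value part
      n = split($0, list, /[ \t,]+/)
      for (i = 1; i <= n; i++) {
        split(list[i], cidr, "/")
        split(cidr[1], o, ".")
        if ((o[1] "." o[2] "." o[3]) == p && o[4] + 0 > max) max = o[4] + 0
      }
    }
    END {
      if (max < 1) max = 1
      if (max >= 254) { print "subnet full" > "/dev/stderr"; exit 1 }
      print p "." (max + 1)
    }' "$1"
}

# Server-side [Peer] block for one client.
render_peer_block() {          # name  client-pubkey  psk  ip
  printf '\n# client: %s\n[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s/32\n' \
    "$1" "$2" "$3" "$4"
}

# Client-side config, same shape as the full-tunnel example in step 4.
render_client_conf() {         # client-privkey  psk  server-pubkey  endpoint  ip
  cat <<EOF
[Interface]
Address = $5/24
PrivateKey = $1
DNS = 1.1.1.1

[Peer]
PublicKey = $3
PresharedKey = $2
Endpoint = $4
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

add_client() {
  local name="$1" iface ip priv pub psk server_pub tmp
  case "$name" in                        # name becomes a filename: keep it plain
    *[!A-Za-z0-9_.-]*|"") echo "invalid client name '$name'" >&2; return 1 ;;
  esac
  umask 077                              # every file created below is 0600
  mkdir -p "$CLIENT_DIR"
  if grep -qxF -- "# client: $name" "$SERVER_CONF"; then
    echo "client '$name' already exists in $SERVER_CONF" >&2
    return 1
  fi
  iface=$(basename "$SERVER_CONF" .conf)
  ip=$(next_free_ip "$SERVER_CONF")
  priv=$(wg genkey)
  pub=$(printf '%s\n' "$priv" | wg pubkey)
  psk=$(wg genpsk)                       # symmetric secret layered on the key pair
  # Derive the server public key from its private key (sed keeps base64 '=' padding).
  server_pub=$(sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*//p' "$SERVER_CONF" \
               | head -n 1 | wg pubkey)
  render_peer_block "$name" "$pub" "$psk" "$ip" >> "$SERVER_CONF"
  render_client_conf "$priv" "$psk" "$server_pub" "$ENDPOINT" "$ip" > "$CLIENT_DIR/$name.conf"
  # Apply without dropping existing sessions: wg syncconf rejects wg-quick-only
  # keys (Address, DNS, PostUp...), so strip them into a 0600 temp file first.
  tmp=$(mktemp)
  wg-quick strip "$SERVER_CONF" > "$tmp"
  wg syncconf "$iface" "$tmp"
  rm -f "$tmp"
  echo "added $name as $ip; deliver $CLIENT_DIR/$name.conf to the user securely"
}

if [ "${1:-}" = "add" ] && [ -n "${2:-}" ]; then
  add_client "$2"
fi
```

The address allocator and the two renderers are plain text functions, so they can be tried against a copy of wg0.conf without touching the live interface; only add_client itself needs wg, wg-quick and root.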
Conclusion
WireGuard delivers a modern, performant VPN solution that can be deployed on any Linux VPS in under ten minutes. By following this guide you have installed the software, generated cryptographic keys, built both server and client configurations, enabled forwarding and NAT behind a UFW firewall that exposes only SSH and UDP 51820, and verified end‑to‑end connectivity. The lightweight nature of WireGuard means low CPU overhead, making it an excellent fit for both small development teams and larger production environments. For future expansions, consider automating key generation and peer onboarding with a simple script or integrating the setup into an Ansible playbook to streamline onboarding of new users.