How to Install WireGuard VPN on Ubuntu (Step-by-Step) + Add Clients


    WireGuard is a modern, fast, and secure VPN that’s much easier to configure than OpenVPN or IPsec. In this guide, you’ll learn how to install WireGuard on a server and connect clients (Linux, Windows, mobile).

    ⚡ What You’ll Need

    • Ubuntu server (20.04 / 22.04 / 24.04)
    • Root or sudo access
    • A public IP (VPS recommended)

    📦 Step 1: Install WireGuard

    Update your system and install WireGuard:

    sudo apt update && sudo apt upgrade -y
    sudo apt install wireguard -y

    Verify installation:

    wg --version

    🔑 Step 2: Generate Server Keys

    WireGuard uses public/private key cryptography.

    umask 077
    wg genkey | tee server_private.key | wg pubkey > server_public.key

    View keys:

    cat server_private.key
    cat server_public.key

    🌐 Step 3: Configure the Server

    Create the main config file:

    sudo nano /etc/wireguard/wg0.conf

    Paste:

    [Interface]
    Address = 10.66.66.1/24
    ListenPort = 51820
    PrivateKey = SERVER_PRIVATE_KEY
    
    # Enable routing and NAT; replace eth0 with the server's public network interface if it has a different name
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

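    👉 Replace SERVER_PRIVATE_KEY with the contents of server_private.key. Because this file now holds the private key, it should be readable by root only.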

    🔥 Step 4: Enable IP Forwarding

    Edit sysctl config:

    sudo nano /etc/sysctl.conf

    Uncomment/add:

    net.ipv4.ip_forward=1

    Apply:

    sudo sysctl -p

    🚪 Step 5: Open Firewall Port

    Allow WireGuard port:

    sudo ufw allow 51820/udp

    Enable the firewall if it is not already active (if you manage the server over SSH, make sure an SSH allow rule exists first):

    sudo ufw enable

    ▶️ Step 6: Start WireGuard

    sudo systemctl start wg-quick@wg0
    sudo systemctl enable wg-quick@wg0

    Check status:

    sudo wg

    👤 Step 7: Add a Client

    Generate Client Keys

    umask 077   # new key files are created readable by the owner only
    wg genkey | tee client_private.key | wg pubkey > client_public.key

    Add Client to Server

    Edit server config:

    sudo nano /etc/wireguard/wg0.conf

    Add (replace CLIENT_PUBLIC_KEY with the contents of client_public.key):

    [Peer]
    PublicKey = CLIENT_PUBLIC_KEY
    AllowedIPs = 10.66.66.2/32

    Restart WireGuard:

    sudo systemctl restart wg-quick@wg0

    💻 Step 8: Client Configuration

    Create the client config file (client.conf), replacing CLIENT_PRIVATE_KEY, SERVER_PUBLIC_KEY and YOUR_SERVER_IP with your own values:

    [Interface]
    PrivateKey = CLIENT_PRIVATE_KEY
    Address = 10.66.66.2/24
    DNS = 1.1.1.1
    
    [Peer]
    PublicKey = SERVER_PUBLIC_KEY
    Endpoint = YOUR_SERVER_IP:51820
    AllowedIPs = 0.0.0.0/0
    PersistentKeepalive = 25

    📱 Step 9: Connect Client

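    On Linux (with the file saved as /etc/wireguard/client.conf, which is where wg-quick looks up an interface name):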

    sudo wg-quick up client

    On Windows/macOS:

    • Install WireGuard app
    • Import config file

    On Mobile:

    • Download WireGuard app
    • Scan QR or import config

    🔍 Step 10: Test Connection

    Check your public IP from the client (with AllowedIPs = 0.0.0.0/0 it should now be the server's address):

    curl ifconfig.me

    Check the handshake on the server (the peer should show a recent "latest handshake"):

    sudo wg

    ⚙️ Optional: Generate QR Code (Mobile)

    sudo apt install qrencode -y
    qrencode -t ansiutf8 < client.conf

    🧠 Pro Tips

    • Use /32 per client (clean IP management)
    • Use PersistentKeepalive = 25 for mobile clients
    • Restrict access with firewall rules
    • Don’t expose unnecessary ports
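
A quick way to check a server config against Steps 3 and 7 and the /32 tip above. This is an added example, not part of the original guide; the function name audit_wg_conf and the finding labels are this example's own. It reports a config file that group/other can access, key fields that still hold a placeholder, and peers whose AllowedIPs are not a /32 or are shared.

```shell
#!/usr/bin/env bash
# audit_wg_conf FILE
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_wg_conf() {
    local conf findings
    conf=$1
    findings=$(
        # 1. The file contains PrivateKey, so group/other get no access.
        [ "$(ls -ld "$conf" | cut -c5-10)" = "------" ] ||
            echo "perms: $conf is accessible to group/other (chmod 600)"
        awk '
            { sub(/[ \t]*#.*/, "") }                        # strip comments
            /^[ \t]*\[/ { in_peer = (tolower($0) ~ /\[peer\]/); next }
            tolower($0) ~ /^[ \t]*(privatekey|publickey)[ \t]*=/ {
                key = $0; sub(/^[^=]*=[ \t]*/, "", key); sub(/[ \t]+$/, "", key)
                # 2. A key is 32 bytes of base64: 44 characters ending in "=".
                if (length(key) != 44 || key !~ "^[A-Za-z0-9+/]+=$")
                    print "key: line " NR " is not a key (placeholder left in?)"
            }
            in_peer && tolower($0) ~ /^[ \t]*allowedips[ \t]*=/ {
                ips = $0; sub(/^[^=]*=/, "", ips); gsub(/[ \t]/, "", ips)
                n = split(ips, ip, ",")
                for (i = 1; i <= n; i++) {
                    # 3. Server side: one /32 per client, never shared.
                    if (ip[i] ~ "/" && ip[i] !~ "/32$")
                        print "allowedips: line " NR ": " ip[i] " is not a /32"
                    if (seen[ip[i]]++)
                        print "allowedips: line " NR ": " ip[i] " is on two peers"
                }
            }
        ' "$conf"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run against a file when one is given, e.g. /etc/wireguard/wg0.conf (as root).
if [ $# -gt 0 ]; then audit_wg_conf "$1"; fi
```
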

    🚀 Conclusion

    WireGuard is simple, fast, and powerful. With just a few steps, you now have a secure VPN server and connected clients.
