This guide will walk you through the process of setting up a WireGuard VPN server on an Ubuntu 22.04 droplet hosted on DigitalOcean. By the end, you'll have a secure and private VPN connection for your devices.

Prerequisites

Before you begin, ensure you have the following:

Note: Commands in this guide are intended to be run as a user with sudo privileges. If you are logged in as root, you can omit the `sudo` prefix.

Installation & Configuration Steps

Step 1: Update System and Install WireGuard

First, log in to your server via SSH. Then, update your package list and upgrade existing packages:

sudo apt update
sudo apt upgrade -y

Now, install WireGuard and related tools:

sudo apt install wireguard wireguard-tools -y

This installs the WireGuard kernel module and the wg and wg-quick command-line utilities.

Step 2: Generate Server Keys

WireGuard identifies and authenticates each peer with public-key cryptography: every peer holds its own private key and is known to the others by the matching public key. We first need to generate the server's key pair.

# Create a directory for WireGuard configuration
sudo mkdir -p /etc/wireguard
sudo chmod 700 /etc/wireguard # Restrict permissions

# Navigate to the directory
cd /etc/wireguard

# Generate keys
wg genkey | sudo tee privatekey | wg pubkey | sudo tee publickey

Make sure to protect your private key:

sudo chmod 600 /etc/wireguard/privatekey

You can view your keys using cat. You will need these in the next step.

Important: Keep your private key secure and do not share it. The public key will be shared with clients.

Step 3: Create WireGuard Server Configuration

Create the server configuration file at /etc/wireguard/wg0.conf. You can use a command-line editor like nano:

sudo nano /etc/wireguard/wg0.conf

Paste the following configuration into the file. You must replace YOUR_SERVER_PRIVATE_KEY_HERE with the content of your /etc/wireguard/privatekey file.

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = YOUR_SERVER_PRIVATE_KEY_HERE

# Forward traffic - replace eth0 if your public interface is different (e.g., ens3)
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

To find your public network interface (e.g., eth0), you can use the command ip route | grep default.

Step 4: Enable IP Forwarding

For the VPN to route traffic, you need to enable IP forwarding on the server. Edit /etc/sysctl.conf:

sudo nano /etc/sysctl.conf

Uncomment (or add) the following line: net.ipv4.ip_forward=1

Apply the changes without rebooting:

sudo sysctl -p

Step 5: Configure Firewall (UFW)

If you are using UFW (Uncomplicated Firewall), allow UDP traffic on port 51820 (or your chosen WireGuard port) and allow SSH traffic:

sudo ufw allow 51820/udp
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status

Ensure your cloud provider's firewall (e.g., DigitalOcean Cloud Firewalls) also allows UDP traffic on this port.

Step 6: Start and Enable WireGuard Service

Start the WireGuard interface and enable it to start on boot:

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Check the status to ensure it's running correctly:

sudo wg show wg0

You should see information about your WireGuard interface, including the listening port and public key.

Step 7: Configure a Client

Now you need to configure your first client (e.g., your laptop or phone).

  1. On your client device, install the WireGuard application and generate a new key pair within the app.

  2. On the server, add the client as a peer. Replace CLIENT_PUBLIC_KEY_HERE with the public key from your client app. Because wg0.conf was created with SaveConfig = true, this runtime change is written back to the file when the interface is brought down (or immediately with sudo wg-quick save wg0); conversely, hand edits to wg0.conf made while the interface is up will be overwritten, so edit the file only while wg0 is down.

    sudo wg set wg0 peer CLIENT_PUBLIC_KEY_HERE allowed-ips 10.0.0.2/32
    
  3. On your client device, create the configuration. Use the client's private key and the server's public key.

    [Interface]
    PrivateKey = YOUR_CLIENT_PRIVATE_KEY_HERE
    Address = 10.0.0.2/32
    DNS = 1.1.1.1
    
    [Peer]
    PublicKey = YOUR_SERVER_PUBLIC_KEY_HERE
    Endpoint = YOUR_SERVER_PUBLIC_IP:51820
    AllowedIPs = 0.0.0.0/0, ::/0
    PersistentKeepalive = 25
    
  4. Import this configuration into your client app and connect.
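Repeating Step 7 by hand for every device is error-prone, mostly in picking an address that is not already in use. The following script is an added example, not part of the original guide: it reads the addresses already assigned on wg0, picks the next free 10.0.0.X/32, registers the client's public key as a peer, persists it with wg-quick save, and prints the client configuration from step 3 with the private key left for the client to fill in. It assumes wg0 is up and configured as in Step 3; the peer-key and endpoint values it is run with are yours to supply.

```shell
#!/bin/sh
# add-peer.sh (constructed example, not part of the original guide).
# Server side of Step 7: pick the next unused 10.0.0.X/32, register the
# client's public key as a peer, persist it, and print the client config.
# Assumes wg0 is up and was configured as in Step 3.

# Print the next unused 10.0.0.X/32, reading `wg show wg0 allowed-ips` on stdin.
# Input lines look like "<peer-public-key><TAB>10.0.0.2/32 [more/prefixes]" or "(none)".
next_free_ip() {
    used=$(awk '{ for (i = 2; i <= NF; i++) print $i }' | sed 's#/[0-9]*$##')
    n=2                                     # 10.0.0.1 is the server itself
    while [ "$n" -le 254 ]; do
        if ! printf '%s\n' "$used" | grep -qx "10.0.0.$n"; then
            printf '10.0.0.%s/32\n' "$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "no free addresses left in 10.0.0.0/24" >&2
    return 1
}

# Render the client configuration from Step 7 for one peer.
# $1 client address, $2 server public key, $3 server endpoint (host:port)
render_client_conf() {
    cat <<EOF
[Interface]
PrivateKey = YOUR_CLIENT_PRIVATE_KEY_HERE
Address = $1
DNS = 1.1.1.1

[Peer]
PublicKey = $2
Endpoint = $3
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Register the client public key $1, reachable at server endpoint $2, on wg0.
add_peer() {
    addr=$(wg show wg0 allowed-ips | next_free_ip) || return 1
    wg set wg0 peer "$1" allowed-ips "$addr"
    wg-quick save wg0                       # write the new peer to wg0.conf now
    render_client_conf "$addr" "$(wg show wg0 public-key)" "$2"
}

# Only act when invoked as: sudo sh add-peer.sh add <client-public-key> <host:port>
case "${1:-}" in
    add) add_peer "${2:?client public key}" "${3:?server endpoint host:port}" ;;
esac
```

Copy the printed configuration to the client and replace YOUR_CLIENT_PRIVATE_KEY_HERE with the key generated in the app, so the private key never leaves the device.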

Conclusion

Congratulations! You should now have a fully functional, manually configured WireGuard VPN server. You can add more clients by repeating Step 7 for each new device, making sure to assign a new IP address (e.g., 10.0.0.3/32) for each one.