WireGuard Client Setup on Ubuntu
Summary: Install WireGuard on Ubuntu, generate keys, configure a VPN tunnel to a remote server, and verify the connection.
| Key | Value |
|---|---|
| Server public IP | 203.0.113.10 |
| Client public IP | 198.51.100.50 |
| VPN subnet | 10.0.0.0/24 |
| Server VPN IP | 10.0.0.1 |
| Client VPN IP | 10.0.0.2 |
| WireGuard port | 51820 |
| DNS server | 1.1.1.1 |
| Interface name | wg0 |
| Config path | /etc/wireguard/wg0.conf |
| Server hostname | vpn-server-01 |
| Client hostname | vpn-client-01 |
| OS | Ubuntu 24.04 LTS |
0. Prerequisites
- An Ubuntu 24.04 LTS machine to use as the VPN client
- sudo or root access on the client
- A remote WireGuard server already running and accepting peers (this tutorial covers the client side only)
- The server’s public key and endpoint IP address
- dig is used to test DNS resolution — install it with sudo apt install -y dnsutils if it is not already present
- Familiarity with IP addresses and CIDR notation (see Tutorial 00: Networking Basics if these are new to you)
1. Install WireGuard
Update your package list and install WireGuard:
sudo apt update
sudo apt install -y wireguard
Verify the installation:
wg --version
This installs the wireguard-tools package, which provides the wg and wg-quick utilities.
2. Generate Client Keys
WireGuard uses public/private key pairs for authentication. Generate a key pair for your client:
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
The first command sets the file-creation mask so that files created afterwards in this shell are readable and writable only by your user. The second generates a private key, saves it to privatekey, and derives the matching public key into publickey.
Display both keys:
cat privatekey
cat publickey
Warning: Your private key must stay secret. Never share it or commit it to version control.
Store both values — you will need the private key for your client config and the public key to register as a peer on the server.
After copying the keys to your config file, remove the key files:
rm privatekey publickey
3. Create the Client Configuration
Create the WireGuard config file:
sudo nano /etc/wireguard/wg0.conf
Paste the following configuration, replacing the placeholder values with your actual keys:
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Lock down the file permissions so only root can read it:
sudo chmod 600 /etc/wireguard/wg0.conf
3.1 Configuration Explained
[Interface] section — settings for your client:
| Field | Purpose |
|---|---|
| PrivateKey | Your client’s private key (generated in Step 2) |
| Address | The VPN IP address assigned to this client — /32 means a single host (the smallest possible subnet) |
| DNS | DNS server to use while the tunnel is active — prevents DNS queries from leaking outside the VPN |
[Peer] section — settings for the server you are connecting to:
| Field | Purpose |
|---|---|
| PublicKey | The server’s public key (provided by the server admin) |
| Endpoint | The server’s public IP address and UDP port, written as IP:port |
| AllowedIPs | Which destination addresses to route through the tunnel — 0.0.0.0/0 (a /0 prefix) covers every possible IPv4 address, meaning all IPv4 traffic |
| PersistentKeepalive | Send a keepalive packet every 25 seconds to maintain the connection through NAT (network address translation) |
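A pre-flight check for the config described above, as an added example that is not part of the original tutorial: it verifies the 600 mode, catches leftover <...> placeholders and malformed keys, and confirms the required fields are present. The function name audit_wg_conf is hypothetical.

```shell
#!/bin/sh
# Added example (not from the tutorial): lint a wg-quick client config.
# Prints one line per finding; returns 0 only when there are none.
audit_wg_conf() {
    conf=$1; findings=0
    [ -f "$conf" ] || { echo "missing: $conf"; return 2; }
    # Step 3 sets mode 600; a looser mode exposes PrivateKey to other users.
    mode=$(ls -ld -- "$conf" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "mode is $mode, expected -rw------- (chmod 600)"
        findings=1
    fi
    awk '
        function bad(msg) { print msg; n++ }
        # A WireGuard key is 32 bytes: 44 base64 characters ending in "=".
        function iskey(v) { return length(v) == 44 && v ~ /^[A-Za-z0-9+\/]+=$/ }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { sec = $0; gsub(/[^A-Za-z]/, "", sec); next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)   # split on first "="
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            seen[sec "." k] = 1
            if (k == "PrivateKey" || k == "PublicKey") {
                if (v ~ /^</) bad(sec "." k " still holds a placeholder")
                else if (!iskey(v)) bad(sec "." k " is not a 44-character base64 key")
            }
            if (k == "Endpoint" && v !~ /:[0-9]+$/) bad("Peer.Endpoint is not host:port")
        }
        END {
            need = "Interface.PrivateKey Interface.Address"
            need = need " Peer.PublicKey Peer.Endpoint Peer.AllowedIPs"
            m = split(need, req, " ")
            for (j = 1; j <= m; j++) if (!(req[j] in seen)) bad("missing " req[j])
            exit (n > 0)
        }' "$conf" || findings=1
    [ "$findings" -eq 0 ]
}

# With a path argument, audit that file (e.g. sudo sh audit.sh /etc/wireguard/wg0.conf).
if [ "$#" -gt 0 ]; then audit_wg_conf "$1"; fi
```
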
4. Register the Client on the Server
On the WireGuard server, add your client as a peer. Run this on the server:
sudo wg set wg0 peer <CLIENT_PUBLIC_KEY> allowed-ips 10.0.0.2/32
To make this persistent across server reboots, add a [Peer] block to the server’s /etc/wireguard/wg0.conf:
[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32
Note: The server must have IP forwarding enabled and NAT configured for clients to reach the internet through it. That is outside the scope of this client-focused tutorial.
5. Start the Tunnel
Bring up the WireGuard interface:
sudo wg-quick up wg0
Check the interface status:
sudo wg show wg0
You should see output showing your interface, the peer, and a recent handshake timestamp once the connection is established.
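The handshake check from this step as a script, assuming that a peer with no handshake for more than 180 seconds is stale (with PersistentKeepalive = 25 set, a working tunnel renews its handshake roughly every two minutes). This is an added example, not part of the original tutorial; check_handshakes and sample_handshakes are hypothetical names, and the sample keys and timestamps are constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial): judge tunnel health from
# `wg show wg0 latest-handshakes`, which prints one line per peer:
#   <peer public key><TAB><unix time of last handshake, 0 = never>
# Usage: sudo wg show wg0 latest-handshakes | check_handshakes "$(date +%s)"
check_handshakes() {
    now=$1
    max_age=${2:-180}   # assumption: more than 180 s without a handshake is stale
    awk -v now="$now" -v max="$max_age" '
        NF == 2 {
            age = now - $2
            if ($2 == 0)        { state = "NEVER"; age = "-"; bad++ }
            else if (age > max) { state = "STALE"; bad++ }
            else                { state = "OK" }
            # Print only a key prefix so logs do not carry full peer keys.
            printf "%s %s age=%s\n", state, substr($1, 1, 8), age
        }
        END { exit (bad > 0 || NR == 0) }'
}

# Constructed sample output (made-up keys and timestamps) for a dry run.
sample_handshakes() {
    printf 'AAAAAAAAconstructedkey1=\t1700000250\n'
    printf 'BBBBBBBBconstructedkey2=\t1700000000\n'
    printf 'CCCCCCCCconstructedkey3=\t0\n'
}

# Dry run against the sample with a fixed "now"; prints OK, STALE and NEVER.
sample_handshakes | check_handshakes 1700000300 || echo "tunnel needs attention"
```

A non-zero exit status means at least one peer is STALE or NEVER, or that no peers were listed at all, which makes the function usable from cron or a monitoring probe.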
6. Verify the Connection
Check that your traffic is routed through the VPN by querying your public IP:
curl ifconfig.me
The output should show 203.0.113.10 (the VPN server’s IP), not your client’s real public IP.
Test DNS resolution:
dig example.com +short
Test connectivity to the server’s VPN IP:
ping -c 3 10.0.0.1
7. Enable WireGuard at Boot
To start the tunnel automatically on every boot:
sudo systemctl enable wg-quick@wg0
This creates the necessary systemd service link. You can manage the service with standard commands:
sudo systemctl start wg-quick@wg0
sudo systemctl stop wg-quick@wg0
sudo systemctl status wg-quick@wg0
Note: wg-quick up wg0 and systemctl start wg-quick@wg0 do the same thing. Use systemctl if you want the tunnel to start at boot; use wg-quick for one-off manual control.
8. Troubleshooting
No handshake appears in wg show:
- Try pinging the server: ping -c 1 203.0.113.10 — if this times out, it does not necessarily mean the server is down (many servers block ICMP ping while WireGuard UDP traffic still works)
- Check that UDP port 51820 is open on the server’s firewall
- Verify that the client’s public key is registered on the server
curl ifconfig.me times out:
- Check that the server has IP forwarding enabled
- Verify NAT/masquerade rules on the server
DNS resolution fails:
- Confirm the DNS line in wg0.conf points to a working resolver
- Try an alternative DNS server like 1.0.0.1 or 8.8.8.8
Connection drops behind NAT:
- Make sure PersistentKeepalive = 25 is set in the [Peer] section
Summary
You now have a working WireGuard VPN client on Ubuntu. The tunnel encrypts all traffic and routes it through your VPN server. Key files and commands to remember:
- Config file: /etc/wireguard/wg0.conf
- Bring up: sudo wg-quick up wg0
- Bring down: sudo wg-quick down wg0
- Check status: sudo wg show wg0
- Enable at boot: sudo systemctl enable wg-quick@wg0
The next tutorials cover split tunneling to keep local network access while on the VPN, and a kill switch to block all traffic if the VPN drops.