Set Up WireGuard VPN on Ubuntu 22.04

Install and configure WireGuard to create a secure VPN tunnel between your server and client devices.

LightYear Docs Team
Updated April 24, 2026

Networking Topology Diagram

WireGuard is a modern, high-performance VPN protocol that uses state-of-the-art cryptography. This guide configures a WireGuard server on Ubuntu 22.04 and connects a client device.

Prerequisites

  • Ubuntu 22.04 server with a public IP
  • Port 51820/UDP open in your firewall group
  • A client device (Linux, macOS, Windows, iOS, or Android)

Step 1 — Install WireGuard

>_BASH
$ apt update
$ apt install -y wireguard

Verify the installation:

>_BASH
$ wg --version
OUTPUT
wireguard-tools v1.0.20210521 - https://git.zx2c4.com/wireguard-tools/

Step 2 — Generate Server Keys

>_BASH
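# Restrict new files to root before the key is written, so it is never world-readable
$ umask 077
$ wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
$ chmod 600 /etc/wireguard/server_private.key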

View the keys:

>_BASH
$ cat /etc/wireguard/server_private.key
$ cat /etc/wireguard/server_public.key

Step 3 — Detect the Network Interface

>_BASH
$ ip -o -4 route show to default | awk '{print $5}'
OUTPUT
eth0

Note the interface name (commonly eth0 or ens3).

Step 4 — Create the Server Configuration

>_BASH
$ nano /etc/wireguard/wg0.conf
INI
[Interface]
Address = 10.8.0.1/24
SaveConfig = true
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820

Replace SERVER_PRIVATE_KEY with the contents of /etc/wireguard/server_private.key and eth0 with your actual interface name.

Step 5 — Enable IP Forwarding

>_BASH
$ echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.conf
$ sysctl -p
OUTPUT
net.ipv4.ip_forward = 1

Step 6 — Generate Client Keys

>_BASH
$ umask 077   # create the client private key readable by root only
$ wg genkey | tee /etc/wireguard/client1_private.key | wg pubkey > /etc/wireguard/client1_public.key

Step 7 — Create Client Configuration

>_BASH
$ nano /etc/wireguard/client1.conf
INI
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.8.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = YOUR_SERVER_IP:51820
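PersistentKeepalive = 25

Replace CLIENT_PRIVATE_KEY with the contents of /etc/wireguard/client1_private.key, SERVER_PUBLIC_KEY with the contents of /etc/wireguard/server_public.key, and YOUR_SERVER_IP with the server's public IP address. AllowedIPs = 0.0.0.0/0 routes all of the client's IPv4 traffic through the tunnel.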

Step 8 — Add Client as Peer on Server

>_BASH
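$ wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.8.0.2/32

Replace CLIENT_PUBLIC_KEY with the contents of /etc/wireguard/client1_public.key. wg set configures a running interface, so wg0 must already be up (Step 9) when you run this command. Because SaveConfig = true is set, the peer is written back to wg0.conf when the interface is brought down.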

Step 9 — Start WireGuard

>_BASH
$ systemctl enable wg-quick@wg0
$ systemctl start wg-quick@wg0
$ systemctl status wg-quick@wg0
OUTPUT
wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled)
     Active: active (exited) since Thu 2026-04-24 10:00:00 UTC; 5s ago

Step 10 — Connect the Client

Copy client1.conf to your client device and import it into the WireGuard app.

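On Linux, pass the path to the file; a bare name such as client1 is looked up as /etc/wireguard/client1.conf:

>_BASH
$ wg-quick up ./client1.conf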

Verify the tunnel:

>_BASH
$ wg show
OUTPUT
interface: wg0
  public key: SERVER_PUBLIC_KEY
  private key: (hidden)
  listening port: 51820

peer: CLIENT_PUBLIC_KEY
  endpoint: CLIENT_IP:PORT
  allowed ips: 10.8.0.2/32
  latest handshake: 5 seconds ago
  transfer: 1.23 KiB received, 2.34 KiB sent

[!TIP] Use the WireGuard mobile app (iOS/Android) to scan a QR code generated from the client config: qrencode -t ansiutf8 < /etc/wireguard/client1.conf
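
An added example, not part of the original guide: a POSIX shell check for the files the steps above create under /etc/wireguard. It flags private keys and configs that are accessible by group or others (as happens when they are created under a default umask), template placeholders left in a config, and key values that are not 44-character base64. The name wg_audit is a hypothetical helper, and the file names are assumed to follow this guide.

```shell
#!/bin/sh
# Added example: audit the key and config files the steps above create.
# wg_audit is a hypothetical helper name; file names follow this guide.

# wg_audit DIR: print one finding per line; return 0 if clean, 1 otherwise.
wg_audit() {
    dir=$1
    report=$(
        for f in "$dir"/*_private.key "$dir"/*.conf; do
            [ -f "$f" ] || continue
            # 1. Private keys and configs must be owner-only. Characters 5-10
            #    of the ls mode string are the group and other permission bits.
            case $(ls -ld "$f" | cut -c5-10) in
                ------) ;;
                *) echo "PERM $f: accessible by group or others, use chmod 600" ;;
            esac
            case $f in *.conf) ;; *) continue ;; esac
            # 2. Placeholders from the Step 4 and Step 7 templates must be gone.
            if grep -qE '(SERVER|CLIENT)_(PRIVATE|PUBLIC)_KEY|YOUR_SERVER_IP' "$f"; then
                echo "TMPL $f: template placeholder not replaced"
            # 3. Real keys are 32 bytes: 43 base64 characters plus one '='.
            elif sed -nE 's/^[[:space:]]*(Private|Public)Key[[:space:]]*=[[:space:]]*//p' "$f" |
                    grep -qvE '^[A-Za-z0-9+/]{43}=[[:space:]]*$'; then
                echo "KEY $f: key value is not 44-character base64"
            fi
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Audit a directory when one is given: sh wg_audit.sh /etc/wireguard
if [ "$#" -gt 0 ]; then wg_audit "$1"; fi
```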
