There is a large variety of VPN providers available to choose from today. Some are free, some are pricey but have highly promising features. Some collect no logs. I reported on one of my favorites earlier (Private Internet Access), which combines the best of the above. It’s great to be able to overcome geo restrictions, censorship, and connection limitations by purchasing freedom for a relatively low amount of currency. If you want to drive this concept further though and take full control, you’ve come to the right place. In this article, I will show you everything about setting up and using a private WireGuard VPN server.
WireGuard is a modern, high-performance VPN (Virtual Private Network) protocol designed to be simple, fast, and secure. Unlike traditional VPN protocols, WireGuard aims to be more efficient and easier to configure. It uses state-of-the-art cryptography to provide a secure tunnel for network traffic and is suitable for both small and large-scale deployments. While you can set up private mesh networks using very versatile services like ZeroTier One, WireGuard allows you to customize every aspect of your setup.
What makes WireGuard stand out: An Introduction
WireGuard is known for its high efficiency, cross-platform availability, and ease of setup. Besides this, it uses state-of-the-art encryption technology and is considered very secure. The major points speaking for WireGuard include:
- High Performance: Minimal overhead, which results in faster speeds and lower latency compared to other VPN solutions.
- Simplicity: Easy to configure and deploy with a minimal set of options.
- Security: Uses cutting-edge cryptographic algorithms to ensure data integrity and confidentiality.
- Cross-Platform: Available on various platforms including Linux, Windows, macOS, iOS, and Android.
WireGuard allows you to connect various hosts to the same virtual private network. As noted in one of my previous VPN articles, there is an important distinction to be made between different meanings of the term VPN.
Most VPN service providers allow you to route your internet traffic through their remote servers. The term also means, though, that hosts which are not part of the same physical network are connected through a virtual network connection. This better reflects what VPN really means and where the term originates. In this article, we will cover both uses when setting up and using a private WireGuard VPN server.
Setting up the Private WireGuard Server
For the purpose of this article, I will guide you through setting up your own WireGuard VPN server on a brand new DigitalOcean droplet (you can get one with $200 credits for free here). I’m going to create a very basic droplet for this as WireGuard is very resource efficient:
Once you set up your SSH key or password and hit “Create Droplet”, DigitalOcean will deploy your virtual machine. This takes just a few minutes. I will be using a regular Ubuntu for this demonstration, but WireGuard is compatible with many different distributions. Once the droplet is ready, we will use the built-in DigitalOcean console for the sake of simplicity.
This opens a root console. First of all, prepare your system for setting up WireGuard:
apt update
Then install WireGuard from the Ubuntu repositories:
apt install wireguard
After the software is installed, we will set up all required server configuration.
Configuring the Private WireGuard Server
Ensure that all directories we need are present and have the right access permissions:
mkdir -p /etc/wireguard
cd /etc/wireguard
umask 077
Now use wg to create the server keys:
wg genkey | tee server_private.key | wg pubkey > server_public.key
After this, you will have two files in the /etc/wireguard directory:
- server_private.key: This contains the server’s private key
- server_public.key: This contains the server’s public key
Keep the private key safe and don’t share it with anyone if not absolutely necessary. With this key, any encrypted communication passing through the VPN server can be decrypted. Make sure that only the root user can access it, too (assuming the file is owned by root, which it should be by default after the above steps):
chmod 600 /etc/wireguard/server_private.key
Setting up the Configuration File and Starting the WireGuard Server
For your VPN to work correctly, we need to set an IP subnet to use for address allocation. For our VPN, we will use the subnet 10.0.0.0/24. First, create the configuration file at /etc/wireguard/wg0.conf and enter this basic configuration:
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = YOUR_SERVER_PRIVATE_KEY
# Enable IP forwarding
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
Here, YOUR_SERVER_PRIVATE_KEY is the contents of /etc/wireguard/server_private.key. You can obtain it by running:
cat /etc/wireguard/server_private.key
It will consist of a string of characters similar to this:
KxLguf+YFgH1R9L7yU3uOWFbFId8e6xI56/Bzz50vlk=
Just place this string behind the “PrivateKey = ” field, without quotation marks, and save the file. Now you can start WireGuard:
wg-quick up wg0
systemctl enable wg-quick@wg0
WireGuard is now running on your DigitalOcean droplet. Note down its public IP address (from DO’s dashboard) as we will need it in the next step for the client configuration.
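After this step, wg0.conf holds the same secret as server_private.key, but only the key file was restricted with chmod. As an added example (not part of the original article; the function names are assumptions), the following script fills in the placeholder straight from the key file and checks that no private-key file or configuration is accessible to group or others:

```shell
#!/bin/sh
# Added example: insert the server key into wg0.conf without pasting it, then
# audit permissions. Function names are assumptions of this sketch; the
# placeholder and file names are the ones used in the article.

# Replace YOUR_SERVER_PRIVATE_KEY in CONF with the first line of KEYFILE.
# The key is read inside awk, so it never appears on screen or in argv.
fill_private_key() {
    conf=$1; keyfile=$2
    (
        umask 077                   # rewritten file is created as 0600
        rm -f "$conf.tmp"
        awk -v keyfile="$keyfile" '
            BEGIN { getline key < keyfile }
            { sub(/YOUR_SERVER_PRIVATE_KEY/, key); print }
        ' "$conf" > "$conf.tmp" && mv -f "$conf.tmp" "$conf"
    )
}

# True if the mode string from ls shows no group/other bits (e.g. -rw-------).
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report private-key files and configs in DIR that are accessible beyond the
# owner or still contain a YOUR_..._KEY placeholder; non-zero if any found.
audit_wg_dir() {
    rc=0
    for f in "$1"/*private.key "$1"/*.conf; do
        [ -f "$f" ] || continue
        is_private "$f" || { echo "group/other access: $f"; rc=1; }
        if grep -q 'YOUR_[A-Z_]*_KEY' "$f"; then
            echo "placeholder left in: $f"; rc=1
        fi
    done
    return "$rc"
}

# Usage: script audit [DIR]   (DIR defaults to /etc/wireguard)
if [ "${1:-}" = "audit" ]; then audit_wg_dir "${2:-/etc/wireguard}"; fi
```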
Preparing Configurations for WireGuard VPN Clients
Now that the server setup is complete, we will configure the client side. In this section, we will create a client so that it can connect to the server. For that, we first need to create a client configuration. Generate client keys similar to the server keys from above. You can do this on any machine that has WireGuard installed, but for the sake of simplicity we’ll do it on the server host (as all tools are installed there already):
wg genkey | tee client_private.key | wg pubkey > client_public.key
You now have two files: client_private.key and client_public.key. These are equivalent to the server keys, but identify a different entity. Now create a client configuration file (e.g., “client.conf”):
[Interface]
PrivateKey = YOUR_CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
Endpoint = your_droplet_ip:51820
AllowedIPs = 0.0.0.0/0
Here, YOUR_CLIENT_PRIVATE_KEY is analogous to the server private key you configured above. YOUR_SERVER_PUBLIC_KEY is the content of the server’s public key file. You can share this with anyone, as it doesn’t give away any secret information. Still, keep this configuration file and especially the client private key safe, as the client’s communication can be decrypted with it. In this configuration, you can now also set the DNS that the client should use to resolve hostnames. 1.1.1.1 is a well-known, fast, and private DNS managed by Cloudflare. You can enter any DNS IP here that is reachable from the client’s network.
On the server, add the client’s public key to the WireGuard server:
wg set wg0 peer YOUR_CLIENT_PUBLIC_KEY allowed-ips 10.0.0.2/32
This is it. You can now set up the client software with the configuration you just created. Once you have done this, you have succeeded in setting up and using a private WireGuard VPN server!
Setting up the WireGuard VPN Clients
Once your server is set up and you have generated a client configuration, you can start setting up clients. You will need a separate client configuration for each client. Theoretically you can re-use them, but for the sake of security you should set up one configuration (and key pair) per client.
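One way to keep to one key pair and one tunnel address per client, as an added example that is not part of the original article: the script reads the peers already registered on wg0, picks the lowest free address in 10.0.0.0/24, writes the client configuration and registers the peer with a /32. The function names and the "add NAME ENDPOINT" invocation are assumptions.

```shell
#!/bin/sh
# Added example: one key pair and one tunnel address per client.
# Function names and the "add NAME ENDPOINT" invocation are assumptions of
# this sketch; wg0, 10.0.0.0/24 and the key paths come from the article.
SUBNET_PREFIX="10.0.0"

# Read "wg show wg0 allowed-ips" output (pubkey<TAB>ip/cidr ...) on stdin and
# print the lowest unused host address (.1 is the server).
next_client_ip() {
    used=$(tr '\t ' '\n\n' | grep -E "^${SUBNET_PREFIX}\.[0-9]+/" | cut -d/ -f1)
    i=2
    while [ "$i" -le 254 ]; do
        if ! printf '%s\n' "$used" | grep -qxF "${SUBNET_PREFIX}.${i}"; then
            printf '%s\n' "${SUBNET_PREFIX}.${i}"
            return 0
        fi
        i=$((i + 1))
    done
    return 1    # subnet exhausted
}

# Arguments: client private key, tunnel address, server public key, endpoint.
render_client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2/24
DNS = 1.1.1.1

[Peer]
PublicKey = $3
Endpoint = $4
AllowedIPs = 0.0.0.0/0
EOF
}

# Create NAME.conf with a fresh key pair and register the peer (needs root).
add_client() {
    umask 077                       # the config file holds a private key
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    addr=$(wg show wg0 allowed-ips | next_client_ip) || return 1
    render_client_conf "$priv" "$addr" \
        "$(cat /etc/wireguard/server_public.key)" "$2" > "$1.conf"
    wg set wg0 peer "$pub" allowed-ips "$addr/32"
}

if [ "${1:-}" = "add" ]; then add_client "$2" "$3"; fi
```

Because the server configuration sets SaveConfig = true, peers added with wg set are written back to wg0.conf when the interface is brought down.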
In the following, we will set up clients for two platforms: Ubuntu Linux and the WireGuard iOS app.
Ubuntu Linux
To install and set up the WireGuard client on Ubuntu, first install the apt package:
sudo apt update
sudo apt install wireguard
Create a new file /etc/wireguard/wg0.conf and copy the client configuration you created in the previous step into this file. Now you can start WireGuard:
sudo wg-quick up wg0
That’s it. WireGuard is now connecting you to the WireGuard VPN server that you set up on your DigitalOcean droplet.
iOS
Setting up WireGuard on iOS is very straightforward. First, you download the app from the app store. The easiest way to transfer the generated client configuration from above onto your iOS device is via iCloud. Just email yourself the file and “Save to Files”, or place it in your iCloud Files section through a browser or similar.
After installing the app, it will greet you with this screen. Tapping “+” or “Add Tunnel” will open an action sheet asking how you want to add the tunnel. For this demonstration, we will choose “Create from file or archive” and select the client.conf file we uploaded to iCloud.
WireGuard will now attempt to add this VPN configuration to the iOS VPN store. Confirm the action and enter your PIN code if asked for it. Afterwards, your new configuration will be listed in WireGuard’s app window. The switch next to it connects or disconnects your iOS device from your droplet server.
When tapping on the “client” name in the window, you can alter its name and various other settings. I leave this part for you to explore as it is beyond the scope of this article. One notable feature though is that (besides the fact that you can change the connection’s name) you can configure on-demand activation. This means that WireGuard will automatically connect to the VPN server once it is e.g. on cellular or a WiFi connection.
Enabling Traffic Forwarding on the Private VPN Server
To allow clients to route their traffic through the VPN server (your droplet in this case), you need to set up IP forwarding on the server. Log into your droplet as root and enable IP forwarding:
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
This is it. If your clients are now configured to set their default route to the VPN server, they will now access the internet through your DigitalOcean droplet. If you’re still unsure whether you should use one, this link gives you $200 of free credit on DigitalOcean. That’s a lot given that the small scale machine we’re using here only costs $4 per month. Give it a try, it’s worth it!
Conclusion
You now know what it takes to set up and use a private WireGuard VPN server and connect clients to it. WireGuard is one of the most prominent open source VPN implementations. It is fast, versatile, secure, and easy to set up. If you don’t want to opt for services like ZeroTier One or Private Internet Access, WireGuard may be what you are looking for. Should you want to know more about the technical details behind WireGuard, I advise you to browse their website – it’s quite comprehensive!