WireGuard VPN

by v1.0.20200319 | Debian 9

Modern virtual private network application known for state-of-the-art cryptography.

Set up a simple, fast VPN for free, using a process as easy as using SSH. WireGuard is built to run faster and leaner than other VPNs, including popular competitor OpenVPN. It’s also easier to set up and optimized to run on Linux. WireGuard’s unique cryptography makes it easy to establish secure connections to shield your information while using public Wi-Fi or connecting to services you want to protect from the public Internet.

Use the Linode WireGuard VPN One-Click App to create a new Linode instance with a WireGuard network device just for you.

Software Included

The WireGuard VPN One-Click App will install the following required software on your Linode:

SOFTWARE     DESCRIPTION
WireGuard    VPN software.
UFW          Firewall utility. Incoming and outgoing traffic is allowed on the port assigned during the WireGuard Options step of the deployment.

WireGuard Options

The WireGuard One-Click form includes fields for your WireGuard client’s public key, and for your client’s endpoint IP (which is your client’s public IP address). If you have already set up your client and installed the WireGuard software on it prior to setting up your WireGuard One-Click App, then you may already have this information. If you do have the key and the endpoint IP for the client, you can enter them into the app’s creation form, and your server’s configuration will be pre-populated with those values.

Note: A public key generated by WireGuard will not resemble a public key that you might use for SSH connections; when in doubt, leave the form’s Public Key (Client) field blank.

If you do not have the values for these fields, you can leave them empty. After the app is deployed, visit the Configure and Connect your WireGuard Client and Server section to set up your client and generate a key. The instructions in that section will also show you how to insert the key and the endpoint IP for your client into your server’s configuration.

Getting Started After Deployment

Configure and Connect your WireGuard Client and Server

After your One-Click App has provisioned your WireGuard server, you can proceed with setting up your WireGuard client and establishing a connection to the server.

If you did not provide a public key for WireGuard when you first set up your One-Click App, you will need to follow the next set of steps. These instructions will set up your client and inform your server of your client’s public key. If you did provide a public key when deploying the One-Click App and have set up your client, skip to the second collection of steps in this section.

  1. Follow the WireGuard Client section of our WireGuard guide to generate a public/private keypair for your client, and to set up the WireGuard network interface configuration on your client.
  2. Connect to your One-Click App’s Linode via SSH.
  3. Bring down the wg0 interface on the server:
    wg-quick down wg0
  4. Open the /etc/wireguard/wg0.conf file in a text editor (nano, for example).
  5. You will see a line that reads PublicKey = under the [Peer] section. Append your client’s public key to this line.
  6. You will also see a line that reads Endpoint =. Append your client’s Internet address to this line and then save the file. If your WireGuard client is also a Linode, use your Linode’s public IP. If your client is on your home computer, visit a site like whatismyip.com to get your address.
  7. Bring the wg0 interface back up on the server:
    wg-quick up wg0

Note: wg-quick is a convenient wrapper for many of the common functions in wg. To learn more about all the available commands for each utility, issue the wg --help and wg-quick --help commands from your Linode’s command line.
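
The note under WireGuard Options says a WireGuard public key does not look like an SSH key, and step 5 above places that key in wg0.conf. The following added example (not part of the One-Click App or of Linode's guide) checks the key's shape before writing it to the empty PublicKey line. The function names and the demo file are assumptions, and the demo works on a constructed file rather than on /etc/wireguard/wg0.conf.

```shell
#!/bin/sh
# Added example (not Linode's script); function names are hypothetical.

# A WireGuard public key is 32 bytes in base64: 43 characters plus one "=".
# An SSH public key ("ssh-ed25519 AAAA...") does not have this shape.
is_wg_pubkey() {
    key=$1
    body=${key%=}
    [ "${#key}" -eq 44 ] && [ "${#body}" -eq 43 ] || return 1
    case $body in *[!A-Za-z0-9+/]*) return 1 ;; esac
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c)
    [ "$((n))" -eq 32 ]
}

# Step 5: put KEY on the empty "PublicKey =" line under [Peer] in CONF.
# Returns 2 for a malformed key, 3 if there is no empty line to fill
# (so an existing peer key is never overwritten).
set_peer_pubkey() {
    conf=$1
    key=$2
    is_wg_pubkey "$key" || return 2
    tmp=$(mktemp "$conf.XXXXXX") || return 1   # created with mode 0600
    if awk -v key="$key" '
        /^\[/ { peer = ($0 == "[Peer]") }
        peer && !hit && /^PublicKey[ \t]*=[ \t]*$/ {
            print "PublicKey = " key; hit = 1; next
        }
        { print }
        END { exit(hit ? 0 : 3) }
    ' "$conf" > "$tmp"; then
        mv "$tmp" "$conf"
    else
        rm -f "$tmp"; return 3
    fi
}

# Demo on a constructed file, never on /etc/wireguard/wg0.conf itself.
demo_conf=$(mktemp)
printf '%s\n' '[Interface]' 'PrivateKey = <server private key>' '' \
    '[Peer]' 'PublicKey =' 'Endpoint =' > "$demo_conf"
# Key-shaped sample: the example string shown on this page.
set_peer_pubkey "$demo_conf" 'FngGVypEJ13KU8+OeBGG1sOd2i+aazsj7qPL3ZxacG8='
cat "$demo_conf"
rm -f "$demo_conf"
```
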

You should now have your server configuration completed. At this point, you still need to complete your client’s configuration; specifically, you need to add your server as a peer to the client:

  1. Connect to your One-Click App’s Linode via SSH.
  2. Just like your client, your server also has a public/private keypair of its own. The One-Click App script leaves a copy of these keys in the root user’s home folder:
    ls /root
    wg-private.key wg-public.key
  3. Use the cat command to get the value of the server’s WireGuard public key:
    cat /root/wg-public.key
  4. You should see a random string similar to:
    FngGVypEJ13KU8+OeBGG1sOd2i+aazsj7qPL3ZxacG8=
  5. Copy the output of your server’s public key, then use it to complete steps 1 and 2 of the Connect the Client and Server section of our WireGuard guide. These steps will tell you to append a [Peer] section to your client’s existing WireGuard configuration and then to enable the service on your client.

    Enter your server’s WireGuard tunnel IP (using the /24 CIDR notation) as the value for the AllowedIPs setting, and set the server’s public IP address and WireGuard port to be the Endpoint. Here’s an example template for a completed client configuration:
    [Interface]
    PrivateKey = <Your client WireGuard private key>
    Address = 10.0.1.2

    [Peer]
    PublicKey = <Your server WireGuard public key>
    AllowedIPs = 10.0.1.1
    Endpoint = <Your WireGuard server public IP>:51820

After you complete steps 1 and 2 from that section, you will have established the server as the client’s peer.

Test your WireGuard Client’s Connection

This test should be performed once you have configured a WireGuard client and updated your WireGuard server to include the client’s peer information:

  1. Access your WireGuard client and ping the WireGuard server. Replace 10.0.1.1 with the tunnel IP address you assigned to the WireGuard server in the One-Click App creation form:
    ping 10.0.1.1
  2. Use the WireGuard utility to verify your client’s latest handshake:
    wg show
    The last two lines of the output from running the wg command should be similar to:
    latest handshake: 1 minute, 17 seconds ago
    transfer: 98.86 KiB received, 43.08 KiB sent
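
A scripted version of the check in step 2, as an added example that is not part of the original guide: it reads the tab-separated output of wg show wg0 latest-handshakes and reports each peer as ok, stale or never. The helper name, the 180-second threshold and the sample peers are assumptions; run it after the ping in step 1, since an idle tunnel may show an old handshake.

```shell
#!/bin/sh
# Added example; peer_handshake_status is a hypothetical helper name.
# Input on stdin: "<peer public key><TAB><unix time of last handshake>",
# the format printed by `wg show wg0 latest-handshakes` (0 = none yet).
# Exit status is 0 only if every peer has a recent handshake.
peer_handshake_status() {
    now=$1
    max_age=${2:-180}    # assumed threshold in seconds
    awk -F '\t' -v now="$now" -v max="$max_age" '
        NF == 2 {
            if ($2 == 0)              state = "never"
            else if (now - $2 > max)  state = "stale"
            else                      state = "ok"
            printf "%s %s\n", $1, state
            if (state != "ok") bad = 1
        }
        END { exit(bad ? 1 : 0) }
    '
}

# Constructed sample: placeholder peer names, times relative to 1700000000.
# The first peer shook hands 77 seconds earlier (1 minute, 17 seconds).
printf '%s\t%s\n' '<peer-A-public-key>' 1699999923 '<peer-B-public-key>' 0 |
    peer_handshake_status 1700000000 || echo "at least one peer needs attention"

# On a live host:
#   wg show wg0 latest-handshakes | peer_handshake_status "$(date +%s)"
```
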

The WireGuard VPN One-Click App was built by Linode. For support regarding app deployment, contact Linode Support via the information listed in the sidebar.