Ubuntu setup Wireguard

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and supercomputers alike, fit for many different circumstances. Initially released for the Linux kernel, it plans to be cross-platform and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

Installation step

Env: Ubuntu 19.10 64bit / Debian 10 sid 

// Ubuntu
add-apt-repository ppa:wireguard/wireguard
apt-get update
apt-get install wireguard
// Debian9 
Install linux-headers first (Hetnzer VPS issue)

apt install linux-headers-$(uname -r)

echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list

printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable

apt update
apt install wireguard

// Updated July 3, 2019
// Update wiregurad
apt install wireguard=0.0.20190702-1 wireguard-dkms=0.0.20190702-1 wireguard-tools=0.0.20190702-1

Generate the public and private key

(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)

wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey

Edit the wg0.conf file

## Vultr server has to change eth0 into ens3
# Edit wg0.conf
nano /etc/wireguard/wg0.conf

ListenPort = 993 # UDP
SaveConfig = false
Address =, fd86:ea04:1115::1/128

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = true

[Peer] ## Generate from Android or other device
AllowedIPs =, fd86:ea04:1115::2/128

Save and fire it up!

wg-quick down wg0
wg-quick up wg0

Make it auto start on boot

systemctl enable [email protected]

Enable port forwarding

nano /etc/sysctl.conf 

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

sysctl -p 

Client config

PrivateKey = <Output of privatekey file that contains your private key>
Address =, fd86:ea04:1115::2/128
MTU = 1360
PublicKey = <Server's public key from *wg show* command on server>
Endpoint = <Linux server's Public IP>:993
AllowedIPs =, ::/0
PersistentKeepalive = 25

Updated on April 13 2019

If you using Google cloud with one-key Wireguard setup, and facing following error

$ ip link add dev wg0 type wireguard
RNETLINK answers: Operation not supported 


// Get latest linux-header
apt-get install libmnl-dev libelf-dev linux-headers-$(uname -r) build-essential pkg-config

// install wiregurad-tools again
apt-get install wireguard-dkms wireguard-tools

// Done
Credit: https://askubuntu.com/questions/973297/rnetlink-answers-operation-not-supported-fresh-ubuntu-fresh-wireguard

Photo by Matteo Catanese on Unsplash