Configuring WireGuard
Below is a straightforward, step-by-step guide to installing and configuring WireGuard as a client on Ubuntu. This assumes you already have a functioning WireGuard server running somewhere (for example, on a VPS, OPNsense, or another machine) and that you have the server’s configuration details.
1. Install WireGuard
Ubuntu 20.04 or higher
- Update and upgrade packages:
sudo apt update
sudo apt upgrade -y
- Install WireGuard:
sudo apt install wireguard -y
Note: On older Ubuntu releases (18.04 and below), you might need to enable backports or install from PPA, but most modern Ubuntu distributions have WireGuard available by default.
2. Generate Client Keys
- Create a directory for WireGuard configuration (optional but recommended):
sudo mkdir -p /etc/wireguard; sudo chmod 700 /etc/wireguard
- Generate a private key and store it in a file:
umask 077; wg genkey | sudo tee /etc/wireguard/client_private.key > /dev/null
umask 077 ensures that the generated file is only accessible by the file owner (root). client_private.key is your client’s private key.
- Generate a public key from the private key:
sudo cat /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key > /dev/null
client_public.key will be the public key derived from the private key.
- View your client’s public key (useful for adding it to the server config):
sudo cat /etc/wireguard/client_public.key
Copy this output and add it to your server’s WireGuard configuration under the [Peer] section for this client. The server will need this to recognize your client.
3. Create the Client Configuration File
- Open a new config file for the client (for example, wg-client.conf in /etc/wireguard):
sudo nano /etc/wireguard/wg-client.conf
- Add the following configuration (adjusting details to match your setup):
[Interface]
# Replace with your private key
PrivateKey = <contents_of_client_private.key>
# The VPN interface IP address on the client side.
# Must be in the same subnet as the server's VPN interface.
Address = 10.8.0.2/24
# DNS servers you want to use when the VPN is up (e.g., 1.1.1.1, 8.8.8.8, or your server)
DNS = 1.1.1.1
# Optional: have wg-quick write the interface's runtime state back to this file on shutdown
# SaveConfig = true
[Peer]
# Server's public key (from server configuration)
PublicKey = <server_public_key_here>
# The IP/Hostname and the server's WireGuard port
Endpoint = your.server.ip.address:51820
# Which IPs should go through the VPN; for a full tunnel, use 0.0.0.0/0, ::/0
AllowedIPs = 0.0.0.0/0, ::/0
# Optional: Keepalive packets if behind NAT
PersistentKeepalive = 25
- Replace <contents_of_client_private.key> with the contents of client_private.key.
- Replace <server_public_key_here> with the public key from your server.
- Adjust the Address to match your server’s subnet (often 10.8.0.x/24 or something similar).
- Make sure the Endpoint IP/port matches your server’s public IP address and WireGuard port.
- Secure the permissions:
sudo chmod 600 /etc/wireguard/wg-client.conf
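A pre-flight check for the file built in this section, as an added example that is not part of the original guide. The function name lint_wg_conf and the set of checks are this example's own, and it assumes GNU stat as shipped on Ubuntu.

```bash
#!/usr/bin/env bash
# Added example: lint a wg-quick client config before bringing the tunnel up.
# Usage: lint_wg_conf /etc/wireguard/wg-client.conf   (as root on a real host)
# Prints one line per problem and returns the number of problems found.

lint_wg_conf() {
    local conf=$1 problems=0 mode field key
    # A WireGuard key is 32 bytes: 43 base64 characters plus one '=' pad.
    local key_re='^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'

    note() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # value_of NAME: first value assigned to NAME, comments and spaces removed.
    value_of() {
        sed -n -e 's/#.*//' -e "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$conf" |
            head -n 1 | tr -d '[:space:]'
    }

    [ -r "$conf" ] || { echo "PROBLEM: cannot read $conf"; return 1; }

    # The file embeds the private key, so group and others get no access.
    mode=$(stat -c '%a' "$conf")
    case $mode in
        600|400) ;;
        *) note "mode is $mode, expected 600 (chmod 600 $conf)" ;;
    esac

    # Catches unreplaced <placeholders>, truncated pastes and missing lines.
    for field in PrivateKey PublicKey; do
        key=$(value_of "$field")
        printf '%s\n' "$key" | grep -Eq "$key_re" ||
            note "$field is missing or not a 32-byte base64 key"
    done

    value_of Endpoint | grep -Eq ':[0-9]+$' || note "Endpoint must be host:port"
    [ -n "$(value_of Address)" ] || note "Address is missing"
    [ -n "$(value_of AllowedIPs)" ] || note "AllowedIPs is empty, nothing is routed"

    return "$problems"
}
```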
4. Add the Client Peer to the Server Configuration
On your WireGuard server, you need to add a [Peer] section for the client. It typically goes into the server’s /etc/wireguard/wg0.conf (or equivalent). For example:
[Peer]
# Description: client machine
PublicKey = <client_public_key_here>
AllowedIPs = 10.8.0.2/32
- Use the client’s public key you noted above.
- AllowedIPs = 10.8.0.2/32 ensures traffic to that IP is routed through this tunnel, and that the server only accepts packets from this peer with that source address.
Restart the WireGuard interface on the server to apply these changes:
sudo systemctl restart wg-quick@wg0
(Or use your actual interface name if it’s different than wg0.)
5. Bring Up the VPN on the Client
Back on the client (Ubuntu machine), you can activate your WireGuard connection:
sudo wg-quick up /etc/wireguard/wg-client.conf
- If everything is configured correctly, you should see the interface come up.
You can check the status of your WireGuard interface with:
sudo wg
This will display information such as the public key, endpoint, transfer data, etc.
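The interface coming up does not prove the server accepted your key; the latest-handshake time does. The check below is an added example, not part of the original guide: it reads the output of wg show <interface> latest-handshakes, and the function names and the 180-second threshold are choices made for this example (handshakes are renewed about every two minutes while traffic flows).

```bash
#!/usr/bin/env bash
# Added example: flag peers whose last handshake is missing or too old.
# Input on stdin: lines of "<peer-public-key><TAB><unix-epoch>", the format
# printed by `wg show <interface> latest-handshakes` (epoch 0 = never).

# stale_peers NOW MAX_AGE
# Prints "<key> never" or "<key> <age>s" per stale peer; returns 1 if any.
stale_peers() {
    awk -v now="$1" -v max="$2" '
        $2 == 0        { print $1, "never"; bad++; next }
        now - $2 > max { print $1, (now - $2) "s"; bad++ }
        END            { exit (bad > 0) }
    '
}

# check_tunnel [INTERFACE]: run the check against a live interface.
# 180 seconds is a threshold chosen for this example.
check_tunnel() {
    sudo wg show "${1:-wg-client}" latest-handshakes |
        stale_peers "$(date +%s)" 180
}
```

A peer reported as "never" usually means the client public key is not in the server's [Peer] section, or the Endpoint address or port is wrong or blocked.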
6. (Optional) Enable Autostart at Boot
If you want the client to start automatically on reboot:
- Copy your config to a file named after the interface:
sudo cp /etc/wireguard/wg-client.conf /etc/wireguard/wg0.conf
Note: WireGuard’s default systemd script expects an interface name that matches the config file, e.g., wg0.conf.
- Enable and start the service:
sudo systemctl enable wg-quick@wg0; sudo systemctl start wg-quick@wg0
- Now your client interface (wg0) will come up at boot.
7. Verify Connectivity
Once the VPN is up, you can test by:
- Checking IP address:
ip address show wg0
  - You should see the IP (10.8.0.2 in the example above).
- Pinging the server:
ping 10.8.0.1
  - This verifies connectivity within the VPN tunnel.
- Checking public IP (for full tunnel setups):
curl ifconfig.me
  - You should see the server’s public IP if you routed all traffic (0.0.0.0/0) through WireGuard.
Summary
- Install WireGuard on Ubuntu using apt install wireguard.
- Generate keys (private and public) on the client.
- Create the client config file referencing your private key, server’s public key, and the desired IP addresses.
- Add the client’s public key into the server’s [Peer] configuration.
- Bring up the interface on the client with sudo wg-quick up /etc/wireguard/wg-client.conf.
- (Optional) Enable autostart using systemd and rename the config to wg0.conf.
- Test connectivity to ensure everything is working.
That’s it! You now have a WireGuard VPN client running on Ubuntu. You can use this guide to connect to an existing WireGuard server securely. If you run into any issues, check logs using sudo journalctl -u wg-quick@wg0 or use sudo wg to get debug information.