In this blog post, we are going to install WireGuard server on Linux. I already showed you a WireGuard installation on Amazon Lightsail in a previous blog post. And in this past blog post, I showed you the WireGuard client installation on Windows. The issue with the installation in these blog posts is that it only supports IPv4. If you have a client that only speaks IPv6, the described configuration does not work. The problem is that Amazon Lightsail currently does not support IPv6.
This time we are going to do a WireGuard server installation that supports IPv4 and IPv6 peers. For the following installation, I use a Virtual Private Server from Hetzner, a company that has data centers in Germany and Finland (Helsinki). The servers from Hetzner have out of the box IPv4 and IPv6 support.
I run the following installation on a pristine Ubuntu 18.04 with just an SSH server and the base system installed. I use the smallest server that Hetzner offers with 2 GB RAM. Plenty of memory for just running a WireGuard server.
For the following WireGuard installation, I'm going to use a script that is hosted in this GitHub repository. First, a word of warning: When you download scripts from the Internet, do not simply execute them. Always open the file in an editor after you have downloaded it. Scan the code and try to understand what the script does. Look for statements like apt, rpm, yum, wget and curl that download files from the Internet. The reason to be careful is that it's very easy for an attacker to install a backdoor or malware on your server this way.
With this warning out of the way, we can now proceed with the installation. The benefit of using this batch file is that it supports multiple Linux variants: CentOS, Debian, Ubuntu, Arch, Fedora, Redhat, Raspbian. The installation requires a Linux with a 4.1 or newer kernel. You also need root access, or a user account with sudo privilege to execute the script.
Make sure that your system is up to date. On Ubuntu, you can do this with the following command
apt update && apt dist-upgrade
Download the latest version of the script with this command:
curl https://raw.githubusercontent.com/complexorganizations/wireguard-manager/master/wireguard-server.sh --create-dirs -o /etc/wireguard/wireguard-server.sh
Or even better use a link that contains the commit SHA-1 hash. Downloading the script this way has the advantage that when you want to run the script multiple times, you only have to check the contents once. Even when an attacker takes over the GitHub account, he can't change the content of the file without changing the SHA-1.
This command downloads the version of the script from April 15th, 2020.
curl https://raw.githubusercontent.com/complexorganizations/wireguard-manager/0de8edcceddd1840b46360aa906c4d7d5a2aeb3c/wireguard-server.sh --create-dirs -o /etc/wireguard/wireguard-server.sh
Open the script in an editor and check the contents!
Next, execute the script with the following command
The script guides you through the installation.
Firstly, the script asks you about the IP addresses and which tools to detect IP. Confirm these settings with
y. The defaults should work fine.
What ipv4 subnet do you want to use? 1) 10.8.0.0/24 (Recommended) 2) 10.0.0.0/24 3) Custom (Advanced) Subnetwork choice [1-3]: 1 What ipv6 subnet do you want to use? 1) fd42:42:42::0/64 (Recommended) 2) fd86:ea04:1115::0/64 3) Custom (Advanced) Subnetwork choice [1-3]: 1 How would you like to detect IPV4? 1) Curl (Recommended) 2) IP (Advanced) 3) Custom (Advanced) ipv4 choice [1-3]: 1 How would you like to detect IPV6? 1) Curl (Recommended) 2) IP (Advanced) 3) Custom (Advanced) ipv6 choice [1-3]: 1 How would you like to detect IPV6? 1) IP (Recommended) 2) Custom (Advanced) nic choice [1-2]: 1
Next, it asks you about the port you want to WireGuard to listen to I recommend using a custom port (option 2). For this example, I use 55443
What port do you want WireGuard server to listen to? 1) 51820 (Recommended) 2) Custom (Advanced) 3) Random [1024-65535] Port choice [1-3]: 2 Custom port [1-65535]: 55443
Using a custom or random compared to the predefined 51820 port does not increase security, but it prevents a few drive by port scans that only listen for well-known ports. A targeted attack against your server with a full port scan will reveal all open ports.
Next, the script asks about the keepalive interval and MTU. I recommend you confirm the defaults.
What do you want your keepalive interval to be? 1) 25 (Default) 2) 0 3) Custom (Advanced) Nat Choice [1-3]: 1 What MTU do you want to use? 1) 1280 (Recommended) 2) 1420 3) Custom (Advanced) MTU choice [1-3]: 1
After that, the scripts ask you about what IP version your clients should use to connect to the WireGuard server. Here I would always choose option 1 unless all your clients only use IPv6 but no IPv4 addresses.
What IPv do you want to use to connect to WireGuard server? 1) IPv4 (Recommended) 2) IPv6 (Advanced) IP Choice [1-2]: 1
Next, you can disable one of the IP protocols. Useful if you are sure that you are only going to use one of the IP protocols, but usually you would select option 1
Do you want to disable IPv4 or IPv6 on the server? 1) No (Recommended) 2) IPV4 3) IPV6
The next option concerns the client. The script asks you if the client should forward all traffic through the VPN connection or exclude private IPs. Private IP addresses are located in these ranges 192.168.0.0 - 192.168.255.255, 172.16.0.0 - 172.31.255.255 and 10.0.0.0 - 10.255.255.255 and are used for internal LANs. If you use a WireGuard connection and, at the same time, want to connect to your LAN, select option 2. In this example, all my clients are not connected to any LAN, so I select option 1.
What traffic do you want the client to forward to wireguard? 1) Everything (Recommended) 2) Exclude Private IPs (Allows LAN IP connections) Client Allowed IP Choice [1-2]: 1
Next, the script asks about installing Unbound. Unbound is a DNS server. I would recommend installing it so your WireGuard server can also act as the DNS resolver and all the DNS traffic also flows through the VPN and hides it from your ISP
Do You Want To Install Unbound (y/n): y
Lastly, the script asks about a name for the client configuration. The script not only installs the WireGuard server, it also creates one client configuration.
Lets name the WireGuard Peer, Only use words no special characters Client name: mylaptop
After this, the script starts to install WireGuard and all dependent libraries. As the last step, it creates the client configuration and displays a QR code on the screen. You can scan this code with your iOS and Android WireGuard app.
The scripts writes the server configuration into the file
/etc/wireguard/wg0.conf and the client configuration into the file
Don't forget to open the incoming WireGuard port, when you have a firewall installed. You only have to open the port for UDP connections. If you use the UFW firewall you can open the port with this command
ufw allow 55443/udp
Adding more clients
The script is not only useful for the initial installation; it can also help you create more client configurations. When you run the script the second time it recognizes that WireGuard server is already installed and presents a different menu
root@ubuntu-blog:~# bash /etc/wireguard/wireguard-server.sh What do you want to do? 1) Show WireGuard Interface 2) Start WireGuard Interface 3) Stop WireGuard Interface 4) Restart WireGuard Interface 5) Add WireGuard Peer 6) Remove WireGuard Peer 7) Reinstall WireGuard Interface 8) Uninstall WireGuard Interface 9) Update this script
Here you can start and stop the WireGuard server, add and remove WireGuard clients and uninstall the WireGuard server.
To add a new client select option 5 and give the client a name
Select an Option [1-9]: 5 Tell me a new name for the client config file. Use one word only, no special characters. (No Spaces) New client name: laptop2
The script displays the QR code you can scan with your phone.
When you have a client that can't scan the QR code, like the Windows client, open the configuration file on the server
Open the configuration dialog on the client and copy and paste the configuration from the server into your client.
To install WireGuard with the presented script is very convenient. You get a well-tested server configuration that is reviewed and used by many users.
But always be careful with scripts you download from the Internet and run on your server.