Tested April 2026<\/strong> on Ubuntu 26.04 LTS (kernel 7.0.0-10), WireGuard tools v1.0.20250521<\/em><\/p>\n\n The article uses OpenVPN and IPsec work, but both carry decades of cipher choices, legacy options and config complexity. WireGuard takes the opposite approach: one cipher suite, no negotiation, no certificates, no PKI. Keys are short base64 strings you exchange once. The kernel module has been in mainline Linux since 5.6, so on Ubuntu 26.04 there is nothing extra to compile. You only need the userspace tooling.<\/p>\n\n Refresh the package index and install the WireGuard userspace tools. The kernel module is already present in stock Ubuntu 26.04, so this is a small install.<\/p>\n\n\n Confirm the version you landed on:<\/p>\n\n\n You should see the shipped version string:<\/p>\n\n\n WireGuard peers identify each other by public keys. Generate a private key for the server, derive the public key, and set a restrictive umask so the private key never lands with world-readable permissions.<\/p>\n\n\n Print both keys. You will paste the public key into the client config shortly.<\/p>\n\n\n Keys are 44-character base64 strings. Treat the private key the same way you treat an SSH private key: never copy it off the server, never commit it to git.<\/p>\n\n Create Paste this, substituting your own private key:<\/p>\n\n\n Replace Lock down the file permissions:<\/p>\n\n\n Without forwarding, the server drops traffic destined for the internet, even with masquerade rules in place. Enable it persistently:<\/p>\n\n\n The output confirms the kernel accepted the new value:<\/p>\n\n\n Ubuntu ships UFW but it is inactive by default. Allow SSH so you do not lock yourself out, then open UDP\/51820 for WireGuard:<\/p>\n\n\n Confirm both rules are active:<\/p>\n\n\n The masquerade rules in Use the Check the service state:<\/p>\n\n\n The unit type is Verify the You should see the tunnel address and a UP state:<\/p>\n\n\n Switch to the client machine. Install the same tools and create its key pair the same way:<\/p>\n\n\n Print the client public key. This is what you will add to the server’s peer list:<\/p>\n\n\n Create Fill in the client private key and the server’s public key:<\/p>\n\n\n Set strict permissions:<\/p>\n\n\n Back on the server, append the peer block to Reload the interface in place without dropping the current peer sessions using The On the client, enable and start the service:<\/p>\n\n\n Within a couple of seconds, The client view shows the peer endpoint, a recent handshake timestamp, and byte counters moving:<\/p>\n\n\n Three tests confirm everything works: handshake, ICMP over the tunnel, and routed traffic through the VPN.<\/p>\n\n From the client, ping the server’s VPN address:<\/p>\n\n\n Sub-millisecond round trips on a LAN, single-digit milliseconds over the internet:<\/p>\n\n\n Confirm external traffic exits through the server by checking your public IP:<\/p>\n\n\n The returned address should match the server’s public IP, not the client’s:<\/p>\n\n\n On the server, The Change the value on the client, reload, and WireGuard rewrites the routes accordingly.<\/p>\n\n Every additional client needs its own key pair, its own Add a laptop client and copy its generated config back to that laptop:<\/p>\n\n\n The resulting When The port should be in The peer counters climb on both sides, the ping to Forwarding must be On the client, Alternatively, point the client at a public resolver directly in This appears when the kernel has no WireGuard module. On Ubuntu 26.04 it ships in-tree, so the fix is almost always that an older kernel is still booted after an update. Reboot, or check with A working tunnel is the starting point. A few natural next steps:<\/p>\n\n WireGuard will not solve every networking problem, but for point-to-site and site-to-site tunnels on Linux, it is hard to beat on simplicity, performance, and cipher hygiene.<\/p>\n","protected":false},"excerpt":{"rendered":" Every remote worker, every road-warrior laptop, every home-lab server that needs to reach the office safely ends up needing a VPN. The choice used to be painful: OpenVPN with its sprawling config, or a commercial mesh VPN with a monthly bill. WireGuard changed that. It ships inside the Linux kernel, the config is short enough … Read more<\/a><\/p>\n","protected":false},"author":17,"featured_media":166210,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[50,75,81],"tags":[282,2254,39816,583,2944],"cfg_series":[39802],"class_list":["post-166211","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux-tutorials","category-security","category-ubuntu","tag-linux","tag-ubuntu","tag-ubuntu-26-04","tag-vpn","tag-wireguard","cfg_series-ubuntu-2604-security"],"_links":{"self":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/166211","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/comments?post=166211"}],"version-history":[{"count":1,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/166211\/revisions"}],"predecessor-version":[{"id":166212,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/166211\/revisions\/166212"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media\/166210"}],"wp:attachment":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media?parent=166211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/categories?post=166211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/tags?post=166211"},{"taxonomy":"cfg_series","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/cfg_series?post=166211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Prerequisites<\/h2>\n\n
\n
203.0.113.10<\/code> as the stand-in for the server’s public IP and 10.100.0.0\/24<\/code> as the VPN subnet. Swap these for your real values.<\/p>\n\nWhy WireGuard<\/h2>\n\n
Step 1: Install WireGuard on the server<\/h2>\n\n
sudo apt update\nsudo apt install -y wireguard wireguard-tools<\/code><\/pre>\n\n\nwg --version<\/code><\/pre>\n\n\nwireguard-tools v1.0.20250521 - https:\/\/git.zx2c4.com\/wireguard-tools\/<\/code><\/pre>\n\n\nStep 2: Generate the server key pair<\/h2>\n\n
sudo mkdir -p \/etc\/wireguard\ncd \/etc\/wireguard\nsudo sh -c 'umask 077; wg genkey | tee server_private.key | wg pubkey > server_public.key'<\/code><\/pre>\n\n\nsudo cat \/etc\/wireguard\/server_private.key\nsudo cat \/etc\/wireguard\/server_public.key<\/code><\/pre>\n\n\nStep 3: Write the server configuration<\/h2>\n\n
\/etc\/wireguard\/wg0.conf<\/code>. The interface block defines the VPN subnet, the listening port, and the NAT rules that rewrite client traffic on the way out. The [Peer]<\/code> block comes later once you have the client’s public key.<\/p>\n\n\nsudo nano \/etc\/wireguard\/wg0.conf<\/code><\/pre>\n\n\n[Interface]\nAddress = 10.100.0.1\/24\nListenPort = 51820\nPrivateKey = SERVER_PRIVATE_KEY_HERE\nSaveConfig = false\n\nPostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\nPostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE<\/code><\/pre>\n\n\neth0<\/code> with your actual outbound interface if it differs. You can check with ip route show default<\/code>. The PostUp<\/code> and PostDown<\/code> hooks toggle forwarding and source-NAT automatically when the interface comes up and goes down, so there are no stray iptables rules after a stop.<\/p>\n\nsudo chmod 600 \/etc\/wireguard\/wg0.conf<\/code><\/pre>\n\n\nStep 4: Enable IPv4 forwarding<\/h2>\n\n
echo 'net.ipv4.ip_forward=1' | sudo tee \/etc\/sysctl.d\/99-wireguard.conf\nsudo sysctl -p \/etc\/sysctl.d\/99-wireguard.conf<\/code><\/pre>\n\n\nnet.ipv4.ip_forward = 1<\/code><\/pre>\n\n\nStep 5: Open the UFW firewall<\/h2>\n\n
sudo ufw allow 22\/tcp\nsudo ufw allow 51820\/udp\nsudo ufw --force enable\nsudo ufw status verbose<\/code><\/pre>\n\n\nStatus: active\nLogging: on (low)\nDefault: deny (incoming), allow (outgoing), deny (routed)\nNew profiles: skip\n\nTo Action From\n-- ------ ----\n22\/tcp ALLOW IN Anywhere\n51820\/udp ALLOW IN Anywhere<\/code><\/pre>\n\n\nwg0.conf<\/code> handle NAT via iptables directly, so no further UFW changes are needed for routed traffic.<\/p>\n\nStep 6: Start the WireGuard service<\/h2>\n\n
wg-quick@<\/code> systemd template to bring the interface up and enable it at boot. The unit name matches the config filename, so wg0.conf<\/code> maps to wg-quick@wg0<\/code>.<\/p>\n\n\nsudo systemctl enable --now wg-quick@wg0<\/code><\/pre>\n\n\nsudo systemctl status wg-quick@wg0 --no-pager<\/code><\/pre>\n\n\noneshot<\/code>, so it reports active (exited)<\/code> which is the expected state for a successful run:<\/p>\n\n\n![\"wg-quick@wg0](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/04\/wm-wireguard-systemctl-status-ubuntu-2604.png\" "\\"\\"")
<\/figure>\n\n\nwg0<\/code> interface exists and has the right address:<\/p>\n\n\nip addr show wg0<\/code><\/pre>\n\n\n3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000\n link\/none\n inet 10.100.0.1\/24 scope global wg0\n valid_lft forever preferred_lft forever<\/code><\/pre>\n\n\nStep 7: Generate the client key pair<\/h2>\n\n
sudo apt update\nsudo apt install -y wireguard wireguard-tools\nsudo mkdir -p \/etc\/wireguard\ncd \/etc\/wireguard\nsudo sh -c 'umask 077; wg genkey | tee client_private.key | wg pubkey > client_public.key'<\/code><\/pre>\n\n\nsudo cat \/etc\/wireguard\/client_public.key<\/code><\/pre>\n\n\nStep 8: Write the client configuration<\/h2>\n\n
\/etc\/wireguard\/wg0.conf<\/code> on the client. The Endpoint<\/code> is the server’s public address, AllowedIPs = 0.0.0.0\/0<\/code> sends all traffic through the tunnel (full tunnel), and PersistentKeepalive<\/code> keeps NAT mappings alive if the client is behind a home router.<\/p>\n\n\nsudo nano \/etc\/wireguard\/wg0.conf<\/code><\/pre>\n\n\n[Interface]\nAddress = 10.100.0.2\/24\nPrivateKey = CLIENT_PRIVATE_KEY_HERE\nDNS = 1.1.1.1\n\n[Peer]\nPublicKey = SERVER_PUBLIC_KEY_HERE\nEndpoint = 203.0.113.10:51820\nAllowedIPs = 0.0.0.0\/0\nPersistentKeepalive = 25<\/code><\/pre>\n\n\nsudo chmod 600 \/etc\/wireguard\/wg0.conf<\/code><\/pre>\n\n\nStep 9: Register the client as a peer on the server<\/h2>\n\n
\/etc\/wireguard\/wg0.conf<\/code>. The AllowedIPs<\/code> here is \/32<\/code>, meaning “only this one VPN address belongs to this peer” which prevents IP spoofing between clients.<\/p>\n\n\nsudo tee -a \/etc\/wireguard\/wg0.conf > \/dev\/null <<'PEER'\n\n[Peer]\nPublicKey = CLIENT_PUBLIC_KEY_HERE\nAllowedIPs = 10.100.0.2\/32\nPEER<\/code><\/pre>\n\n\nwg syncconf<\/code>:<\/p>\n\n\nsudo wg syncconf wg0 <(sudo wg-quick strip wg0)<\/code><\/pre>\n\n\nstrip<\/code> subcommand returns a plain wg<\/code>-compatible config with the wg-quick<\/code> extensions removed, which is exactly what syncconf<\/code> expects. No restart, no dropped traffic.<\/p>\n\nStep 10: Bring the client tunnel up<\/h2>\n\n
sudo systemctl enable --now wg-quick@wg0<\/code><\/pre>\n\n\nwg<\/code> should show a handshake:<\/p>\n\n\nsudo wg<\/code><\/pre>\n\n\n![\"WireGuard](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/04\/wm-wireguard-client-handshake-ubuntu-2604.png\" "\\"\\"")
<\/figure>\n\n\nStep 11: Verify the tunnel end to end<\/h2>\n\n
ping -c 4 10.100.0.1<\/code><\/pre>\n\n\nPING 10.100.0.1 (10.100.0.1) 56(84) bytes of data.\n64 bytes from 10.100.0.1: icmp_seq=1 ttl=64 time=0.808 ms\n64 bytes from 10.100.0.1: icmp_seq=2 ttl=64 time=0.766 ms\n64 bytes from 10.100.0.1: icmp_seq=3 ttl=64 time=0.709 ms\n64 bytes from 10.100.0.1: icmp_seq=4 ttl=64 time=0.816 ms\n\n--- 10.100.0.1 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3080ms<\/code><\/pre>\n\n\ncurl -s ifconfig.me<\/code><\/pre>\n\n\n203.0.113.10<\/code><\/pre>\n\n\nsudo wg<\/code> shows the peer’s traffic counters climbing, which is the final sanity check that packets flow both ways:<\/p>\n\n\n![\"WireGuard](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/04\/wm-wireguard-server-status-ubuntu-2604.png\" "\\"\\"")
<\/figure>\n\n\nFull tunnel versus split tunnel<\/h2>\n\n
AllowedIPs<\/code> directive on the client controls which traffic enters the tunnel. Two common choices:<\/p>\n\n\n
0.0.0.0\/0<\/code>): every packet from the client goes through WireGuard. Use this for privacy on untrusted Wi-Fi and for forcing company traffic through an office egress.<\/li>\n10.100.0.0\/24, 10.0.0.0\/16<\/code>): only traffic to specific networks traverses the VPN. Everything else uses the local gateway. Use this for reaching internal resources without backhauling Netflix.<\/li>\n<\/ul>\n\nAdding more clients<\/h2>\n\n
\/32<\/code> address inside 10.100.0.0\/24<\/code>, and its own [Peer]<\/code> block on the server. Here is a small helper script that generates everything for one new client:<\/p>\n\n\nsudo tee \/usr\/local\/sbin\/wg-add-client > \/dev\/null <<'SH'\n#!\/usr\/bin\/env bash\nset -euo pipefail\nNAME=${1:?usage: wg-add-client NAME VPN_IP}\nIP=${2:?usage: wg-add-client NAME VPN_IP}\nSERVER_PUB=$(cat \/etc\/wireguard\/server_public.key)\nENDPOINT=203.0.113.10:51820\ncd \/etc\/wireguard\numask 077\nwg genkey | tee clients\/${NAME}.key | wg pubkey > clients\/${NAME}.pub\ncat > clients\/${NAME}.conf <<CFG\n[Interface]\nAddress = ${IP}\/24\nPrivateKey = $(cat clients\/${NAME}.key)\nDNS = 1.1.1.1\n\n[Peer]\nPublicKey = ${SERVER_PUB}\nEndpoint = ${ENDPOINT}\nAllowedIPs = 0.0.0.0\/0\nPersistentKeepalive = 25\nCFG\n\ncat >> \/etc\/wireguard\/wg0.conf <<PEER\n\n[Peer]\n# ${NAME}\nPublicKey = $(cat clients\/${NAME}.pub)\nAllowedIPs = ${IP}\/32\nPEER\n\nwg syncconf wg0 <(wg-quick strip wg0)\necho \"Client config: \/etc\/wireguard\/clients\/${NAME}.conf\"\nSH\nsudo chmod +x \/usr\/local\/sbin\/wg-add-client\nsudo mkdir -p \/etc\/wireguard\/clients<\/code><\/pre>\n\n\nsudo wg-add-client laptop 10.100.0.3<\/code><\/pre>\n\n\n\/etc\/wireguard\/clients\/laptop.conf<\/code> can be scp’d or pasted into the WireGuard mobile app (install qrencode<\/code> and run qrencode -t ansiutf8 < clients\/laptop.conf<\/code> to show a scannable QR code in the terminal).<\/p>\n\nTroubleshooting<\/h2>\n\n
No handshake ever happens<\/h3>\n\n
sudo wg<\/code> on the client shows latest handshake:<\/code> with no value, or the client’s transfer<\/code> stays at zero sent, packets are not reaching the server. Check the server’s firewall first:<\/p>\n\n\nsudo ss -ulnp | grep 51820<\/code><\/pre>\n\n\nUNCONN<\/code> state bound to 0.0.0.0<\/code>. If nothing listens, wg-quick@wg0<\/code> did not start. If it listens but handshake still fails, the upstream provider or cloud security group is blocking UDP\/51820. Cloud VPCs, AWS security groups and some ISPs silently drop unsolicited UDP.<\/p>\n\nHandshake works but no internet<\/h3>\n\n
10.100.0.1<\/code> works, but curl ifconfig.me<\/code> from the client times out. This is almost always a missing masquerade rule or disabled forwarding. Verify both on the server:<\/p>\n\n\nsysctl net.ipv4.ip_forward\nsudo iptables -t nat -L POSTROUTING -n -v<\/code><\/pre>\n\n\n1<\/code>, and the POSTROUTING chain must show a MASQUERADE rule tied to your outbound interface. If the rule is missing, systemctl restart wg-quick@wg0<\/code> reruns the PostUp<\/code> hook and reinstates it.<\/p>\n\nDNS does not resolve inside the tunnel<\/h3>\n\n
ping 1.1.1.1<\/code> works but ping google.com<\/code> does not. The DNS<\/code> directive in the client config requires resolvconf<\/code> or systemd-resolved<\/code> to apply. Install it if missing:<\/p>\n\n\nsudo apt install -y openresolv<\/code><\/pre>\n\n\n\/etc\/resolv.conf<\/code> or run a small resolver on the server (dnsmasq<\/code> or unbound<\/code>) and set DNS = 10.100.0.1<\/code>.<\/p>\n\nError: “Unable to access interface: Protocol not supported”<\/h3>\n\n
uname -r<\/code> that you are running a 6.x or 7.x kernel.<\/p>\n\nGoing further<\/h2>\n\n
\n
10.100.0.1<\/code>.<\/li>\nwg show dump<\/code> via a small exporter. See the Prometheus on Ubuntu 26.04 guide<\/a>.<\/li>\n