
Privacy with wireguard and Stubby

What is Wireguard

WireGuard is VPN tunnelling software that aims to bring simplicity, speed and privacy to your network. It operates at layer 3 (the network layer) of the OSI model. It also sets a high bar for security, as the whitepaper states:

The virtual tunnel interface is based on a proposed fundamental principle of secure tunnels: an association between a peer public key and a tunnel source IP address. It uses a single round trip key exchange, based on NoiseIK, and handles all session creation transparently to the user.

WireGuard uses asymmetric-key cryptography, but unlike OpenVPN you do not need to explicitly manage certificates. WireGuard also offers better network throughput than OpenVPN.

In this post I will go over setting up a simple WireGuard server on Vultr.

Setting Up a server


Vultr is a global cloud-hosting provider that lets users set up cloud instances for a variety of workloads, from raw compute to running apps such as Drupal CMS. You can use my referral link to set up an account and get started. A cheap $5 compute instance running Ubuntu in a location of your choice will be enough. It is also worthwhile to set up an SSH key that is available on first boot.

Once the server is up and running we can begin setting up the required tools for our VPN. These include:

  • Wireguard: (For the wireguard kernel module)
  • Net-tools: (For extra network debugging tools)

Get access to a shell and input these commands

sudo apt-get update && sudo apt-get upgrade
sudo apt-get install wireguard net-tools

These commands fetch any pending updates, upgrade the current installation and finally install the wireguard and net-tools packages.

Configure the server peer

WireGuard is a modern point-to-point VPN, so clients connect to a server peer. We need a public/private key pair to uniquely identify our server. Run these commands to generate it.

mkdir ~/.wg && cd ~/.wg
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

This first creates a directory to hold our keys and changes into it. The umask command sets the file mode creation mask so that newly created files are readable and writable only by the current user; you can run ls -alh to confirm this. Finally we use the wg utility to generate a key pair and write the private and public keys to their respective files.

Finally we create an interface file with the settings of our peer. The file should be placed in the /etc/wireguard/ directory.

[Interface]
PrivateKey = <Private Key>
Address = $INTERNAL_IPV4/$SUBNET, $INTERNAL_IPV6/$SUBNET
ListenPort = $PORT
PostUp = iptables -A FORWARD -i $IF_NAME -j ACCEPT; iptables -t nat -A POSTROUTING -o $LAN_NAME -j MASQUERADE; ip6tables -A FORWARD -i $IF_NAME -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $LAN_NAME -j MASQUERADE
PostDown = iptables -D FORWARD -i $IF_NAME -j ACCEPT; iptables -t nat -D POSTROUTING -o $LAN_NAME -j MASQUERADE; ip6tables -D FORWARD -i $IF_NAME -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $LAN_NAME -j MASQUERADE
SaveConfig = true

The private key is the one in the privatekey file we created earlier. The Address can be any valid internal IP in CIDR notation, e.g. 10.0.16.1/24, where 24 is the prefix length that determines how you subnet. See Subnetting for more on this; for a single client, 30 is an OK value. $PORT should be a valid port, preferably > 1024, e.g. 51820. $IF_NAME is the name of the interface, which should also be the name of the file, e.g. wg0. $LAN_NAME should be the interface connected to the outside network, e.g. en3 or enplo1 etc…

You can use ip addr to list the available interfaces. Now you can start the WireGuard peer using:

wg-quick up $IF_NAME

where $IF_NAME is the interface name e.g wg0.

Configure the client peer

The client in this case will be a Linux laptop with WireGuard also installed. As on the server, the file name should be the interface name, e.g. wg0, and the file should be located in the /etc/wireguard/ directory.

[Interface]
PrivateKey =  $PRIVATE_KEY
Address    =  $INTERNAL_IP/24

[Peer]
PublicKey  = $SERVER_PUBLIC_KEY
PersistentKeepalive = 61
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint   = $SERVER_IP:$SERVER_PORT

This is similar to our server config, but the [Peer] section now holds the IP address and port of the server we configured earlier so that the client can connect to it. AllowedIPs is a list of addresses to route through the tunnel; if you set it to 0.0.0.0/0, all traffic will be sent to the peer. You similarly add a [Peer] section to the server config with the client's information, as follows.

[Peer]
PublicKey  = $CLIENT_PUBLIC_KEY
AllowedIPs = $CLIENT_IP
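As an added check (example code, not from the post), the following Python parses a server and a client config of the shape shown above and verifies the three things that most often go wrong when pairing them: the client address lies inside the server's subnet, the server's [Peer] AllowedIPs is exactly the client's /32, and the client's Endpoint port matches the server's ListenPort. The configs, addresses and keys below are constructed placeholders.

```python
import ipaddress
# Constructed sample configs mirroring the post's templates; the keys are placeholders.
SERVER_CONF = """[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.0.16.1/30
ListenPort = 51820
[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.16.2/32
"""
CLIENT_CONF = """[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.0.16.2/30
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""

def parse_wg(text):  # WireGuard's INI-like format; [Peer] may repeat, so peers is a list
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return iface, peers

def check_pair(server_text, client_text):  # returns the problems found; [] means consistent
    s_iface, s_peers = parse_wg(server_text)
    c_iface, c_peers = parse_wg(client_text)
    problems = []
    s_net = ipaddress.ip_interface(s_iface["Address"].split(",")[0].strip()).network
    c_ip = ipaddress.ip_interface(c_iface["Address"].split(",")[0].strip()).ip
    if c_ip not in s_net:
        problems.append(f"client {c_ip} is outside the server subnet {s_net}")
    # The server should accept only the client's own address from this peer (a /32 host route).
    allowed = [ipaddress.ip_network(a.strip()) for a in s_peers[0]["AllowedIPs"].split(",")]
    if allowed != [ipaddress.ip_network(f"{c_ip}/32")]:
        problems.append(f"server peer AllowedIPs {allowed} should be exactly {c_ip}/32")
    port = c_peers[0]["Endpoint"].rpartition(":")[2]  # must match the server's ListenPort
    if port != s_iface.get("ListenPort"):
        problems.append(f"Endpoint port {port} does not match ListenPort {s_iface.get('ListenPort')}")
    return problems
```

A bare AllowedIPs address without a mask, as in the server snippet above, is treated as a /32 by the check, which is also how wg interprets it.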

Starting wireguard

You should now be able to start the interface. Ensure that the WireGuard server is running and that IP forwarding is enabled (net.ipv4.ip_forward = 1 in /etc/sysctl.conf).

Enable the WireGuard service on boot, i.e. systemctl enable wg-quick@wg0, and start the interface on the client:

wg-quick up wg0


Also check that your peer is connected by running sudo wg show.

Your traffic should now be encrypted.


Published Apr 26, 2020
