WireGuard on Ubuntu (server) and Android (client)

WireGuard is lightweight VPN with extremely simple configuration. All below was tested on Ubuntu 18.04 as server and Anroid 8.0.0 as client.

Server

Installation from official ppa:

apt-add-repository ppa:wireguard/wireguard
apt update
apt install wireguard

Client and server authenticate each other with asymmetric keys (like in SSH). Keys are generated with management utility wg:

wg genkey

This will be server auth key (client auth key can be generated with the same command or in mobile application, you will need public part in config).

Add configuration file sudo vim /etc/wireguard/wg0.conf:

[Interface]
Address = 10.9.0.1/24
PrivateKey = <generaed by wg0 private key>
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <public key generated on client (android app)>
AllowedIPs = 10.9.0.2/32

And fix chmod:

chmod 600 /etc/wireguard/wg0.conf

This configuration includes routing internet requests from VPN clients. If you do not need it (communication between server and client is enough), omit MASQUERADE lines.

Enable systemd to autorun service:

sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload

Start it manually first time:

wg-quick up wg0

Enable web forwarding if you have kept MASQUERADE lines in the config:

vim /etc/sysctl.conf
net.ipv4.ip_forward=1

Client

Install application from Play

Create configuration from scratch.

Name is anything
Private key can be generated with “generate” button or with wg utility on server and copied from there
Addresses is the same as in client section of server (10.9.0.2/32 in this note)
Listen port is any, you can keep 51820 similar to server
DNS server - any, use Yandex’s 77.88.8.8 or Google’s 8.8.8.8
MTU copy from server (after starting wireguard service, run ifconfig wg0)

Peer section - server config:

Public key: public part of server key (you can extract it fdom private with echo public key | wg pubkey)
Allowed IPS: server IP 10.9.0.1 if do not want to route all traffic via server, or 0.0.0.0/0 if you want it
Endpoint: server_host:server port (like myhost.com:51820)