WireGuard on Ubuntu (server) and Android (client)

#howto #ubuntu #VPN #server

WireGuard is lightweight VPN with extremely simple configuration. All below was tested on Ubuntu 18.04 as server and Anroid 8.0.0 as client.

§ Server

Installation from official ppa:

apt-add-repository ppa:wireguard/wireguard
apt update
apt install wireguard

Client and server authenticate each other with asymmetric keys (like in SSH). Keys are generated with management utility wg:

wg genkey

This will be server auth key (client auth key can be generated with the same command or in mobile application, you will need public part in config).

Add configuration file sudo vim /etc/wireguard/wg0.conf:

Address =
PrivateKey = <generaed by wg0 private key>
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

PublicKey = <public key generated on client (android app)>
AllowedIPs =

And fix chmod:

chmod 600 /etc/wireguard/wg0.conf

This configuration includes routing internet requests from VPN clients. If you do not need it (communication between server and client is enough), omit MASQUERADE lines.

Enable systemd to autorun service:

sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload

Start it manually first time:

wg-quick up wg0

Enable web forwarding if you have kept MASQUERADE lines in the config:

vim /etc/sysctl.conf

§ Client

Install application from Play

Create configuration from scratch.

  • Name is anything
  • Private key can be generated with “generate” button or with wg utility on server and copied from there
  • Addresses is the same as in client section of server ( in this note)
  • Listen port is any, you can keep 51820 similar to server
  • DNS server - any, use Yandex’s or Google’s
  • MTU copy from server (after starting wireguard service, run ifconfig wg0)

Peer section - server config:

  • Public key: public part of server key (you can extract it fdom private with echo public key | wg pubkey)
  • Allowed IPS: server IP if do not want to route all traffic via server, or if you want it
  • Endpoint: server_host:server port (like myhost.com:51820)