How to Build Your Own VPN Using a VPS: A Step-by-Step Guide

Creating a private VPN on a Virtual Private Server (VPS) gives full control over traffic routing, privacy, and performance. Instead of relying on third-party VPN providers, organizations and technical users can deploy their own secure VPN gateway using modern protocols.

This guide explains how to build a high-performance VPN using WireGuard, a fast, modern VPN protocol with a small codebase and straightforward configuration. The tutorial assumes technical familiarity with Linux servers and networking concepts.

Target OS: Ubuntu 22.04 or newer running on a VPS with a public IPv4 address.

Requirements

Before starting the VPN deployment, ensure the following requirements are available.

Infrastructure Requirements

  • A VPS with a public IPv4 address
  • Root or sudo access to the VPS
  • Ubuntu 22.04 or newer installed on the server
  • Open UDP port capability on the provider firewall
  • Stable internet connectivity

Recommended VPS Specifications

  • 1 vCPU or higher
  • 1 GB RAM minimum (2 GB recommended for multiple users)
  • 20 GB storage or more
  • At least 100 Mbps network connectivity

Client Requirements

  • WireGuard client application installed on Windows, macOS, Linux, iOS, or Android
  • Permission to import VPN configuration profiles

Required Skills

  • Basic Linux command-line knowledge
  • Ability to edit configuration files via terminal editors such as nano or vim
  • Basic networking understanding (IP addressing and routing)

Once these requirements are met, the VPN server can be configured and client connections added securely.

Architecture Overview

The VPN server runs on a VPS with a public IP. Clients connect securely and route their traffic through the VPS.

  • VPS public IP: VPS_PUBLIC_IP
  • VPN network: 10.8.0.0/24
  • VPN server interface: 10.8.0.1
  • First client IP: 10.8.0.2
  • Protocol: WireGuard over UDP port 51820

All client traffic will pass through the VPS (full tunnel).

Step 1: Prepare the VPS Server

Log in via SSH and update packages.

sudo apt update && sudo apt -y upgrade

Install required tools:

sudo apt -y install wireguard iptables-persistent resolvconf qrencode

Enable IP forwarding so traffic can pass through the server:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Make it permanent:

sudo sed -i 's/^#\?net.ipv4.ip_forward=.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sudo sysctl -p

Step 2: Generate WireGuard Server Keys

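WireGuard uses public and private key pairs. Keep the private key readable by root only. The commands below write to /etc/wireguard by absolute path, so the key files land there regardless of the current directory, and umask 077 keeps new files from being created with group or world access.

sudo mkdir -p /etc/wireguard
umask 077

Generate keys:

sudo wg genkey | sudo tee /etc/wireguard/server_private.key | sudo wg pubkey | sudo tee /etc/wireguard/server_public.key

View the public key:

sudo cat /etc/wireguard/server_public.key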

Step 3: Detect the Internet Interface

Find which network interface provides internet access:

ip route get 1.1.1.1 | awk '{print $5; exit}'

Common values include eth0 or ens3.

Step 4: Create WireGuard Server Configuration

Create the server configuration file:

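sudo nano /etc/wireguard/wg0.conf

Add the following content. Replace SERVER_PRIVATE_KEY with the contents of server_private.key from Step 2, and replace eth0 in the PostUp and PostDown lines with the interface found in Step 3 if it differs:

[Interface]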
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Step 5: Open Firewall Port

Allow the WireGuard UDP port through the host firewall using one of the two methods below.

Using UFW

sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw allow 51820/udp
sudo ufw enable

Using iptables

sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
sudo netfilter-persistent save

Step 6: Start WireGuard Service

Enable the tunnel at boot, start it, and check the interface status:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo wg

Step 7: Create Client Keys

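Generate a key pair for the first client, writing the files to /etc/wireguard by absolute path:

umask 077
sudo wg genkey | sudo tee /etc/wireguard/client1_private.key | sudo wg pubkey | sudo tee /etc/wireguard/client1_public.key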

Step 8: Add Client to Server

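Append a [Peer] section for the client to /etc/wireguard/wg0.conf on the server, replacing CLIENT_PUBLIC_KEY with the contents of client1_public.key. wg-quick reads this file when the interface comes up, so the wg-quick@wg0 service has to be restarted after the edit for the peer to take effect.

[Peer]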
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.8.0.2/32
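
A pre-start lint for the server configuration built in Steps 3, 4 and 8, as an added example that is not part of the original guide. It flags unreplaced template values, a MASQUERADE interface that differs from the one found in Step 3, peer AllowedIPs entries that are not one unique client address (on the server this setting decides which source addresses a peer may use), and a file accessible to group or others. The function names, messages and sample are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example: lint_wg_conf and sample_conf are hypothetical helpers, not WireGuard tools.
# Usage: lint_wg_conf /etc/wireguard/wg0.conf <interface from Step 3>
lint_wg_conf() {
  local conf="$1" wan_if="$2" findings
  findings=$(
    # The file holds the server private key: no group/other permission bits.
    [ "$(ls -ld -- "$conf" | cut -c5-10)" = "------" ] ||
      echo "perms: $conf is accessible to group or others"
    awk -v wan="$wan_if" '
      { sub(/[ \t]*#.*/, "") }                      # strip comments
      /^\[/ { section = $1; next }
      /(SERVER|CLIENT)_(PRIVATE|PUBLIC)_KEY|VPS_PUBLIC_IP/ {
        print "placeholder: line " NR " still holds a template value" }
      /^Post(Up|Down)/ {                            # NAT must use the Step 3 interface
        n = split($0, w, /[ \t;]+/)
        for (i = 1; i + 3 <= n; i++)
          if (w[i] == "-o" && w[i+2] == "-j" && w[i+3] == "MASQUERADE" && w[i+1] != wan)
            print "nat: line " NR " masquerades on " w[i+1] ", expected " wan }
      section == "[Peer]" && /^AllowedIPs[ \t]*=/ {  # one unique /32 per client
        sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
        n = split($0, ips, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++)
          if (ips[i] !~ /^10\.8\.0\.([2-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-4])\/32$/)
            print "allowedips: line " NR ": " ips[i] " is not one client address in 10.8.0.0/24"
          else if (seen[ips[i]]++)
            print "allowedips: line " NR ": " ips[i] " is already assigned to another peer" }
    ' "$conf"
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"; return 1
}

# Constructed sample: the Step 4 template saved unedited, plus a peer whose
# AllowedIPs was copied from the client file instead of the Step 8 entry.
sample_conf() {
  cat <<'EOF'
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
EOF
}
```

Run it as root against /etc/wireguard/wg0.conf, passing the interface printed by the Step 3 command as the second argument; a non-zero exit status means at least one finding was printed.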

Step 9: Create Client Configuration

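Save the following as client1.conf, replacing CLIENT_PRIVATE_KEY with the contents of client1_private.key, SERVER_PUBLIC_KEY with the contents of server_public.key, and VPS_PUBLIC_IP with the server's public address. AllowedIPs = 0.0.0.0/0 sends all IPv4 traffic through the tunnel (full tunnel).

[Interface]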
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.8.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = VPS_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Step 10: Import Configuration to Devices

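Render the client configuration as a QR code in the terminal and scan it with the WireGuard mobile app; desktop clients can import client1.conf directly. The QR code contains the client private key, so clear the terminal afterwards. The file is read with sudo cat because a shell redirect runs as the calling user, not root.

sudo cat client1.conf | qrencode -t ansiutf8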

Step 11: Test VPN Connection

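With the tunnel active on the client, check the public address it presents; it should be VPS_PUBLIC_IP:

curl ifconfig.me

On the server, confirm that the peer shows a recent handshake and non-zero transfer counters:

sudo wg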

Security Hardening Recommendations

  • Disable SSH password login
  • Use SSH keys
  • Install Fail2Ban
  • Keep server updated
