A virtual private network (VPN) tunnel allows a client, such as a Windows desktop computer, to privately exchange data with a server that has been configured for secure VPN communication. The client might only need to securely access resources on the server itself, in which case the client and server are only exchanging data with each other. Typically, however, the VPN server acts as a gateway for the client so that the client can privately access other systems and resources, such as websites. Those websites “see” the VPN server’s IP address as opposed to that of the client, whose IP address is effectively masked by the VPN server.
WireGuard is a popular, open-source VPN that is relatively simple to install and configure. That being said, both the WireGuard client and server must be configured properly so that they can communicate with each other via a secure tunnel. This includes the generation and exchange of encryption keys. If the client and server are misconfigured, it will not be possible to establish a VPN tunnel between them.
This tutorial explains how to install and configure WireGuard on a Windows client system using IPv4 so that the client can establish a secure VPN tunnel with an existing Ubuntu WireGuard server to access the Internet. The guide also walks through the configuration of the Ubuntu WireGuard server to communicate with the Windows client system.
To follow this tutorial, you will need:
This tutorial configures WireGuard server and client systems using IPv4 addresses. However, the same steps can be followed to configure systems using IPv6 addresses.
In the first step, you need to gather and save some configuration information related to the Ubuntu WireGuard VPN server. This information will be used to configure the Windows client. Most of the data you need will be stored in the WireGuard server configuration file, usually wg0.conf, and the WireGuard public key file public.key. Both of these files should be located in /etc/wireguard.
Copy the name of the WireGuard service interface chosen when setting up the Ubuntu WireGuard server. The service interface name typically used is wg0 and can be easily determined by inspecting the WireGuard server configuration file name, e.g. wg0.conf, located in /etc/wireguard.
Copy the IP address range chosen for the WireGuard server tunnel interface and for clients. Open the WireGuard server configuration file, and write down the value for the Address key. In the following example, you would copy the IPv4 address range 10.8.0.1/24.
[Interface]
...
Address = 10.8.0.1/24
...
Copy the listening port assigned to the WireGuard service. Open the WireGuard server configuration file, and write down the value for the ListenPort key. In the following example, you would copy the port number 51820.
[Interface]
...
ListenPort = 51820
...
A public key was generated and stored in the public.key file when WireGuard was installed on the Ubuntu server. Open public.key and copy the server’s public key:
# This is just a sample public key; your key will be different.
b9FjbupGC7fomO5U4jL5Irt1ZV5rq4c+utGKj53HXgU=
Copy the external IPv4 address of the Ubuntu WireGuard server. The external IPv4 address of the Ubuntu server can be retrieved by looking at the inet entry of the server's network adapter.
sudo ip addr show
Download WireGuard for Windows from WireGuard’s installation page.
Click on the Download Windows Installer button to download and execute the WireGuard installer for Windows. Alternatively, click on the Browse MSIs link to select a particular Windows Installer Package file for the client machine.
Once WireGuard is installed on the Windows system, open the application. From here, you need to create a new empty tunnel using CTRL-N. Alternatively, click on the Add Tunnel button in the lower-left corner of the application GUI to open the drop-down menu, and then select Add Empty Tunnel.
A new, empty tunnel dialog window will open after completing the previous step. The window is not completely empty, however, since opening it creates two encryption keys for the Windows client: a public key and a private key. As with the Ubuntu WireGuard server public and private keys, the Windows client keys are expressed in base-64 encoding. Copy the public key, as you will need it later when configuring the Ubuntu server to work with the Windows client. The new tunnel configuration will comprise a new set of key/value pairs that you will configure step-by-step.
The new tunnel needs a name, which can be anything. Enter the chosen name in the Name field.
An [Interface] configuration label will be above the private key in the new tunnel dialog window. This section of the Windows client configuration is used to configure the WireGuard interface on the Windows system just as the [Interface] section of the WireGuard server configuration file specifies the configuration of the WireGuard interface for the server. You need to add an IPv4 address for the Windows client interface that falls within the address range chosen for the WireGuard server tunnel interface that was copied in Step 1b. In this guide, you will assume an IPv4 address range of 10.8.0.0/24 and that the IPv4 address assigned to the WireGuard server tunnel interface is 10.8.0.1. You can choose any IPv4 address in the range for the Windows client that is not 10.8.0.1. For this step, you will choose a Windows client interface address of 10.8.0.2 and add it to the empty tunnel dialog window below the private key line in the tunnel dialog window:
[Interface]
...
PrivateKey = your_windows_client_private_key_will_be_here
Address = 10.8.0.2
You also need to configure the DNS servers used for address resolution by the client interface. For the purposes of this tutorial, you will specify Cloudflare's DNS servers with IPv4 addresses of 1.1.1.1 and 1.0.0.1.
[Interface]
...
PrivateKey = your_windows_client_private_key_will_be_here
Address = 10.8.0.2
DNS = 1.1.1.1, 1.0.0.1
With the client interface configured in the previous step, you now need to add the configuration details for the WireGuard server, which is a peer of the Windows client. You will start by adding the label [Peer] below the [Interface] section.
[Interface]
...
PrivateKey = your_windows_client_private_key_will_be_here
Address = 10.8.0.2
DNS = 1.1.1.1, 1.0.0.1
[Peer]
For the [Peer] section, you need to first add the public key for the WireGuard server copied in step 1d of the prerequisite tutorial.
[Interface]
...
PrivateKey = your_windows_client_private_key_will_be_here
Address = 10.8.0.2
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = your_wireguard_server_public_key_goes_here
Next, you need to set the external IPv4 address of the Ubuntu WireGuard server and the listening port number for the WireGuard service on the server using the Endpoint key. For example, if the server's external IP address, copied in Step 1e, is 203.0.113.0 and the listening port number for the WireGuard service on the server, copied in Step 1c, is 51820, you would set the Endpoint value to 203.0.113.0:51820.
[Interface]
...
PrivateKey = your_windows_client_private_key_will_be_here
Address = 10.8.0.2
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = your_wireguard_server_public_key_goes_here
Endpoint = your_server_ip_goes_here:your_wireguard_service_port_number_goes_here
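Finally, you need to specify those internal IPv4 addresses that the Windows client will accept from the Ubuntu WireGuard server. Any server packets with addresses that fall outside of this range will be dropped by the client. You can permit any address from the Ubuntu WireGuard server using 0.0.0.0/0. On the client, AllowedIPs also selects which destinations are routed into the tunnel, so 0.0.0.0/0 sends all of the client's IPv4 traffic through the server.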
[Interface]
...
PrivateKey = your_windows_client_private_key_will_be_here
Address = 10.8.0.2
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = your_wireguard_server_public_key_goes_here
Endpoint = your_server_ip_goes_here:your_wireguard_service_port_number_goes_here
AllowedIPs = 0.0.0.0/0
The Windows client WireGuard tunnel configuration is complete. Click on Save within the dialog window to save the new tunnel configuration.
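The finished client configuration can be checked against the values gathered in Step 1 before the tunnel is activated. The following Python script is an added example, not part of the original tutorial or of WireGuard; its function names and embedded keys are constructed for illustration, and it assumes IPv4 addresses and a single [Peer] section.

```python
import base64
import configparser
import ipaddress

def is_wg_key(value):
    """WireGuard keys are 32 bytes, written as 44 base64 characters."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False

def check_client_config(conf_text, server_address, server_port, server_ip):
    """Compare a client tunnel config with the values gathered from the server."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(conf_text)
    iface, peer = cfg["Interface"], cfg["Peer"]
    problems = []
    if not is_wg_key(iface.get("PrivateKey", "")):
        problems.append("Interface PrivateKey is not a 32-byte base64 key")
    if not is_wg_key(peer.get("PublicKey", "")):
        problems.append("Peer PublicKey is not a 32-byte base64 key")
    server_if = ipaddress.ip_interface(server_address)
    client_ip = ipaddress.ip_interface(iface["Address"]).ip
    if client_ip not in server_if.network:
        problems.append(f"Address {client_ip} is outside {server_if.network}")
    elif client_ip == server_if.ip:
        problems.append(f"Address {client_ip} is the server's own tunnel address")
    if peer.get("Endpoint", "") != f"{server_ip}:{server_port}":
        problems.append("Endpoint does not match the server address and ListenPort")
    allowed = [ipaddress.ip_network(n.strip(), strict=False)
               for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
    for dns in (d.strip() for d in iface.get("DNS", "").split(",") if d.strip()):
        if not any(ipaddress.ip_address(dns) in net for net in allowed):
            problems.append(f"DNS server {dns} is not covered by AllowedIPs")
    return problems

# Constructed keys for the example only; never reuse them for a real tunnel.
CLIENT_PRIVATE = base64.b64encode(bytes(range(32))).decode()
SERVER_PUBLIC = base64.b64encode(bytes(range(32, 64))).decode()
SAMPLE = f"""[Interface]
PrivateKey = {CLIENT_PRIVATE}
Address = 10.8.0.2
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = {SERVER_PUBLIC}
Endpoint = 203.0.113.0:51820
AllowedIPs = 0.0.0.0/0
"""
print(check_client_config(SAMPLE, "10.8.0.1/24", 51820, "203.0.113.0") or "OK")
```

The DNS check flags resolvers that fall outside AllowedIPs, since lookups sent to them would not be routed through the tunnel.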
You need to add a configuration for the new Windows client on the Ubuntu WireGuard server so that the server will accept traffic from the client. However, you need to first ensure the WireGuard interface on the server is up. If the interface is down, it can be brought up with the following command using the WireGuard service interface name copied in Step 1a:
sudo wg-quick up wg0
Now, you can set up the Windows client as a peer to the Ubuntu WireGuard server. You need the Windows client's public key that was copied at the beginning of step 4, as well as the Windows client interface address chosen in step 4b, which was 10.8.0.2. You can complete the Windows client configuration on the WireGuard server using:
sudo wg set wg0 peer your_windows_client_public_key_goes_here allowed-ips 10.8.0.2
You can check that the Windows client configuration was successful using:
sudo wg show wg0
If the WireGuard service is not running on the Ubuntu WireGuard server, you can start it using:
sudo systemctl start wg-quick@wg0.service
You can also check that the WireGuard service is active on the server using:
sudo systemctl status wg-quick@wg0.service
Now, you can activate a new VPN tunnel between the WireGuard server and the Windows client. Highlight the new tunnel that was created on the Windows client, and click on Activate. The tunnel is now active, which is confirmed by periodic handshakes between the Windows client and the Ubuntu WireGuard server. You can also Google "what is my ip" from the Windows client system to confirm that the IP address "seen" by Google is actually the external IP address of the Ubuntu WireGuard server.
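The handshake and the peer's settings can also be checked on the server from the tab-separated output of `sudo wg show wg0 dump`. The following Python script is an added example, not part of the original tutorial; the function names, the sample dump and the 180-second staleness threshold are assumptions made for illustration.

```python
import base64
import ipaddress


def audit_peers(dump_text, tunnel_net, now, max_age=180):
    """Map each peer public key to findings from `wg show <interface> dump` output."""
    net = ipaddress.ip_network(tunnel_net, strict=False)
    findings = {}
    # Line 1 describes the interface and holds its private key: skip it, never log it.
    for line in dump_text.strip().splitlines()[1:]:
        pubkey, _psk, _endpoint, allowed, handshake = line.split("\t")[:5]
        notes = []
        for cidr in (a for a in allowed.split(",") if a and a != "(none)"):
            peer_net = ipaddress.ip_network(cidr, strict=False)
            if peer_net.prefixlen != peer_net.max_prefixlen:
                notes.append(f"allowed-ips {cidr} is wider than a single host")
            elif peer_net.version != net.version or not peer_net.subnet_of(net):
                notes.append(f"allowed-ips {cidr} is outside {net}")
        if int(handshake) == 0:
            notes.append("no handshake yet")
        elif now - int(handshake) > max_age:  # max_age is an assumed threshold
            notes.append("last handshake is stale")
        findings[pubkey] = notes
    return findings


def fake_key(n):
    """Constructed 32-byte key for the sample below; not a real WireGuard key."""
    return base64.b64encode(bytes([n]) * 32).decode()


# Constructed sample in the tab-separated layout of `wg show wg0 dump`.
SAMPLE_DUMP = "\n".join("\t".join(row) for row in [
    [fake_key(1), fake_key(2), "51820", "off"],
    [fake_key(3), "(none)", "198.51.100.7:53211", "10.8.0.2/32",
     "1700000000", "9120", "18432", "off"],
    [fake_key(4), "(none)", "(none)", "0.0.0.0/0", "0", "0", "0", "off"],
])

if __name__ == "__main__":
    report = audit_peers(SAMPLE_DUMP, "10.8.0.1/24", now=1700000060)
    for key, notes in report.items():
        print(key, notes or "ok")
```

On a real server, pass the captured command output as `dump_text` and the current Unix time as `now`.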
In this tutorial, you installed WireGuard on a Windows client and configured the client to establish a secure VPN tunnel with an existing Ubuntu WireGuard server interface. You also configured the existing Ubuntu WireGuard server to communicate with the Windows client.