Introduction

A virtual private network (VPN) allows a client, such as a Windows desktop computer, to privately exchange data with a server that has been configured for secure VPN communication. The client might only need to securely access resources on the server itself, in which case the client and server are only exchanging data with each other. Typically, however, the VPN server acts as a gateway for the client so that the client can privately access other systems and resources, such as websites. Those websites “see” the VPN server’s IP address as opposed to that of the client, whose IP address is effectively masked by the VPN server.

WireGuard is a popular, open-source VPN that is relatively simple to install and configure. That being said, both the WireGuard client and server must be configured properly so that they can communicate with each other via a secure tunnel. This includes the generation and exchange of WireGuard encryption keys. If the client and server are misconfigured, it will not be possible to establish a VPN tunnel between them.

This tutorial explains how to install and configure WireGuard on a Windows client system using IPv4 so that the client can establish a secure VPN tunnel with an existing Ubuntu WireGuard server to access the Internet. The guide also walks through the configuration of the Ubuntu WireGuard server to communicate with the Windows client system.

Prerequisites

To follow this tutorial, you will need:

- To have already installed WireGuard VPN on an Ubuntu server that can access the Internet.
- To be running one of WireGuard’s supported versions of Windows on the Windows client that you want to set up. Currently, WireGuard is available for Windows 7, 8.1, 10, and 11, as well as Windows Server 2008R2, 2012R2, 2016, 2019, and 2022.
- Administrator privileges on the Windows client.

This tutorial configures WireGuard server and client systems using IPv4 addresses.
However, the same steps can be followed to configure systems using IPv6 addresses.

Step 1 - Retrieving WireGuard Server Configuration

In the first step, you need to gather and save some configuration information related to the Ubuntu WireGuard VPN server. This information will be used to configure the Windows client. Most of the data you need will be stored in the WireGuard server configuration file, usually wg0.conf, and the WireGuard public key file public.key. Both of these files should be located in /etc/wireguard.

Step 1a - Copying WireGuard Service Interface Name

Copy the name of the WireGuard service interface chosen when setting up the Ubuntu WireGuard server. The service interface name typically used is wg0 and can be easily determined by inspecting the WireGuard server configuration file name, e.g. wg0.conf, located in /etc/wireguard.

Step 1b - Copying WireGuard Server IP Address Range

Copy the IP address range chosen for the WireGuard server tunnel interface and for clients. Open the WireGuard server configuration file, and write down the value for the Address key. In the following example, you would copy the IPv4 address range 10.8.0.1/24.

    [Interface]
    ...
    Address = 10.8.0.1/24
    ...

Step 1c - Copying WireGuard Server Listening Port

Copy the listening port assigned to the WireGuard service. Open the WireGuard server configuration file, and write down the value for the ListenPort key. In the following example, you would copy the port number 51820.

    [Interface]
    ...
    ListenPort = 51820
    ...

Step 1d - Copying WireGuard Server Public Key

A public key was generated and stored in the public.key file when WireGuard was installed on the Ubuntu server. Open public.key and copy the server’s public key:

    # This is just a sample public key; your key will be different.
    b9FjbupGC7fomO5U4jL5Irt1ZV5rq4c+utGKj53HXgU=

Step 1e - Copying WireGuard Server External IPv4 Address

Copy the external IPv4 address of the Ubuntu WireGuard server.
The external IPv4 address of the Ubuntu server can be retrieved by looking at the inet entry of the server's network adapter.

    sudo ip addr show

Step 2 - Installing WireGuard on Windows

Download WireGuard for Windows from WireGuard’s installation page. Click on the Download Windows Installer button to download and execute the WireGuard installer for Windows. Alternatively, click on the Browse MSIs link to select a particular Windows Installer Package file for the client machine.

Step 3 - Creating A New Empty Tunnel on the Windows Client

Once WireGuard is installed on the Windows system, open the application. From here, you need to create a new empty tunnel using CTRL-N. Alternatively, click on the Add Tunnel button in the lower-left corner of the application GUI to open the drop-down menu, and then select Add Empty Tunnel.

Step 4 - Configuring The Empty Tunnel on the Windows Client

A new, empty tunnel dialog window will open after completing the previous step. The window is not completely empty, however, since opening it creates two encryption keys for the Windows client: a public key and a private key. As with the Ubuntu WireGuard server public and private keys, the Windows client keys are expressed in base-64 encoding. Copy the public key as you will need it later when configuring the Ubuntu server to work with the Windows client.

The new tunnel configuration will comprise a new set of key/value pairs that you will configure step-by-step.

Step 4a - Choosing A Name

The new tunnel needs a name, which can be anything. Enter the chosen name in the Name field.

Step 4b - Configuring The WireGuard Interface on the Windows Client

An [Interface] configuration label will be above the private key in the new tunnel dialog window. This section of the Windows client configuration is used to configure the WireGuard interface on the Windows system just as the [Interface] section of the WireGuard server configuration file specifies the configuration of the WireGuard interface for the server.
You need to add an IPv4 address for the Windows client interface that falls within the address range chosen for the WireGuard server tunnel interface that was copied in Step 1b. In this guide, you will assume an IPv4 address range of 10.8.0.0/24 and that the IPv4 address assigned to the WireGuard server tunnel interface is 10.8.0.1. You can choose any IPv4 address in the range for the Windows client that is not 10.8.0.1. For this step, you will choose a Windows client interface address of 10.8.0.2 and add it to the empty tunnel dialog window below the private key line:

    [Interface]
    ...
    PrivateKey = your_windows_client_private_key_will_be_here
    Address = 10.8.0.2

You also need to configure the DNS servers used for address resolution by the client interface. For the purposes of this tutorial, you will specify Cloudflare's DNS servers with IPv4 addresses of 1.1.1.1 and 1.0.0.1.

    [Interface]
    ...
    PrivateKey = your_windows_client_private_key_will_be_here
    Address = 10.8.0.2
    DNS = 1.1.1.1, 1.0.0.1

Step 4c - Configuring the WireGuard Server on the Windows Client

With the client interface configured in the previous step, you now need to add the configuration details for the WireGuard server, which is a peer of the Windows client. You will start by adding the [Peer] label below the [Interface] section.

    [Interface]
    ...
    PrivateKey = your_windows_client_private_key_will_be_here
    Address = 10.8.0.2
    DNS = 1.1.1.1, 1.0.0.1

    [Peer]

For the [Peer] section, you need to first add the public key for the WireGuard server copied in step 1d of the prerequisite tutorial.

    [Interface]
    ...
    PrivateKey = your_windows_client_private_key_will_be_here
    Address = 10.8.0.2
    DNS = 1.1.1.1, 1.0.0.1

    [Peer]
    PublicKey = your_wireguard_server_public_key_goes_here

Next, you need to set the external IPv4 address of the Ubuntu WireGuard server and the listening port number for the WireGuard service on the server using the Endpoint key.
For example, if the server's external IP address, copied in Step 1e, is 203.0.113.0 and the listening port number for the WireGuard service on the server, copied in Step 1c, is 51820, you would set the Endpoint value to 203.0.113.0:51820.

    [Interface]
    ...
    PrivateKey = your_windows_client_private_key_will_be_here
    Address = 10.8.0.2
    DNS = 1.1.1.1, 1.0.0.1

    [Peer]
    PublicKey = your_wireguard_server_public_key_goes_here
    Endpoint = your_server_ip_goes_here:your_wireguard_service_port_number_goes_here

Finally, you need to specify those internal IPv4 addresses that the Windows client will accept from the Ubuntu WireGuard server. Any server packets with addresses that fall outside of this range will be dropped by the client. The same AllowedIPs value also determines which destination addresses the client routes through the tunnel, so 0.0.0.0/0 sends all of the client's IPv4 traffic through the VPN server. You can permit any address from the Ubuntu WireGuard server using 0.0.0.0/0.

    [Interface]
    ...
    PrivateKey = your_windows_client_private_key_will_be_here
    Address = 10.8.0.2
    DNS = 1.1.1.1, 1.0.0.1

    [Peer]
    PublicKey = your_wireguard_server_public_key_goes_here
    Endpoint = your_server_ip_goes_here:your_wireguard_service_port_number_goes_here
    AllowedIPs = 0.0.0.0/0

The Windows client WireGuard tunnel configuration is complete. Click on Save within the dialog window to save the new tunnel configuration.

Step 5 - Configuring the Windows Client on the Ubuntu WireGuard Server

You need to add a configuration for the new Windows client on the Ubuntu WireGuard server so that the server will accept traffic from the client. However, you need to first ensure the WireGuard interface on the server is up. If the interface is down, it can be brought up with the following command using the WireGuard service interface name copied in Step 1a:

    sudo wg-quick up wg0

Now, you can set up the Windows client as a peer to the Ubuntu WireGuard server. You need the Windows client's public key that was copied at the beginning of Step 4, as well as the Windows client interface address chosen in Step 4b, which was 10.8.0.2.
You can complete the Windows client configuration on the WireGuard server using:

    sudo wg set wg0 peer your_windows_client_public_key_goes_here allowed-ips 10.8.0.2

You can check that the Windows client configuration was successful using:

    sudo wg show wg0

Step 6 - Starting the WireGuard Service on the Ubuntu WireGuard Server

If the WireGuard service is not running on the Ubuntu WireGuard server, you can start it using:

    sudo systemctl start wg-quick@wg0.service

You can also check that the WireGuard service is active on the server using:

    sudo systemctl status wg-quick@wg0.service

Step 7 - Activating a New Windows Client Tunnel

Now, you can activate a new VPN tunnel between the WireGuard server and the Windows client. Highlight the new tunnel that was created on the Windows client, and click on Activate. The tunnel is now active, which is confirmed by periodic handshakes between the Windows client and the Ubuntu WireGuard server. You can also Google "what is my ip" from the Windows client system to confirm that the IP address "seen" by Google is actually the external IP address of the Ubuntu WireGuard server.

Conclusion

In this tutorial, you installed WireGuard on a Windows client and configured the client to establish a secure VPN tunnel with an existing Ubuntu WireGuard server interface. You also configured the existing Ubuntu WireGuard server to communicate with the Windows client.
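
Because a misconfigured client and server cannot establish a tunnel, it helps to check the finished Step 4c tunnel text against the values gathered in Step 1 before saving it. The Python checker below is an added example, not part of the original tutorial; check_client_conf, its helpers and the sample private key are assumptions made for illustration, and the DNS check goes slightly beyond the tutorial by flagging resolvers that AllowedIPs would leave outside the tunnel.

```python
import base64
import configparser
import ipaddress

# Constructed sample: the finished Step 4c tunnel. The private key is a
# placeholder built from 32 constructed bytes; the public key is the page's sample.
SAMPLE = """[Interface]
PrivateKey = %s
Address = 10.8.0.2
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = b9FjbupGC7fomO5U4jL5Irt1ZV5rq4c+utGKj53HXgU=
Endpoint = 203.0.113.0:51820
AllowedIPs = 0.0.0.0/0
""" % base64.b64encode(bytes(range(32))).decode()

def _is_key(value):
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def _items(section, key):
    return [v.strip() for v in section.get(key, "").split(",") if v.strip()]

def check_client_conf(text, server_address, server_port):
    """Return a list of problems; empty means consistent with Steps 1b-1e."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)  # assumes one [Interface] and one [Peer] section
    iface, peer = cp["Interface"], cp["Peer"]
    server = ipaddress.ip_interface(server_address)  # Step 1b, e.g. 10.8.0.1/24
    priv, pub = iface.get("PrivateKey", ""), peer.get("PublicKey", "")
    problems = [f"{name} is not a base64-encoded 32-byte key"
                for name, key in (("PrivateKey", priv), ("PublicKey", pub))
                if not _is_key(key)]
    if _is_key(priv) and priv == pub:
        problems.append("[Peer] PublicKey repeats the client's own PrivateKey")
    for entry in _items(iface, "Address"):
        ip = ipaddress.ip_interface(entry).ip
        if ip not in server.network or ip == server.ip:
            problems.append(f"Address {ip} is unusable with {server}")
    port = peer.get("Endpoint", "").rpartition(":")[2]
    if port != str(server_port):  # Step 1c listening port
        problems.append(f"Endpoint port {port!r} is not {server_port}")
    allowed = [ipaddress.ip_network(n, strict=False)
               for n in _items(peer, "AllowedIPs")]
    for dns in _items(iface, "DNS"):  # assumes DNS entries are IP addresses
        if not any(ipaddress.ip_address(dns) in net for net in allowed):
            problems.append(f"DNS {dns} is outside AllowedIPs (not tunnelled)")
    return problems
```

Calling check_client_conf(SAMPLE, "10.8.0.1/24", 51820) returns an empty list for the tutorial's values; each string in a non-empty result names one setting to correct before activating the tunnel.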