How to Self-Host a WireGuard VPN on Linode

This tutorial will show you how to deploy a Ubuntu 20.04 Linode and configure it as a VPN using WireGuard. This will give you all the advantages of paid VPN services with less cost.

Step 1: Deploy Ubuntu 20.04 Linode

Login to your Linode account. If you don’t have an account, you can get $100 free credit by using the following affiliate link.

Linode* <– $100 Credit.

After logging in, go to the Create Linode screen and create a new Linode by choosing Ubuntu 20.04 LTS for the distribution, selecting a region and plan.

Scroll down and give the Linode a label, assign the root password and attach an SSH key then click Create Linode.

You will be redirected to the new Linodes overview screen where you can see the provisioning status and the public IP address. Make a note of the IP as we will use it later to connect via SSH and configure WireGuard.

Step 2: Configure Firewall

The next step is to configure firewall rules for the Ubuntu Linode. We will create a rule for SSH that only allows your IP address to connect and a rule for WireGuard so that allows any IP address to connect.

Go to the Firewalls page then click Create Firewall.

Give the firewall a name, select the Linode you created in Step 1, then click Create Firewall.

Click on the name of the firewall you just created.

Change the Inbound policy to Drop, then click Save Changes. This will block all inbound traffic by default. Let’s allow SSH by clicking Add an Inbound Rule.

1. Select SSH as the preset.
2. Give the rule a label.
3. Change the source to IP / Netmask
4. Enter your home or office IP address.
5. Click Add Rule.

You should now be able to connect to the Linode with SSH from the specified IP address. Let’s add the WireGuard rule by clicking Add an Inbound Rule.

1. Give the rule a label.
2. Change the protocol to UDP.
3. Select Custom for ports.
4. Enter 51820 for the port range.
5. Either select All IPv4, All IPv6 for the Sources so that all IP addresses can connect to WireGuard or repeat what you did for the SSH rule so that only you can connect.
6. Click Add Rule.

Click Save Changes.

We are now ready to install and configure WireGuard on the Ubuntu Linode.

Step 3: Connect to Ubuntu Linode with SSH

Open a Terminal session (On Unix-like operating systems or Putty on Windows) then connect to the Linode using the public IP address you made a note of at the end of Step 1.

ssh root@172.105.254.235

Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-81-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 11 Jan 2022 01:45:02 PM UTC

  System load:           0.0
  Usage of /:            10.8% of 24.05GB
  Memory usage:          19%
  Swap usage:            0%
  Processes:             108
  Users logged in:       0
  IPv4 address for eth0: 172.105.254.235
  IPv6 address for eth0: 2400:8907::f03c:92ff:fe96:2075

50 updates can be applied immediately.
To see these additional updates run: apt list --upgradable


*** System restart required ***

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@localhost:~# 

Step 4: Enable Port Forwarding

The first thing we need to do after connecting to the server is enable port forwarding so that traffic from the client can access the internet through the VPN server. To enable port forwarding, create a file called 10-wireguard.conf in /etc/sysctl.d by running the command.

sudo vim /etc/sysctl.d/10-wireguard.conf

Then add the following contents to the file.

net.ipv4.ip_forward=1

Port forwarding will now be enabled when the server boots. To enable it now, run the following command.

sudo sysctl -p /etc/sysctl.d/10-wireguard.conf

Step 5: Install WireGuard & Generate Keys

Run the following command to install WireGuard.

sudo apt update && sudo apt install wireguard -y

Generate server and client keys.

sudo -i
cd /etc/wireguard/
wg genkey | tee server.key | wg pubkey > server.pub
wg genkey | tee client.key | wg pubkey > client.pub

You should now see a list of files.

/etc/wireguard# ls -l
total 16
-rw------- 1 root root 45 Sep 29 10:32 client.key
-rw------- 1 root root 45 Sep 29 10:32 client.pub
-rw------- 1 root root 45 Sep 29 10:32 server.key
-rw------- 1 root root 45 Sep 29 10:32 server.pub

We will use the contents of these files when creating the server and client config files in the upcoming steps.

Step 6: Create WireGuard Server Config

Now we need to create the WireGuard config file before we start the service.

sudo vim wg0.conf

Add the following to wg0.conf. Use the contents of server.key for the PrivateKey value and the contents of client.pub for the peers PublicKey value.

[Interface]
Address = 10.1.1.1/24
ListenPort = 51820
PrivateKey = [replace_with_contents_of_server.key]
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = [replace_with_contents_of_client.pub]
AllowedIPs = 10.1.1.2/32

Enable the WireGuard service when the server boots.

sudo systemctl enable wg-quick@wg0

Start the WireGuard service now.

sudo systemctl start wg-quick@wg0

We are now ready to install and configure a client to connect to the WireGuard VPN.

Step 7: Install and Configure WireGuard Client

There are clients available for Windows, Linux, iOS, Android and most operating systems. In this tutorial, I will demonstrate using the macOS WireGuard client but the config file should work on other systems.

Open the App Store, search for WireGuard, install the client then click Open.

Click + then Add Empty Tunnel…

Enter a name for the VPN, for example USA, then add the following config.

[Interface]
PrivateKey = [replace_with_contents_of_client.key]
Address = 10.1.1.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = [replace_with_contents_of_server.pub]
AllowedIPs = 0.0.0.0/0
Endpoint = [replace_with_server_public_ip]:51820
PersistentKeepalive = 15

Replace the PrivateKey, PublicKey and Endpoint IP address with your values.

Click Activate to connect to the VPN and switch your IP address from your ISPs to the VPNs.

When data is being sent and received, it should be working. We will test it in the next step.

Step 8: Test Internet Connection

If everything is configured correctly, you should be able to ping the client from the server.

ping 10.1.1.2

PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=245 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=266 ms

--- 10.1.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 244.832/255.412/265.992/10.580 ms

And you should be able to ping the server from the client.

ping 10.1.1.1

PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=92.378 ms
64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=89.811 ms

--- 10.1.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 89.811/90.799/92.378/1.040 ms

If port forwarding is configured and the PostUp script is correct, you should be able to browse the internet on the client and websites will think you are visiting from the server IP address. You can test this by searching for what is my ip in DuckDuckGo.

As you can see from the screenshot above, DuckDuckGo sees my IP address as the one assigned to the Ubuntu Linode created in Step 1.

Conclusion

In this tutorial, we created a private WireGuard VPN server on Ubuntu 20.04.

Connecting a client to the VPN allows us to bypass geo-blocks and make browsing the internet from public networks secure. With these instructions, there’s no need to pay for an expensive VPN provider and share an IP with people that might be doing things that are illegal.

Another benefit of self-hosting your VPN on Linode* is the ability to pay as you go. Once you have finished with the VPN, you can destroy the Linode, and you only pay for the duration it existed.