WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it plans to be cross-platform and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
1. Install WireGuard on Ubuntu

    sudo add-apt-repository ppa:wireguard/wireguard
    sudo apt-get update
    sudo apt-get install wireguard-dkms wireguard-tools

Generate public key and private key

    (umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
    wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
Create configuration file
    sudo nano /etc/wireguard/wg0.conf

    [Interface]
    PrivateKey = YOUR_PRIVATE_KEY
    ListenPort = 5555
    SaveConfig = false
    Address = 10.0.0.1/24

    sudo wg-quick up wg0
Type this command to show WireGuard status

    interface: wg0
      public key: SERVER_PUBLIC_KEY
      private key: (hidden)
      listening port: 5555
2. Setup on Android
Download and install WireGuard from Google Play
Launch WireGuard, and create a new connection profile
- Click the + button
- "Create from scratch"
- Give a name (without using any special character)
- Click "GENERATE" beside "Private key", to generate the private-key and the public-key
- Fill in "10.0.0.2/32" for "Addresses"
- Fill in "22.214.171.124,126.96.36.199" or "188.8.131.52,184.108.40.206", etc. for "DNS servers"
Add the server (peer) information
- Click "ADD PEER"
- Fill in the server-public-key
- Fill in "0.0.0.0/0" for "Allowed IPs"
- Fill in the IP or domain-name with port-number for "Endpoint"
- (e.g. 123:456:789:123:5555 or mydomain.com:5555)
3. Finishing the configuration on the server
In the WireGuard Android app
Click on the "Public key" field in the upper "Interface" part to copy the key
Paste the key into the server configuration file
Edit the file /etc/wireguard/wg0.conf on your server

    [Interface]
    PrivateKey = YOUR_PRIVATE_KEY
    ListenPort = 5555
    SaveConfig = false
    Address = 10.0.0.1/24

    [Peer]
    PublicKey = PUBLIC_KEY_ON_ANDROID
    AllowedIPs = 10.0.0.2/32

Save it, and restart WireGuard

    sudo wg-quick down wg0
    sudo wg-quick up wg0
Now you can try connecting to the server from your Android phone.
If the connection is established, you can see something like this

    interface: wg0
      public key: SERVER_PUBLIC_KEY
      private key: (hidden)
      listening port: 5555

    peer: PHONE_PUBLIC_KEY
      endpoint: PHONE_IP:PHONE_PORT
      allowed ips: 10.0.0.2/32
      latest handshake: 3 seconds ago
      transfer: 148 B received, 92 B sent
To make WireGuard start up automatically, run this

    sudo systemctl enable wg-quick@wg0
Re-route Internet traffic
    sudo nano /etc/wireguard/wg0.conf

    [Interface]
    PrivateKey = YOUR_PRIVATE_KEY
    ListenPort = 5555
    SaveConfig = false
    Address = 10.0.0.1/24
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

(eth0 is the server's Internet-facing network interface; substitute your own interface name)
Enable packet forwarding

    sudo nano /etc/sysctl.conf

Add these two lines if you haven't done this before

    net.ipv4.ip_forward = 1
    net.ipv6.conf.all.forwarding = 1

Save the file, then reboot or apply the change immediately with this

    sudo sysctl -p
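
A quick audit of the finished server config, as an added example that is not part of the original guide: it checks that the file holding PrivateKey is unreadable by group and others (the reason for the umask 077 step above) and that every [Peer] AllowedIPs entry is a single host such as 10.0.0.2/32. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a wg-quick server config.
# Print permission bits in octal (GNU stat first, BSD stat as fallback).
conf_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the config passes both checks, 1 otherwise.
audit_wg_conf() {
    conf=$1
    rc=0
    # Check 1: the file holds PrivateKey, so group/other must have no access.
    mode=$(conf_mode "$conf")
    case $mode in
        *00) ;;
        *) echo "FAIL: $conf has mode $mode, expected 600"; rc=1 ;;
    esac
    # Check 2: each [Peer] AllowedIPs entry should be one host (/32 or /128).
    # WireGuard accepts from a peer only packets sourced inside its AllowedIPs.
    wide=$(awk -F'=' '
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[^a-z]/, "", sect); next }
        sect == "peer" && tolower($1) ~ /^[ \t]*allowedips[ \t]*$/ {
            n = split($2, ips, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", ips[i])
                if (ips[i] ~ /\// && ips[i] !~ /\/(32|128)$/) print ips[i]
            }
        }' "$conf")
    if [ -n "$wide" ]; then
        echo "FAIL: peer AllowedIPs wider than one host:" $wide
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: $conf"
    return "$rc"
}

# Demo on a constructed config (placeholder keys, same layout as the guide).
demo=$(mktemp)
cat > "$demo" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER
Address = 10.0.0.1/24
[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER
AllowedIPs = 10.0.0.2/32
EOF
audit_wg_conf "$demo"
rm -f "$demo"
```

On the server, run it as `sudo sh -c '. ./audit.sh; audit_wg_conf /etc/wireguard/wg0.conf'`, where audit.sh is an assumed file name for the block above.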