Setup WireGuard VPN Server and Client (KVM)

1. Install WireGuard on the VPN server
- Ubuntu ≥ 19.10
#sudo apt install wireguard
2. Generate the server keys (server_private_key, server_public_key)
On the server:
#umask 077
#wg genkey | tee server_private_key | wg pubkey > server_public_key
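To list the server private and public keys, run the following (copy the keys to a text editor to use later on).
The private key is only used in the server's own wg0.conf; the public key is the one that goes into the client config.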
#cat server_private_key
Ex.   eJGzhO+/FQ4U0M6V9JeKdEAguebTaLvuNaPlVYYgA=
#cat server_public_key
Ex.   f2D+RMxLD5KMbjUSUTnAU/l4rJAtLfN8aRZoEb/BX=
3.a On the server, create the config file wg0.conf
Ex. on the Ubuntu WireGuard server CLI, run:
#nano /etc/wireguard/wg0.conf
And add this content:
[Interface]
Address =
SaveConfig = true
PrivateKey = <insert server_private_key>
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE

[Peer]
PublicKey = <insert client_public_key>
AllowedIPs =
The above configuration assumes your network adapter is named ens18.
If your network adapter has a different name, replace ens18 in PostUp and PostDown with the name of the NIC in your KVM.
You can check your network adapters on Linux by running either of the following:
#ip a
#ls /sys/class/net
3.b On the client, generate the keys
#wg genkey | tee client_private_key | wg pubkey > client_public_key
List the keys:
#cat client_private_key
#cat client_public_key
Edit the wg0-client.conf file on the client and add the text below.
Ex. on the Ubuntu WireGuard client CLI, run:
#nano /etc/wireguard/wg0-client.conf
Add the following content:
[Interface]
Address =
PrivateKey = <insert client_private_key>

[Peer]
PublicKey = <insert server_public_key>
Endpoint = <insert vpn_server_address>:51820
AllowedIPs =, ::/0
PersistentKeepalive = 21
Note the values you need to substitute: the client private key, the server public key and the VPN server address.
4. Enable the WireGuard interface on the server by writing:
#chown -v root:root /etc/wireguard/wg0.conf
#chmod -v 600 /etc/wireguard/wg0.conf
#wg-quick up wg0
#systemctl enable wg-quick@wg0.service
You can confirm you have the new interface named wg0 by running ifconfig or ip a.
The output should be similar to this:
wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet scope global wg0
       valid_lft forever preferred_lft forever
5. Enable IP forwarding on the WireGuard server by editing the file sysctl.conf
#nano /etc/sysctl.conf
Remove the # from the line net.ipv4.ip_forward=1
To apply the change without rebooting the server, run the following:
#sysctl -p
#echo 1 > /proc/sys/net/ipv4/ip_forward
That's it, you should now be able to connect to your WireGuard VPN.
If you feel you would like some help with setting this up, please don't hesitate to reach out to us.
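A pre-flight check for the server config from steps 3.a and 4, as an added example that is not part of the original article: it confirms that the interface named in the PostUp MASQUERADE rule exists on the machine, that the file is not accessible to group or others, and that PrivateKey is no longer a placeholder. The function names and the NET_DIR override are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks for a
# wg-quick config. Function names and NET_DIR are hypothetical.
NET_DIR="${NET_DIR:-/sys/class/net}"   # overridable so the check can be tested

# Print the egress interface named in the PostUp MASQUERADE rule.
masq_iface() {
    sed -n 's/^PostUp.*POSTROUTING -o \([^ ;]*\) -j MASQUERADE.*/\1/p' "$1" | head -n 1
}

# Print the file mode in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one line per finding; return 0 only if every check passes.
check_wg_conf() {
    conf=$1
    rc=0
    mode=$(file_mode "$conf")
    case "$mode" in
        ?00) ;;   # e.g. 600: no access for group or others
        *) echo "FAIL: $conf has mode $mode, expected 600"; rc=1 ;;
    esac
    nic=$(masq_iface "$conf")
    if [ -z "$nic" ]; then
        echo "FAIL: no POSTROUTING egress interface found in PostUp"; rc=1
    elif [ ! -e "$NET_DIR/$nic" ]; then
        echo "FAIL: PostUp names '$nic', which is not in $NET_DIR"; rc=1
    fi
    if grep -q '^PrivateKey *= *<' "$conf"; then
        echo "FAIL: PrivateKey is still a placeholder"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $conf"; fi
    return "$rc"
}

# Usage: sh check.sh /etc/wireguard/wg0.conf
if [ "$#" -gt 0 ]; then check_wg_conf "$1"; fi
```

Run it as root against /etc/wireguard/wg0.conf before wg-quick up wg0; a wrong NIC name in PostUp otherwise brings the tunnel up without working NAT.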