Introduction
WireGuard is a modern VPN protocol built directly into the Linux kernel since version 5.6. It creates encrypted tunnels between your devices and your server using state-of-the-art cryptography — Curve25519 for key exchange, ChaCha20 for encryption, and BLAKE2s for hashing. The entire codebase is roughly 4,000 lines of code, compared to over 100,000 for OpenVPN, which makes WireGuard easier to audit, faster to run, and simpler to configure.
By running a WireGuard server on your Raff VM, you can securely access internal services like databases, admin panels, and monitoring dashboards without exposing them to the public internet. You can also encrypt all your traffic when working from public Wi-Fi, route your internet through your server's IP address, or build a private network between multiple Raff VMs across different deployments.
In this tutorial, you will install WireGuard on your Raff Ubuntu 24.04 VM, generate server and client key pairs, configure the WireGuard interface, enable IP forwarding for traffic routing, configure the firewall for VPN traffic, and connect a client device through the tunnel. We use WireGuard on our own infrastructure for secure access to management interfaces — on a Raff VM, the kernel-level implementation adds negligible CPU overhead even under sustained VPN traffic, and unmetered bandwidth means tunnel usage never generates overage charges.
Step 1 — Install WireGuard
WireGuard is included in Ubuntu 24.04's default repositories and its kernel module is already compiled into the default kernel. Install the userspace tools:
bashsudo apt update
sudo apt install -y wireguard
Verify that the WireGuard kernel module is available:
bashsudo modprobe wireguard
lsmod | grep wireguard
You should see wireguard listed in the output, confirming the kernel module is loaded.
Step 2 — Generate Server Keys
WireGuard uses public/private key pairs for authentication — similar to SSH keys but specific to the WireGuard protocol. Each peer (server and every client) needs its own key pair.
Create a directory for the keys and set strict permissions:
bashsudo mkdir -p /etc/wireguard
sudo chmod 700 /etc/wireguard
Generate the server's private and public keys:
bashwg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
Lock down the private key so only root can read it:
bashsudo chmod 600 /etc/wireguard/server_private.key
Display the keys — you will need these in the next steps:
bashsudo cat /etc/wireguard/server_private.key
sudo cat /etc/wireguard/server_public.key
Warning
The private key is the single most sensitive component of your VPN. Anyone with the server's private key can impersonate your VPN server. Never share it, commit it to version control, or transmit it over unencrypted channels.
Step 3 — Configure the WireGuard Server Interface
Create the WireGuard configuration file:
bashsudo nano /etc/wireguard/wg0.conf
Add the following configuration. Replace SERVER_PRIVATE_KEY with the contents of /etc/wireguard/server_private.key:
ini[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
SaveConfig = false
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Key settings explained:
Address = 10.0.0.1/24— The server's IP address inside the VPN tunnel. Clients will get addresses in the10.0.0.xrange.ListenPort = 51820— The UDP port WireGuard listens on. This is the default and standard port.PostUp/PostDown— iptables rules that enable NAT (Network Address Translation) so VPN clients can access the internet through the server. These rules are added when the interface starts and removed when it stops.
Note
If your server's primary network interface is not eth0, replace eth0 in the PostUp/PostDown lines with your actual interface name. Check with ip route show default — the interface name appears after "dev" (commonly eth0, ens3, or enp0s3 on Raff VMs).
Set strict permissions on the configuration file:
bashsudo chmod 600 /etc/wireguard/wg0.conf
Step 4 — Enable IP Forwarding
By default, Linux does not forward packets between network interfaces. Enable IP forwarding so VPN clients can route traffic through the server:
bashsudo nano /etc/sysctl.conf
Find and uncomment (remove the #) this line:
net.ipv4.ip_forward = 1
If you also want IPv6 forwarding, uncomment:
net.ipv6.conf.all.forwarding = 1
Apply the changes without rebooting:
bashsudo sysctl -p
You should see the settings echoed back:
net.ipv4.ip_forward = 1
Verify the setting is active:
bashcat /proc/sys/net/ipv4/ip_forward
The output should be 1.
Step 5 — Configure the Firewall
Allow WireGuard's UDP port through UFW:
bashsudo ufw allow 51820/udp
Verify the rule:
bashsudo ufw status
You should see 51820/udp listed as ALLOW.
Tip
WireGuard uses UDP, not TCP. If you see connection issues, verify you allowed /udp specifically — sudo ufw allow 51820 without the protocol suffix defaults to both TCP and UDP, which works but is less precise.
Step 6 — Generate Client Keys and Add the Peer
Each device that connects to your VPN needs its own key pair. Generate client keys on the server (you can also generate them on the client device — either works):
bashwg genkey | sudo tee /etc/wireguard/client1_private.key | wg pubkey | sudo tee /etc/wireguard/client1_public.key
sudo chmod 600 /etc/wireguard/client1_private.key
Display the client public key:
bashsudo cat /etc/wireguard/client1_public.key
Add the client as a peer to the server configuration:
bashsudo nano /etc/wireguard/wg0.conf
Add this block at the end of the file. Replace CLIENT1_PUBLIC_KEY with the contents of client1_public.key:
ini[Peer]
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
The AllowedIPs = 10.0.0.2/32 assigns this client the VPN IP address 10.0.0.2 and restricts it to only that address. For additional clients, increment the IP: 10.0.0.3/32, 10.0.0.4/32, and so on.
Step 7 — Start the WireGuard Interface
Start the WireGuard interface and enable it to start at boot:
bashsudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
Verify the interface is running:
bashsudo wg show
You should see output showing the interface, listening port, and the configured peer:
interface: wg0
public key: <server_public_key>
private key: (hidden)
listening port: 51820
peer: <client1_public_key>
allowed ips: 10.0.0.2/32
Verify the network interface exists:
baship addr show wg0
You should see 10.0.0.1/24 assigned to the wg0 interface.
Step 8 — Configure the Client
Create a configuration file on your client device. On Linux, save it as /etc/wireguard/wg0.conf. On macOS, Windows, or mobile, import it into the WireGuard app.
Replace the placeholder values with your actual keys and server IP:
ini[Interface]
PrivateKey = CLIENT1_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 1.1.1.1, 8.8.8.8
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = your_server_ip:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Key settings:
PrivateKey— The client's private key (fromclient1_private.key).Address = 10.0.0.2/24— The client's VPN IP address. Must match theAllowedIPsin the server's Peer block.DNS— DNS servers to use when the VPN is active. Cloudflare (1.1.1.1) and Google (8.8.8.8) are reliable defaults.Endpoint— Your Raff VM's public IP address and WireGuard port.AllowedIPs = 0.0.0.0/0, ::/0— Routes ALL traffic through the VPN tunnel (full tunnel mode). To only route VPN subnet traffic, change this to10.0.0.0/24(split tunnel mode).PersistentKeepalive = 25— Sends a keepalive packet every 25 seconds to maintain the connection through NAT devices and firewalls.
On a Linux client, start the connection:
bashsudo wg-quick up wg0
On macOS, Windows, or mobile, open the WireGuard app, import the configuration file (or scan a QR code), and activate the tunnel.
Step 9 — Verify the VPN Connection
From the client, ping the server's VPN address:
bashping 10.0.0.1
You should see replies. If using full tunnel mode (AllowedIPs = 0.0.0.0/0), verify your public IP has changed:
bashcurl -4 icanhazip.com
The output should show your Raff VM's public IP, not your local IP — confirming all traffic is routing through the VPN tunnel.
On the server, check the connection status:
bashsudo wg show
Under the client's peer section, you should see latest handshake with a recent timestamp and transfer showing bytes sent and received. If latest handshake shows no value, the client has not connected successfully — verify keys, endpoint, and firewall rules.
To disconnect the VPN on a Linux client:
bashsudo wg-quick down wg0
Conclusion
You have installed WireGuard on your Raff Ubuntu 24.04 VM, configured the server and a client peer, enabled IP forwarding and NAT, and established an encrypted VPN tunnel. Your server now provides secure, private access to internal services and encrypted internet routing.
From here, you can:
- Add more client peers by generating additional key pairs and adding
[Peer]blocks towg0.conf - Use split tunneling (
AllowedIPs = 10.0.0.0/24) to only route private traffic through the VPN while keeping internet traffic local - Restrict access to services like Redis, PostgreSQL, or admin panels to the WireGuard subnet only using UFW rules
- Connect multiple Raff VMs through WireGuard for a private mesh network between your cloud infrastructure
Raff VMs include unmetered bandwidth on all tiers, which means VPN traffic — even when routing all client internet traffic through the tunnel — never generates overage charges. Combined with AMD EPYC processors handling the ChaCha20 encryption at wire speed, WireGuard on a Raff VM delivers both security and performance.
This tutorial was tested and verified by our security engineering team on a Raff CPU-Optimized Tier 2 VM with WireGuard kernel module.