This will take you less than 5 minutes to get a private VPN on your own Ubuntu server.
What you need to get started:
- a VPS (Ubuntu 20.04 LTS preferrably)
- docker and docker-compose installed
Setting up docker-compose
On the VPS, I suggest to do the following:
Create a folder
wireguard/config in your $HOME:
mkdir -p wireguard/config
wireguard folder (next to the
config folder), create the docker-compose file:
With the following contents:
version: "2.1" services: wireguard: image: linuxserver/wireguard container_name: wireguard cap_add: - NET_ADMIN - SYS_MODULE environment: - PUID=1000 - PGID=1000 - TZ=Europe/Rome - SERVERURL=YOUR_IP_OR_DNS_NAME_OF_YOUR_SERVER #optional - SERVERPORT=51820 - PEERS=5 volumes: - /home/YOUR_USERNAME/wireguard/config:/config - /lib/modules:/lib/modules ports: - 51820:51820/udp sysctls: - net.ipv4.conf.all.src_valid_mark=1 restart: always
Simply change the
SERVERURL variable, or delete that line if you want to use the server IP.
Additionally, change the location of your wireguard config path in the
volumes section. (use
pwd to get the current path you are in).
For more info and environment variables, check out the official linuxserver/wireguard doc.
restart: always so that WireGuard comes up after a system restart.
PEERS to 5, so that I have 5 configurations available for my devices.
Launching the container
Start the container in the background with
docker-compose up -d
This will create the needed configurations in the
The structure of your
wireguard folder looks something like this
. ├── config │ ├── coredns │ │ └── Corefile │ ├── peer1 │ │ ├── peer1.conf │ │ ├── peer1.png │ │ ├── privatekey-peer1 │ │ └── publickey-peer1 ............................. │ ├── server │ │ ├── privatekey-server │ │ └── publickey-server │ ├── templates │ │ ├── peer.conf │ │ └── server.conf │ └── wg0.conf └── docker-compose.yml
If you’re using
ufw, simply enable the port
51820 so that you can connect to your server from outside:
ufw enable 51820 ufw reload
If you run
sudo ufw status you should see:
Status: active To Action From -- ------ ---- .................................................... 51820 ALLOW Anywhere 51820 (v6) ALLOW Anywhere (v6)
Now you can
scp the configurations individually to your devices.
The configurations are located in the
config/peerX folder, where
X represents the peer number.
E.g. I could
cat/scp the configuration in
wireguard/config/peer1/peer1.conf and put it in
/etc/wireguard/wg0.conf on my host machine.
View the configuration for peer 1 on your server with
and place it in
/etc/wireguard/wg0.conf on your host machine.
If you want to use
scp, you could run the following on your local machine:
scp [email protected]:/home/YOUR_USERNAME/wireguard/config/peer1/peer1.conf /etc/wireguard/wg0.conf
To connect to your newly created WireGuard VPN from one of your devices, you’ll need to install
apt install wireguard-tools ,
pacman -S wireguad-tools based on your distro
Now you can simply run
wg-quick up wg0 and you’re connected to your VPN.
Test it out by running
curl ipinfo.io and inspect the output.
Connecting mobile device with QR code
On your mobile device, install the WireGuard client.
Then add a new WireGuard tunnel by creating a new configuration scanning a QR code.
On your VPS run the following to output a QR code on the terminal that you can scan on your mobile device:
docker exec -it wireguard app/show-peer 1
If you want to understand who is connected and which profiles are in use, simply run the following on your VPS:
docker exec -it wireguard wg
This will give you more information about your connections with the following output:
interface: wg0 public key: (redacted) private key: (hidden) listening port: 51820 peer: (redacted) endpoint: (redacted):51820 allowed ips: (redacted)/32 latest handshake: 27 seconds ago transfer: 5.04 MiB received, 172.64 MiB sent ... peer: (redacted) allowed ips: (redacted)/32
This was most definitely the easiest way I found to connect computers and mobile devices to your own WireGuard VPN.
Let me know if you had troubles setting it up yourself!