223 changes: 115 additions & 108 deletions docs/marketplace-docs/guides/wireguard/index.md
@@ -1,8 +1,8 @@
---
title: "Deploy WireGuard through the Linode Marketplace"
description: 'Deploy a WireGuard Server on Linode with Marketplace Apps.'
description: 'Deploy a WireGuard Server or Client on Linode with Marketplace Apps.'
published: 2019-03-28
modified: 2022-03-08
modified: 2025-07-08
keywords: ['vpn','wireguard','tunnel']
tags: ["cloud-manager","linode platform","security","marketplace","vpn"]
bundles: ['network-security']
Expand All @@ -18,16 +18,16 @@ marketplace_app_id: 401706
marketplace_app_name: "WireGuard"
---

WireGuard® is a simple, fast, and modern virtual private network (VPN) which uses state-of-the-art cryptography. It aims to be faster and leaner than other VPN protocols such as OpenVPN and IPSec, and it has a much smaller source code footprint.
WireGuard® is a simple, fast, and modern virtual private network (VPN) which uses state-of-the-art cryptography. It aims to be faster and leaner than other VPN protocols such as OpenVPN and IPSec and it has a much smaller source code footprint.

Configuring WireGuard is as simple as configuring SSH. A connection is established by an exchange of public keys between server and client, and only a client whose public key is present in the server's configuration file is considered authorized. WireGuard sets up standard network interfaces which behave similarly to other common network interfaces, like `eth0`. This makes it possible to configure and manage WireGuard interfaces using standard networking tools such as ifconfig and ip.
Configuring WireGuard is as simple as configuring SSH. A connection is established by an exchange of public keys between server and client, and only a client whose public key is present in the server's configuration file is considered authorized. WireGuard sets up standard network interfaces which behave similarly to other common network interfaces, like `eth0`. This makes it possible to configure and manage WireGuard interfaces using standard networking tools such as `ifconfig` and `ip`.

The WireGuard Marketplace App will create a Linode instance and set up a WireGuard network device named `wg0` on it. This device will have a simple configuration which can send and receive traffic to/from a single WireGuard peer (which will also be referred to as your WireGuard *client*).
The WireGuard Marketplace App provides two separate applications:
1. **WireGuard Server**. Creates a Linode and sets up a WireGuard network device named `wg0` on it. This device acts as the central hub for your WireGuard network.
2. **WireGuard Client**. Creates a Linode that can connect to your WireGuard server. You can deploy multiple clients to connect to the same server.

{{< note >}}
The peer configurations provided by the Marketplace App and this guide will allow you to directly connect your WireGuard server and client. This configuration will *not* enable forwarding of all of your client's traffic through the WireGuard server to the public Internet (though that arrangement is possible with WireGuard).

Your WireGuard configuration can be adjusted after you first set up your Marketplace App; review the [WireGuard man page](https://manpages.debian.org/unstable/wireguard-tools/wg.8.en.html) for more information about the options that are available.
The WireGuard Server and Client apps can be deployed independently. If you already have a WireGuard server running, you can simply deploy the client app and configure it to connect to your existing server.
{{< /note >}}

## Deploying a Marketplace App
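Review bot: The replacement `{{< note >}}` drops the statement that this configuration will *not* forward all of the client's traffic through the WireGuard server to the public Internet, together with the link to the `wg` man page. That sentence tells the reader the deployment is a direct server-to-client tunnel and not a full-tunnel VPN, so keep it (as a second paragraph of the note, or in the introduction) alongside the new text about deploying the two apps independently. In the first paragraph, the new line removes the comma before "and it has a much smaller source code footprint", which joins two independent clauses; restore it.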
Expand All @@ -42,120 +42,127 @@ Your WireGuard configuration can be adjusted after you first set up your Marketp

## Configuration Options

- **Supported distributions:** Ubuntu 22.04 LTS
- **Recommended minimum plan:** All plan types and sizes can be used. The plan that you select should be appropriate for the amount of data transfer, users, and other stress that may affect the performance of your VPN.

### WireGuard Options

The WireGuard Marketplace form includes fields for your WireGuard client's [*public key*](https://www.wireguard.com/quickstart/#key-generation) and for your client's *endpoint IP* (which is your client's public IP address). If you have already set up your client and installed the WireGuard software on it before setting up your WireGuard Marketplace App, then you may already have this information. If you do have the key and the endpoint IP for the client, you can enter them into the app's creation form, and your server's configuration will be pre-populated with those values.

{{< note >}}
A public key generated by WireGuard will not resemble [a public key that you might use for SSH connections](/docs/guides/use-public-key-authentication-with-ssh/); when in doubt, leave the form's **Public Key (Client)** field blank.
{{< /note >}}

If you do not have the values for these fields, you can leave them empty. After the app is deployed, visit the [Configure and Connect your WireGuard Client and Server](#configure-and-connect-your-wireguard-client-and-server) section to set up your client and generate a key. The instructions in that section will also show you how to insert the key and the endpoint IP for your client into your server's configuration.

- **Port:** Set your WireGuard server's listening port number. The default is: `51820`.
- **Tunnel IP:** Your WireGuard server's tunnel IP address and subnet in CIDR notation. The default is: `10.0.1.1/24`. This is not the same as a private IP address that Linode can assign to your Linode instance; instead, this address is managed by the network that WireGuard creates.
- **WireGuard Public Key (Client):** Your WireGuard client's public key.
- **Tunnel IP (Client):** Your WireGuard client's tunnel IP address and subnet in CIDR notation. The default is: `10.0.1.2/24`. This is not the same as a private IP address that Linode can assign to your Linode instance; instead, this address is managed by the network that WireGuard creates.
- **Endpoint IP (Client):** The Internet address of your WireGuard client. If your WireGuard client is another Linode, then the Endpoint IP is the public IP of that Linode, which is visible in the Linode's dashboard in the Linode Cloud Manager.

## Getting Started after Deployment

### Configure and Connect your WireGuard Client and Server

After your Marketplace App has provisioned your WireGuard server, you can proceed with setting up your WireGuard client and establishing a connection to the server.

If you did not provide a public key for WireGuard when you first set up your Marketplace App, you will need to follow the next set of steps. These instructions will set up your client and inform your server of your client's public key. If you did provide a public key when deploying the Marketplace App and have set up your client, skip to the second collection of steps in this section.


1. Follow the [WireGuard Client](/docs/guides/set-up-wireguard-vpn-on-ubuntu/#wireguard-client) section of our WireGuard guide to generate a public/private keypair for your client, and to set up the WireGuard network interface configuration on your client.

1. [Connect to your Marketplace App's Linode via SSH](/docs/products/compute/compute-instances/guides/set-up-and-secure/#connect-to-the-instance).

1. Bring down the `wg0` interface on the server:

wg-quick down wg0

1. Open the `/etc/wireguard/wg0.conf` file in a text editor ([nano](/docs/quick-answers/linux/use-nano-to-edit-files-in-linux/), for example).

1. You will see a line that reads `PublicKey = ` under the `[Peer]` section. Append your client's public key to this line.
- **Supported distributions:** Ubuntu 24.04 LTS
- **Suggested minimum plan:** All plan types and sizes can be used. The plan that you select should be appropriate for the amount of data transfer, users, and other stress that may affect the performance of your VPN.

1. You will also see a line that reads `Endpoint = `. Append your client's Internet address to this line and then save the file. If your WireGuard client is also a Linode, user your Linode's public IP. If your client is on your home computer, visit a site like [whatismyip.com](https://www.whatismyip.com) to get your address.
### WireGuard Server Options

1. Bring the `wg0` interface back up on the server:
The WireGuard Server Marketplace form includes the following fields:

wg-quick up wg0
- **WireGuard Server Tunnel Address:** Your WireGuard server's tunnel IP address and subnet in CIDR notation. The default is: `10.0.0.1/24`. This is not the same as a private IP address that Linode can assign to your Linode instance; instead, this address is managed by the network that WireGuard creates.
- **WireGuard Listen Port:** Your WireGuard server's listening port number. The default is: `51820`.

{{< note >}}
`wg-quick` is a convenient wrapper for many of the common functions in `wg`. To learn more about all the available commands for each utility, issue the `wg --help` and `wg-quick --help` commands from your Linode's command line.
{{< /note >}}
### WireGuard Client Options

You should now have your server configuration completed. At this point, you still need to complete your client's configuration; specifically, you need to add your server as a peer to the client:
The WireGuard Client Marketplace form includes the following fields:

1. [Connect to your Marketplace App's Linode via SSH](/docs/products/compute/compute-instances/guides/set-up-and-secure/#connect-to-the-instance).
- **WireGuard Server Public Key:** The public key of your WireGuard server. You can find it in `/etc/wireguard/server_public.key` on your server instance.
- **WireGuard Server Endpoint:** The public IP address and port of your WireGuard server in the format `IP:PORT` (e.g., `192.0.2.1:51820`).
- **WireGuard Client Tunnel IP:** Your WireGuard client's tunnel IP address with the `/32` subnet. The default is: `10.0.0.2/32`.
- **Allowed IPs:** The IP addresses that should be routed through the WireGuard tunnel. The default is: `10.0.0.1/32`.

1. Just like your client, your server also has a public/private keypair of its own. The Marketplace App script leaves a copy of these keys in the root user's home folder:

ls /root

```output
wg-private.key wg-public.key
```

1. Use the `cat` command to get the value of the server's WireGuard public key:

cat /root/wg-public.key

1. You should see a random string similar to:

```output
FngGVypEJ13KU8+OeBGG1sOd2i+aazsj7qPL3ZxacG8=
```

1. Copy the output of your server's public key, then use it to complete **steps 1 and 2** of the [Connect the Client and Server](/docs/guides/set-up-wireguard-vpn-on-ubuntu/#connect-the-client-and-server) section of our WireGuard guide. These steps will tell you to append `[Peer]` section to your client's existing WireGuard configuration and then how to enable the service on your client.

Enter your server's WireGuard tunnel IP (using the `/24` CIDR notation) as the value for the `AllowedIPs` setting, and set the server's public IP address and WireGuard port to be the Endpoint. Here's an example template for a completed client configuration:

```file
[Interface]
PrivateKey = <Your client WireGuard private key>
Address = 10.0.1.2/24

[Peer]
PublicKey = <Your server WireGuard public key>
AllowedIPs = 10.0.1.1/24
Endpoint = <Your WireGuard server public IP>:51820
```

After you complete steps 1 and 2 from that section, you will have established the server as the client's peer.

### Test your WireGuard Client's Connection

This test should be performed once you have configured a WireGuard client and updated your WireGuard server to include the client's peer information:

1. Access your WireGuard client and ping the WireGuard server. Replace `10.0.1.1` with the tunnel IP address you assigned to the WireGuard server in the Marketplace App creation form:

ping 10.0.1.1

1. Use the WireGuard utility to verify your client's latest handshake:

wg show

The last two lines of the output from running the wg command should be similar to:
## Getting Started after Deployment

```output
latest handshake: 1 minute, 17 seconds ago
transfer: 98.86 KiB received, 43.08 KiB sent
```
### Server-Side Configuration

The deployment of the WireGuard Server Marketplace App automatically creates following files:

- `/etc/wireguard/server_private.key`: The server's private key.
- `/etc/wireguard/server_public.key`: The server's public key.
- `/etc/wireguard/wg0.conf`: The server's WireGuard configuration file.

The initial `wg0.conf` looks like this:

```file
[Interface]
PrivateKey = <server-private-key>
Address = <server-tunnel-address>
ListenPort = <listen-port>
```

### Client-Side Configuration

The deployment of the WireGuard Client Marketplace App automatically creates following files:

- `/etc/wireguard/client_private.key`: The client's private key.
- `/etc/wireguard/client_public.key`: The client's public key.
- `/etc/wireguard/wg0.conf`: The client's WireGuard configuration file.

The initial `wg0.conf` looks like this:

```file
[Interface]
PrivateKey = <client-private-key>
Address = <client-tunnel-ip>
MTU = 1420
DNS = 8.8.8.8

[Peer]
PublicKey = <server-public-key>
AllowedIPs = <allowed-ips>
Endpoint = <server-endpoint>
```

### Adding Clients to the Server

To add a new client to your WireGuard server:

1. Deploy a new WireGuard Client instance using the Marketplace App.
2. On the client instance, locate the client's public key:
```bash
cat /etc/wireguard/client_public.key
```
3. On the server instance, edit the WireGuard configuration:
```bash
sudo nano /etc/wireguard/wg0.conf
```
4. Add a new `[Peer]` section for the client:
```file
[Peer]
PublicKey = <client-public-key>
AllowedIPs = <client-tunnel-ip>
```
5. Restart the WireGuard service on the server:
```bash
sudo systemctl restart wg-quick@wg0
sudo wg-quick down wg0
sudo wg-quick up wg0
```

### Testing the Connection

To test the connection between your WireGuard client and server:

1. From the client instance, ping the server's tunnel IP:
```bash
ping <server-tunnel-ip>
```

2. Check the WireGuard connection status:
```bash
sudo wg show
```

You should see a similar output:
```output
interface: wg0
public key: <server-public-key>
private key: (hidden)
listening port: 51820

peer: <client-public-key>
endpoint: <client-ip>:<port>
allowed ips: <client-tunnel-ip>
latest handshake: 1 minute, 17 seconds ago
transfer: 98.86 KiB received, 43.08 KiB sent
```

### Software Included

| **Software** | **Description** |
|--------------|-----------------|
| [**WireGuard**](https://www.wireguard.com) | VPN software. |
| [**UFW (UncomplicatedFireWall)**](https://wiki.ubuntu.com/UncomplicatedFirewall) | Firewall utility. The Port assigned during the [WireGuard Options](#wireguard-options) step of the deployment will allow outgoing and incoming traffic. |
| [**UFW (UncomplicatedFireWall)**](https://wiki.ubuntu.com/UncomplicatedFirewall) | Firewall utility. The port assigned during the deployment that allows outgoing and incoming traffic. |

{{% content "marketplace-update-note-shortguide" %}}
