How To Securely Manage Secrets with HashiCorp Vault on Ubuntu 16.04


WireGuard is a contemporary, superior VPN built to be simple to use while supplying security that is robust. WireGuard focuses only on providing a connection that is secure events over a network screen encrypted with general public key verification. Which means, unlike many VPNs, no topology is enforced therefore various designs is possible by manipulating the networking configuration that is surrounding. This model offers power that is great freedom which can be used in accordance with your own requirements.

One associated with the easiest topologies that WireGuard may use is a connection that is point-to-point. This establishes a secure link between two machines without mediation by a server that is central. This sort of connection may also be used between a lot more than two users to ascertain a mesh VPN topology, in which each server that is individual talk to its peers directly. These two topologies are best suited for establishing secure messaging between servers as opposed to using a single server as a gateway to route traffic through.( because each host is on equal footing*******)

In this guide, we shall show just how to establish a VPN that is point-to-point connection WireGuard using two Ubuntu 16.04 servers. We will start by installing the software and then generating key that is cryptographic for every single host. Afterward, we shall produce a configuration that is short to define the peer’s connection information. Once we start up the interface, we will be able to send messages that are secure the servers within the WireGuard screen.


To follow in addition to this guide, you’ll need use of two Ubuntu 16.04 servers. For each host, you need to produce a user that is non-root sudo privileges to perform administrative actions. You will also need a firewall that is basic for each system. You’ll satisfy these demands by doing these ( that is tutorial*******)

if you are willing to carry on, log into each host along with your sudo individual.

Installing the program

The WireGuard task provides a PPA with up-to-date packages for Ubuntu systems. We shall need to install WireGuard on both of our servers before we can continue. On each server, perform the actions that are following

First, include the WireGuard PPA towards system to configure use of the task’s packages:

  • sudo add-apt-repository ppa:wireguard/wireguard

Press ENTER whenever prompted to incorporate the brand new package supply towards apt setup. When the PPA was added, upgrade the package that is local to pull straight down information regarding the newly available packages then install the WireGuard kernel module and userland elements:

  • sudo apt-get change
  • sudo apt-get install wireguard-dkms wireguard-tools

Next, we are able to start WireGuard that is configuring on of our servers.

Creating an exclusive Key

Each participant in a WireGuard VPN authenticates to its peers utilizing keys that are public. Connections between new peers can be established by exchanging public keys and performing configuration that is minimal

To produce a key that is private compose it right to a WireGuard setup file, kind these on each host:

  • (umask 077 && printf "[Interface]nPrivateKey = " > /dev/null)
  • wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo/etc/wireguard/publickey that is tee

The very first demand writes the original articles of a setup file to /etc/wireguard/wg0.conf. The umask value in a sub-shell making sure that we create the file with limited permissions without impacting our regular environment.

The 2nd demand creates a personal key utilizing WireGuard’s wg demand and writes it right to our limited setup file. We additionally pipe one of the keys back to the wg pubkey demand to derive the associated key that is public which we write to a file called /etc/wireguard/publickey for easy reference. We will need to exchange the key in this file with the server that is second we define our setup.

Creating an configuration that is initial*********)

Next, we shall start the setup file in an editor to setup additional details:

  • sudo nano /etc/wireguard/wg0.conf

Inside, you ought to see your generated personal key defined in a part called [Interface]. This area provides the setup the side that is local of connection.

Configuring the Interface Section

We should determine the VPN ip this node uses and also the slot it will pay attention in for connections from peers. Start with incorporating ListenPort and SaveConfig lines which means that your file seems like this:


PrivateKey = generated_private_key
ListenPort = 5555
SaveConfig = real

This sets the slot that WireGuard will pay attention in. This is any free, bindable slot, in this guide we shall set our VPN up on slot 5555 for both servers. Set the ListenPort for each host towards slot you have chosen:

We additionally set SaveConfig to true. This may inform the wg-quick solution to immediately save yourself its configuration that is active to file at shutdown.

Note: whenever SaveConfig is enabled, the wg-quick solution will overwrite the articles associated with the /etc/wireguard/wg0.conf File whenever the ongoing service shuts down. The/etc/wireguard/wg0.conf if you need to modify the WireGuard configuration, either shut down the wg-quick service prior to editing file or result in the modifications towards service that is running the wg demand (these will undoubtedly be become conserved within the file whenever solution shuts down). Any modifications designed to the setup file whilst the solution is operating will undoubtedly be overwritten whenever wg-quick shops its active setup.

Next, include an original Address meaning every single host so the wg-quick solution can set the system information with regards to introduces the WireGuard screen. We’ll utilize the subnet once the target area for the VPN. For every computer, you need to select a address that is unique this range ( to and specify the target and subnet utilizing CIDR notation.

We gives our first host a target of, that will be represented as in CIDR notation:

/etc/wireguard/wg0.conf on very first host

PrivateKey = generated_private_key
ListenPort = 5555
SaveConfig = real
Target =

On our second host, we shall determine the target as, which provide us with a CIDR representation of

/etc/wireguard/wg0.conf on 2nd host

PrivateKey = generated_private_key
ListenPort = 5555
SaveConfig = real
Target =

This could be the end associated with the [Interface] area.

We can enter the knowledge towards host’s peers either inside the setup file or by hand utilizing the wg demand down the road. As stated above, the wg-quick solution utilizing the SaveConfig choice set to true means your peer information will be written to eventually the file with either technique.

To indicate both methods of determining peer identities, we shall produce a [Peer] area within the 2nd host’s setup file although not the very first. You’ll save yourself and shut the setup apply for the first host (the main one defining the target) now.

Defining the Peer Section

In the setup file that is nevertheless available, create a part called [Peer] underneath the entries within the [Interface] area.

Begin by establishing the PublicKey towards value associated with the first host’s general public key. You will find this value by typing cat /etc/wireguard/publickey on server that is opposite. We shall additionally set AllowedIPs towards internet protocol address details which can be legitimate within the tunnel. We can input that directly, ending with /32 to indicate a range that contains single IP value:( since we know the specific IP address that the first server is using,*******)

/etc/wireguard/wg0.conf on 2nd host

. . .

PublicKey = public_key_of_first_server
AllowedIPs =

Finally, we are able to set the Endpoint towards server that is first public IP address and the WireGuard listening port (we used port 5555 in this example). WireGuard will update this value if it receives traffic that is legitimate this peer on another target, permitting the VPN to adjust to wandering conditions. We set the value that is initial that this host can start contact:

/etc/wireguard/wg0.conf on 2nd host

. . .

PublicKey = public_key_of_first_server
AllowedIPs =
Endpoint = public_IP_of_first_server:5555

if you are completed, save yourself and shut the file to come back towards demand prompt.

Starting the VPN and Connecting to Peers

We’re now willing to begin WireGuard for each host and configure the text between our two peers.

Opening the Firewall and beginning the VPN

First, start the WireGuard port up within the firewall for each host:

Now, begin the wg-quick solution utilizing the wg0 screen file we defined:

This begins associated with the wg0 system screen on device. We are able to verify this by typing:

Output on very first host

6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN team standard qlen 1 link/none inet range wg0 that is global valid_lft forever preferred_lft forever

We may use the wg device to look at information regarding the active setup associated with the VPN:

On the host without a definition that is peer the display will appear something similar to this:

Output on very first host

interface: wg0 general public key: public_key_of_this_server personal key: (concealed) paying attention slot: 5555

On the host with a peer setup currently defined, the production also include that information:

Output on 2nd host

interface: wg0 general public key: public_key_of_this_server personal key: (concealed) paying attention slot: 5555 peer: public_key_of_first_server endpoint: public_IP_of_first_server:5555 permitted ips:

To finish the text, we have now should include the server that is second peering information towards very first host utilizing the wg demand.

Adding the Missing Peer home elevators the Command Line

On the first host (the one which does not show peer information), enter the peering information by hand utilizing the format that is following. The second server's public key can be found in the output of sudo wg from the server:( that is second*******)

  • sudo wg set wg0 peer public_key_of_second_server endpoint public_IP_of_second_server:5555 allowed-ips

You can concur that the knowledge is currently within the active setup by typing sudo wg once more on server:( that is first*******)

Output on very first host

interface: wg0 general public key: public_key_of_this_server personal key: (concealed) paying attention slot: 5555 peer: public_key_of_second_server endpoint: public_IP_of_second_server:5555 permitted ips:

Our point-to-point connection should now be around. Take to pinging the VPN target associated with the 2nd host through the ( that is first*******)

Output on very first host

PING ( 56(84) bytes of information. 64 bytes from icmp_seq=1 ttl=64 time=0.635 ms 64 bytes from icmp_seq=2 ttl=64 time=0.615 ms 64 bytes from icmp_seq=3 ttl=64 time=0.841 ms --- ping data --- 3 packets sent, 3 received, 0per cent packet loss, time 1998ms rtt min/avg/max/mdev = 0.615/0.697/0.841/0.102 ms

If all things are working precisely, you are able to save yourself the setup on server that is first to the /etc/wireguard/wg0.conf File by restarting the ongoing solution:

(you can enable the service on each machine by typing:

If you want to start the tunnel at boot,*******)

The VPN tunnel should now be immediately started whenever the equipment shoes.


WireGuard is an excellent choice for numerous usage instances because freedom, light-weight execution, and cryptography that is modern. In this guide, we installed WireGuard on two Ubuntu 16.04 servers and configured each host as a server with a connection that is point-to-point its peer. This topology is great for developing server-to-server interaction with peers in which each part is an participant that is equal in which hosts may need to establish ad-hoc connections to many other servers.


Please enter your comment!
Please enter your name here