Deploy WireGuard through the Linode Marketplace
Quickly deploy a Compute Instance with various software applications pre-installed and ready to use.
WireGuard® is a simple, fast, and modern virtual private network (VPN) which uses state-of-the-art cryptography. It aims to be faster and leaner than other VPN protocols such as OpenVPN and IPsec, and it has a much smaller source code footprint.
Configuring WireGuard is as simple as configuring SSH. A connection is established by an exchange of public keys between server and client, and only a client whose public key is present in the server’s configuration file is considered authorized. WireGuard sets up standard network interfaces which behave similarly to other common network interfaces, like eth0. This makes it possible to configure and manage WireGuard interfaces using standard networking tools such as ifconfig and ip.
The WireGuard Marketplace App provides two separate applications:
- WireGuard Server. Creates a Linode and sets up a WireGuard network device named wg0 on it. This device acts as the central hub for your WireGuard network.
- WireGuard Client. Creates a Linode that can connect to your WireGuard server. You can deploy multiple clients to connect to the same server.
Deploying a Marketplace App
The Linode Marketplace lets you easily deploy software on a Compute Instance using Cloud Manager. See Get Started with Marketplace Apps for complete steps.
Log in to Cloud Manager and select the Marketplace link from the left navigation menu. This displays the Linode Create page with the Marketplace tab pre-selected.
Under the Select App section, select the app you would like to deploy.
Complete the form by following the steps and advice within the Creating a Compute Instance guide. Depending on the Marketplace App you selected, there may be additional configuration options available. See the Configuration Options section below for compatible distributions, recommended plans, and any additional configuration options available for this Marketplace App.
Click the Create Linode button. Once the Compute Instance has been provisioned and has fully powered on, wait for the software installation to complete. If the instance is powered off or restarted before this time, the software installation will likely fail.
To verify that the app has been fully installed, see Get Started with Marketplace Apps > Verify Installation. Once installed, follow the instructions within the Getting Started After Deployment section to access the application and start using it.
Configuration Options
- Supported distributions: Ubuntu 24.04 LTS
- Suggested minimum plan: All plan types and sizes can be used. The plan that you select should be appropriate for the amount of data transfer, users, and other stress that may affect the performance of your VPN.
WireGuard Server Options
The WireGuard Server Marketplace form includes the following fields:
- WireGuard Server Tunnel Address: Your WireGuard server’s tunnel IP address and subnet in CIDR notation. The default is: 10.0.0.1/24. This is not the same as a private IP address that Linode can assign to your Linode instance; instead, this address is managed by the network that WireGuard creates.
- WireGuard Listen Port: Your WireGuard server’s listening port number. The default is: 51820.
WireGuard Client Options
The WireGuard Client Marketplace form includes the following fields:
- WireGuard Server Public Key: The public key of your WireGuard server. You can find it in /etc/wireguard/server_public.key on your server instance.
- WireGuard Server Endpoint: The public IP address and port of your WireGuard server in the format IP:PORT (e.g., 192.0.2.1:51820).
- WireGuard Client Tunnel IP: Your WireGuard client’s tunnel IP address with the /32 subnet. The default is: 10.0.0.2/32.
- Allowed IPs: The IP addresses that should be routed through the WireGuard tunnel. The default is: 10.0.0.1/32.
Getting Started after Deployment
Server-Side Configuration
The deployment of the WireGuard Server Marketplace App automatically creates the following files:
- /etc/wireguard/server_private.key: The server’s private key.
- /etc/wireguard/server_public.key: The server’s public key.
- /etc/wireguard/wg0.conf: The server’s WireGuard configuration file.
The initial wg0.conf looks like this:
    [Interface]
    PrivateKey = <server-private-key>
    Address = <server-tunnel-address>
    ListenPort = <listen-port>
Client-Side Configuration
The deployment of the WireGuard Client Marketplace App automatically creates the following files:
- /etc/wireguard/client_private.key: The client’s private key.
- /etc/wireguard/client_public.key: The client’s public key.
- /etc/wireguard/wg0.conf: The client’s WireGuard configuration file.
The initial wg0.conf looks like this:
    [Interface]
    PrivateKey = <client-private-key>
    Address = <client-tunnel-ip>
    MTU = 1420
    DNS = 8.8.8.8

    [Peer]
    PublicKey = <server-public-key>
    AllowedIPs = <allowed-ips>
    Endpoint = <server-endpoint>
Adding Clients to the Server
To add a new client to your WireGuard server:
- Deploy a new WireGuard Client instance using the Marketplace App.
- On the client instance, locate the client’s public key:
    cat /etc/wireguard/client_public.key
- On the server instance, edit the WireGuard configuration:
    sudo nano /etc/wireguard/wg0.conf
- Add a new [Peer] section for the client:
    [Peer]
    PublicKey = <client-public-key>
    AllowedIPs = <client-tunnel-ip>
- Restart the WireGuard service on the server:
    sudo systemctl restart wg-quick@wg0
    sudo wg-quick down wg0
    sudo wg-quick up wg0
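The checks worth making before a [Peer] section is added, as an added example that is not part of the original guide or of the Marketplace App: it validates the client key and tunnel address and refuses duplicates before appending to the file. The helper names add_peer and valid_host32 are hypothetical, and the demo at the end runs against a constructed temporary file rather than /etc/wireguard/wg0.conf.

```shell
#!/bin/sh
# Added example; add_peer and valid_host32 are hypothetical helpers, not Marketplace tooling.

# Succeeds only for a dotted-quad IPv4 address with a /32 mask.
valid_host32() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 || $5 != "32" { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# add_peer CONF PUBLIC_KEY TUNNEL_IP
# Returns 0 on success, 2 bad key, 3 bad address, 4 key or address already used.
add_peer() {
    conf=$1 key=$2 ip=$3

    # A WireGuard key is 32 bytes, which is 44 base64 characters.
    if [ "${#key}" -ne 44 ] ||
       [ "$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c)" -ne 32 ]; then
        echo "rejected: key is not 32 bytes of base64" >&2
        return 2
    fi
    # The server accepts tunnel packets from a peer only if the source address
    # is in its AllowedIPs, so each client gets exactly one host address.
    if ! valid_host32 "$ip"; then
        echo "rejected: $ip is not a single IPv4 host (/32)" >&2
        return 3
    fi
    # Refuse a key already in the file, or an address another peer already holds.
    if grep -Fq -- "$key" "$conf" ||
       awk -F= -v ip="$ip" '
           /^[ \t]*AllowedIPs/ {
               n = split($2, a, ",")
               for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", a[i]); if (a[i] == ip) hit = 1 }
           }
           END { exit !hit }' "$conf"; then
        echo "rejected: key or address already in $conf" >&2
        return 4
    fi
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$key" "$ip" >> "$conf"
}

# Demo on a constructed config; the key is 32 constructed bytes, not a real key.
demo=$(mktemp)
printf '[Interface]\nListenPort = 51820\n' > "$demo"
add_peer "$demo" "$(printf '%032d' 1 | base64)" 10.0.0.2/32 && cat "$demo"
rm -f "$demo"
```

On the server, the same function can be pointed at /etc/wireguard/wg0.conf as root, followed by the restart step above.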
Testing the Connection
To test the connection between your WireGuard client and server:
From the client instance, ping the server’s tunnel IP:
    ping <server-tunnel-ip>
Check the WireGuard connection status:
    sudo wg show
You should see output similar to this:
    interface: wg0
      public key: <server-public-key>
      private key: (hidden)
      listening port: 51820

    peer: <client-public-key>
      endpoint: <client-ip>:<port>
      allowed ips: <client-tunnel-ip>
      latest handshake: 1 minute, 17 seconds ago
      transfer: 98.86 KiB received, 43.08 KiB sent
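An added example (not part of the original guide) that turns the handshake information from the status check into a per-peer state, reading the output of the wg show wg0 latest-handshakes subcommand. The helper names, the sample lines and the 180-second threshold are assumptions.

```shell
#!/bin/sh
# Added example; peer_status is a hypothetical helper and 180 s is an assumed threshold.

# peer_status NOW MAX_AGE
# Reads `wg show wg0 latest-handshakes` lines (public key, TAB, Unix time) on stdin
# and prints "<state> <public-key>" for each peer.
peer_status() {
    awk -F'\t' -v now="$1" -v max="$2" '
        NF == 2 {
            if ($2 == 0)             state = "never"   # key authorized, no handshake yet
            else if (now - $2 > max) state = "idle"    # last handshake older than MAX_AGE
            else                     state = "active"
            print state, $1
        }'
}

# Keep only peers that have never completed a handshake, for review.
never_seen() {
    peer_status "$1" "$2" | awk '$1 == "never" { print $2 }'
}

# Constructed sample in the latest-handshakes format; the keys are placeholders.
sample() {
    printf '%s\t%s\n' \
        '<client-a-public-key>' 1700000000 \
        '<client-b-public-key>' 1699990000 \
        '<client-c-public-key>' 0
}

sample | peer_status 1700000060 180
```

On the server, feed it live data with: sudo wg show wg0 latest-handshakes | peer_status "$(date +%s)" 180. A peer that stays in the never state is an authorized key that is not in use and is a candidate for removal from wg0.conf.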
Software Included
Software | Description |
---|---|
WireGuard | VPN software. |
UFW (Uncomplicated Firewall) | Firewall utility. Allows incoming and outgoing traffic on the port assigned during the deployment. |
“WireGuard” is a registered trademark of Jason A. Donenfeld.