VPN Servers

A VPN (Virtual Private Network) creates an encrypted tunnel between clients and your server, allowing remote users to securely access private network resources as if they were physically on-site. On Ubuntu, WireGuard is the modern choice — it is built into the Linux kernel (no userspace daemon), uses modern cryptography, has a minimal attack surface (less than 4,000 lines of code vs OpenVPN's 100,000+), and achieves better performance than OpenVPN. OpenVPN remains relevant for client compatibility with older devices and complex network topologies.

VPN options on Ubuntu

| VPN | Performance | Complexity | Client support |
| --- | --- | --- | --- |
| WireGuard | Excellent (kernel) | Simple | All platforms |
| OpenVPN | Good (userspace) | Moderate | Excellent (legacy) |
| IPsec/StrongSwan | Excellent (kernel) | Complex | Built-in on most OS |

WireGuard VPN setup

# Install WireGuard (included in kernel since 5.6, Ubuntu 20.04+):
sudo apt update
sudo apt install -y wireguard

# Generate server key pair:
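# umask 077 creates both files root-only, so the private key is never world-readable:
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey'
sudo chmod 600 /etc/wireguard/privatekey
sudo cat /etc/wireguard/privatekey    # Save this (goes into PrivateKey in wg0.conf); never share it
sudo cat /etc/wireguard/publickey     # Share this with clients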

# Configure WireGuard interface:
sudo nano /etc/wireguard/wg0.conf

/etc/wireguard/wg0.conf — server configuration

[Interface]
PrivateKey = SERVER_PRIVATE_KEY_HERE
Address = 10.8.0.1/24              # VPN tunnel IP
ListenPort = 51820
# Replace eth0 below with your server's outbound interface name if it differs
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]                             # One [Peer] block per client
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 10.8.0.2/32          # IP assigned to this client

# Enable IP forwarding:
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.d/99-wireguard.conf
sudo sysctl -p /etc/sysctl.d/99-wireguard.conf

# Start WireGuard:
sudo systemctl enable --now wg-quick@wg0
sudo wg show    # Check status

wg show output

interface: wg0
  public key: SERVER_PUBLIC_KEY
  listening port: 51820

peer: CLIENT1_PUBLIC_KEY
  allowed ips: 10.8.0.2/32
  latest handshake: 1 minute, 23 seconds ago
  transfer: 45 MiB received, 12 MiB sent
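
On the server, each peer's AllowedIPs is also its source-address filter: packets from a client are accepted only if their source address falls inside that client's AllowedIPs. The linter below is an added example, not part of the original article. It assumes the article's layout (one /32 per client inside the 10.8.0.0/24 tunnel subnet); the function names and the sample configuration are constructed for illustration.

```python
import ipaddress

# Constructed sample (not from the article): peer 1 follows the article, peers 2 and 3 do not.
SAMPLE = """\
[Interface]
Address = 10.8.0.1/24              # VPN tunnel IP

[Peer]                             # laptop
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 10.8.0.2/32

[Peer]                             # phone: claims the whole tunnel subnet
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 10.8.0.0/24

[Peer]                             # tablet: address outside the tunnel
PublicKey = CLIENT3_PUBLIC_KEY
AllowedIPs = 192.168.1.50/32
"""

def parse(text):
    """Return [(section, {key: [values]})] in file order; keys may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop inline comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)      # base64 '=' padding stays in value
            sections[-1][1].setdefault(key.strip().lower(), []).append(value.strip())
    return sections

def lint(text):
    """Return (peer_key, problem, cidr) for each risky server-side AllowedIPs entry."""
    sections = parse(text)
    iface = next(kv for name, kv in sections if name == "interface")
    tunnel = ipaddress.ip_interface(iface["address"][0].split(",")[0].strip()).network
    findings, seen = [], []
    for kv in (kv for name, kv in sections if name == "peer"):
        key = kv.get("publickey", ["?"])[0]
        cidrs = ",".join(kv.get("allowedips", [])).split(",")
        for net in (ipaddress.ip_network(c.strip(), strict=False) for c in cidrs if c.strip()):
            if net.version != tunnel.version or not net.subnet_of(tunnel):
                findings.append((key, "outside-tunnel", str(net)))
            elif net.num_addresses > 1:
                findings.append((key, "broader-than-one-host", str(net)))
            findings += [(key, "overlaps:" + k, str(net)) for k, n in seen if net.overlaps(n)]
            seen.append((key, net))
    return findings
```

Calling lint() on the text of /etc/wireguard/wg0.conf (read as root) returns an empty list when every peer holds a single, distinct /32 inside the tunnel subnet.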

WireGuard client configuration

# On the client device:
# umask 077 in a subshell keeps the key files readable by the current user only:
(umask 077; wg genkey | tee clientprivkey | wg pubkey > clientpubkey)

# Client config (/etc/wireguard/wg0.conf or imported into WireGuard app):
# [Interface]
# PrivateKey = CLIENT_PRIVATE_KEY
# Address = 10.8.0.2/32
# DNS = 10.8.0.1            # Use server as DNS resolver
#
# [Peer]
# PublicKey = SERVER_PUBLIC_KEY
# Endpoint = your-server-ip:51820
# AllowedIPs = 0.0.0.0/0    # Route ALL traffic through VPN
# PersistentKeepalive = 25  # Keep NAT connection alive

OpenVPN overview

# Install OpenVPN with Easy-RSA (PKI management):
sudo apt install -y openvpn easy-rsa

# Use the openvpn-install script for faster setup:
wget https://get.vpnsetup.net/ovpn -O /tmp/openvpn-install.sh
# Review the script before running:
less /tmp/openvpn-install.sh
sudo bash /tmp/openvpn-install.sh    # Interactive wizard

# Check OpenVPN status:
sudo systemctl status openvpn@server
sudo journalctl -u openvpn@server -f

Conclusion

WireGuard is the best choice for new VPN deployments in 2025. Its kernel implementation means lower latency and higher throughput than OpenVPN, and the configuration is significantly simpler. Open UDP port 51820 on your firewall for WireGuard traffic. The PersistentKeepalive = 25 setting in client configurations is important for clients behind NAT — without it, the NAT mapping expires and the VPN connection silently drops after a period of inactivity.

FAQ

Are VPN servers important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
