WireGuard: an alternative to OpenVPN

This week I’ve been experimenting with WireGuard, which is a relatively new alternative to OpenVPN. It claims to be faster and more secure than other VPN products, partly because its codebase is very small compared to other VPN products.

WireGuard is easy to configure. It is compatible with many Linux distros, including Ubuntu. For my testing purposes, I’ve set up a new Ubuntu 18.04 LTS VM with Hardware Enablement.

First, make sure you’ve installed WireGuard correctly:
apt-get install wireguard

You should now be able to use wg and wg-quick.
Let’s create a public and private key, which we’ll be using to set up a secure connection:

wg genkey | tee privatekey | wg pubkey > publickey

On the server VM, create a new configuration file /etc/wireguard/wg0.conf
Add the private key you just generated as the PrivateKey value in the [Interface] section.

This should contain configuration like this:

[Interface]
PrivateKey = <private key>
Address =
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
SaveConfig = false

[Peer]
PublicKey = <public key>
AllowedIPs =

The next thing you’ll need to do is add the peers that will be able to connect to this server. Simply create another VM (Windows, Linux or macOS) and follow the same steps:

  • install WireGuard
  • generate private and public key
  • create a new /etc/wireguard/wg0.conf configuration file

[Interface]
PrivateKey = <private key>
Address =

[Peer]
PublicKey = <public key of the server>
Endpoint = <ip4-of-server>:51820
AllowedIPs =, ::/0 # Forward all traffic to server

The AllowedIPs setting instructs WireGuard to send all traffic through the tunnel.

Finally, you can start up WireGuard on both the server and client:

wg-quick up /etc/wireguard/wg0.conf

Now both VMs should be connected and able to ping each other.
You can check the status of the connection with:

wg show
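
A pre-flight check for the configuration steps above, added here as an example and not part of the original post: it parses a wg-quick style file and flags malformed keys and, on the server, any peer whose AllowedIPs is a /0 (on the receiving side that setting also filters which source addresses a peer may use). The function names, the dummy keys and the 10.0.0.2/32 address are assumptions made for the example.

```python
import base64
import ipaddress

def parse(text):  # [Peer] sections repeat, so configparser does not fit
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def is_key(value):
    try:  # WireGuard keys are 32 bytes, base64-encoded
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def audit(text, role="server"):
    findings, sections = [], parse(text)
    priv = [kv.get("privatekey", "") for name, kv in sections if name == "interface"]
    if len(priv) != 1 or not is_key(priv[0]):
        findings.append("interface: missing or malformed PrivateKey")
    for n, peer in enumerate((kv for name, kv in sections if name == "peer"), 1):
        if not is_key(peer.get("publickey", "")):
            findings.append(f"peer {n}: malformed PublicKey")
        for entry in filter(None, map(str.strip, peer.get("allowedips", "").split(","))):
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"peer {n}: bad AllowedIPs entry {entry!r}")
                continue
            # On the server, AllowedIPs is also the peer's source-address filter.
            if role == "server" and net.prefixlen == 0:
                findings.append(f"peer {n}: {entry} is too broad for a server-side peer")
    return findings

# Constructed sample: dummy keys and an assumed 10.0.0.0/24 tunnel range.
KEY_A, KEY_B = (base64.b64encode(bytes([b]) * 32).decode() for b in (1, 2))
SAMPLE = "\n".join([
    "[Interface]", f"PrivateKey = {KEY_A}", "ListenPort = 51820",
    "[Peer]", f"PublicKey = {KEY_B}", "AllowedIPs = 10.0.0.2/32",
    "[Peer]", "PublicKey = <public key>", "AllowedIPs = 0.0.0.0/0, ::/0  # full tunnel",
])

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run with role="client" against the client file, where a /0 in AllowedIPs is the intended full-tunnel setting and is not flagged.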

I saw a notable increase in throughput compared to OpenVPN. Try it out yourself and let me know in the comments.


Speeding up your OpenVPN tunnel

Here are some settings to speed up the transmission rate through your OpenVPN tunnel:

  • proto udp
  • mssfix 0
  • fragment 0

mssfix: Even though MSS itself is a TCP feature, this OpenVPN option targets encapsulated UDP packets. It will change the MSS value of the TCP protocol inside the tunnel in such a way that after UDP encryption/encapsulation, the resulting UDP packet size (minus IP/UDP headers), will not exceed the mssfix value.
By setting the value to 0, we disable this feature.

fragment: This will disable OpenVPN’s internal fragmentation routines (OpenVPN 2.x actually does this by default).

Another improvement is raising the MTU (Maximum Transmission Unit), which is the maximum datagram size in bytes that can be sent unfragmented over a network path.

First make sure your OpenVPN server has set the same MTU size:

ip link set eth0 mtu 9000

Next, add this to your OpenVPN configuration:

tun-mtu 9000


A gateway to forward all traffic to a remote VPN server

Suppose you’ve set up a VM and configured it as a site-to-site VPN with OpenVPN, using iroute and staticclients. You are using this VM as a default gateway for other VMs and now want to forward all traffic from the VMs not through the default gateway’s adapter, but through the VPN tunnel.

Why would you want to do this? One use case might be that you want your VMs to have the same originating IP address as the VPN server.

To get started, make sure you add these commands in a terminal on your default gateway:

  • ip route add ip-address-of-vpn-server/32 via default-gateway-ip dev enp0s5 (providing enp0s5 is your current adapter)
  • ip route del default
  • ip route add default via dev tun0 (providing is the private IP you got from your VPN)

The commands above will make sure your gateway can still reach the VPN server. Once the default route is deleted, we add a new default route that goes through the tunnel.

On the other side of the tunnel, on your VPN server, you will need to add these commands:

  • iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  • iptables -I FORWARD -i tun0 -o eth0 -s -m conntrack --ctstate NEW -j ACCEPT
  • iptables -t nat -I POSTROUTING -s -o eth0 -j MASQUERADE
  • iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
  • iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
  • iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
  • iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Now the VMs will be able to connect through the VPN tunnel and use the VPN server as default gateway.