After setting up a Wireguard VPN Server, the next step was of course to use it with my notebook. Even though it’s 2025, I’m (still) running Ubuntu 22.04 for cross-family OS compatibility. Even though Wireguard has been around for quite some years now, Ubuntu 22.04 does not come with native Wireguard NetworkManager support. However, the Debian repository contains at least a number of Wireguard command line tools to bring up a connection. So let’s have a look at those.
Getting a Wireguard network interface up and running is actually quite straightforward. First, wireguard and openresolv need to be installed:
sudo apt install wireguard wireguard-tools openresolv
Openresolv is required to make changes to the DNS configuration during Wireguard network interface (i.e. tunnel) establishment and teardown. One more thing that is required is a ‘client’ profile, which can be created with the Wireguard Server’s admin web-ui. For details on the server side see my previous post. After downloading the profile to the notebook, it has to be placed in the /etc/wireguard directory and its permissions have to be restricted to root, since the profile contains the client’s private key:
sudo -s
cp MY-WG-CONFIG.conf /etc/wireguard
chmod 600 /etc/wireguard/MY-WG-CONFIG.conf
Once done, the tunnel can be started as follows:
sudo wg-quick up MY-WG-CONFIG
And that’s it, the Wireguard tunnel is up! Once no longer required, the network interface (i.e. the tunnel) can be removed again as follows:
sudo wg-quick down MY-WG-CONFIG
The Cool Things
Compared to my OpenVPN setup I use today, I noticed a number of things that are better when using Wireguard: First, the Wireguard network interface is persistent: it survives Wi-Fi network changes and even suspend / resume cycles when closing the notebook lid. Thus, one can’t accidentally lose the VPN this way. Unfortunately, there is a nasty side effect of this. More on this below.
Two other cool things I have noticed are that reverse ssh tunnels and BBB video calling sessions work well over the Wireguard link, which is not the case with my OpenVPN solution today, probably due to MTU size issues.
The Downsides
Unfortunately, there are a number of issues with this solution on Ubuntu 22.04 as well. I emphasize the OS version again at this point, because things have significantly improved in 24.04, which I will have a look at in the next post. But I’m still on 22.04, and while I’m happy to use the command line, it’s not an option for the rest of the family. This is not only because it’s the command line, but also because there is no indication in the status bar at the top of the screen that a VPN connection is up. I’m afraid that this makes it non-usable for a larger audience.
IPv6 Leakage
Apart from this usability issue, there is another problem: IPv6 leakage. In my setup, only IPv4 is configured for Wireguard. If the underlying interface has an IPv6 address, connections to hosts whose DNS lookup returns an IPv6 address are established over IPv6, bypass the Wireguard network interface and go directly over the physical interface. In other words, leakage.
There are of course fixes for this: Perhaps there is a way to get IPv6 connectivity through the Wireguard tunnel and block IPv6 communication on the underlying interface. Or, as I have done with OpenVPN, which has the same problem on Ubuntu, one can use a dedicated DNS server for the VPN and block IPv6 AAAA answers. I’m not inclined to go either way, it would require too much effort. Another option is to temporarily disable IPv6 on the underlying network interface. This works, but it’s a bit tricky to maintain, particularly for Wi-Fi, as a new Wi-Fi network profile always has IPv6 enabled by default. It’s easy to forget to disable this. Another option could be to disable IPv6 completely on my notebook with a kernel parameter in the GRUB command line. That hurts quite a bit as well. So no straightforward solution here. Perhaps blocking the AAAA answers is still the best solution.
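Whichever fix is chosen, the leak condition itself can be checked mechanically. The script below is an added example, not part of the original post: it reports a leak when the profile has no ::/0 in AllowedIPs while an IPv6 default route exists on another interface. The function names, the sample profile and the interface name wlp2s0 are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): detect an IPv4-only tunnel
# next to a physical interface that still has an IPv6 default route.

# tunnel_covers_ipv6 CONF: succeeds if some AllowedIPs entry is ::/0,
# i.e. the profile sends all IPv6 traffic into the tunnel.
tunnel_covers_ipv6() {
    awk -F= 'tolower($1) ~ /^[ \t]*allowedips[ \t]*$/ {
        n = split($2, a, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t\r]/, "", a[i])
            if (a[i] == "::/0") found = 1
        }
    }
    END { exit(found ? 0 : 1) }' "$1"
}

# ipv6_default_devs: reads `ip -6 route show default` output on stdin and
# prints the device of every default route, one per line.
ipv6_default_devs() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# ipv6_leak_check CONF WG_IF: prints a verdict for the routes given on stdin.
ipv6_leak_check() {
    devs=$(ipv6_default_devs | awk -v wg="$2" '$0 != wg' | sort -u | tr '\n' ' ')
    if tunnel_covers_ipv6 "$1"; then
        echo "OK: profile routes ::/0 through $2"
    elif [ -n "$devs" ]; then
        echo "LEAK: IPv6 default route via ${devs% } bypasses $2"
    else
        echo "OK: no IPv6 default route present"
    fi
}

# --- constructed sample data (not a real profile or real route output) ---
sample=$(mktemp)
printf '[Interface]\nAddress = 10.8.0.2/24\n[Peer]\nAllowedIPs = 0.0.0.0/0\n' > "$sample"
echo 'default via fe80::1 dev wlp2s0 proto ra metric 600 pref medium' |
    ipv6_leak_check "$sample" MY-WG-CONFIG
```

On a live system the input would come from `ip -6 route show default`, and the function has to run as root because the profile is only readable by root.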
DNS Leakage
Another issue is DNS leakage after a connectivity change! When initially establishing a Wireguard network interface, openresolv is used to change the DNS configuration to only perform DNS requests through the Wireguard network interface. When the physical network interface below is changed, however, e.g. because of a suspend / resume of the notebook, or because the Wi-Fi network changes, the Wireguard network interface stays in place, but DNS requests are suddenly performed through the physical underlying network interface again. This can be fixed by manually issuing the following command:
echo "nameserver 8.8.8.8" | sudo resolvconf -a MY-WG-CONFIG -m 0 -x
While this works, it’s obviously too easy to forget this in a dynamic environment.
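Since the manual fix is easy to forget, it helps to at least detect the situation. The script below is an added example, not part of the original post: it compares the nameserver lines of a resolver file with the DNS entries of the Wireguard profile and prints every resolver the profile does not list. The function names and sample files are constructed, and which file reflects the active resolvers on a given system (e.g. /etc/resolv.conf) is an assumption.

```sh
#!/bin/sh
# Added example (not from the original post): flag resolvers that are active
# but are not the ones the Wireguard profile asks for.

# profile_dns CONF: print the resolver IPs from the profile's "DNS =" line(s).
# Non-IP entries (wg-quick treats them as search domains) are skipped.
profile_dns() {
    awk -F= 'tolower($1) ~ /^[ \t]*dns[ \t]*$/ {
        n = split($2, a, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t\r]/, "", a[i])
            if (a[i] ~ /^[0-9.]+$/ || a[i] ~ /:/) print a[i]
        }
    }' "$1"
}

# stray_nameservers CONF RESOLV: print every "nameserver" in RESOLV that the
# profile does not list. Empty output means DNS still follows the tunnel.
stray_nameservers() {
    allowed=$(profile_dns "$1")
    awk '$1 == "nameserver" { print $2 }' "$2" | while read -r ns; do
        printf '%s\n' "$allowed" | grep -qxF -- "$ns" || printf '%s\n' "$ns"
    done
}

# resolvconf_input CONF: the "nameserver ..." lines to feed to resolvconf
# when re-applying the tunnel's resolvers.
resolvconf_input() { profile_dns "$1" | sed 's/^/nameserver /'; }

# --- constructed sample data (not a real profile or resolver file) ---
demo=$(mktemp -d)
printf '[Interface]\nAddress = 10.8.0.2/24\nDNS = 10.8.0.1, lan.example\n' > "$demo/wg.conf"
printf 'nameserver 10.8.0.1\nnameserver 192.168.1.1\n' > "$demo/resolv.leak"

stray_nameservers "$demo/wg.conf" "$demo/resolv.leak"
```

When the check prints anything, the output of `resolvconf_input` can be piped into the `sudo resolvconf -a MY-WG-CONFIG -m 0 -x` command shown above instead of a hard-coded nameserver line.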
Summary
Yes, Wireguard works nicely with command line utilities in Ubuntu 22.04, but it is unfortunately not integrated into the overall OS and GUI. Apart from usability issues for ‘normal’ people, the IPv6 and DNS leakage issues limit its use quite significantly. So much for now. In the next post, I’ll have a look at if and how things have improved in Ubuntu 24.04.