- Why should you choose WireGuard on Ubuntu 22.04?
- Prerequisites
- Installing WireGuard on Ubuntu 22.04
- Generating keys and file structure
- Server Configuration — Practical Example wg0.conf
- Client configuration (Linux, Windows, mobile)
- Enabling IP Forwarding and NAT
- Firewall (UFW/nftables/iptables)
- Setting up the WireGuard service
- MTU, Keepalive and AllowedIPs optimization
- Tunnel types and AllowedIPs
- Expert recommendations for different use cases
- Security, key circulation and monitoring
- Multi-peer configuration and use in production environment
- Quick troubleshooting
- Practical and experimental tips
- Connection to company services (85+ locations and services)
- Conclusion
- View plans and support
- Frequently Asked Questions
Why should you choose WireGuard on Ubuntu 22.04?
If you are looking for a modern, stylish, secure and high-performance VPN for connecting to cloud servers, a VPS for trading or gaming, or GPU clusters, WireGuard is one of the best options.
This guide provides step-by-step instructions for installing, configuring and optimizing WireGuard on Ubuntu 22.04, along with security tips, and covers practical examples, Linux commands, and server/client configuration.
Prerequisites
Before you start you need:
- An Ubuntu 22.04 server with root or sudo user access.
- A UDP port open in the firewall (51820 by default).
- SSH access to the server.
- Suggestion: Use one of the company's VPS or cloud servers in 85+ global locations for the lowest ping and best BGP route.
Installing WireGuard on Ubuntu 22.04
In Ubuntu 22.04, the wireguard package is usually available in the official repositories. You can use PPA or backports if you need the latest version, but the official distribution package is usually sufficient and stable.
apt update && apt upgrade -y
apt install -y wireguard qrencode iptables-persistent
Generating keys and file structure
The following example shows the generation of server keys and a sample client. The files must be saved with appropriate permissions to protect the private keys.
mkdir -p /etc/wireguard
cd /etc/wireguard
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key
wg genkey | tee client_private.key | wg pubkey > client_public.key
chmod 600 /etc/wireguard/*key
Server Configuration — Practical Example wg0.conf
A sample server configuration file at /etc/wireguard/wg0.conf looks like this. Replace the values in angle brackets with the actual key contents and gateway address. Note that in cloud environments the network interface name may not be eth0 (it is often ens3 or ens5, for example); adjust the interface name in the rules accordingly.
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <contents of server_private.key>
SaveConfig = true
# NAT when the interface comes up
PostUp = ip -4 rule add from 10.10.0.0/24 table 51820 || true
PostUp = ip -4 route add default via <SERIAL_IF_GATEWAY> dev eth0 table 51820 || true
PostUp = iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
# remove the NAT rule and the policy-routing entries again when the interface goes down
PostDown = iptables -t nat -D POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
PostDown = ip -4 route del default via <SERIAL_IF_GATEWAY> dev eth0 table 51820 || true
PostDown = ip -4 rule del from 10.10.0.0/24 table 51820 || true
Client configuration (Linux, Windows, mobile)
A sample configuration for a Linux or mobile client that creates a full-tunnel:
[Interface]
PrivateKey = <contents of client_private.key>
Address = 10.10.0.2/32
DNS = 1.1.1.1
# MTU is an [Interface] setting, not a [Peer] setting
MTU = 1420
[Peer]
PublicKey = <contents of server_public.key>
Endpoint = your.server.ip.or.hostname:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
To generate a QR code for mobile:
qrencode -t ansiutf8 < client.conf
Enabling IP Forwarding and NAT
For traffic to pass through the server, IP forwarding must be enabled and appropriate NAT rules must be set.
sysctl -w net.ipv4.ip_forward=1
# to make it permanent:
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/99-wg-forward.conf
Firewall (UFW/nftables/iptables)
Here is a sample configuration for UFW and nftables. If you are using UFW, you should also enable ip_forward and add NAT rules.
ufw allow 51820/udp
ufw allow OpenSSH
echo "net/ipv4/ip_forward=1" >> /etc/ufw/sysctl.conf
# NAT rules can be added in /etc/ufw/before.rules or with iptables-persistent;
# UFW also needs DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw for forwarded traffic
nftables example (iptables alternative):
nft add table ip wg
nft 'add chain ip wg postrouting { type nat hook postrouting priority 100; }'
nft add rule ip wg postrouting oifname "eth0" ip saddr 10.10.0.0/24 masquerade
Check the IP address.
Setting up the WireGuard service
After configuration, you can enable and run the service and check its status.
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
wg show
ip a show wg0
MTU, Keepalive and AllowedIPs optimization
MTU: The default value of 1420 is usually appropriate; in cases with higher overhead it may be necessary to reduce it to 1380.
PersistentKeepalive: A value of 25 is suitable for clients to avoid NAT timeouts.
AllowedIPs: In WireGuard it acts as both a router and a filter, so configure it carefully.
Tunnel types and AllowedIPs
Two common patterns:
- Full tunnel: AllowedIPs = 0.0.0.0/0, ::/0
- Split tunnel: AllowedIPs only includes networks that must pass through the VPN (e.g. 10.10.0.0/24 or 192.168.1.0/24).
Expert recommendations for different use cases
1) VPS for trading (Forex/Crypto)
For trading, it is important to choose a location close to the exchange servers. Out of 85+ locations, choose the closest data center with a low-latency BGP route to reduce latency.
Configuration: Full tunnel with a restrictive firewall, standard MTU and a fixed keepalive.
Security: Restrict SSH access to the VPN's internal IP and use a dedicated server or VPS with Anti-DDoS.
2) Gaming VPS
For gaming, choose a location close to the game servers or the gamer's ISP. Split tunneling to send only game traffic through the VPN can provide better ping.
Reduce ping: Using UDP, an appropriate MTU, and a server with a 10Gbps network interface is recommended.
3) GPU Cloud, AI and Rendering
WireGuard is suitable for secure and fast access to GPU servers or rendering clusters. Choosing a location with direct connections to AI data centers or network backbones is important for large data transfers.
Configuration: AllowedIPs limited to the cluster subnet, with QoS parameters applied at the network level.
4) Web hosting and database
You can use WireGuard as an isolated private network for secure communication between web servers and databases. Management traffic is kept off the public web by routing it over the VPN.
Security, key circulation and monitoring
Key maintenance and safety tips:
- Key maintenance: The private key should never be published; using an encrypted filesystem is recommended for sensitive servers.
- Key Rotation: Have a schedule for renewing keys; add new peers before deleting old keys to avoid disruption.
- Logging and monitoring: Use wg output, iptables and fail2ban logs, and Prometheus/Grafana for monitoring.
- Restrict access: Restrict each Peer to a specific IP/service and avoid global AllowedIPs without reason.
Multi-peer configuration and use in production environment
To add multiple clients, simply add a [Peer] block to the server configuration for each client. WireGuard handles a large number of peers well, but at the scale of thousands of clients orchestration tooling or a load balancer should be used.
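Adding peers by hand scales poorly, so here is an added example (not the guide's own script or part of WireGuard) of shell helpers that pick the next free address in the guide's 10.10.0.0/24 subnet from the existing wg0.conf and render a [Peer] block of the form shown in this section plus a split-tunnel client config. Keys are passed as arguments so the rendering can be checked offline; the endpoint vpn.example.com and the clients directory in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: allocate the next free tunnel
# address from an existing wg0.conf and render the matching [Peer] block and
# client config. Keys are passed as arguments so the rendering is testable;
# real keys come from `wg genkey | tee priv | wg pubkey`.
set -eu

# Print the next unused host address in 10.10.0.0/24 by reading the
# "AllowedIPs = 10.10.0.N/32" lines of the server config given on stdin.
# The server itself holds .1, so allocation starts at .2. Fails if the
# subnet is exhausted.
next_free_ip() {
  awk '
    /^[[:space:]]*AllowedIPs[[:space:]]*=/ {
      split($0, kv, "="); n = split(kv[2], cidrs, ",")
      for (i = 1; i <= n; i++) {
        gsub(/[[:space:]]/, "", cidrs[i])
        if (cidrs[i] ~ /^10\.10\.0\.[0-9]+\/32$/) {
          split(cidrs[i], oct, /[.\/]/); used[oct[4]] = 1
        }
      }
    }
    END {
      for (h = 2; h < 255; h++) if (!(h in used)) { print "10.10.0." h; exit 0 }
      exit 1
    }'
}

# [Peer] block for the server side. The /32 in AllowedIPs is what stops this
# peer from sending packets with any other source address through the tunnel.
render_peer_block() {  # $1 = client public key, $2 = client tunnel IP
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# Split-tunnel client config that only routes the VPN subnet (not 0.0.0.0/0).
render_client_conf() {  # $1 client private key, $2 server public key, $3 endpoint, $4 client IP
  printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\nMTU = 1420\n\n' "$1" "$4"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\n' "$2" "$3"
  printf 'AllowedIPs = 10.10.0.0/24\nPersistentKeepalive = 25\n'
}

# Typical use on the server (needs wg; not executed here; paths/endpoint assumed):
#   umask 077; priv=$(wg genkey); pub=$(printf '%s' "$priv" | wg pubkey)
#   ip=$(next_free_ip < /etc/wireguard/wg0.conf)
#   render_peer_block "$pub" "$ip" >> /etc/wireguard/wg0.conf
#   render_client_conf "$priv" "$(cat /etc/wireguard/server_public.key)" \
#       vpn.example.com:51820 "$ip" > "/etc/wireguard/clients/$ip.conf"
#   wg syncconf wg0 <(wg-quick strip wg0)   # apply without restarting the tunnel
```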
[Peer]
PublicKey = <client1_pubkey>
AllowedIPs = 10.10.0.2/32
[Peer]
PublicKey = <client2_pubkey>
AllowedIPs = 10.10.0.3/32
Quick troubleshooting
Troubleshooting tips and instructions:
- wg show: Check status, RX/TX statistics and last handshake.
- journalctl -u wg-quick@wg0 -e: View service logs.
- tcpdump -i wg0: Inspect packets inside the tunnel.
- If the handshake doesn't work, make sure the UDP port is open on your firewall and at your NAT provider (some home NAT networks require port forwarding).
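The "last handshake" check above and the monitoring advice in the Security section can be automated; the following is an added example (not the guide's own tooling) that reads the tab-separated output of `wg show wg0 dump`, lists peers whose last handshake is older than a threshold, and flags server-side peers with a global AllowedIPs. The dump is read from stdin so it can be checked against a constructed sample; the 180-second threshold in the usage comment is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: flag peers whose last handshake
# is older than a threshold, using the machine-readable output of
# `wg show wg0 dump`. The dump is read from stdin so it can be checked
# against a constructed sample without a live tunnel.
set -eu

# Peer lines of `wg show <iface> dump` are tab separated:
#   public_key preshared_key endpoint allowed_ips latest_handshake rx tx keepalive
# The first line describes the interface itself and is skipped.
# Usage: stale_peers <now_epoch> <max_age_seconds> < dump
# Prints "<public_key> <age>" ("never" if no handshake yet) for each stale
# peer; exit status is 1 when any stale peer was found, 0 otherwise.
stale_peers() {
  awk -F '\t' -v now="$1" -v max="$2" '
    NR == 1 { next }
    {
      hs = $5 + 0
      if (hs == 0) { print $1 " never"; bad++; next }
      age = now - hs
      if (age > max) { print $1 " " age; bad++ }
    }
    END { exit (bad > 0) }'
}

# Config review check for the "avoid global AllowedIPs" advice: on the server
# a peer with 0.0.0.0/0 in AllowedIPs may source traffic from any address.
wide_open_peers() {
  awk -F '\t' 'NR > 1 && $4 ~ /(^|,)0\.0\.0\.0\/0(,|$)/ { print $1 }'
}

# Live use on the server (needs a running wg0; not executed here). Pick
# max_age to suit your keepalive: an idle peer without PersistentKeepalive
# legitimately shows an old handshake.
#   wg show wg0 dump | stale_peers "$(date +%s)" 180 || echo "stale peers listed above"
#   wg show wg0 dump | wide_open_peers
```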
Practical and experimental tips
Practical experience for stable deployments:
- In networks behind carrier-grade NAT, unusual ports or a relay/bridge may be required.
- For mobile clients and clients with dynamic IP, using PersistentKeepalive is useful.
- Placing the WireGuard gateway in a location with a direct connection to the CDN can optimize load and latency.
Connection to company services (85+ locations and services)
If you want to deploy WireGuard on global infrastructure, you can choose the closest of the company's 85+ locations to your own data center to reduce ping and improve routing. Services provided include:
- VPS for trading with low ping and Anti-DDoS
- Gaming VPS with low-latency network interface
- Graphics server (GPU Cloud) for AI and rendering with secure access via WireGuard
- Dedicated and cloud servers with BGP/Direct Connect and CDN connectivity for web traffic
- GitLab and database hosting on WireGuard internal network for added security
Conclusion
WireGuard is a fast, simple, and secure VPN that is easy to install and configure on Ubuntu 22.04. By following the tips above, you can provide a secure, low-latency, and reliable tunnel for trading, gaming, AI, or internal networks.
For security, always protect your private key, set up a proper firewall, and keep AllowedIPs limited.
View plans and support
You can choose from the company’s VPS, dedicated server, and GPU Cloud plans to launch on a globally-capable infrastructure. The company’s technical team is ready to provide support for professional configuration, optimal location selection, and WireGuard network setup, if needed.