WireGuard VPN on Ubuntu 24.04 LTS by cloudimg. Preconfigured with a per-VM server keypair generated at first boot, IP forwarding enabled, listening on UDP 51820, and a documented peer-add workflow. 24/7 expert support.
## WireGuard VPN on Ubuntu 24.04 by cloudimg
WireGuard VPN on Ubuntu 24.04 LTS (Noble Numbat), purpose-built for Microsoft Azure and maintained by cloudimg. WireGuard is the modern open-source VPN protocol baked into the Linux kernel since 5.6. It is dramatically simpler than OpenVPN and IPsec, with state-of-the-art cryptography (Curve25519, ChaCha20-Poly1305) and a tiny attack surface.
### Why Choose cloudimg?
* 24/7 Expert Support with guaranteed 24-hour response for all requests and one-hour average for critical issues. Contact support@cloudimg.co.uk
* Production Ready from Launch: Preconfigured, security patched, and validated before publication
* Azure Native Integration: Built with Azure Linux Agent, cloud-init, and Gen2 Hyper-V support
* Per-VM Server Keypair Generation: A fresh Curve25519 keypair is generated at first boot and written to /etc/wireguard/wg0.conf. The public key is exposed in /stage/scripts/wireguard-credentials.log for sharing with peer client devices. No two virtual machines ever share key material
### What is Included
* WireGuard kernel module (in-tree on Linux 5.6+) and the wireguard-tools userland (wg, wg-quick) from the official Ubuntu noble main repository
* wg-quick@wg0.service systemd unit, auto-starting on boot once firstboot generates the config
* wireguard-firstboot.service systemd oneshot that generates the server keypair and writes the default /etc/wireguard/wg0.conf
* IP forwarding (net.ipv4.ip_forward and net.ipv6.conf.all.forwarding) enabled at install time via /etc/sysctl.d/99-wireguard.conf
* Default server VPN address 10.50.0.1/24, listening on UDP 51820
* /etc/wireguard tightened to mode 0700, root only; wg0.conf mode 0600, root only
* Ubuntu 24.04 LTS base with latest security patches applied at build time
* Azure Linux Agent for seamless cloud integration and SSH key injection
### Default Topology
The shipped image is a server-only deployment. There are no peer blocks in the default config; customers add a [Peer] block to /etc/wireguard/wg0.conf for each client device that should be allowed to connect, then reload with sudo systemctl reload wg-quick@wg0. The user guide walks through the full peer-add workflow.
By default WireGuard works as a private peer-to-peer overlay only. To make WireGuard act as an internet gateway for clients, customers uncomment the PostUp and PostDown iptables MASQUERADE lines pre-seeded in wg0.conf and replace the placeholder eth0 with the real WAN interface from ip route show default.
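
One way to script the peer-add step described above, as an added example (not cloudimg's tooling or the user guide's procedure): it validates a client's public key and tunnel address against the 10.50.0.0/24 range before emitting the [Peer] block. The function names, exit codes, sample keys, and the one-address-per-client /32 policy are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not cloudimg's script. Function names and keys are constructed;
# the 10.50.0.0/24 range and server address 10.50.0.1 come from the listing.

# A WireGuard public key is 32 bytes in base64: exactly 44 characters, ending
# in '='. The length check also stops a multi-line value from smuggling in
# extra config lines.
valid_pubkey() {
    [ "${#1}" -eq 44 ] &&
        printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Clients get one host address in 10.50.0.2-254; .1 is the server itself.
valid_client_ip() {
    case "$1" in 10.50.0.*) host=${1#10.50.0.} ;; *) return 1 ;; esac
    case "$host" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#host}" -le 3 ] && [ "$host" -ge 2 ] && [ "$host" -le 254 ]
}

# Print a [Peer] block for config file $1, or fail with a distinct exit status.
peer_block() (
    conf=$1 key=$2 ip=$3
    valid_pubkey "$key"   || { echo "rejected: malformed public key" >&2; exit 2; }
    valid_client_ip "$ip" || { echo "rejected: $ip not in 10.50.0.2-254" >&2; exit 3; }
    # -F keeps '+', '/' and '.' literal; -w stops 10.50.0.2 matching 110.50.0.2.
    if grep -Fq -- "$key" "$conf" || grep -Fqw -- "$ip/32" "$conf"; then
        echo "rejected: key or address already assigned" >&2; exit 4
    fi
    # /32 limits the peer to its own tunnel address (cryptokey routing).
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$key" "$ip"
)

# Constructed sample standing in for /etc/wireguard/wg0.conf (keys are fake).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[Interface]
Address = 10.50.0.1/24
ListenPort = 51820

[Peer]
PublicKey = ExampleKeyExampleKeyExampleKeyExampleKey01A=
AllowedIPs = 10.50.0.2/32
EOF
peer_block "$demo_conf" 'ExampleKeyExampleKeyExampleKeyExampleKey02E=' 10.50.0.3
rm -f "$demo_conf"
```

On the VM, run peer_block as root against /etc/wireguard/wg0.conf (the file is mode 0600), append the printed block to that file only when the function exits 0, then reload with systemctl reload wg-quick@wg0.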
### Use Cases
* Site-to-site VPN between Azure VNets and on-premises networks
* Remote access VPN for engineering and support teams
* Private overlay between application servers across cloud providers (Azure to AWS to GCP) with no public internet exposure
* Bastion replacement for SSH-only access to private subnets
* Drop-in replacement for OpenVPN where simpler config and better performance matter
### Technical Specifications
* Operating System: Ubuntu 24.04 LTS (Noble Numbat)
* WireGuard: kernel module (in-tree on Linux 5.6+) + wireguard-tools userland from Ubuntu noble main
* Server VPN Address: 10.50.0.1/24
* Listen Port: UDP 51820
* Config File: /etc/wireguard/wg0.conf (mode 0600, root only)
* Default User: azureuser (sudo enabled)
* Service Management: systemd (wg-quick@wg0.service, wireguard-firstboot.service)
* Recommended Size: Standard_B2s for typical small office and team deployments; Standard_D2s_v3 or larger for high-throughput backbones
* VM Generation: Hyper-V Gen2 with UEFI boot
### Support
cloudimg provides 24/7/365 expert technical support. Contact support@cloudimg.co.uk or visit www.cloudimg.co.uk for the latest documentation and deployment guides.