WireGuard is a modern Virtual Private Network (VPN) server that allows you to securely route your data between your Android, iPhone phone, or Linux, Windows, or OSX computer. The older, open-source standard for creating your own VPN was OpenVPN which is, when compared to WireGuard, much harder to set up and configure.
In this guide, I will walk you through installing and configuring the WireGuard server and creating your first client configuration file. You can be up and running in 10 minutes or less because WireGuard was created to be secure by default obviating the need for complicated tweaking and tuning.
Step 1 - Installation
WireGuard is in the standard repositories of all the majour distributions. The Debian 11 server that I am using to write this guide the installation command is simply:
# apt update # apt install wireguard # reboot
The reboot is required because WireGuard is a kernel module that needs to get loaded into the kernel with a reboot.
Step 2 - Configure the server
The installation will create an empty directory at
/etc/wireguard. First, move into that directory:
Next, create the WireGuard server configuration with a text editor, here I have used
# nano wg0.conf
Use this template:
[Interface] Address = <PRIVATE_IP>/24 ListenPort = <PORT> PrivateKey = <SERVER_PRIVATE_KEY> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Interface] section is the server configuration. Later we will add a
[Peer] after we have created the first client configuration.
iptables commands are required to make sure your data is routed correctly from the Wireguard interface to your server’s public network interface.
You can choose any private IP address you want, I will go with
10.0.0.1/24 which gives you 255 IPs from
10.0.0.1 - 10.0.0.255 and I’m going to stick with the standard WireGuard port of
Now, you need to generate the server’s public and private keys. Open a new terminal to your server and run the following command to generate the private key. This command will print the private key and also save it into a file at
/etc/wireguard/server_private_key. An example public key output is also shown:
# wg genkey | tee /etc/wireguard/server_private_key QNogSc8aNEjYZyYhYdDKqwQK7CxT+PmFMz/sjr93uFM=
Next, use that private key to generate the public key, again I have shown the command with an example public key:
# cat "/etc/wireguard/server_private_key" | tee /etc/wireguard/server_public_key | wg pubkey mjGH9f0eVOZaKFoShw+40QAwtfTkqaEws+03JUW9VlI=
This will print the server’s public key to the terminal and also write it to a file at
/etc/wireguard/server_public_key as you will need it later.
You now have everything to complete the [Interface] section. Using the above information it will look like this:
[Interface] Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = QNogSc8aNEjYZyYhYdDKqwQK7CxT+PmFMz/sjr93uFM= PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Save and exit the editor.
Step 4 - Configure a Client
First, create the directory to store all your client configuration files:
# mkdir /etc/wireguard/clients
The WireGuard client will load any file that ends in
.conf so you can give them descriptive names. My first client is going to be Jane’s phone so I will call it
jane_phone.conf. Open this with an editor:
# nano /etc/wireguard/clients/jane_phone.conf
This is the template for Jane’s client:
[Interface] Address = <CLIENT_IP>/24 ListenPort = 51820 PrivateKey = <CLIENT_PRIVATE_KEY> PublicKey = <CLIENT_PUBLIC_KEY> DNS = <OPTIONAL_PUBLIC_RESOLVER> [Peer] PublicKey = <SERVER_PUBIC_KEY> PresharedKey = <CLIENT_PRESHARED_KEY> AllowedIPs = 0.0.0.0/0 Endpoint = <SERVER_PUBLIC_IP>:51820
Address IP is one of the IPs from the range you have used. I will set this to
DNS line is optional and will be used as the DNS resolver for this client. I like to use the Cloudflare public resolver as it is fast and private. This is located at
Next, generate the keys as we did before:
# wg genkey OHuE5G29hXVkIHePvMb9RjWkobsWM5g19C+krqugbUQ= # echo 'OHuE5G29hXVkIHePvMb9RjWkobsWM5g19C+krqugbUQ=' | wg pubkey BlYw7mX+ZMm9S15tiakhlMIMTcM94Asnc5XRPOMBLSk=
Use the same command to generate a PresharedKey:
# wg genkey yP4KTyV6VZFg9aCqw1XQxMmlwnfyuv3wWIczg8NsA34=
Using this information Jane’s client config file will look like the following:
[Interface] Address = 10.0.0.2/24 ListenPort = 51820 PrivateKey = OHuE5G29hXVkIHePvMb9RjWkobsWM5g19C+krqugbUQ= PublicKey = BlYw7mX+ZMm9S15tiakhlMIMTcM94Asnc5XRPOMBLSk= DNS = 184.108.40.206 [Peer] PublicKey = mjGH9f0eVOZaKFoShw+40QAwtfTkqaEws+03JUW9VlI= PresharedKey = yP4KTyV6VZFg9aCqw1XQxMmlwnfyuv3wWIczg8NsA34= AllowedIPs = 0.0.0.0/0 Endpoint = 220.127.116.11:51820
Step 5 - Add the client to the server configuration
First, open the WireGuard server config file again:
# nano /etc/wireguard/wg0.conf
And add the following section at the bottom of the file:
[Peer] PublicKey = <CLIENT_PUBLIC_KEY> PresharedKey = <CLIENT_PRESHARED_KEY> AllowedIPs = 10.0.0.2/32
Use Jane’s public key, pre-shared key, and the IP you gave her to complete this. Using the details we already generated the entire server config will look like this:
[Interface] Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = QNogSc8aNEjYZyYhYdDKqwQK7CxT+PmFMz/sjr93uFM= PublicKey = mjGH9f0eVOZaKFoShw+40QAwtfTkqaEws+03JUW9VlI= PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] PublicKey = BlYw7mX+ZMm9S15tiakhlMIMTcM94Asnc5XRPOMBLSk= PresharedKey = yP4KTyV6VZFg9aCqw1XQxMmlwnfyuv3wWIczg8NsA34= AllowedIPs = 10.0.0.2/32
Step 6 - Start WireGuard and enable it to start on boot
You will usually want WireGuard to start automatically when your server boots. Do this with systemd. First, enable the Wireguard service to start on boot:
# systemctl enable firstname.lastname@example.org Created symlink /email@example.com → /lib/systemd/system/wg-quick@.service.
Then you can start and stop WireGuard with the following commands:
# systemctl start firstname.lastname@example.org # systemctl stop email@example.com
You should be able to start WireGuard now using the
start command above.
Step 5 - Connect the client
Get a copy of the client configuration file e.g.:
/etc/wireguard/clients/jane_phone.conf to their device open the WireGuard application on the device, create a new tunnel, and point it to this file. They will then connect and all the data from that device will travel through your WireGuard VPN to your server.