3v-Hosting Blog

Setting up WireGuard on a VPS

Disclaimer

The information in this article is provided solely for educational and technical purposes. WireGuard is a network security tool and can be used to secure connections, administer servers, and set up private networks. The author and 3v-Hosting are not liable for the use of the instructions provided herein for purposes that violate the law, the terms of use of internet services, or the rules of internet service providers. The user is solely responsible for complying with the laws of their country and applicable regulatory requirements when using VPN technologies.

VPN has long ceased to be a tool used only by system administrators; as the internet has gradually become more segmented, VPN services have gained popularity among ordinary users as well. Today, VPNs are used for remote work, secure access to corporate infrastructure, server administration, setting up private networks between services, and accessing blocked websites and services.

However, not all VPNs are equally convenient. Classic solutions like OpenVPN are very powerful, but often difficult to configure and quite resource-intensive. That is why more and more professionals are switching to WireGuard - a modern VPN protocol that combines ease of configuration and use, high performance and speed, as well as strong cryptography.

In this article, we’ll explore what WireGuard is, how it works, why we recommend deploying it on a VPS, and walk through setting up your own VPN server step by step. This approach gives you full control over your internet connection and frees you from dependence on third-party services.

What is WireGuard and why has it become popular

WireGuard is a modern VPN protocol designed to create secure network tunnels between devices. It allows you to connect servers, computers, and mobile devices via an encrypted channel, making the transmitted traffic inaccessible to unauthorized observation. Essentially, WireGuard allows you to build a virtual private network (VPN) within which devices interact as if they were on the same local network.

This model is often used for server administration, connecting to a company’s internal services, or linking multiple data centers into a single private network. For example, developers can connect to a staging environment or a database via a secure tunnel without exposing these services to the public internet.

The main feature of WireGuard is its minimalist architecture. The protocol was originally designed as a simple and fast solution, free from the excessive complexity characteristic of many traditional VPNs. It runs over UDP, uses modern cryptographic algorithms, and integrates into the operating system’s network stack. On Linux, WireGuard can run directly at the kernel level, which improves performance and reduces latency.

When compared to classic VPN solutions, the difference is immediately apparent. For example, OpenVPN consists of tens of thousands of lines of code, whereas the WireGuard core is significantly more compact. This simplifies security audits, reduces the likelihood of errors, and makes the protocol’s behavior more predictable.

WireGuard configuration is also significantly simpler. Instead of a complex certificate system, it uses a public-private key model, where each device has its own key pair, and network access is determined by configuration settings. Thanks to this, deploying a VPN server takes literally just a few minutes.

In practice, this means that a WireGuard-based VPN can provide high bandwidth even on an inexpensive VPS. Often, the connection speed through the tunnel is almost indistinguishable from that of a regular internet connection, and the system itself remains stable even when handling multiple clients.

It is precisely this combination of high speed, ease of setup, and compact architecture that has made WireGuard one of the most popular VPN solutions for modern server infrastructure.

How WireGuard Works

As mentioned above, WireGuard is built on a network model that is as simple as possible. Unlike many traditional VPN solutions, which rely on complex certificate infrastructure and additional protocol layers, WireGuard is based on a straightforward system of nodes and cryptographic keys.

Every network participant, whether a server or a client, is treated as a peer. A pair of keys - public and private - is used for identification. The private key is stored only on the owner’s device, while the public key is used by other network participants to establish a secure connection.

When a client connects to a server, an encrypted tunnel is created between them over UDP. All network traffic is transmitted through this tunnel and encrypted using modern cryptographic algorithms. Upon receiving these packets, the server decrypts them and forwards them to the intended recipient, such as an internal network or the internet.

From a technical standpoint, WireGuard creates a virtual network interface in the system, commonly referred to as wg0. This interface functions just like a regular network adapter, meaning it is assigned an IP address, traffic passes through it, and the system can route network packets through it.

The main components of WireGuard are:

  • wg0 - a virtual network interface through which VPN traffic passes;
  • UDP port - used to transmit the encrypted tunnel between nodes;
  • Public and Private Keys - the mechanism for identifying network participants;
  • AllowedIPs - a configuration parameter that determines which IP addresses or networks should be transmitted via the VPN.

The AllowedIPs parameter plays two roles at once, as it simultaneously defines the routes for sending traffic and the list of addresses that a specific network participant is allowed to use. Thanks to this, WireGuard can effectively manage routing without resorting to complex rules and additional settings.

In simplified terms, the connection looks like this:

[Figure: WireGuard works]

This allows you to create not only VPN access to the internet, but also full-fledged private networks between servers.
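To make the two roles of AllowedIPs concrete, here is an added Python model of WireGuard's cryptokey routing (example code written for this page, not part of the article or of WireGuard itself). It uses constructed peer tables with placeholder keys and also covers a site-to-site peer that owns a whole /24, which the article only mentions in passing.

```python
import ipaddress

# Constructed peer tables for this example; the public keys are placeholders,
# not real WireGuard keys. Each entry mirrors a [Peer] block's AllowedIPs.
SERVER_PEERS = {
    "LAPTOP_PUBLIC_KEY": ["10.10.0.2/32"],
    "OFFICE_ROUTER_PUBLIC_KEY": ["10.10.0.3/32", "192.168.50.0/24"],
}
# A client that sends everything through the server (AllowedIPs = 0.0.0.0/0).
CLIENT_PEERS = {"SERVER_PUBLIC_KEY": ["0.0.0.0/0"]}


def build_table(peers):
    """Flatten {public_key: [cidr, ...]} into (network, peer) rows ordered
    longest-prefix first. A prefix may belong to only one peer: wg(8) would
    silently move it to the peer configured last, here the clash is an error."""
    table = []
    for peer, allowed in peers.items():
        for cidr in allowed:
            net = ipaddress.ip_network(cidr, strict=True)
            if any(net == seen for seen, _ in table):
                raise ValueError(f"{cidr} is already assigned to another peer")
            table.append((net, peer))
    table.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return table


def route_outbound(table, dst):
    """Role 1 of AllowedIPs (routing): choose the peer whose prefix best
    matches the destination. None means no peer owns the address and the
    packet is dropped rather than sent to an arbitrary peer."""
    addr = ipaddress.ip_address(dst)
    for net, peer in table:
        if addr in net:
            return peer
    return None


def accept_inbound(table, peer, src):
    """Role 2 of AllowedIPs (source filter): a decrypted packet from `peer`
    is kept only if its source address lies in that peer's AllowedIPs, so a
    client cannot spoof another client's 10.10.0.x address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net, owner in table if owner == peer)
```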

When Does It Make Sense to Run WireGuard on a VPS

Deploying your own VPN server on a VPS is a fairly common practice among system administrators, developers, and DevOps engineers. In this case, the virtual server becomes the central access point to the company’s infrastructure, through which you can securely connect to internal services, servers, and administrative panels.

Using WireGuard on a VPS is particularly convenient because such a server is accessible from anywhere in the world and has a public IP address. This allows you to create a secure tunnel between your devices and the server infrastructure without exposing sensitive services directly to the internet.

In practice, WireGuard on a VPS is used in a wide variety of scenarios. One of the most common is secure server administration. For example, SSH access, control panels, or internal services can be kept closed to public access and accessed only via VPN.

Another typical scenario is consolidating services into a private network. This could be a development infrastructure, a staging environment, or internal APIs. In this case, servers and developers connect to a single virtual network and interact with each other as if they were on the same local infrastructure.

WireGuard is also frequently used to connect multiple servers or data centers into a single network. This approach is used when building distributed systems where services are located in different locations but need to exchange data over a secure channel.

And another popular use case is secure remote work. By connecting to a VPN, employees gain access to corporate services, databases, and internal control panels without having to expose them to the public internet.

Of course, we’ve only provided a few examples, including some from our own experience, but WireGuard’s applications are by no means limited to these.

At the same time, WireGuard remains a very lightweight solution in terms of resources. It doesn’t require a powerful server to run, so often a standard, inexpensive VPS with a basic configuration is sufficient. In most cases, a single virtual CPU, about 512 MB of RAM, and a few gigabytes of disk space are enough. Virtually any modern Linux server, such as Ubuntu or Debian, with a kernel version 5.6 or newer and a public IP address, will work.

Thanks to this efficiency, even a small VPS can serve dozens of VPN clients without a noticeable load on the system or network. This makes WireGuard one of the most practical solutions for setting up your own VPN server.

Preparing the VPS for WireGuard Installation

Almost any VPS is suitable for deploying WireGuard. However, the most common option is, of course, a Linux server, such as Ubuntu or Debian. We will base the practical part of this guide on this option.

Before installation, you must perform basic system preparation.

First, update the packages:

sudo apt update
sudo apt upgrade

Then install WireGuard:

sudo apt install wireguard

After installation, two utilities will appear in the system:

  • wg - management of WireGuard interfaces;
  • wg-quick - simplified launch of VPN configurations.

The next step is to enable IP forwarding so that the server can forward network traffic between clients and the internet. To do this, open the configuration file /etc/sysctl.conf and find the line:

net.ipv4.ip_forward=1

If it is commented out, uncomment it; if the parameter is set to 0, change it to 1. Then apply the changes by entering the following command in the console:

sudo sysctl -p
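The three states of the ip_forward line described above (commented out, set to 0, or absent), handled in one idempotent edit: an added Python example that operates on constructed sysctl.conf text, not the article's own procedure or the live file.

```python
import re

KEY = "net.ipv4.ip_forward"
# Matches the key in any of the states the article mentions: commented out,
# set to 0 or 1, with or without spaces around "=".
_ANY_STATE = re.compile(r"^\s*#?\s*" + re.escape(KEY) + r"\s*=\s*\S+\s*$")
_ACTIVE = re.compile(r"^\s*" + re.escape(KEY) + r"\s*=\s*(\S+)")


def enable_ip_forward(text):
    """Return sysctl.conf text in which net.ipv4.ip_forward=1 is in effect
    exactly once: the first matching line is rewritten (uncommented and set
    to 1), later duplicates are dropped, and the key is appended if absent."""
    out, done = [], False
    for line in text.splitlines():
        if _ANY_STATE.match(line):
            if not done:
                out.append(f"{KEY}=1")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{KEY}=1")
    return "\n".join(out) + "\n"


def forwarding_enabled(text):
    """Read the effective value the way `sysctl -p` would: the last active
    line wins, and comment lines do not count."""
    value = None
    for line in text.splitlines():
        match = _ACTIVE.match(line)
        if match:
            value = match.group(1)
    return value == "1"


# Constructed sysctl.conf excerpts, one per state the article describes.
COMMENTED = "# Uncomment to enable forwarding\n#net.ipv4.ip_forward=1\n"
DISABLED = "net.ipv4.ip_forward = 0\nvm.swappiness=10\n"
MISSING = "vm.swappiness=10\n"
```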

Now the server is ready for VPN configuration. As you can see, it’s extremely simple.

WireGuard Key Generation

As we mentioned earlier, WireGuard uses public-key cryptography, where each VPN participant has their own key pair. Let’s generate them on the server:

umask 077   # so the key files are created readable by their owner only
wg genkey | tee server_private.key | wg pubkey > server_public.key

After running this command, two files will appear on the server:

  • server_private.key - the server's private key;
  • server_public.key - the public key.

To view the key, you can run the command:

cat server_private.key

Important!!! The private key must not be shared with other network participants.

VPN Interface Configuration

Now let’s create the main WireGuard configuration file.

sudo nano /etc/wireguard/wg0.conf

Here is an example of the minimum required configuration:

[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

# eth0 below is the server's public network interface; if "ip a" shows a
# different name (ens3, enp0s3, ...), use that name in both rules.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Let’s review the main configuration parameters:

  • Address - The IP address of the VPN interface. This is the server’s internal address within the VPN network, through which it will communicate with connected clients;
  • ListenPort - The port on which WireGuard accepts incoming connections. By default, UDP port 51820 is most commonly used, but it can be changed if necessary;
  • PrivateKey - the server’s private key. It is used to encrypt the connection and identify the node within the WireGuard network. This key must be stored only on the server and must not be shared with other network participants;
  • PostUp - a command executed after the WireGuard interface starts. It is typically used to add NAT or routing rules so that clients can access the internet via the server;
  • PostDown - a command executed when the interface is stopped. It removes previously added NAT rules and restores the system’s network settings to their original state.

After saving the file, set the correct permissions on it:

sudo chmod 600 /etc/wireguard/wg0.conf

Starting and Verifying WireGuard

After creating the configuration file, you can start the WireGuard VPN interface. To do this, use the wg-quick utility, which automatically applies all settings from the configuration.

Start the interface with the command:

sudo wg-quick up wg0

If the configuration is correct, the system will create a virtual network interface wg0, apply routing and NAT rules, and then the VPN server will begin accepting connections.

To view the current WireGuard status and verify that the interface is working, you can run the command:

sudo wg show

In response, you will see information about the VPN interface, including the server’s public key, the port being used, and a list of connected clients (if any).

You should also verify that the interface has actually appeared in the system. You can check this with the command:

ip a | grep wg0

If the interface is running correctly, it will be listed among the network devices.

After that, you can test the network connection within the VPN. For example, if the server has an internal address 10.10.0.1, you can run:

ping 10.10.0.1

When the client connects to the VPN, you should also check the external IP address to ensure that traffic is passing through the server:

curl ifconfig.me

If the command output shows your VPS’s IP address, it means the VPN tunnel is working correctly and all traffic is passing through the server.

To have WireGuard start automatically after a server reboot, enable the corresponding systemd service:

sudo systemctl enable wg-quick@wg0

After that, the VPN interface will start automatically at system boot.

Adding a VPN Client

Now that we’ve set up the server, we can move on to adding and configuring the client. In WireGuard, each network participant has their own pair of cryptographic keys, so we first need to generate keys for the client. Run the following command:

umask 077   # key files readable by their owner only, as on the server
wg genkey | tee client_private.key | wg pubkey > client_public.key

This command generates the client's private key and saves it to the file client_private.key. A public key is then automatically generated based on this private key and saved to the file client_public.key. The private key will be used in the client configuration, and the public key must be added to the server.

Now let’s add the client to the WireGuard configuration on the server. To do this, open the wg0.conf file and add the following block:

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.10.0.2/32

The PublicKey parameter contains the client’s public key, which allows the server to recognize the device when it connects. The AllowedIPs parameter specifies the client’s internal IP address within the VPN network. In this example, the client will receive and use the address 10.10.0.2.

After changing the configuration, you must restart the WireGuard interface to apply the new settings:

sudo wg-quick down wg0
sudo wg-quick up wg0

The first command stops the VPN interface, and the second restarts it with the updated configuration.

Now let’s create the client-side configuration. It might look like this:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.10.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

The Interface section specifies the client's private key and its IP address within the VPN network. The DNS parameter specifies the DNS server to be used when connecting via the VPN.

The Peer section describes the server to which the client will connect. Here, you specify the server’s public key, its external IP address, and port. The AllowedIPs = 0.0.0.0/0 parameter means that all of the client’s internet traffic will pass through the VPN. The PersistentKeepalive parameter helps keep the connection active, which is especially important for mobile networks and NAT.

After creating the configuration file, simply import it into the WireGuard app on the client device. After that, the client will be able to connect to the server and use a secure VPN tunnel.
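The key generation, [Peer] block and client file above, as an added Python helper (not the article's code): it parses a constructed wg0.conf, allocates the next free address so two clients never share one, and renders both sides. The keys are placeholder strings; real ones come from `wg genkey` and `wg pubkey` as shown above, and the endpoint 203.0.113.10:51820 is a documentation address.

```python
import ipaddress
import re

# Constructed wg0.conf in the article's layout; keys are placeholders.
SERVER_CONF = """[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

[Peer]
PublicKey = FIRST_CLIENT_PUBLIC_KEY
AllowedIPs = 10.10.0.2/32
"""

def parse_conf(text):
    """INI-style wg-quick file -> [(section, {key: value}), ...]; repeated keys
    in one section (several PostUp lines) keep the last value, enough here."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return sections

def next_free_address(conf):
    """Lowest host in the VPN subnet not used by the server's own address or
    by any existing peer's AllowedIPs. Returns (address, prefix length)."""
    server = ipaddress.ip_interface(
        next(v for s, v in conf if s == "Interface")["Address"])
    taken = [ipaddress.ip_network(f"{server.ip}/32")]
    for section, values in conf:
        if section == "Peer":
            for cidr in filter(None, map(str.strip, values.get("AllowedIPs", "").split(","))):
                taken.append(ipaddress.ip_network(cidr, strict=False))
    for host in server.network.hosts():
        if not any(host in net for net in taken):
            return host, server.network.prefixlen
    raise RuntimeError(f"no free address left in {server.network}")

def render_peer_block(client_public_key, client_ip):
    # The /32 matters: AllowedIPs is also the source filter, so this client
    # may only ever send packets from exactly this one address.
    return f"[Peer]\nPublicKey = {client_public_key}\nAllowedIPs = {client_ip}/32\n"

def render_client_conf(client_private_key, client_ip, prefixlen,
                       server_public_key, endpoint, dns="1.1.1.1"):
    # 0.0.0.0/0 sends all client traffic through the tunnel; the keepalive
    # stops NAT mappings from expiring while the link is idle.
    return (f"[Interface]\nPrivateKey = {client_private_key}\n"
            f"Address = {client_ip}/{prefixlen}\nDNS = {dns}\n\n"
            f"[Peer]\nPublicKey = {server_public_key}\nEndpoint = {endpoint}\n"
            "AllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n")

def add_client(server_conf, client_public_key, client_private_key,
               server_public_key, endpoint):
    """Return (updated wg0.conf text, client .conf text) for one new peer."""
    conf = parse_conf(server_conf)
    if any(v.get("PublicKey") == client_public_key for s, v in conf if s == "Peer"):
        raise ValueError("this public key is already configured as a peer")
    ip, prefixlen = next_free_address(conf)
    updated = server_conf.rstrip("\n") + "\n\n" + render_peer_block(client_public_key, ip)
    client = render_client_conf(client_private_key, ip, prefixlen,
                                server_public_key, endpoint)
    return updated, client
```

Write both returned texts with mode 600, as the article does for wg0.conf. To load the new peer without dropping the sessions of clients that are already connected, `sudo wg syncconf wg0 <(sudo wg-quick strip wg0)` can replace the down/up restart.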

Importing a Configuration into the WireGuard App

After creating the client configuration file, you need to import it into the WireGuard app on the device from which the connection will be made. WireGuard supports most modern platforms, so the same server can be used to connect various devices.

Official WireGuard clients are available for:

  • Windows
  • macOS
  • Linux
  • Android
  • iOS

On desktop systems, it is usually sufficient to install the WireGuard app and import the configuration file (.conf). After importing, a new VPN profile will appear in the app, which can be activated with a single toggle.

On mobile devices, a more convenient method is often used: importing the configuration via a QR code. This allows you to quickly add a VPN profile without manually copying keys and settings.

You can generate a QR code from the configuration file directly on the server using the qrencode utility:

qrencode -t ansiutf8 < client.conf

This command generates a QR code in the terminal based on the contents of the client.conf file. Open the WireGuard app on your smartphone, select “Add New Tunnel” via QR code scanning, and point the camera at the terminal screen.

After scanning, the app will automatically create a VPN profile with all the necessary settings, and the device will be ready to connect to your WireGuard server.

Configuring the firewall for WireGuard

In order for the VPN server to accept connections from clients, you must allow incoming connections on the WireGuard port. By default, WireGuard uses UDP port 51820, so this port must be open in the server’s firewall.

If the server uses UFW (Uncomplicated Firewall), you can add the following rule with this command:

sudo ufw allow 51820/udp

This command allows incoming UDP connections on port 51820, which will allow clients to establish a VPN tunnel with the server.

If network rules are managed via iptables, the rule can be added as follows:

sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT

Here, the rule is added to the INPUT chain and allows all incoming UDP packets destined for the WireGuard port.

In most cases, this is sufficient for the server to start accepting VPN connections. However, additional restrictions are often applied in production environments. For example, if the VPN is used only within a team or company, you can allow access to the WireGuard port only from specific IP addresses or networks. This reduces the likelihood of scanning and unauthorized connection attempts to the server.

Common Issues When Setting Up WireGuard

Despite WireGuard’s simplicity, typical issues related to network configuration or tunnel settings sometimes arise during the initial setup. Below are several common scenarios and ways to troubleshoot them.

The client connects, but there is no internet

One of the most common issues is that the client successfully connects to the VPN but cannot access the internet. This is usually due to missing or incorrectly configured NAT on the server.

In this case, you should check whether address translation rules are in effect:

sudo iptables -t nat -L

If there are no MASQUERADE rules, client traffic is not being forwarded through the server’s network interface. You should also ensure that IP forwarding is enabled on the system (net.ipv4.ip_forward=1).

Server Not Responding

If a client cannot establish a connection with the server, first check whether the WireGuard interface is running:

sudo wg show

This command displays active interfaces, keys in use, and a list of connected clients.

If the interface is running, the next step is to verify that the server is actually listening on the correct port. You can check this with the command:

sudo ss -ulnp | grep 51820

If the port does not appear in the list, it means WireGuard is not running or the configuration was applied incorrectly. You should also check your firewall rules and make sure that UDP port 51820 is open.

WireGuard won't start

Sometimes the interface fails to start due to errors in the configuration file. Most often, this is caused by an incorrect key, an error in the IP address, or a syntax error in the configuration.

To troubleshoot, you can manually start the interface:

sudo wg-quick up wg0

If there is an error in the configuration, the system will display a message describing the problem. After correcting the wg0.conf file, you can restart the interface.

In most cases, such issues can be resolved by checking the configuration, firewall rules, and routing settings.

FAQ

Can WireGuard be used instead of OpenVPN?

In many cases, yes. WireGuard is easier to configure and generally offers higher performance. However, OpenVPN is sometimes used in infrastructures that require a complex authentication system.

How many clients can a VPS handle?

Even a small VPS is capable of handling dozens of connections. The limitation is more often related to network bandwidth.

Can multiple servers be connected via WireGuard?

Yes. WireGuard is often used for site-to-site VPNs and mesh networks between servers.

How secure is WireGuard?

WireGuard uses modern cryptographic algorithms and has a compact codebase, which simplifies security audits.

Can I use WireGuard on a smartphone?

Yes. Official apps are available for Android and iOS, and setup usually takes just a few minutes.

Do I need to install WireGuard on both the server and the client?

Yes. The VPN only works when WireGuard is installed on both ends of the connection.

Can multiple clients be used simultaneously?

Yes. A separate Peer entry and a unique IP address within the VPN network are created for each client.

Does WireGuard work in Docker?

Yes. There are ready-made containers and images for running WireGuard within a Docker environment.

Can access to the server be restricted to the VPN only?

Yes. Often, SSH and administrative panels are only accessible within the VPN network, completely blocking them from the public internet.

Conclusion

WireGuard is a modern VPN protocol that combines high performance, simple configuration, and robust cryptography. Thanks to its minimalist architecture, it can be easily deployed even on a small VPS and does not require complex certificate infrastructure or lengthy configuration.

A self-hosted VPN server based on WireGuard allows you to securely connect to server infrastructure, protect administrative access, and integrate various services into a private network. This approach is particularly convenient for developers, system administrators, and small teams who need to control access to internal systems.

An additional advantage is flexibility. WireGuard can be used not only for remote server access but also for connecting multiple servers, setting up private networks between data centers, or working securely from public networks.

As a result, you get a simple and effective tool for building a secure network infrastructure. And thanks to its ease of configuration - which you’ve surely experienced firsthand - and high performance, WireGuard remains one of the most practical solutions for running your own VPN on a VPS.