
Configure VPN with WireGuard

WireGuard installation, key generation, server and client configuration, and multi-device connection.


What is WireGuard?

WireGuard is a modern, fast and secure VPN protocol. It uses state-of-the-art cryptography and has a minimal codebase (~4000 lines), reducing the attack surface.

Step 1: Install WireGuard

```bash
sudo apt update
sudo apt install -y wireguard
```

Step 2: Generate server keys

```bash
cd /etc/wireguard
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key
```

Step 3: Server configuration

Create /etc/wireguard/wg0.conf. Replace SERVER_PRIVATE_KEY with the contents of server_private.key, and replace eth0 in the PostUp/PostDown rules with the name of the server's internet-facing interface (shown by `ip route show default`), otherwise the NAT rule will not match and clients get no internet access:

```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
```

Step 4: Enable IP forwarding

```bash
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```

Step 5: Start WireGuard

```bash
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo wg show
```

Step 6: Client configuration

Generate client keys (keep umask 077 in effect, as in Step 2, so the private key file is not readable by other users):

```bash
wg genkey | tee client_private.key | wg pubkey > client_public.key
```

Client config file (client.conf). Replace CLIENT_PRIVATE_KEY with the contents of client_private.key, SERVER_PUBLIC_KEY with the contents of server_public.key, and SERVER_IP with the server's public address; AllowedIPs = 0.0.0.0/0 sends all of the client's IPv4 traffic through the tunnel:

```ini
[Interface]
Address = 10.0.0.2/24
PrivateKey = CLIENT_PRIVATE_KEY
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

Open firewall port

```bash
sudo ufw allow 51820/udp
```

Connect from different devices

  • Windows/Mac/Linux: Download the official app from wireguard.com and import the .conf file
  • Android/iOS: Download WireGuard from the store and scan a QR code generated from the client config:

```bash
sudo apt install -y qrencode
qrencode -t ansiutf8 < client.conf
```

Add more clients

For each new client:

  1. Generate a key pair
  2. Add a [Peer] block on the server with the public key and unique IP
  3. Restart: sudo systemctl restart wg-quick@wg0
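As an added example (not part of the guide), a small POSIX shell helper that automates the three steps above and the client config from Step 6: it picks the next unused 10.0.0.x address by parsing the AllowedIPs lines already in the server's wg0.conf, generates the client key pair under umask 077, appends the [Peer] block and writes the client .conf. The clients/ directory, the server_private.key path and the use of `wg set` to apply the peer without a restart are assumptions; it must run as root on the server.

```shell
#!/bin/sh
# Hypothetical helper, not part of the guide: add one WireGuard client.
# Usage (as root on the server): ./add-client.sh <name> <SERVER_IP:51820>
set -eu

WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"      # server config from Step 3
CLIENT_DIR="${CLIENT_DIR:-/etc/wireguard/clients}" # assumed output directory
SUBNET_PREFIX="10.0.0"                             # must match the server Address

# Print the lowest 10.0.0.N (N in 2..254) not already claimed by an AllowedIPs
# line in the server config, so every client gets a unique address.
next_free_ip() {
  used=$(grep -E '^[[:space:]]*AllowedIPs' "$1" 2>/dev/null \
         | grep -oE "$SUBNET_PREFIX\.[0-9]+" | cut -d. -f4 | sort -n)
  n=2
  while echo "$used" | grep -qx "$n"; do n=$((n + 1)); done
  [ "$n" -le 254 ] || { echo "subnet $SUBNET_PREFIX.0/24 exhausted" >&2; return 1; }
  echo "$SUBNET_PREFIX.$n"
}

# [Peer] block for the server config. Args: client pubkey, client IP, name.
peer_block() {
  printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$3" "$1" "$2"
}

# Client config matching Step 6. Args: client privkey, client IP, server pubkey, endpoint.
client_conf() {
  printf '[Interface]\nAddress = %s/24\nPrivateKey = %s\nDNS = 1.1.1.1\n\n' "$2" "$1"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n' "$3" "$4"
}

main() {
  name="$1"; endpoint="$2"
  umask 077                                  # key material is created mode 0600
  mkdir -p "$CLIENT_DIR"
  ip=$(next_free_ip "$WG_CONF")
  priv=$(wg genkey)
  pub=$(printf '%s\n' "$priv" | wg pubkey)
  server_pub=$(wg pubkey < /etc/wireguard/server_private.key)
  peer_block "$pub" "$ip" "$name" >> "$WG_CONF"
  client_conf "$priv" "$ip" "$server_pub" "$endpoint" > "$CLIENT_DIR/$name.conf"
  # Apply the new peer to the running interface; unlike a restart this keeps
  # existing tunnels up. The config file updated above covers the next boot.
  wg set wg0 peer "$pub" allowed-ips "$ip/32"
  echo "$name -> $ip, client config written to $CLIENT_DIR/$name.conf"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

The generated client .conf can be imported directly or turned into a QR code with qrencode as shown above.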

Recommendations

  • Use a different IP for each client (10.0.0.2, 10.0.0.3, etc.)
  • Store private keys securely
  • Use PersistentKeepalive = 25 for clients behind NAT
  • Monitor connections with sudo wg show
  • Consider using private DNS (Pi-hole) through the VPN
