Install WireGuard via whatever package manager you use. For me, I use apt. | |
$ sudo add-apt-repository ppa:wireguard/wireguard | |
$ sudo apt-get update | |
$ sudo apt-get install wireguard | |
MacOS | |
$ brew install wireguard-tools | |
Generate key your key pairs. The key pairs are just that, key pairs. They can be | |
generated on any device, as long as you keep the private key on the source and | |
place the public on the destination. | |
$ wg genkey | tee privatekey | wg pubkey > publickey | |
example privatekey - mNb7OIIXTdgW4khM7OFlzJ+UPs7lmcWHV7xjPgakMkQ= | |
example publickey - 0qRWfQ2ihXSgzUbmHXQ70xOxDd7sZlgjqGSPA9PFuHg= | |
One can also generate a preshared key to add an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance. | |
# wg genpsk > preshared | |
Take the above private key, and place it in the server. And conversely, put the | |
public key on the peer. Generate a second key pair, and do the opposite, put the | |
public on the server and the private on the peer. Put the preshared key in the client config if you choose to use it. | |
On the server, create a conf file - /etc/wireguard/wg0.conf (These are examples, | |
so use whatever IP ranges and CIDR blocks that will work for your network. | |
################################ | |
[Interface] | |
Address = | |
DNS = | |
PrivateKey = [ServerPrivateKey] | |
ListenPort = 51820 | |
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp9s0 -j MASQUERADE | |
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp9s0 -j MASQUERADE | |
[Peer] | |
#Peer #1 | |
PublicKey = [Peer#1PublicKey] | |
AllowedIPs = | |
[Peer] | |
#Peer #2 | |
PublicKey = [Peer#2PublicKey] | |
AllowedIPs = | |
[Peer] | |
#Peer #3 | |
PublicKey = [Peer#3PublicKey] | |
AllowedIPs = | |
[Peer] | |
#Peer #4 | |
PublicKey = [Peer#4PublicKey] | |
AllowedIPs = | |
################################## | |
On each client, define a /etc/wireguard/mobile_user.conf - | |
################################### | |
[Interface] | |
Address = | |
PrivateKey = [PrivateKeyPeer#1] | |
[Peer] | |
PublicKey = [ServerPublicKey] | |
PresharedKey = [PresharedKey] | |
Endpoint = some.domain.com:51820 | |
AllowedIPs =, ::/0 | |
# if you want to do split tunnel, add your allowed IPs | |
# for example if your home network is | |
# AllowedIPs = | |
# This is for if you're behind a NAT and | |
# want the connection to be kept alive. | |
PersistentKeepalive = 25 | |
######################################## | |
sudo wg show | |
######################################### | |
peer: Peer #1 | |
endpoint: | |
allowed ips: | |
latest handshake: 4 minutes, 16 seconds ago | |
transfer: 57.58 KiB received, 113.32 KiB sent | |
peer: Peer #2 | |
endpoint: | |
allowed ips: | |
latest handshake: 5 minutes, 30 seconds ago | |
transfer: 92.98 KiB received, 495.89 KiB sent | |
################################################## | |
Start/stop interface | |
wg-quick up wg0 | |
wg-quick down wg0 | |
Start/stop service | |
$ sudo systemctl stop wg-quick@wg0.service | |
$ sudo systemctl start wg-quick@wg0.service | |
Instead of having to modify the file for every client you want to add to the | |
server you could also use the wg tool instead: | |
# add peer | |
wg set wg0 peer <client_pubkey> allowed-ips 10.0.0.x/32 | |
# verify connection | |
wg | |
# save to config | |
wg-quick save wg0 | |
######### EDIT ############## | |
I was setting up a relative with a Wireguard config, and figured I might as well use qrencode to do it since I have it installed on my local machine. | |
qrencode -t ansiutf8 < /etc/wireguard/mobile_user.conf | |
In 10.0.0.x/32
is the x
literally x
? Or should I substitute it with a number?
is thex
? Or should I substitute it with a number?
@tabatinga0x00 x would be whatever number you wish between 2 and 254.
From the Arch Wiki, use
wg genkey | (umask 077 && tee privatekey) | wg pubkey > publickey
So the private key is created not readable to others.
This is a great concise setup guide. Thanks for posting and maintaining it.
For those new to WireGuard and/or networking, some additional comments in the config files may be helpful:
# server config
# This is the server config file, so the [Interface] is on the server
# PrivateKey is the server private key generated during setup
PrivateKey = copy-and-paste-the-server-private-key-here
# Address is the server's VPN IP address and subnet range; /24 is 254 available addresses
Address =
#ListenPort is the server UDP port; for cloud implementations, open this port in the server's security group
ListenPort = 51820
#DNS is the server's DNS resolvers; the and DNS resolvers are hosted by Cloudflare
DNS =,
# PostUp and PostDown commands for iptables
# The next two commands open and close the required iptables routing rules on the server
# When the server's WireGuard network interface is up, the PostUp command is executed
# When the server's WireGuard network interface is down, the PostDown command is executed
# >>> Important <<< ensure that your server's network interface name is correct in the next two commands
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o copy-and-paste-the-server-network-interface-name-here -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o copy-and-paste-the-server-network-interface-name-here -j MASQUERADE
# >>> Important <<< each client needs a [Peer] section with a unique AllowedIP VPN IP address
# Peer/client #1
# This is the server config file, so the [peer] is the client, e.g., your laptop
# PublicKey is the public key of the client; on some clients, this is automatically generated by the client WireGuard app
PublicKey = copy-and-paste-the-client-public-key-here
# AllowedIPs is the client VPN IP address; /32 is one specific IP address
# >>> Important <<< each client needs a unique AllowedIP VPN IP address, e.g.,,,, etc.
AllowedIPs =
# Peer/client #2
# This is the server config file, so the [peer] is the client, e.g., your laptop
# PublicKey is the public key of the client; on some clients, this is automatically generated by the client WireGuard app
PublicKey = copy-and-paste-the-client-public-key-here
# AllowedIPs is the client VPN IP address; /32 is one specific IP address
# >>> Important <<< each client needs a unique AllowedIP VPN IP address, e.g.,,,, etc.
AllowedIPs =
# client config
# This is the client config file, so the [Interface] is on the client, e.g., your laptop
#Address is the client VPN IP address; /32 is one specific IP address
# >>> Important <<< each client needs a unique VPN IP address, e.g.,,,, etc.
Address =
# PrivateKey is the client private key; on some clients, this is automatically generated by the client WireGuard app
PrivateKey = '>>>DO NOT<<<' overwrite the client app automatically generated client private key here; if there is no automatically generated client private key, copy-and-paste-the-client-private-key-here
# This is the client config file, so the [Peer] is the server
# PublicKey is the server's public key generated during the server WireGuard setup process
PublicKey = copy-and-paste-the-server-public-key-here
# Endpoint is the server's public IP address
Endpoint = copy-and-paste-the-server-public-IP-address-here:51820
# AllowedIPs: controls which network traffic enters and leaves the client
# AllowedIPs: acts as a routing table when sending and an Access Control List (ACL) when receiving
# AllowedIPs: for client-to-Internet-VPN scenario, use:, ::/0
# AllowedIPs:, ::/0 allows traffic from any source to any target
# AllowedIPs:, ::/0 allows traffic to and from the entire internet
# AllowedIPs: for client-to-server(s)-VPN scenario, use: server.IP.address, server(s).subnet.CIDR
# AllowedIPs: client-to-server(s)-VPN scenario example:,
# AllowedIPs:, allows traffic to and from a WireGuard server at and any server/device in the subnet
# AllowedIPs: /16 is 65,534 available IP addresses
AllowedIPs =, ::/0
# PersistentKeepalive is for a Network Address Translation (NAT) scenario; it keeps the client connection to the server alive
PersistentKeepalive = 25
This is a great concise setup guide. Thanks for posting and maintaining it.
For those new to WireGuard and/or networking, some additional comments in the config files may be helpful:
You are welcome to use it
Hi Chriss,
How to configure the wireguard VPN server in the load balancing scenario with multiple vpn servers in active-active mode ?. Wireguard peers should communicate between each other through multiple vpn server placed behind the udp load balancer?