Configuring WireGuard

Learn how to configure WireGuard, a modern & fast VPN that will allow you to access your home/office network remotely as if you were physically there.

What's WireGuard?

WireGuard is a modern, fast VPN that’s simple to set up. In this post I’ll walk you through a basic server + client setup on Linux (Ubuntu), show key commands, explain the config file fields, and give firewall/NAT and troubleshooting tips. Example configs included. (WireGuard)

With WireGuard, you can:

• Create secure VPN tunnels

• Enjoy high performance — WireGuard is lightweight and much faster than traditional VPNs like OpenVPN or IPSec.

• Connect across platforms — it works on Linux, Windows, macOS, Android, iOS, and even routers.

• Access your home/office network remotely as if you were physically there.

• Bypass NAT and firewalls easily, since it only needs a single UDP port open on the server.

• And much more!

---

How it will work

Configuration

Prerequisites

• A Linux machine to act as the server (a VPS or a home server)

• A client device (Linux, Windows, macOS...)

• A public IP or port-forward from your router to the server (UDP port, default 51820). DDNS is also okay.

---

1

Install WireGuard

In this example, we're using Ubuntu as the server. It should also work for Debian.

sudo apt update
sudo apt install wireguard wireguard-tools

2

Generate keys (server & client)

WireGuard uses asymmetric cryptography. A pair of keys is mandatory. Generate a private/public keypair for each peer.

Do this on each machine (both the server and your client).

# I recommend to execute this command as ROOT user in /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey

Save the private key somewhere safe (only readable by root).

3

Server config

On your server, create the file /etc/wireguard/wg0.conf

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PrivateKey = <SERVER_PRIVATE_KEY_HERE>
ListenPort = 51820

# Example PostUp/PostDown for NAT & forwarding (replace eth0 with your public interface)
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# One client (peer) example:
[Peer]
PublicKey = <CLIENT_PUBLIC_KEY_HERE>
AllowedIPs = 10.0.0.2/32

PrivateKey = <SERVER_PRIVATE_KEY_HERE>

Copy the server's private key in this field.

PublicKey = <CLIENT_PUBLIC_KEY_HERE>

Copy the client's public key in this field.

4

Enable IP forwarding and NAT (server)

Enable IPv4 forwarding immediately:

sudo sysctl -w net.ipv4.ip_forward=1

Make it persistent (add to /etc/sysctl.d/99-sysctl.conf or /etc/sysctl.conf):

net.ipv4.ip_forward=1

Add NAT so clients can reach the Internet through the server (adjust interface name):

sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

5

Client config

On your client, create the file /etc/wireguard/wg0.conf

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_HERE
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_HERE
Endpoint = your.server.public.ip:51820
AllowedIPs = 0.0.0.0/0, ::/0    # route all traffic through the VPN (full tunnel)
# AllowedIPs = 10.0.0.0/24     # <-- example for split tunnel (only access VPN subnet)
PersistentKeepalive = 25       # helpful if client is behind NAT

PrivateKey = CLIENT_PRIVATE_KEY_HERE

Copy the client's private key in this field

PublicKey = SERVER_PUBLIC_KEY_HERE

Copy the server's private key in this field

6

Bring the interface up and enable at boot

Manually bring up:

# start
sudo wg-quick up wg0

# stop
sudo wg-quick down wg0

Enable systemd service (auto-start on boot):

sudo systemctl enable --now wg-quick@wg0

Check status and peer handshakes:

sudo wg         # shows peers, public keys, endpoints, latest handshake, transfer bytes
ip a show wg0   # shows the interface and addresses
sudo journalctl -u wg-quick@wg0 -e   # view logs if it fails

---