WireGuard Configuration as VPN: Complete Setup Guide

Introduction

In an era of increasing online surveillance, data breaches, and geo-restrictions, Virtual Private Networks (VPNs) have become essential tools for privacy-conscious users and organizations. WireGuard represents the next generation of VPN technology, offering a revolutionary approach that combines exceptional performance, robust security, and remarkable simplicity compared to traditional VPN solutions like OpenVPN and IPSec.

Developed by Jason A. Donenfeld and officially merged into the Linux kernel in version 5.6, WireGuard has rapidly gained adoption across the industry. Major VPN providers have integrated WireGuard into their offerings, and system administrators worldwide are replacing legacy VPN infrastructure with this modern alternative. The entire codebase consists of approximately 4,000 lines of code, making it auditable and maintainable compared to OpenVPN's 100,000+ lines.

This comprehensive guide provides everything needed to deploy a production-ready WireGuard VPN server on Linux. You'll learn installation procedures across major distributions, cryptographic key management, network configuration for various topologies, client setup for multiple platforms, performance optimization, security hardening, and troubleshooting techniques.

Whether securing remote work connections, creating a privacy-focused browsing solution, building site-to-site corporate networks, accessing geo-restricted content, or establishing secure access to home networks while traveling, WireGuard provides the foundation for fast, secure, and reliable VPN connectivity.

Use Case Overview

Why Choose WireGuard?

WireGuard offers compelling advantages over traditional VPN technologies:

Exceptional Performance: WireGuard operates entirely in kernel space on Linux, eliminating context switching overhead. Benchmarks show 3-4x throughput improvements over OpenVPN and near-native networking speeds, often achieving 1+ Gbps on modest hardware.

Modern Cryptography: Built exclusively on state-of-the-art cryptographic primitives including Curve25519 for key exchange, ChaCha20 for symmetric encryption, Poly1305 for authentication, and BLAKE2s for hashing. No outdated or vulnerable algorithms, no configuration options for weaker encryption.

Minimal Attack Surface: The compact codebase (4,000 lines vs OpenVPN's 100,000+) reduces vulnerability potential. Less code means fewer bugs and easier security audits by cryptographers and security researchers.

Stealth and Censorship Resistance: WireGuard's UDP-based protocol with no handshake makes it difficult to detect and block. Silent when not in use, it doesn't respond to unauthorized packets, making port scanning ineffective.

Battery Efficiency: Mobile devices benefit from WireGuard's efficient design, consuming significantly less power than OpenVPN, crucial for smartphones and tablets on battery power.

Seamless Roaming: Handles network changes gracefully. Switch from WiFi to cellular data without connection drops, perfect for mobile users moving between networks.

Simple Configuration: Text-based configuration files with minimal parameters. No complex certificate infrastructure, no confusing TLS settings, no arcane iptables rules to debug.

Cross-Platform Support: Native implementations for Linux, Windows, macOS, iOS, Android, FreeBSD, and more. First-party clients maintained by the WireGuard project ensure consistency.

Common Deployment Scenarios

Remote Work VPN: Employees securely access corporate resources from home, coffee shops, or while traveling, with end-to-end encryption protecting sensitive business data.

Privacy and Security: Route all internet traffic through a VPS to hide your IP address from websites, encrypt traffic on untrusted networks, and prevent ISP monitoring.

Bypass Geo-Restrictions: Access region-locked content by routing traffic through servers in different countries, useful for streaming services, research, or avoiding censorship.

Site-to-Site VPN: Connect multiple office locations or data centers, allowing resources at each site to communicate securely as if on the same local network.

Secure Home Access: Access home network resources (NAS, home automation, security cameras) securely while away without exposing services directly to the internet.

Developer Access: Provide contractors, consultants, and remote developers secure access to development environments without exposing infrastructure publicly.

IoT Device Security: Create isolated networks for IoT devices, routing their traffic through VPN to prevent local network exposure and enhance privacy.

Technical Architecture

WireGuard implements a point-to-point VPN model:

• Peer-to-Peer Design: No client/server distinction at protocol level; all endpoints are peers
• Static IP Assignment: Each peer receives a static VPN IP address
• Public Key Authentication: Peers identify each other via public keys, no usernames or passwords
• Allowed IPs Routing: Cryptokey routing determines which traffic uses VPN based on destination IP
• NAT Traversal: Built-in NAT traversal and hole punching for connections through firewalls
• Layer 3 Operation: Functions at network layer, creating virtual network interface

Requirements

System Requirements

Minimum Requirements (Personal VPN, 1-5 users):

• CPU: 1 core at 1.5+ GHz
• RAM: 512MB
• Storage: 5GB
• Network: 10 Mbps bandwidth
• OS: Linux kernel 5.6+ (WireGuard integrated) or 3.10+ (kernel module installation)

Recommended Requirements (Small Business VPN, 10-50 users):

• CPU: 2 cores at 2.0+ GHz
• RAM: 2GB
• Storage: 10GB
• Network: 100 Mbps bandwidth with low latency
• OS: Ubuntu 22.04 LTS or Debian 12

High-Performance Requirements (Large Organization, 100+ users):

• CPU: 4+ cores at 2.5+ GHz
• RAM: 4GB+
• Storage: 20GB SSD
• Network: 1 Gbps dedicated bandwidth
• OS: Ubuntu 22.04 LTS with kernel optimizations

Operating System Compatibility

Officially Supported:

• Ubuntu 20.04/22.04 LTS
• Debian 11/12
• CentOS Stream 8/9
• Rocky Linux 8/9
• AlmaLinux 8/9
• Fedora 35+
• Arch Linux
• OpenSUSE Leap 15.3+

Kernel Requirements:

• Linux kernel 5.6+ (WireGuard built-in)
• Linux kernel 3.10-5.5 (WireGuard kernel module via DKMS)

Network Requirements

Server Public IP: Static public IP address or dynamic DNS for clients to connect.

UDP Port: WireGuard uses a single UDP port (default 51820, configurable).

Firewall Access: Ability to configure server firewall to allow UDP traffic on WireGuard port.

IPv4/IPv6: Supports both protocols; dual-stack configuration recommended.

Client Requirements

WireGuard clients available for:

• Linux: Command-line tools, NetworkManager integration, systemd service
• Windows: Official WireGuard Windows client
• macOS: Official WireGuard macOS client, Homebrew installation
• iOS: WireGuard app from App Store
• Android: WireGuard app from Google Play Store
• ChromeOS: Android app via Play Store

Prerequisites Knowledge

• Basic Linux command-line skills
• Understanding of IP networking and subnets
• Familiarity with firewall configuration
• SSH access to server
• Text editor proficiency (nano, vim)

Step-by-Step Setup

Step 1: Install WireGuard

Ubuntu 20.04/22.04 and Debian 11/12:

# Update package list
sudo apt update

# Install WireGuard
sudo apt install wireguard -y

CentOS Stream 8/9 and Rocky/AlmaLinux 8/9:

# Enable EPEL repository
sudo dnf install epel-release elrepo-release -y

# Install WireGuard tools
sudo dnf install wireguard-tools -y

# If kernel < 5.6, install kernel module
sudo dnf install kmod-wireguard -y

Verify installation:

wg version

Should display WireGuard version information.

Step 2: Enable IP Forwarding

WireGuard server must forward packets between VPN clients and internet:

# Enable IPv4 forwarding
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf

# Enable IPv6 forwarding (optional)
echo "net.ipv6.conf.all.forwarding = 1" | sudo tee -a /etc/sysctl.conf

# Apply changes immediately
sudo sysctl -p

Verify:

sysctl net.ipv4.ip_forward

Should return net.ipv4.ip_forward = 1.

Step 3: Generate Server Keys

Create directory for WireGuard configuration:

sudo mkdir -p /etc/wireguard
sudo chmod 700 /etc/wireguard

Generate private and public keys:

# Generate private key
wg genkey | sudo tee /etc/wireguard/server_private.key
sudo chmod 600 /etc/wireguard/server_private.key

# Generate public key from private key
sudo cat /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key

View keys (you'll need them for configuration):

# Server private key
sudo cat /etc/wireguard/server_private.key

# Server public key
sudo cat /etc/wireguard/server_public.key

Step 4: Create Server Configuration

Identify your server's network interface:

ip -o -4 route show to default | awk '{print $5}'

Typically eth0, ens3, enp0s3, or similar. Note this for later use.

Create WireGuard configuration file:

sudo nano /etc/wireguard/wg0.conf

Add the following configuration (replace placeholders):

[Interface]
# Server private key
PrivateKey = SERVER_PRIVATE_KEY_HERE

# VPN subnet for WireGuard network
Address = 10.0.0.1/24

# WireGuard listening port
ListenPort = 51820

# Save current network state
SaveConfig = false

# PostUp: Rules to execute when WireGuard starts
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# PostDown: Rules to execute when WireGuard stops
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Client 1 configuration
[Peer]
# Client public key (generate on client device)
PublicKey = CLIENT1_PUBLIC_KEY_HERE

# Allowed IPs for this client
AllowedIPs = 10.0.0.2/32

# Keep connection alive
PersistentKeepalive = 25

Important: Replace SERVER_PRIVATE_KEY_HERE with your actual server private key from Step 3, and replace eth0 with your actual network interface.

Set proper permissions:

sudo chmod 600 /etc/wireguard/wg0.conf

Step 5: Configure Firewall

UFW (Ubuntu/Debian):

# Allow WireGuard port
sudo ufw allow 51820/udp

# Allow SSH (prevent lockout)
sudo ufw allow 22/tcp

# Enable firewall if not already enabled
sudo ufw enable

Firewalld (CentOS/Rocky):

# Allow WireGuard port
sudo firewall-cmd --permanent --add-port=51820/udp

# Enable masquerading
sudo firewall-cmd --permanent --add-masquerade

# Reload firewall
sudo firewall-cmd --reload

Step 6: Start WireGuard Server

Enable and start WireGuard:

# Enable WireGuard to start on boot
sudo systemctl enable wg-quick@wg0

# Start WireGuard now
sudo systemctl start wg-quick@wg0

# Check status
sudo systemctl status wg-quick@wg0

Verify WireGuard interface is running:

sudo wg show

Should display interface configuration and connected peers.

Check interface:

ip addr show wg0

Should show wg0 interface with IP 10.0.0.1/24.

Step 7: Generate Client Keys

On your client device (or generate on server for distribution):

Linux/macOS Client:

# Install WireGuard first if not installed
# Ubuntu/Debian: sudo apt install wireguard
# macOS: brew install wireguard-tools

# Generate client private key
wg genkey > client_private.key
chmod 600 client_private.key

# Generate client public key
cat client_private.key | wg pubkey > client_public.key

Windows Client:

Use the official WireGuard Windows client GUI, which generates keys automatically.

Mobile Clients (iOS/Android):

Use the official WireGuard app, which generates keys when creating a new tunnel.

Step 8: Create Client Configuration

Create client configuration file:

nano client.conf

Add the following (replace placeholders):

[Interface]
# Client private key
PrivateKey = CLIENT_PRIVATE_KEY_HERE

# Client VPN IP address
Address = 10.0.0.2/32

# DNS server (optional, use VPN server or public DNS)
DNS = 1.1.1.1, 8.8.8.8

[Peer]
# Server public key
PublicKey = SERVER_PUBLIC_KEY_HERE

# Server public IP and port
Endpoint = SERVER_PUBLIC_IP:51820

# Route all traffic through VPN (0.0.0.0/0)
# Or specific subnets for split tunneling
AllowedIPs = 0.0.0.0/0, ::/0

# Keep connection alive through NAT
PersistentKeepalive = 25

Configuration Breakdown:

• PrivateKey: Client's private key (generated in Step 7)
• Address: Client's VPN IP address (10.0.0.2, 10.0.0.3, etc. for additional clients)
• DNS: DNS servers to use when connected (prevents DNS leaks)
• PublicKey: Server's public key (from Step 3)
• Endpoint: Server's public IP address and WireGuard port
• AllowedIPs: 0.0.0.0/0 routes all traffic through VPN (full tunnel); use specific IPs for split tunnel
• PersistentKeepalive: Keeps connection alive through NAT firewalls (25 seconds recommended)

Step 9: Add Client to Server Configuration

On the server, add the client peer to /etc/wireguard/wg0.conf:

sudo nano /etc/wireguard/wg0.conf

Add new [Peer] section:

[Peer]
PublicKey = CLIENT_PUBLIC_KEY_HERE
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25

Reload WireGuard configuration:

sudo systemctl restart wg-quick@wg0

# Or reload without stopping:
sudo wg syncconf wg0 <(wg-quick strip wg0)

Step 10: Connect Client

Linux Client:

# Copy configuration to WireGuard directory
sudo cp client.conf /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/wg0.conf

# Start WireGuard
sudo wg-quick up wg0

# Check connection
sudo wg show

To enable on boot:

sudo systemctl enable wg-quick@wg0

Windows Client:

1. Open WireGuard Windows client
2. Click "Import tunnel(s) from file"
3. Select client.conf
4. Click "Activate"

macOS Client:

1. Open WireGuard macOS client
2. Click "+" and "Add from file"
3. Select client.conf
4. Click "Activate"

Mobile Clients:

1. Open WireGuard app
2. Tap "+" to add tunnel
3. Choose "Create from file or archive" or scan QR code
4. Toggle connection on

Step 11: Test VPN Connection

Check VPN interface on client:

ip addr show wg0

Should show wg0 interface with IP 10.0.0.2/32.

Ping VPN server:

ping 10.0.0.1

Should receive responses from VPN server.

Check public IP:

curl ifconfig.me

Should display server's public IP, not client's original IP.

DNS leak test:

curl https://www.dnsleaktest.com/

Or visit dnsleaktest.com in browser to verify DNS queries route through VPN.

Configuration

Split Tunneling Configuration

Route only specific traffic through VPN instead of all traffic:

Client Configuration for Split Tunneling:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_HERE
Address = 10.0.0.2/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY_HERE
Endpoint = SERVER_PUBLIC_IP:51820

# Only route specific networks through VPN
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24, 172.16.0.0/16

PersistentKeepalive = 25

This routes only private networks through VPN while leaving other traffic (internet) through default gateway.

Multiple Client Setup

Add multiple clients by creating unique peer sections:

Server Configuration with Multiple Clients:

[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Client 1
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

# Client 2
[Peer]
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32

# Client 3
[Peer]
PublicKey = CLIENT3_PUBLIC_KEY
AllowedIPs = 10.0.0.4/32

# Client 4
[Peer]
PublicKey = CLIENT4_PUBLIC_KEY
AllowedIPs = 10.0.0.5/32

Each client needs unique VPN IP address within the subnet (10.0.0.x).

Site-to-Site VPN Configuration

Connect two networks together (e.g., home network and office network):

Server A Configuration (Office - 192.168.1.0/24):

[Interface]
PrivateKey = OFFICE_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = HOME_PUBLIC_KEY
Endpoint = HOME_PUBLIC_IP:51820
AllowedIPs = 10.0.0.2/32, 192.168.2.0/24
PersistentKeepalive = 25

Server B Configuration (Home - 192.168.2.0/24):

[Interface]
PrivateKey = HOME_PRIVATE_KEY
Address = 10.0.0.2/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = OFFICE_PUBLIC_KEY
Endpoint = OFFICE_PUBLIC_IP:51820
AllowedIPs = 10.0.0.1/32, 192.168.1.0/24
PersistentKeepalive = 25

This allows devices on 192.168.1.0/24 to communicate with devices on 192.168.2.0/24 through VPN.

IPv6 Support

Enable IPv6 alongside IPv4:

[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.0.0.1/24, fd42:42:42::1/64
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32, fd42:42:42::2/128

Client configuration:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/32, fd42:42:42::2/128

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0

QR Code Generation for Mobile Clients

Generate QR code for easy mobile device setup:

Install qrencode:

sudo apt install qrencode -y

Generate QR code:

qrencode -t ansiutf8 < client.conf

Displays QR code in terminal. Scan with WireGuard mobile app to import configuration.

For PNG image:

qrencode -t png -o client.png < client.conf

Dynamic DNS Configuration

If server has dynamic IP address, use DDNS service:

Install ddclient:

sudo apt install ddclient -y

Configure DDNS provider (Cloudflare, No-IP, DynDNS, etc.) in /etc/ddclient.conf.

Update client configuration endpoint:

Endpoint = your-hostname.ddns.net:51820

Optimization

MTU Optimization

Find optimal MTU to prevent fragmentation:

# Test from client to server
ping -M do -s 1472 10.0.0.1

If packets don't reach, reduce size until successful. Add 28 bytes (IP + ICMP headers) for final MTU.

Set MTU in WireGuard configuration:

[Interface]
MTU = 1420

Common WireGuard MTU values:

• 1420: Standard for most networks
• 1400: Conservative for problematic networks
• 1280: Minimum IPv6 MTU

Kernel Parameters Tuning

Optimize network performance:

sudo nano /etc/sysctl.conf

Add:

# Increase buffer sizes
net.core.rmem_max = 26214400
net.core.wmem_max = 26214400
net.core.rmem_default = 26214400
net.core.wmem_default = 26214400

# Optimize connection handling
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_slow_start_after_idle = 0

# Reduce TIME_WAIT sockets
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_tw_reuse = 1

# BBR congestion control (kernel 4.9+)
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

Apply:

sudo sysctl -p

Multi-Core Performance

Enable multi-queue on WireGuard interface:

Check CPU cores:

nproc

Set queue size based on cores:

sudo ethtool -L wg0 combined 4

Replace 4 with your CPU core count.

Connection Keep-Alive Optimization

Adjust PersistentKeepalive based on NAT timeout:

• 25 seconds: Recommended default for most NAT devices
• 15 seconds: Aggressive NAT with short timeouts
• 60 seconds: Conservative setting, reduces overhead
• 0: Disable (only for stable, non-NAT connections)

PreSharedKey for Post-Quantum Security

Add pre-shared keys for additional security layer:

Generate PSK:

wg genpsk

Add to server peer configuration:

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
PresharedKey = GENERATED_PSK_HERE
AllowedIPs = 10.0.0.2/32

Add to client peer configuration:

[Peer]
PublicKey = SERVER_PUBLIC_KEY
PresharedKey = GENERATED_PSK_HERE
Endpoint = SERVER_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0

PSK provides protection against potential future quantum computer attacks on Curve25519.

Troubleshooting

Connection Fails to Establish

Check WireGuard service status:

sudo systemctl status wg-quick@wg0

Verify interface is up:

ip link show wg0

Should show state UNKNOWN or UP.

Check for configuration errors:

sudo wg-quick up wg0

Look for error messages indicating misconfigurations.

Verify firewall allows UDP port:

# Check UFW
sudo ufw status

# Check firewalld
sudo firewall-cmd --list-all

# Test port with netcat from client
nc -u SERVER_IP 51820

Check server public IP:

curl ifconfig.me

Ensure client configuration uses correct server IP.

Verify keys are correct:

Double-check that:

• Server has correct private key
• Client has correct private key
• Server peer section has correct client public key
• Client peer section has correct server public key

No Internet Access Through VPN

Check IP forwarding:

sysctl net.ipv4.ip_forward

Must return net.ipv4.ip_forward = 1.

Verify NAT rules:

sudo iptables -t nat -L -n -v

Should show MASQUERADE rule for WireGuard interface.

Check server interface name:

Ensure PostUp and PostDown rules use correct network interface (eth0, ens3, etc.):

ip route | grep default

Test routing from server:

# On server, ping from VPN interface
ping -I wg0 8.8.8.8

If this works, server routing is correct. Issue is with client.

Check DNS:

# On client, test DNS resolution
nslookup google.com

If fails, add DNS to client configuration:

DNS = 1.1.1.1, 8.8.8.8

High Latency or Packet Loss

Check MTU settings:

# From client
ping -M do -s 1400 10.0.0.1

Reduce MTU if experiencing fragmentation:

[Interface]
MTU = 1400

Measure actual latency:

ping 10.0.0.1

Compare with ping to server's public IP:

ping SERVER_PUBLIC_IP

WireGuard adds minimal overhead (typically <1ms).

Check server CPU usage:

top

High CPU usage indicates performance bottleneck.

Monitor network interface errors:

ip -s link show wg0

Look for dropped packets or errors.

Peer Not Showing as Connected

Check peer status:

sudo wg show

Look for "latest handshake" timestamp. If shows "(none)" or very old timestamp, no recent communication.

Verify AllowedIPs:

Client must send traffic destined for IPs in server's AllowedIPs for that peer. Similarly, server must send traffic to IPs in client's AllowedIPs.

Check PersistentKeepalive:

If peer behind NAT, ensure PersistentKeepalive is set:

PersistentKeepalive = 25

Restart WireGuard:

sudo systemctl restart wg-quick@wg0

Check system logs:

sudo journalctl -u wg-quick@wg0 -f

Permission Denied Errors

Check file permissions:

ls -la /etc/wireguard/

Configuration and key files should be:

sudo chmod 600 /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/*_private.key

Check ownership:

sudo chown root:root /etc/wireguard/wg0.conf

Port Already in Use

Check what's using port 51820:

sudo netstat -tulpn | grep 51820

Stop conflicting service or change WireGuard port:

ListenPort = 51821

Update client Endpoint to match new port.

Security Considerations

Key Management Best Practices

• Never share private keys: Private keys must remain on device they were generated for
• Rotate keys periodically: Generate new keys every 6-12 months for sensitive applications
• Secure key storage: Store keys with 600 permissions, owned by root
• Backup keys securely: Encrypt backups of private keys
• Separate keys per device: Each client device should have unique keypair

Firewall Hardening

Restrict WireGuard to specific IPs (if client IPs are static):

# UFW
sudo ufw allow from CLIENT_IP to any port 51820 proto udp

# iptables
sudo iptables -A INPUT -p udp --dport 51820 -s CLIENT_IP -j ACCEPT
sudo iptables -A INPUT -p udp --dport 51820 -j DROP

Rate limit connection attempts:

# iptables
sudo iptables -A INPUT -p udp --dport 51820 -m state --state NEW -m recent --set
sudo iptables -A INPUT -p udp --dport 51820 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

Traffic Isolation

Prevent VPN clients from accessing each other:

# Add to PostUp
iptables -A FORWARD -i wg0 -o wg0 -j DROP

This prevents lateral movement between VPN clients.

DNS Leak Prevention

Force all DNS through VPN:

[Interface]
DNS = 10.0.0.1
PostUp = iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

PostDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

Audit Logging

Log WireGuard connections:

sudo nano /etc/rsyslog.d/wireguard.conf

Add:

:msg, contains, "wireguard" /var/log/wireguard.log
& stop

Restart rsyslog:

sudo systemctl restart rsyslog

Monitor connections:

tail -f /var/log/wireguard.log

Advanced Configuration

Web Management Interface

Install wg-easy for web-based management:

# Install Docker
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh

# Run wg-easy
docker run -d \
  --name=wg-easy \
  -e WG_HOST=YOUR_SERVER_IP \
  -e PASSWORD=admin \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  weejewel/wg-easy

Access web interface at http://YOUR_SERVER_IP:51821.

Failover Configuration

Setup automatic failover between multiple VPN servers:

Client Configuration with Multiple Peers:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/32

# Primary server
[Peer]
PublicKey = PRIMARY_SERVER_PUBLIC_KEY
Endpoint = primary.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

# Backup server (will be used if primary fails)
[Peer]
PublicKey = BACKUP_SERVER_PUBLIC_KEY
Endpoint = backup.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

WireGuard will automatically use available peer.

Monitoring and Alerting

Monitor WireGuard with Prometheus:

Install prometheus-wireguard-exporter:

go install github.com/MindFlavor/prometheus_wireguard_exporter@latest

Run exporter:

prometheus_wireguard_exporter -n /etc/wireguard/wg0.conf

Access metrics at http://localhost:9586/metrics.

Conclusion

You now have a fully operational WireGuard VPN server providing secure, high-performance connectivity for remote users, privacy protection, or network bridging. This modern VPN solution delivers enterprise-grade security with minimal complexity and exceptional performance.

Key accomplishments from this guide:

• Modern cryptography using Curve25519, ChaCha20, and Poly1305
• Production-ready server with proper firewall, routing, and systemd integration
• Multi-client support with unique keys and IP addresses per device
• Cross-platform compatibility for Linux, Windows, macOS, iOS, and Android
• Performance optimization through MTU tuning, kernel parameters, and efficient configuration
• Security hardening with proper key management, traffic isolation, and DNS leak prevention
• Flexible topologies supporting full-tunnel, split-tunnel, and site-to-site configurations

WireGuard's simplicity doesn't compromise functionality. The straightforward configuration allows easy management while the modern cryptography provides robust security. Unlike legacy VPN solutions requiring complex certificate infrastructure and confusing configuration options, WireGuard achieves better results with less complexity.

Regular maintenance includes monitoring connected peers, reviewing logs for unauthorized access attempts, updating WireGuard packages, and periodically rotating keys for high-security applications. The minimal codebase means updates are infrequent but important for security.

As WireGuard continues gaining adoption across the industry, staying current with best practices through the official documentation at wireguard.com and the mailing list ensures your VPN infrastructure remains secure and efficient.

Whether protecting remote workers, securing personal internet traffic, or building complex network topologies, WireGuard provides the foundation for fast, secure, and reliable VPN connectivity.

Stay secure!