How to setup a VPN with Wireguard

Tags: vpn howto tutorial wireguard

Generate a key pair on your server:

server$ wg genkey | tee private | wg pubkey > public

And do the same on your client:

client$ wg genkey | tee private | wg pubkey > public

(There is no need to keep these files once the configuration is set up).

On the server, create /etc/wireguard/wg0.conf with the following contents:

Address =
ListenPort = 51820
PostUp = ufw route allow in on %i out on eth0 from
PostUp = ufw route allow in on eth0 out on %i to
PostDown = ufw route delete allow in on %i out on eth0 from
PostDown = ufw route delete allow in on eth0 out on %i to

AllowedIPs =

Replace SERVER_PRIVATE_KEY with the server's private key (the contents of private on the server from above) and CLIENT_PUBLIC_KEY with the client's public key (the contents of public on the client from above). In this example, the peers on the VPN will use the subnet, but you can set this to anything you want.

Now, on the server run

server# wg-quick up wg0

This will create the wg0 network interface, assign it the IP address you provided, and begin listening on port 51820. It will also create the firewall rules listed in the PostUp sections in wg0.conf (if you are not using ufw then delete those lines from the configuration file).

If your client is another Linux server, then repeat the previous steps on the client. Otherwise, use the Wireguard application available for your OS to create a new configuration file. The contents of this file will be similar to the one for the server:

Address =
ListenPort = 51820

AllowedIPs =, ::/0
Endpoint =

In the client's configuration file, we use AllowedIps =, ::/0 to route all traffic over the VPN. To only route traffic for certain IP addresses, adjust AllowedIPs as desired.

The Endpoint option is the remote address of the VPN server.

To add more clients, simply add new Peer sections to the server's wg0.conf file (modifying the public key and AllowedIPs setting for each client).