WireGuard is a modern, simple, and fast VPN protocol designed to be easier to use than IPsec while providing better performance. This comprehensive guide covers everything you need to know about setting up and using WireGuard.
What is WireGuard?
WireGuard is an open-source VPN protocol that aims to be simpler and more performant than existing solutions.
```ini
# Simple WireGuard server config
[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32
```
Key Features
- Simple - ~4,000 lines of code (vs 400,000+ for OpenVPN)
- Fast - State-of-the-art cryptography, minimal overhead
- Secure - Modern cryptographic primitives
- Cross-platform - Linux, macOS, Windows, iOS, Android
- Minimal attack surface - Small codebase, easy to audit
Installation
Linux (Ubuntu/Debian)
```bash
# Install WireGuard
sudo apt update
sudo apt install wireguard
# Verify installation
wg --version
```
macOS
```bash
# Via Homebrew
brew install wireguard-tools
# Or via App Store: WireGuard
```
Windows
```powershell
# Via winget
winget install WireGuard.WireGuard
# Or download from https://www.wireguard.com/install/
```
Server Setup
Generate Keys
```bash
# Make the key files readable only by the current user before creating them
umask 077
# Generate server key pair
wg genkey | tee server-private.key | wg pubkey > server-public.key
# Generate client key pair
wg genkey | tee client-private.key | wg pubkey > client-public.key
# View keys (the private key belongs only in the config file of the host that owns it)
cat server-private.key
cat server-public.key
```
Server Configuration
```bash
# Create server config
sudo nano /etc/wireguard/wg0.conf
```

```ini
[Interface]
# Server's private key
PrivateKey = <server-private-key>
# Server's IP address in VPN network
Address = 10.0.0.1/24
# UDP port
ListenPort = 51820
# Post-up rules (optional)
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Post-down rules (optional)
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Client's public key
PublicKey = <client-public-key>
# Client's IP address (must be unique)
AllowedIPs = 10.0.0.2/32
```
Start Server
```bash
# Set correct permissions
sudo chmod 600 /etc/wireguard/wg0.conf
# Start WireGuard
sudo wg-quick up wg0
# Check status
sudo wg
# Enable on boot
sudo systemctl enable wg-quick@wg0
# Stop server
sudo wg-quick down wg0
```
Client Configuration
Linux Client
```ini
[Interface]
# Client's private key
PrivateKey = <client-private-key>
# Client's IP address
Address = 10.0.0.2/24
# DNS server
DNS = 1.1.1.1

[Peer]
# Server's public key
PublicKey = <server-public-key>
# Server's endpoint
Endpoint = your-server-ip:51820
# Route all IPv4 traffic through the VPN (add ::/0 as well, otherwise IPv6 traffic bypasses the tunnel)
AllowedIPs = 0.0.0.0/0
# Keepalive (optional, for NAT)
PersistentKeepalive = 25
```
```bash
# Connect
sudo wg-quick up wg0
# Disconnect
sudo wg-quick down wg0
```
Mobile Client
- Install WireGuard app from App Store/Play Store
- Import config via QR code or file
```bash
# Generate QR code for mobile
qrencode -t ansiutf8 < client.conf
```
Windows Client
- Install WireGuard from winget or website
- Import the configuration file
- Click Connect
Advanced Configuration
Multiple Peers
```ini
[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer] # Client 1
PublicKey = <client1-public-key>
AllowedIPs = 10.0.0.2/32

[Peer] # Client 2
PublicKey = <client2-public-key>
AllowedIPs = 10.0.0.3/32

[Peer] # Client 3 - also routes the 192.168.100.0/24 network behind this client
PublicKey = <client3-public-key>
AllowedIPs = 10.0.0.4/32, 192.168.100.0/24
```
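AllowedIPs is both the routing table and the access-control list of the tunnel (WireGuard calls this cryptokey routing): a packet from a peer is only accepted if its source is inside that peer's AllowedIPs, and outbound packets go to the peer whose prefix matches most specifically. wg(8) does not reject a config in which two peers claim the same prefix; it silently moves the prefix to whichever peer was loaded last, so the earlier peer loses connectivity without any error. The following added example, which is not part of the original guide or of the WireGuard project, is a small Python checker that reads a wg0.conf the way wg(8) and wg-quick do (trailing `#` comments stripped, repeated keys such as PostUp kept) and flags duplicate or overlapping AllowedIPs, malformed keys, and a peer that would capture all of the server's traffic. The sample config, the `fake_key()` helper and the key values it produces are constructed for the example and are not usable keys.

```python
"""Sanity-check a WireGuard server config before `wg-quick up` (added example)."""
import base64
import binascii
import ipaddress


def fake_key(n):
    """Constructed 32-byte value encoded like a WireGuard key (NOT a usable key)."""
    return base64.b64encode(bytes([n]) * 32).decode()


# Constructed sample mirroring the multi-peer server config above, with one
# deliberate mistake: client 3 reuses client 2's tunnel address.
SAMPLE_CONF = f"""
[Interface]
PrivateKey = {fake_key(1)}
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT

[Peer] # Client 1
PublicKey = {fake_key(2)}
AllowedIPs = 10.0.0.2/32

[Peer] # Client 2 - also routes the LAN behind it
PublicKey = {fake_key(3)}
AllowedIPs = 10.0.0.3/32, 192.168.100.0/24

[Peer] # Client 3 - mistake: same address as client 2
PublicKey = {fake_key(4)}
AllowedIPs = 10.0.0.3/32
"""


def parse_wg_conf(text):
    """Return (interface, peers): dicts of lower-cased key -> list of values,
    since keys such as PostUp may repeat. Trailing '# ...' comments are
    stripped, which is how wg(8) and wg-quick read the file."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section: {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key.lower(), []).append(value)
    return interface, peers


def valid_key(value):
    """True if value is base64 for exactly 32 bytes (Curve25519 key or PSK)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def check_wg_conf(text):
    """Return a list of (level, message) findings; an empty list means clean."""
    findings = []
    iface, peers = parse_wg_conf(text)
    if not iface.get("privatekey"):
        findings.append(("error", "[Interface] has no PrivateKey"))
    elif not all(valid_key(k) for k in iface["privatekey"]):
        findings.append(("error", "[Interface] PrivateKey is not a 32-byte base64 key"))
    if "listenport" not in iface and not any("endpoint" in p for p in peers):
        findings.append(("error", "no ListenPort and no peer Endpoint: no side can start a handshake"))
    claimed = []  # (network, peer number) for every prefix seen so far
    for num, peer in enumerate(peers, 1):
        if not valid_key(peer.get("publickey", [""])[0]):
            findings.append(("error", f"peer {num}: missing or malformed PublicKey"))
        if not all(valid_key(k) for k in peer.get("presharedkey", [])):
            findings.append(("error", f"peer {num}: malformed PresharedKey"))
        for value in peer.get("allowedips", []):
            for item in filter(None, (s.strip() for s in value.split(","))):
                net = ipaddress.ip_network(item, strict=False)
                if net.prefixlen == 0:  # default route: this peer would receive all traffic
                    findings.append(("warning", f"peer {num}: AllowedIPs {net} sends ALL of this host's traffic to that peer"))
                for other, owner in claimed:
                    if other == net:
                        findings.append(("error", f"peer {num}: AllowedIPs {net} duplicates peer {owner}; wg silently moves the prefix to the peer loaded last"))
                    elif (other.version == net.version and other.prefixlen and net.prefixlen
                          and (net.subnet_of(other) or other.subnet_of(net))):
                        findings.append(("info", f"peer {num}: {net} overlaps peer {owner}'s {other}; the most specific prefix wins"))
                claimed.append((net, num))
    return findings


if __name__ == "__main__":
    for level, message in check_wg_conf(SAMPLE_CONF):
        print(f"{level.upper():8}{message}")
```

Run against the sample it reports one error for client 3; point it at `/etc/wireguard/wg0.conf` (as root) to check a real file. Containment of one prefix in another is only reported as information because it is how a site-to-site gateway and a single roaming client legitimately coexist.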
Split Tunnel
```ini
# Only route specific traffic through VPN
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 10.0.0.0/24 # Only VPN network
# Or specific IPs
# AllowedIPs = 10.0.0.5/32, 10.0.0.10/32
```
Preshared Keys (Post-Quantum)
```bash
# Generate preshared key
wg genpsk > preshared.key
```

```ini
[Peer]
PublicKey = <client-public-key>
PresharedKey = <preshared-key>
AllowedIPs = 10.0.0.2/32
```
Management Commands
Check Status
```bash
# Show interface status
sudo wg
# Show detailed info
sudo wg show
# Show interface config
sudo wg showconf wg0
```
Add/Remove Peers
```bash
# Add peer dynamically (runtime only: it is lost on restart unless written to wg0.conf, e.g. with `wg-quick save wg0`)
sudo wg set wg0 peer <public-key> allowed-ips 10.0.0.4/32
# Remove peer
sudo wg set wg0 peer <public-key> remove
# Show all peers
sudo wg show wg0
```
Logging
```bash
# Follow the wg-quick unit's logs (interface setup, PostUp/PostDown output)
sudo journalctl -u wg-quick@wg0 -f
# Or the system log
sudo tail -f /var/log/syslog
```
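`sudo wg` prints a human-readable status; `sudo wg show wg0 dump` prints the same data tab-separated, one line per peer, which is the form a monitoring script should read. The added example below (not part of the original guide or of the WireGuard project) parses that format and turns the latest-handshake timestamps into a peer health report: active peers, peers whose handshake has gone stale, and peers that never connected or have been idle for weeks, which are standing credentials worth removing with `wg set wg0 peer <key> remove`. The sample dump lines and the angle-bracket key strings in them are constructed placeholders; when the script is run as root on a host with a `wg0` interface it reads the live dump instead.

```python
"""Peer health report from `wg show wg0 dump` output (added example)."""
import subprocess
import time

# Constructed sample of `sudo wg show wg0 dump`. Fields are TAB-separated.
# Line 1 (interface): private-key, public-key, listen-port, fwmark.
# Lines 2+ (one per peer): public-key, preshared-key, endpoint, allowed-ips,
#   latest-handshake (unix seconds, 0 = never), rx-bytes, tx-bytes, keepalive.
# The <...> strings are placeholders, not real keys.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["<server-private-key>", "<server-public-key>", "51820", "off"]),
    "\t".join(["<client1-public-key>", "(none)", "203.0.113.5:41321",
               "10.0.0.2/32", str(NOW - 90), "48213", "391002", "off"]),
    "\t".join(["<client2-public-key>", "<preshared-key>", "(none)",
               "10.0.0.3/32", "0", "0", "0", "off"]),
    "\t".join(["<client3-public-key>", "(none)", "198.51.100.7:51820",
               "10.0.0.4/32,192.168.100.0/24", str(NOW - 40 * 86400), "7701", "6622", "25"]),
])


def parse_wg_dump(text):
    """Parse dump output into (interface dict, list of peer dicts)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    f = lines[0].split("\t")
    interface = {"public_key": f[1], "listen_port": int(f[2]), "fwmark": f[3]}
    peers = []
    for ln in lines[1:]:
        f = ln.split("\t")
        peers.append({
            "public_key": f[0],
            "has_psk": f[1] != "(none)",
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
            "keepalive": None if f[7] == "off" else int(f[7]),
        })
    return interface, peers


def peer_states(peers, now, stale_after=180):
    """Map public key -> 'active' | 'stale' | 'never'. WireGuard starts a new
    handshake every 2 minutes while data flows, so a handshake older than about
    3 minutes means the peer has been idle or unreachable since then."""
    states = {}
    for p in peers:
        if p["latest_handshake"] == 0:
            states[p["public_key"]] = "never"
        elif now - p["latest_handshake"] > stale_after:
            states[p["public_key"]] = "stale"
        else:
            states[p["public_key"]] = "active"
    return states


def peers_to_review(peers, now, max_idle=30 * 86400):
    """Peers that never completed a handshake or have been idle longer than
    max_idle: candidates for removal, since each one is a standing credential."""
    return [p["public_key"] for p in peers
            if p["latest_handshake"] == 0 or now - p["latest_handshake"] > max_idle]


if __name__ == "__main__":
    # Use the live interface when available (root on a host with wg0), else the sample.
    try:
        dump = subprocess.run(["wg", "show", "wg0", "dump"], capture_output=True,
                              text=True, check=True).stdout
        now = int(time.time())
    except (FileNotFoundError, subprocess.CalledProcessError):
        dump, now = SAMPLE_DUMP, NOW
    _, peers = parse_wg_dump(dump)
    for key, state in peer_states(peers, now).items():
        print(f"{state:7} {key}")
    print("review:", peers_to_review(peers, now))
```

Run it from cron and alert on the `review` list, or feed the states to your monitoring system; rx/tx counters are also in the parsed dict if you want per-peer traffic graphs.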
Firewall Configuration
UFW (Ubuntu)
```bash
# Allow WireGuard port
sudo ufw allow 51820/udp
# Enable forwarding
sudo nano /etc/ufw/sysctl.conf
# Uncomment: net/ipv4/ip_forward=1
sudo ufw reload
```
firewalld (CentOS/RHEL)
```bash
# Add wireguard zone
sudo firewall-cmd --permanent --new-zone=wireguard
# Add service (firewalld ships a "wireguard" service definition for 51820/udp)
sudo firewall-cmd --permanent --zone=wireguard --add-service=wireguard
# A zone only applies to interfaces or sources bound to it (--add-interface=wg0);
# handshakes arrive on the public interface, so the service must also be allowed in that interface's zone
# Reload
sudo firewall-cmd --reload
```
Performance Tuning
MTU Optimization
```ini
[Interface]
# 1420 is wg-quick's default: 1500 minus 80 bytes of overhead (40 IPv6 + 8 UDP + 32 WireGuard).
# 1440 works when the underlay is IPv4-only; go lower on links with a smaller path MTU (PPPoE, nested tunnels)
MTU = 1420
```
Kernel Parameters
```ini
# /etc/sysctl.conf
net.core.rmem_max = 2500000
net.core.wmem_max = 2500000
net.ipv4.tcp_rmem = 4096 87380 2500000
net.ipv4.tcp_wmem = 4096 65536 2500000
```

```bash
# Apply
sudo sysctl -p
```
Use Cases
Site-to-Site VPN
```ini
# Site A (Server)
[Interface]
PrivateKey = <site-a-private>
Address = 10.0.0.1/24
# Site B dials site-a.example.com:51820, so this side must listen on that port
ListenPort = 51820

[Peer]
PublicKey = <site-b-public>
AllowedIPs = 10.0.1.0/24 # Site B network
Endpoint = site-b.example.com:51820
PersistentKeepalive = 25

# Site B (Client)
[Interface]
PrivateKey = <site-b-private>
Address = 10.0.1.1/24
# Site A dials site-b.example.com:51820
ListenPort = 51820

[Peer]
PublicKey = <site-a-public>
AllowedIPs = 10.0.0.0/24 # Site A network
Endpoint = site-a.example.com:51820
PersistentKeepalive = 25
```

Both gateways need IP forwarding enabled, and hosts on each LAN need a route for the remote subnet via their gateway.
Road Warrior (Mobile Users)
```ini
# Server config with multiple peers
[Interface]
PrivateKey = <server-private>
Address = 10.0.0.1/24
ListenPort = 51820

# Mobile user
[Peer]
PublicKey = <mobile-public>
AllowedIPs = 10.0.0.100/32

# Laptop user
[Peer]
PublicKey = <laptop-public>
AllowedIPs = 10.0.0.101/32
```
Troubleshooting
Connection Issues
```bash
# Check if port is listening
sudo ss -ulnp | grep 51820
# Check firewall
sudo iptables -L -n
# Test connectivity (WireGuard never answers unauthenticated packets, so a UDP probe
# cannot prove the server is up; it only shows that the path does not return ICMP errors)
nc -zvu <server-ip> 51820
# Debug mode: wg-quick is a bash script and has no -debug flag, so trace it instead
sudo bash -x "$(command -v wg-quick)" up wg0
# Kernel-side handshake/packet logging (needs debugfs and dynamic debug support):
#   echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
```
Slow Performance
```bash
# Check current MTU
ip link show wg0
# Find the path MTU to the server: 1472 bytes of ICMP payload + 28 bytes of IP/ICMP
# headers = 1500; lower -s until the ping gets through without fragmentation
ping -M do -s 1472 <server-ip>
# Tunnel MTU = path MTU minus WireGuard's overhead (60 bytes over IPv4: 20 IP + 8 UDP + 32 WireGuard; 80 over IPv6)
# Enable BBR congestion control
sudo sysctl net.ipv4.tcp_congestion_control=bbr
sudo sysctl net.core.default_qdisc=fq
```
Conclusion
WireGuard offers a modern, simple approach to VPN. Key points:
- Modern cryptography with minimal overhead
- Simple configuration with small attack surface
- Cross-platform support
- Easy key management
- Excellent performance
For secure site-to-site or remote access VPNs, WireGuard is an excellent choice over older protocols like OpenVPN and IPsec.