Why Run Your Own WireGuard Server?

Running your own WireGuard VPN server gives you full control over your traffic, no third-party logging, and a private, encrypted tunnel you can trust. With a modest VPS, you can have a personal VPN up and running in under 30 minutes. This guide walks you through a complete server setup on Ubuntu/Debian.

Prerequisites

  • A Linux VPS (Ubuntu 20.04+ or Debian 11+ recommended)
  • Root or sudo access
  • Basic familiarity with the Linux terminal
  • A client device (Linux, Windows, macOS, Android, or iOS)

Step 1: Install WireGuard

On Ubuntu/Debian, WireGuard is available in the standard repositories:

sudo apt update
sudo apt install wireguard -y

Step 2: Generate Server Keys

WireGuard uses public/private key pairs for authentication. Generate them with:

sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key'
sudo chmod 600 /etc/wireguard/server_private.key

Keep your private key secret — it never leaves the server.

Step 3: Create the Server Configuration

Create the file /etc/wireguard/wg0.conf. It contains the server's private key, so keep it readable by root only:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <paste server_private.key contents here>

# Allow forwarding from wg0 and NAT outbound traffic (IP forwarding itself is enabled in Step 4)
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Note: Replace eth0 with your actual network interface name (check with ip a).

Step 4: Enable IP Forwarding

For the server to route client traffic, enable IP forwarding:

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Step 5: Generate Client Keys and Add a Peer

Generate a key pair for each client:

# umask 077 keeps the new key files readable only by the current user
(umask 077; wg genkey | tee client1_private.key | wg pubkey > client1_public.key)

Add the client as a peer in wg0.conf:

[Peer]
PublicKey = <client1_public.key contents>
AllowedIPs = 10.0.0.2/32
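
A check to run on the server config before starting the tunnel, added here as an example (not part of the original guide or of WireGuard's own tooling): it flags an address claimed by two [Peer] blocks, which ends up routed to only one of them, AllowedIPs outside the tunnel subnet, and a config file accessible by group or others. It assumes the layout of this guide, where every client owns addresses inside the server's Address subnet; the function names and the sample config are constructed for illustration.

```python
import ipaddress
import os

# Constructed sample in the layout of this guide; keys are placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 10.0.0.1/24
PrivateKey = <server-private-key-placeholder>

[Peer]
PublicKey = <client1-public-key-placeholder>
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <client2-public-key-placeholder>
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24
"""

def parse_wg_conf(text):
    """Parse by hand: [Peer] sections repeat, which configparser rejects."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[interface]":
            section = interface
        elif line.lower() == "[peer]":
            section = {}
            peers.append(section)
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            section[key.strip().lower()] = value.strip()
    return interface, peers

def audit(text, path=None):
    """Return a list of findings; an empty list means the checks passed."""
    interface, peers = parse_wg_conf(text)
    tunnels = [ipaddress.ip_interface(a.strip()).network for a in interface["address"].split(",")]
    findings, seen = [], []
    for idx, peer in enumerate(peers, 1):
        for item in filter(None, (s.strip() for s in peer.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(item, strict=False)
            if not any(net.version == t.version and net.subnet_of(t) for t in tunnels):
                findings.append(f"peer {idx}: {net} is outside the tunnel subnet")
            findings += [f"peer {idx}: {net} overlaps peer {j} ({other})"
                         for other, j in seen if j != idx and net.overlaps(other)]
            seen.append((net, idx))
    # Any group/other permission bit on a file holding PrivateKey is a finding.
    if path and os.stat(path).st_mode & 0o077:
        findings.append(f"{path}: accessible by group/other but holds PrivateKey")
    return findings
```

To check the real file, run it as root and call audit(open(path).read(), path) with path set to /etc/wireguard/wg0.conf before bringing the interface up.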

Step 6: Start and Enable WireGuard

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Verify it's running:

sudo wg show

Step 7: Configure the Client

Create a config file on your client device:

[Interface]
PrivateKey = <client1_private.key contents>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server_public.key contents>
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Setting AllowedIPs = 0.0.0.0/0 routes all traffic through the VPN. For split tunneling, specify only the subnets you want tunneled.

Open the Firewall Port

Allow WireGuard's UDP port through your firewall:

sudo ufw allow 51820/udp

Conclusion

You now have a fully functional WireGuard VPN server. Adding more clients is simply a matter of generating new key pairs and adding [Peer] blocks. WireGuard's simplicity makes it easy to maintain — the entire config file is human-readable and version-controllable. For enhanced security, consider running WireGuard on a non-default port and combining it with fail2ban on your SSH port.