WireGuard VPS Setup Guide 2026: Build Your Own VPN
TUTORIAL 10 min read fordnox

Set up WireGuard VPN on your VPS in 10 minutes. Complete guide with configuration, client setup, and security best practices.


WireGuard VPS Setup: Your Own VPN in 10 Minutes

WireGuard is the fastest, simplest VPN protocol. Set it up on a cheap VPS and you have your own private VPN — no subscriptions, no logs, complete control.

Why WireGuard?

VPN Protocol | Speed   | Simplicity     | Code Size
WireGuard    | Fastest | ~4,000 lines   | Tiny
OpenVPN      | Good    | ~100,000 lines | Large
IPSec        | Good    | ~400,000 lines | Huge

WireGuard is:

VPS Requirements

WireGuard is incredibly light:

The VPS specs matter more for your bandwidth than WireGuard.

Best VPS for WireGuard

Provider     | Plan  | Price    | Best For
Vultr        | VC2   | $6/mo    | 32 locations
Hetzner      | CX11  | €3.79/mo | Best value
Hostinger    | KVM1  | $4.99/mo | Good all-round
DigitalOcean | Basic | $6/mo    | Easy setup

For VPN, location matters most. Pick a region near you for speed, or far for bypassing geo-restrictions.

Quick Setup (5 Minutes)

Step 1: Create VPS

Any Ubuntu 22.04+ VPS works. SSH in:

ssh root@your-vps-ip

Step 2: Install WireGuard

apt update
apt install wireguard -y

Step 3: Generate Keys

cd /etc/wireguard
# Create the key files owner-only from the start, not world-readable until chmod runs
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
chmod 600 privatekey

Step 4: Create Server Config

# PostUp/PostDown assume the public interface is eth0; check yours with: ip route show default
cat > /etc/wireguard/wg0.conf << 'EOF'
[Interface]
PrivateKey = YOUR_SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
EOF
# The file contains the server private key
chmod 600 /etc/wireguard/wg0.conf

Replace:

Step 5: Enable IP Forwarding

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

Step 6: Open Firewall

ufw allow 51820/udp

Step 7: Start WireGuard

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

Verify:

wg show

Client Setup

Generate Client Keys

On server:

cd /etc/wireguard
umask 077  # keep the client's private key owner-only
wg genkey | tee client1-privatekey | wg pubkey > client1-publickey

Create Client Config

cat > client1.conf << 'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_VPS_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF

Replace:

Add Client to Server

Edit /etc/wireguard/wg0.conf and add:

[Peer]
PublicKey = CONTENTS_OF_CLIENT1_PUBLICKEY
AllowedIPs = 10.0.0.2/32

Reload:

wg syncconf wg0 <(wg-quick strip wg0)

Transfer Config to Client

Option 1: QR Code (for mobile)

apt install qrencode
qrencode -t ansiutf8 < client1.conf

Option 2: Copy file securely

cat client1.conf
# Copy contents to your device

Client Installation

macOS

brew install wireguard-tools
# Create /etc/wireguard/wg0.conf with client config
sudo wg-quick up wg0

Or use the WireGuard app from the Mac App Store.

Windows

  1. Download from wireguard.com
  2. Import tunnel → paste config
  3. Activate

Linux

sudo apt install wireguard
# Create /etc/wireguard/wg0.conf
sudo wg-quick up wg0

iOS/Android

  1. Install WireGuard app
  2. Add tunnel → scan QR code or import file
  3. Connect

Multiple Clients

Each client needs unique keys and IP:

# Generate for client2
wg genkey | tee client2-privatekey | wg pubkey > client2-publickey

Add to server config:

[Peer]
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32

Create client2 config with:
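
The client steps above (generate keys, write the client config, add the [Peer] entry, apply it) collected into one helper, as an added example that is not part of the original guide. It assumes the guide's layout (wg0.conf and the server's publickey file in /etc/wireguard, the 10.0.0.0/24 subnet); next_peer_ip and add_peer are names chosen here, and the peer is applied with wg set rather than the guide's wg syncconf.

```bash
# Added example (not from the original guide). Run on the server.
# Assumes the guide's layout: wg0.conf and publickey in $WG_DIR, 10.0.0.0/24.
WG_DIR="${WG_DIR:-/etc/wireguard}"
SUBNET="10.0.0"

# next_peer_ip CONF: print the lowest 10.0.0.x (x = 2..254) not yet listed
# in any AllowedIPs line of CONF; return 1 when the /24 is full.
next_peer_ip() {
    awk -v net="$SUBNET" '
        /^[ \t]*AllowedIPs[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[ \t]/, "")
            n = split($0, cidr, ",")
            for (i = 1; i <= n; i++) {
                split(cidr[i], part, "/")
                if (index(part[1], net ".") == 1)
                    used[substr(part[1], length(net) + 2)] = 1
            }
        }
        END {
            for (h = 2; h <= 254; h++)
                if (!(h in used)) { print net "." h; exit 0 }
            exit 1
        }' "$1"
}

# add_peer NAME ENDPOINT_IP: the body is a subshell, so umask stays local.
add_peer() (
    set -e
    umask 077    # key material and configs are created owner-only
    ip=$(next_peer_ip "$WG_DIR/wg0.conf")
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    cat > "$WG_DIR/$1.conf" <<EOF
[Interface]
PrivateKey = $priv
Address = $ip/24
DNS = 1.1.1.1

[Peer]
PublicKey = $(cat "$WG_DIR/publickey")
Endpoint = $2:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' \
        "$1" "$pub" "$ip" >> "$WG_DIR/wg0.conf"
    wg set wg0 peer "$pub" allowed-ips "$ip/32"    # apply to the live interface
)
```

Run it as root on the server, for example add_peer client2 your-vps-ip, then transfer client2.conf to the device and delete the copy on the server.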

Split Tunneling

Route only specific traffic through VPN:

Route Only Certain IPs

In client config:

AllowedIPs = 10.0.0.0/24, 192.168.1.0/24

Only these subnets go through VPN.

Exclude Local Network

AllowedIPs = 0.0.0.0/0, ::/0
PostUp = ip route add 192.168.1.0/24 via 192.168.1.1

DNS Configuration

Use Cloudflare DNS

In client config:

DNS = 1.1.1.1, 1.0.0.1

Use Your Own DNS (Pi-hole)

If running Pi-hole on the same VPS:

DNS = 10.0.0.1

Block DNS Leaks

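On the server, drop DNS queries that clients try to send to external resolvers and allow only the resolver on the VPS itself (clients must then use DNS = 10.0.0.1):

# Forwarded DNS (to any external resolver) is dropped
iptables -I FORWARD -i wg0 -p udp --dport 53 -j DROP
iptables -I FORWARD -i wg0 -p tcp --dport 53 -j DROP
# DNS to the VPS itself is local traffic, so it is matched in INPUT, not FORWARD
iptables -I INPUT -i wg0 -d 10.0.0.1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i wg0 -d 10.0.0.1 -p tcp --dport 53 -j ACCEPT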

Performance Optimization

MTU Tuning

Find optimal MTU:

ping -c 5 -M do -s 1400 your-vps-ip
# Decrease until no fragmentation

Set in config:

[Interface]
MTU = 1420
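
The "decrease until no fragmentation" search above, automated as an added example that is not part of the original guide. probe, largest_payload and wg_mtu are names chosen here, and the 1200 to 1472 byte search range assumes an Ethernet-sized path.

```bash
# Added example (not from the original guide). probe() uses the guide's
# ping flags (Linux iputils); the search bounds 1200..1472 are assumptions.

# probe HOST SIZE: succeed if SIZE bytes of ICMP payload arrive unfragmented.
probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" > /dev/null 2>&1
}

# largest_payload HOST: binary-search the biggest payload that still passes.
largest_payload() {
    local host="$1" lo=1200 hi=1472 mid
    if ! probe "$host" "$lo"; then
        echo "even $lo bytes do not pass: host down or ICMP filtered" >&2
        return 1
    fi
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))    # round up so the loop terminates
        if probe "$host" "$mid"; then lo=$mid; else hi=$((mid - 1)); fi
    done
    echo "$lo"
}

# wg_mtu PAYLOAD [OVERHEAD]: the path MTU is PAYLOAD + 28 (20 IPv4 + 8 ICMP).
# WireGuard adds 60 bytes when the endpoint is reached over IPv4
# (20 IP + 8 UDP + 32 WireGuard) and 80 over IPv6; 80 is the safe default.
wg_mtu() {
    echo $(( $1 + 28 - ${2:-80} ))
}

# Usage: wg_mtu "$(largest_payload your-vps-ip)"
```

On a clean 1500-byte path the largest payload is 1472, which gives the 1420 shown in the config above.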

Persistent Keepalive

For clients behind NAT:

PersistentKeepalive = 25

Sends a keepalive packet every 25 seconds so the NAT mapping stays open and the connection stays alive.

Security Hardening

Change Default Port

Use a non-standard port (less scanning):

Server:

ListenPort = 44321

Client:

Endpoint = your-vps-ip:44321

Fail2Ban for WireGuard

# WireGuard doesn't log auth failures by default
# But you can monitor connection attempts
cat > /etc/fail2ban/jail.d/wireguard.local << 'EOF'
[wireguard]
enabled = false
# WireGuard is already secure by design
EOF

WireGuard is inherently secure: packets from unknown keys are silently dropped, so there are no failed logins for Fail2Ban to act on.

Firewall Only WireGuard Port

For comprehensive firewall setup, see our VPS security guide.

ufw default deny incoming
ufw allow ssh
ufw allow 51820/udp
ufw enable
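
A static check of the server config against the points in this guide (owner-only permissions, keys actually filled in, one tunnel address per peer), as an added example that is not part of the original guide. audit_wg_conf and its finding labels are names chosen here.

```bash
# Added example (not from the original guide): static checks on a server
# wg0.conf. The finding labels (PERMS, KEY, DUP, WIDE) are names chosen here.

# audit_wg_conf FILE: print one finding per line; return 1 if there are any.
audit_wg_conf() {
    local conf="$1" out
    out=$(
        # The file embeds the server private key, so only its owner may read it.
        if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
            echo "PERMS: $conf is accessible to group/others, run chmod 600"
        fi
        awk '
            /^[ \t]*\[Peer\]/ { peer++ }
            # A WireGuard key is 32 bytes: 44 base64 characters ending in "=".
            # This also catches template placeholders left in the file.
            /^[ \t]*(PrivateKey|PublicKey)[ \t]*=/ {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                if (length(v) != 44 || v !~ "^[A-Za-z0-9+/]+=$")
                    print "KEY: line " NR " does not hold a valid key: " v
            }
            peer && /^[ \t]*AllowedIPs[ \t]*=/ {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v)
                n = split(v, cidr, ",")
                for (i = 1; i <= n; i++) {
                    # An address can route to one peer only; the last one wins.
                    if (cidr[i] in owner)
                        print "DUP: " cidr[i] " given to peers " owner[cidr[i]] " and " peer
                    owner[cidr[i]] = peer
                    # Wider than one host lets the peer use any source in the range.
                    if (cidr[i] !~ "/(32|128)$")
                        print "WIDE: peer " peer " may source " cidr[i]
                }
            }' "$conf"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Run it as audit_wg_conf /etc/wireguard/wg0.conf after every edit; a DUP finding appears if the template [Peer] from Step 4 is kept alongside the one from "Add Client to Server".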

Troubleshooting

Can’t Connect

# Check WireGuard is running
wg show

# Check firewall
ufw status

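# Probe the UDP port. WireGuard stays silent to unauthenticated packets, so
# "succeeded" here only means that no ICMP port-unreachable came back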
nc -zvu your-vps-ip 51820

No Internet Through VPN

# Check IP forwarding
cat /proc/sys/net/ipv4/ip_forward
# Should be 1

# Check NAT rules
iptables -t nat -L POSTROUTING

Slow Speeds

# Test without VPN
speedtest-cli

# Test with VPN
# If much slower, try different MTU

Connection Drops

Add to client:

PersistentKeepalive = 25

Using with Docker

WireGuard Container

version: '3.8'
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=UTC
      - SERVERURL=your-vps-ip
      - PEERS=5
    volumes:
      - ./config:/config
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Auto-generates configs for 5 peers in ./config/peer*.

WireGuard vs Commercial VPN

Factor  | WireGuard VPS | NordVPN/etc
Cost    | ~$5/mo        | $3-12/mo
Servers | 1 (yours)     | 5000+
Speed   | Fastest       | Good
Privacy | Complete      | Trust them
Logging | None          | "No logs" 🤔
Control | Full          | None

Your own VPS = your own rules. If you prefer zero-config VPN with SSO, check out Tailscale instead.

Multi-Location Setup

For multiple exit points:

  1. Create VPS in different regions
  2. Set up WireGuard on each
  3. Create configs for each
  4. Switch between them

# Switch to US exit
wg-quick down wg0
wg-quick up wg-us

# Switch to EU exit
wg-quick down wg-us
wg-quick up wg-eu

FAQ

Is WireGuard secure?

Extremely. Uses modern cryptography (Curve25519, ChaCha20, Poly1305). Audited by security researchers.

Can my ISP see I’m using VPN?

They can see encrypted traffic to your VPS IP, but not the content.

How many devices can connect?

Unlimited. Add more [Peer] sections.

Does WireGuard work in China?

Sometimes. It can be blocked. Consider obfuscation tools like udp2raw.

WireGuard vs OpenVPN?

WireGuard is faster and simpler. OpenVPN is more configurable. For most users, WireGuard wins.

Use Case        | VPS          | Location
General privacy | Hetzner CX11 | Nearest region
Streaming US    | Vultr        | US (NYC, LA)
Streaming UK    | Vultr        | London
Maximum speed   | Local region | Same country

€3.79/month gets you a private VPN that’s faster than any commercial option. No logs, no limits, just your own server.

Andrius Putna

// last updated: February 8, 2026. Disclosure: This article may contain affiliate links.