WireGuard VPS Setup Guide 2026: Build Your Own VPN
Set up WireGuard VPN on your VPS in 10 minutes. Complete guide with configuration, client setup, and security best practices.
WireGuard VPS Setup: Your Own VPN in 10 Minutes
WireGuard is the fastest, simplest VPN protocol. Set it up on a $5 VPS and you have your own private VPN — no subscriptions, no logs, complete control.
Why WireGuard?
| VPN Protocol | Speed | Lines of Code | Codebase Size |
|---|---|---|---|
| WireGuard | Fastest | ~4,000 lines | Tiny |
| OpenVPN | Good | ~100,000 lines | Large |
| IPSec | Good | ~400,000 lines | Huge |
WireGuard is:
- Faster — Kernel-level implementation
- Simpler — Less code = fewer bugs
- Modern — State-of-the-art cryptography
- Battery-friendly — Great for mobile
VPS Requirements
WireGuard is incredibly light:
- CPU: Any
- RAM: 64MB for WireGuard itself
- Storage: <10MB
- Network: Good connectivity, static IP
Choose VPS specs for the bandwidth you need; WireGuard itself needs almost nothing.
Best VPS for WireGuard
| Provider | Plan | Price | Best For |
|---|---|---|---|
| Vultr | VC2 | $6/mo | 32 locations |
| Hetzner | CX11 | €3.79/mo | Best value |
| Hostinger | KVM1 | $4.99/mo | Good all-round |
| DigitalOcean | Basic | $6/mo | Easy setup |
For VPN, location matters most. Pick a region near you for speed, or far for bypassing geo-restrictions.
Quick Setup (5 Minutes)
Step 1: Create VPS
Any Ubuntu 22.04+ VPS works. SSH in:
ssh root@your-vps-ip
Step 2: Install WireGuard
apt update
apt install wireguard -y
Step 3: Generate Keys
cd /etc/wireguard
# Create the key files readable by root only from the moment they are written
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
chmod 600 privatekey
Step 4: Create Server Config
cat > /etc/wireguard/wg0.conf << 'EOF'
[Interface]
PrivateKey = YOUR_SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
EOF
Replace:
- YOUR_SERVER_PRIVATE_KEY with contents of privatekey
- CLIENT_PUBLIC_KEY with your client's public key (we'll generate this)
- eth0 in PostUp/PostDown, if your VPS's public network interface has a different name
Step 5: Enable IP Forwarding
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
Step 6: Open Firewall
ufw allow 51820/udp
Step 7: Start WireGuard
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
Verify:
wg show
Client Setup
Generate Client Keys
On server:
cd /etc/wireguard
# Keep the client's private key and config unreadable to other users
umask 077
wg genkey | tee client1-privatekey | wg pubkey > client1-publickey
Create Client Config
cat > client1.conf << 'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_VPS_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
Replace:
- CLIENT_PRIVATE_KEY with contents of client1-privatekey
- SERVER_PUBLIC_KEY with contents of publickey
- YOUR_VPS_IP with your VPS IP
Add Client to Server
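Edit /etc/wireguard/wg0.conf and fill in the [Peer] section from Step 4 with the client's public key (add a new [Peer] section only for an additional client, with its own address):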
[Peer]
PublicKey = CONTENTS_OF_CLIENT1_PUBLICKEY
AllowedIPs = 10.0.0.2/32
Reload:
wg syncconf wg0 <(wg-quick strip wg0)
Transfer Config to Client
Option 1: QR Code (for mobile)
apt install qrencode
qrencode -t ansiutf8 < client1.conf
Option 2: Copy file securely
cat client1.conf
# Copy contents to your device
Client Installation
macOS
brew install wireguard-tools
# Create /etc/wireguard/wg0.conf with client config
sudo wg-quick up wg0
Or use WireGuard app from Mac App Store.
Windows
- Download from wireguard.com
- Import tunnel → paste config
- Activate
Linux
sudo apt install wireguard
# Create /etc/wireguard/wg0.conf
sudo wg-quick up wg0
iOS/Android
- Install WireGuard app
- Add tunnel → scan QR code or import file
- Connect
Multiple Clients
Each client needs unique keys and IP:
# Generate for client2
wg genkey | tee client2-privatekey | wg pubkey > client2-publickey
Add to server config:
[Peer]
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32
Create client2 config with:
- Its own private key
- Address = 10.0.0.3/24
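A bookkeeping helper for the step above, added here as an example and not part of the original guide. It assumes the guide's 10.0.0.0/24 layout and runs against a constructed sample config with placeholder keys. It finds the next unused client address and flags any PublicKey or AllowedIPs value that appears twice; when two peers carry the same AllowedIPs entry, WireGuard assigns that address to the last peer configured and the earlier one silently stops receiving traffic.

```sh
#!/bin/sh
# Added example: peer bookkeeping for the guide's 10.0.0.0/24 layout (assumed).

# Constructed sample config; keys are placeholders, not real WireGuard keys.
sample_conf() {
    cat << 'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = CONSTRUCTED_KEY_A=
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = CONSTRUCTED_KEY_B=
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = CONSTRUCTED_KEY_C=
AllowedIPs = 10.0.0.2/32
EOF
}

# Host octets already taken by the Interface Address or any peer's AllowedIPs.
used_octets() {
    awk -F'[=,]' '/^[ \t]*(Address|AllowedIPs)[ \t]*=/ {
        for (i = 2; i <= NF; i++) {
            v = $i; gsub(/[ \t]/, "", v)
            if (v ~ "^10[.]0[.]0[.][0-9]+/") { split(v, p, "[./]"); print p[4] }
        }
    }' "$1"
}

# First unused address in 10.0.0.2-254 for the next client.
next_free_ip() {
    used=$(used_octets "$1"); n=2
    while [ "$n" -le 254 ]; do
        echo "$used" | grep -qx "$n" || { echo "10.0.0.$n"; return 0; }
        n=$((n + 1))
    done
    return 1
}

# PublicKey or AllowedIPs values that occur in more than one place.
duplicate_peers() {
    awk '/^[ \t]*(PublicKey|AllowedIPs)[ \t]*=/ {
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        n = split(v, parts, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) if (seen[parts[i]]++ == 1) print parts[i]
    }' "$1"
}

tmp=$(mktemp); sample_conf > "$tmp"
echo "next free: $(next_free_ip "$tmp"); duplicates: $(duplicate_peers "$tmp")"
rm -f "$tmp"
```

On a real server, point both functions at /etc/wireguard/wg0.conf before appending a new [Peer] section.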
Split Tunneling
Route only specific traffic through VPN:
Route Only Certain IPs
In client config:
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
Only these subnets go through VPN.
Exclude Local Network
AllowedIPs = 0.0.0.0/0, ::/0
PostUp = ip route add 192.168.1.0/24 via 192.168.1.1
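AllowedIPs has no exclude syntax, so another way to keep a local subnet out of the tunnel is to list every IPv4 block except that subnet. The script below is an added example (not from the original guide, and a different approach from the PostUp route above); function names are illustrative and 192.168.1.0/24 is the guide's sample LAN.

```sh
#!/bin/sh
# Added example: build an AllowedIPs list covering all of IPv4 except one subnet.

# Dotted quad -> integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Walk down the prefix tree towards NET/LEN; at each depth emit the sibling
# branch (same leading bits, last bit flipped). Their union is 0.0.0.0/0 minus NET/LEN.
allowed_ips_excluding() {
    len=${1#*/}
    addr=$(ip_to_int "${1%/*}")
    out=""; i=1
    while [ "$i" -le "$len" ]; do
        shift_bits=$((32 - i))
        sib=$(( (($addr >> $shift_bits) ^ 1) << $shift_bits ))
        out="$out${out:+, }$(int_to_ip "$sib")/$i"
        i=$((i + 1))
    done
    echo "$out"
}

# Return 0 if address $1 falls inside any block of the comma-separated list $2.
is_routed() {
    ip=$(ip_to_int "$1")
    for cidr in $(echo "$2" | tr -d ','); do
        bits=$((32 - ${cidr#*/}))
        [ $(( $ip >> $bits )) -eq $(( $(ip_to_int "${cidr%/*}") >> $bits )) ] && return 0
    done
    return 1
}

echo "AllowedIPs = $(allowed_ips_excluding 192.168.1.0/24)"
```

Use `is_routed` to confirm that a LAN address stays outside the list and a public address falls inside it before pasting the line into the client config.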
DNS Configuration
Use Cloudflare DNS
In client config:
DNS = 1.1.1.1, 1.0.0.1
Use Your Own DNS (Pi-hole)
If running Pi-hole on same VPS:
DNS = 10.0.0.1
Block DNS Leaks
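On server, block external DNS so clients can only resolve through the server's own resolver. Apply this only when clients use DNS = 10.0.0.1; clients pointed at 1.1.1.1 will lose name resolution:
# Drop forwarded DNS (UDP and TCP) from VPN clients to outside resolvers
iptables -I FORWARD -i wg0 -p udp --dport 53 -j DROP
iptables -I FORWARD -i wg0 -p tcp --dport 53 -j DROP
# Inserted last, so evaluated first. Queries addressed to 10.0.0.1 itself are
# local to the server and pass through INPUT rather than FORWARD.
iptables -I FORWARD -i wg0 -d 10.0.0.1 -p udp --dport 53 -j ACCEPT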
Performance Optimization
MTU Tuning
Find optimal MTU:
ping -c 5 -M do -s 1400 your-vps-ip
# Decrease until no fragmentation
Set in config:
[Interface]
MTU = 1420
Persistent Keepalive
For clients behind NAT:
PersistentKeepalive = 25
Sends packet every 25 seconds to keep connection alive.
Security Hardening
Change Default Port
Use a non-standard port (less scanning). Remember to open the new UDP port in the firewall in place of 51820:
Server:
ListenPort = 44321
Client:
Endpoint = your-vps-ip:44321
Fail2Ban for WireGuard
# WireGuard doesn't log auth failures by default
# But you can monitor connection attempts
cat > /etc/fail2ban/jail.d/wireguard.local << 'EOF'
[wireguard]
enabled = false
# WireGuard is already secure by design
EOF
WireGuard is inherently secure — unknown keys are silently dropped.
Firewall Only WireGuard Port
ufw default deny incoming
ufw allow ssh
ufw allow 51820/udp
ufw enable
Troubleshooting
Can't Connect
# Check WireGuard is running
wg show
# Check firewall
ufw status
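# Check port is open (WireGuard never answers unauthenticated UDP packets,
# so this only shows that the port is not being actively rejected)
nc -zvu your-vps-ip 51820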
No Internet Through VPN
# Check IP forwarding
cat /proc/sys/net/ipv4/ip_forward
# Should be 1
# Check NAT rules
iptables -t nat -L POSTROUTING
Slow Speeds
# Test without VPN
speedtest-cli
# Test with VPN
# If much slower, try different MTU
Connection Drops
Add to client:
PersistentKeepalive = 25
Using with Docker
WireGuard Container
version: '3.8'
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=UTC
      - SERVERURL=your-vps-ip
      - PEERS=5
    volumes:
      - ./config:/config
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
Auto-generates configs for 5 peers in ./config/peer*.
WireGuard vs Commercial VPN
| Factor | WireGuard VPS | NordVPN/etc |
|---|---|---|
| Cost | ~$5/mo | $3-12/mo |
| Servers | 1 (yours) | 5000+ |
| Speed | Fastest | Good |
| Privacy | Complete | Trust them |
| Logging | None | "No logs" 🤔 |
| Control | Full | None |
Your own VPS = your own rules.
Multi-Location Setup
For multiple exit points:
- Create VPS in different regions
- Set up WireGuard on each
- Create configs for each
- Switch between them
# Switch to US exit
wg-quick down wg0
wg-quick up wg-us
# Switch to EU exit
wg-quick down wg-us
wg-quick up wg-eu
FAQ
Is WireGuard secure?
Extremely. Uses modern cryptography (Curve25519, ChaCha20, Poly1305). Audited by security researchers.
Can my ISP see I'm using VPN?
They can see encrypted traffic to your VPS IP, but not the content.
How many devices can connect?
Unlimited. Add more [Peer] sections.
Does WireGuard work in China?
Sometimes. It can be blocked. Consider obfuscation tools like udp2raw.
WireGuard vs OpenVPN?
WireGuard is faster and simpler. OpenVPN is more configurable. For most users, WireGuard wins.
Recommended Setup
| Use Case | VPS | Location |
|---|---|---|
| General privacy | Hetzner CX11 | Nearest region |
| Streaming US | Vultr | US (NYC, LA) |
| Streaming UK | Vultr | London |
| Maximum speed | Local region | Same country |
€3.79/month gets you a private VPN that's faster than any commercial option. No logs, no limits, just your own server.
fordnox
// last updated: February 8, 2026. Disclosure: This article may contain affiliate links.