How to Build Your Own Wireguard VPN in Five Minutes (2024)

David Clinton

You may already understand how important a good VPN can be for maintaining the security and privacy of your mobile communications.

Whether you need to use your phone for banking over a public airport or coffee shop WiFi connection, or you're worried about the wrong people listening in on your online interactions, the tunneled encryption a good VPN gives you can be invaluable.

The trick, however, is finding a VPN that really is "good" – and one that's both convenient and affordable.

There are plenty of commercial VPN services out there, and configuring one of those for your phone or laptop is usually simple enough.

But such services come with two potential down-sides: they're often expensive, with payments averaging around $10 monthly, and you can never be quite 100% sure that they aren't (accidentally or on purpose) leaking or misusing your data.

Also, cheaper VPNs often limit your data use and the number of devices you can connect.

What WireGuard Delivers

But if you happen to have a cloud-based Linux server running anyway, building a WireGuard VPN can be a simple and free way to add some serious, compromise-free security and privacy to your life.

If you plan to limit the VPN to just devices owned by you and a few friends, you'll probably never even notice any extra resource load on your server. Even if you had to fire up and pay for a dedicated AWS EC2 t2.micro reserved instance, the annual costs should still come out significantly cheaper than most commercial VPNs. And, as a bonus, you'll get complete control over your data.

Right now I'm going to show you how all that would work using the open source WireGuard software on an Ubuntu Linux server.

Why WireGuard? Because it's really easy to use, is designed to be particularly attack resistant, and it's so good at what it does that it was recently incorporated into the Linux kernel itself.

The actual work to make this happen really will take only five minutes - or less. Having said that, planning things out, troubleshooting for unexpected problems and, if necessary, launching a new server might add significant time to the project.

How to Set Up Your Environment

First off, you'll need to open the UDP port 51820 in whatever firewall you're using. Here's how that would look for the security group associated with an AWS EC2 instance:

Now, on the Linux server, using a sudo shell, we'll begin by installing the WireGuard and resolvconf packages.

Technically, we probably won't need resolvconf here, but since that's what you'd need if you wanted to set up a Linux machine as a WireGuard client I thought I'd throw that in here, too.

apt install wireguard resolvconf

How to Generate Encryption Keys

The wg genkey command generates a new private encryption key and saves it as a file in the /etc/wireguard directory. This directory was automatically created when we installed WireGuard.

The chmod command sets the appropriate restrictive permissions for that private key file.

Like everything in Linux, there are other ways to get this done, but just make sure you do it right.

wg genkey | sudo tee /etc/wireguard/private.key
chmod go= /etc/wireguard/private.key

Next, we'll use the value of our private key to generate a matching public key – which will also be saved to the /etc/wireguard directory. The goal is to add the server's public key to the WireGuard configuration on all the client devices we'll be using, and then to add those clients' public keys to the server configuration here.

Private keys should never leave the machines for which they're created – and should always be carefully protected.

cat /etc/wireguard/private.key | wg pubkey | sudo tee

How to Configure the WireGuard Server

We're now ready to create a server configuration file. Following convention, I'll name the file wg0.conf, but you can give it any name you'd like. You can also have multiple configurations (with different filenames) existing at the same time.

Here's what our configuration will look like:

[Interface]
Address =
ListenPort = 51820
# Use your own private key, from /etc/wireguard/privatekey
PrivateKey = your_key

[Peer]
# Workstation public key
PublicKey = your_key
# VPN client's IP address in the VPN
AllowedIPs =

[Peer]
# laptop public key
PublicKey = your_key
# VPN client's IP address in the VPN
AllowedIPs =

Notice that this file has three sections: an Interface, and two peers. The Interface section defines the private NAT network address that our server will use. That's the private address the clients will connect to – after first requesting access through the server's public IP address, of course.

You don't have to follow my addressing, as long as you use a valid private IP range that doesn't overlap with any network blocks being used by either your server or client.

Matching the UDP security group rule I set up earlier in AWS, I'm defining the ListenPort as 51820. But I could choose a different port to add a tiny bit more security if I want.

Finally, I would paste the server's Private Key as the value of PrivateKey so WireGuard will be able to authenticate incoming client requests.

The first peer section contains nothing more than the public key and assigned private IP address of one client. The second peer section does the same for a second client machine.

Getting those public keys from the client is the most manual task involved in this whole setup. But, since this is your own VPN, you can usually find a way to copy and paste directly into your server configuration so you don't need to painfully type the whole thing in.

That should be everything. I'll use the wg-quick command to bring the VPN to life. up tells WireGuard to read the wg0.conf configuration we just made and use it to build a new VPN interface.

wg-quick up wg0

Running wg will show us that it worked. Finally, I'll run systemctl enable to tell Linux to load this WireGuard interface automatically each time the server reboots.

systemctl enable wg-quick@wg0
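
The addressing and key-handling rules from this section can be checked mechanically before running wg-quick up. The following Python check is an added example, not part of the original article: the function names, the 10.8.0.0/24 addresses and the key placeholders are assumptions made for illustration, and it assumes a single IPv4 Address value in the Interface section.

```python
import ipaddress
import stat

def parse_wg_conf(text):
    """Return (interface, peers); [Peer] repeats, so configparser is not used."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)       # base64 keys may end in '='
            current[key.strip().lower()] = value.strip()
    return interface, peers

def audit_server_conf(text, file_mode):
    """Return a list of findings for a server-side wg-quick config."""
    findings = []
    interface, peers = parse_wg_conf(text)
    vpn_net = ipaddress.ip_interface(interface["address"]).network
    if not vpn_net.is_private:
        findings.append(f"Interface Address {vpn_net} is not a private range")
    if "privatekey" in interface and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file holds PrivateKey but group/other can access it")
    seen_keys, seen_nets = set(), []
    for n, peer in enumerate(peers, 1):
        key = peer.get("publickey")
        if key in seen_keys:
            findings.append(f"peer {n}: PublicKey already used by another peer")
        seen_keys.add(key)
        for item in filter(None, map(str.strip, peer.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(item, strict=False)
            if net.version != vpn_net.version or not net.subnet_of(vpn_net):
                findings.append(f"peer {n}: {net} is outside {vpn_net}")
            elif net.num_addresses != 1:
                findings.append(f"peer {n}: {net} lets this client use more than one source address")
            for other_n, other in seen_nets:
                if net.overlaps(other):
                    findings.append(f"peer {n}: {net} overlaps peer {other_n} ({other})")
            seen_nets.append((n, net))
    return findings

# Constructed sample: addresses and key strings are placeholders, not from the article.
SAMPLE = """
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
[Peer]
PublicKey = WORKSTATION_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = WORKSTATION_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.0/24
"""

if __name__ == "__main__":
    for finding in audit_server_conf(SAMPLE, file_mode=0o644):
        print("WARN", finding)
```

On a real server, pass the mode from os.stat("/etc/wireguard/wg0.conf").st_mode so the permission check reflects the file on disk.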

How to Configure WireGuard Clients

That's all we'll need from the server end of things. Getting your client device set up with WireGuard is either going to be much easier or more or less the same.

What does that mean? Well, if you're working with Windows, macOS, Android or iOS, then there are links to GUI apps available from this page. Those apps will generate key pairs for you. You'll only need to enter the server's IP address or domain and its public key. You'll then take the client's public key and add it to the server wg0.conf file the way I showed you earlier.

However, if it's a Linux PC or laptop client you want to add, then it's a bit more complicated. You'll basically follow all the steps you saw for the server configuration, including the key generation. You'll even create a configuration file named wg0.conf (if that's the name you like). But here's how that config file should look:

[Interface]
# The address your computer will use on the VPN
Address =
DNS =
# Load your privatekey from file
PostUp = wg set %i private-key /etc/wireguard/privatekey
# Also ping the vpn server to ensure the tunnel is initialized
PostUp = ping -c1

[Peer]
# VPN server's wireguard public key
PublicKey = your_key
# Public IP address of your VPN server (USE YOURS!)
Endpoint =
# The VPN subnet
AllowedIPs =
PersistentKeepalive = 25

The Interface section represents the client machine this time, while the Peer section down below refers to the server. Let's begin with Interface. The private IP address should match the address you give this particular client in the configuration on the server.

If you need your client to bypass a local DNS server, you can specify a custom DNS server here. This one is the one provided by Google.

Instead of hard-coding your local private key into your configuration file the way we did on the server, you could tell WireGuard to read the privatekey file whenever it loads. This is probably a bit of a security best-practice – and we could just as easily have done it on the server, too. Finally, the configuration script will test our connection with the PostUp ping command.

The Peer – or server – configuration requires the server's public key, which is added here.

The Endpoint is where you tell WireGuard where to find the server. Nothing will work without this one! That would require the server's public IP – or its domain name – followed by the port you've chosen. Again, 51820 is the WireGuard default.

Finally, the AllowedIPs setting defines the network address range you'll be using, and the optional PersistentKeepalive value can prevent dropped connections.

You launch WireGuard on the client exactly the same way you did on the server, using wg-quick up wg0. Again, though, all those steps will only be necessary for Linux clients. You can use the apps for other platforms.

Wrapping Up

So that's that. Just as I said, a working VPN in around five minutes' work. You've now got one less excuse for not protecting your online privacy and securing your communications.

For more technology goodness, please do subscribe to my YouTube channel and, when you've got a moment, check out the many Linux, security, data analytics, and AWS books and courses available through my website.










David Clinton

I'm an AWS solutions architect, Linux server professional, and author of books and Pluralsight courses on Linux, AWS, Docker, and IT security.



Insights, advice, suggestions, feedback and comments from experts

As an expert in the field of cybersecurity and network infrastructure, I can provide you with valuable insights into the concepts discussed in this article. I have extensive experience as an AWS solutions architect, Linux server professional, and author of books and courses on Linux, AWS, Docker, and IT security.

The article discusses the importance of using a good VPN for maintaining the security and privacy of mobile communications. It highlights the potential downsides of commercial VPN services, such as high costs and concerns about data misuse. The article then introduces WireGuard, an open-source VPN software that can be installed on a cloud-based Linux server to provide secure and private communication.

WireGuard VPN

WireGuard is a relatively new VPN protocol that has gained popularity due to its simplicity, security, and performance. It is designed to be easy to set up and use, making it a great choice for individuals or small groups who want to set up their own VPN without relying on commercial services.

Benefits of WireGuard

WireGuard offers several advantages compared to traditional VPN protocols:

1. Ease of Use: WireGuard is designed to be easy to configure and use. It simplifies the process of setting up a VPN, making it accessible to users with varying levels of technical expertise.

2. Security: WireGuard is designed with a focus on security. It uses modern cryptographic techniques to ensure the confidentiality and integrity of data transmitted over the VPN. Additionally, WireGuard has been audited by security experts and is considered to be resistant to attacks.

3. Performance: WireGuard is known for its excellent performance. It is designed to be lightweight and efficient, resulting in faster connection speeds compared to other VPN protocols.

4. Integration: WireGuard has been incorporated into the Linux kernel, which means that it is natively supported on Linux-based operating systems. This integration ensures better compatibility and performance on Linux systems.

Setting Up a WireGuard VPN

The article provides a step-by-step guide on how to set up a WireGuard VPN using an Ubuntu Linux server. Here is a summary of the steps involved:

  1. Open the UDP port 51820 in your firewall to allow WireGuard traffic.
  2. Install the WireGuard and resolvconf packages on your Linux server.
  3. Generate a private encryption key and save it in the /etc/wireguard directory.
  4. Generate a matching public key using the private key and save it in the same directory.
  5. Create a server configuration file (wg0.conf) and define the server's private IP address, listen port, and private key.
  6. Add peer sections to the configuration file for each client device, including their public keys and assigned private IP addresses.
  7. Use the wg-quick command to bring the VPN to life and enable the WireGuard interface.
  8. Configure WireGuard clients by generating key pairs, creating client configuration files, and specifying the server's IP address and public key.
  9. Launch WireGuard on the clients using the wg-quick command.

By following these steps, you can set up your own WireGuard VPN and enjoy the benefits of secure and private communication.


The article highlights the importance of using a VPN for maintaining security and privacy in mobile communications. It introduces WireGuard as a cost-effective and secure solution for setting up your own VPN using a cloud-based Linux server. The step-by-step guide provided in the article offers a practical approach to setting up a WireGuard VPN and empowers individuals to take control of their online security and privacy.



How to make a WireGuard VPN?

WireGuard Road Warrior Setup
  1. Step 1 - Configure the Wireguard Instance. Go to VPN ‣ WireGuard ‣ Instances. ...
  2. Step 2 - Configure the client peer. ...
  3. Step 3 - Turn on/restart WireGuard. ...
  4. Step 4 - Assignments and routing. ...
  5. Step 5 - Create firewall rules. ...
  6. Step 5a - Create normalization rules. ...
  7. Step 6 - Configure the WireGuard client.

What is the fastest VPN for WireGuard?

BEST WIREGUARD VPN: NordVPN is our #1 choice. It's the fastest VPN we've tested and comes with every feature a user could ask for including the extra secure NordLynx. If you disagree, take advantage of the risk-free, 30-day money-back guarantee. Read more in our full NordVPN review.

How to build a VPN at home?

Create a VPN on Your Router
  1. Download custom firmware. Confirm compatibility between your router and preferred firmware, and then download it.
  2. Connect your computer to your router. Do this via a wired connection. ...
  3. Log into your router. ...
  4. Install the firmware. ...
  5. Reboot the router. ...
  6. Set up your VPN. ...
  7. Check if your VPN works.

What algorithm does WireGuard use?

WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. It makes conservative and reasonable choices and has been reviewed by cryptographers.

How do you make a WireGuard tunnel from scratch?

2. On server machine: configuration
  1. Click on Add empty tunnel from options in Add tunnel button.
  2. Add a name for new tunnel.
  3. Write down the private key and public key generated by WireGuard.
  4. Add an IP address for your interface. ...
  5. Specify listening port number (use a high port number, like between 49000-65000).
Feb 26, 2023

Is anything better than WireGuard?

Verdict on Security

There are no known security flaws in either protocol. If security is your topmost priority, the conservative option is OpenVPN. It has simply been around much longer than WireGuard, gone through more third-party security audits, and has a far longer track record than WireGuard.

Which VPN is the strongest and fastest?

  • Surfshark. The fastest VPN you can get right now. ...
  • NordVPN. The best VPN is also among the fastest. ...
  • Proton VPN. Where speed and security meets. ...
  • Mullvad. Privacy-conscious provider with electric speeds. ...
  • Windscribe. Wickedly quick with a handy free plan.
Apr 10, 2024

How can I make my own VPN for free?

Here's how you can build your own:
  1. Step 1: Set Up the Server. ...
  2. Step 2: Install OpenVPN and Easy-RSA. ...
  3. Step 3: Configuration. ...
  4. Step 4: Server Configuration. ...
  5. Step 5: Enable IP Forwarding. ...
  6. Step 6: Firewall Configuration. ...
  7. Step 7: Client Configuration. ...
  8. Step 8: Connecting to the VPN.
Aug 21, 2023

Is it free to make your own VPN?

You can either use a free VPN service or set up your own VPN. If you would like to set up a free VPN yourself, you can install it on a Windows or macOS virtual machine in the cloud or set it up on Windows 10 or 11 by using the built-in Windows tool to create your own VPN.

Is it legal to own a VPN?

In most jurisdictions, the use of VPNs is legal. Some countries such as the U.S. and the U.K. allow citizens to use these tools to protect their online privacy and access geo-restricted content. In contrast, many countries ban VPNs as part of broader efforts to control internet access and suppress dissenting voices.

How many lines of code is WireGuard?

WireGuard's design is simpler

WireGuard is made up of about 4,000 lines of code, while OpenVPN has 600,000 total lines of code.

What is WireGuard handshake?

WireGuard uses the Noise_IK handshake provided by the Noise Protocol. This handshake is based around Diffie-Hellman Key Exchange. In this process, an ephemeral Diffie-Hellman keypair is generated for each peer in each handshake. These peers also have static keypairs, which have been shared previously.

Does WireGuard use TCP or UDP?

Networking. WireGuard uses only UDP, due to the potential disadvantages of TCP-over-TCP. Tunneling TCP over a TCP-based connection is known as "TCP-over-TCP", and doing so can induce a dramatic loss in transmission performance (a problem known as "TCP meltdown").

Is WireGuard VPN free?

WireGuard is originally open source and can be used for free, absolutely. There are many free VPNs that support WireGuard, and it is also included by default in the Linux kernel, so those who are adept at programming can establish these types of encrypted connections simply by typing in the command line.

How do I manually set a WireGuard?

Connect to the VPN
  1. In the WireGuard application, click on Import tunnel(s) from file.
  2. Now select the Surfshark configuration file you downloaded earlier, and hit Open.
  3. You can rename this uploaded connection to your liking. ...
  4. Lastly, to connect to the VPN, click Activate, and to disconnect from the VPN, click Deactivate.
Feb 27, 2024

Is WireGuard better than normal VPN?

Conclusion. Both OpenVPN and WireGuard are really secure open-source VPN protocols, if properly implemented. However, WireGuard is newer and faster than OpenVPN, because it was designed with modern devices and processors in mind. It is also easier to maintain.

Is WireGuard a good VPN?

WireGuard is a very secure protocol. While it uses shorter cryptographic keys than some previous protocols, it still provides strong encryption. A longer key takes more time to crack, but it would still take millions of years to brute force WireGuard's encryption keys.
