A commercial VPN means trusting a third party with your traffic. A self-hosted WireGuard VPN means you own the infrastructure. Your server, your keys, your logs — or lack thereof.
WireGuard is the default VPN protocol now. It’s built into the Linux kernel, faster than OpenVPN, simpler to configure, and cryptographically sound. Mullvad deprecated OpenVPN entirely in January 2026 — that’s the direction the industry is moving.
This guide covers setting up your own WireGuard server on a Linux VPS, configuring clients across all platforms, and securing it for production.
- WireGuard tools v1.0.20260223 (latest, Feb 2026)
- One-hour setup from empty VPS to working VPN
- No-log by design — WireGuard has no logging mechanism to disable
- Faster than OpenVPN — kernel-level operation, minimal overhead
- Cost: $5–10/month for a VPS (replaces $5–15/month per commercial VPN subscription)
Why WireGuard Instead of a Commercial VPN?
| | Self-Hosted WireGuard | Commercial VPN |
|---|---|---|
| Trust model | You control the server | Third-party provider |
| Logging | Impossible (no logging code) | Depends on provider policy |
| Speed | Kernel-level, near line rate | Depends on provider infrastructure |
| Cost | $5–10/month VPS | $5–15/month subscription |
| Users/devices | Unlimited | Usually 5–10 limit |
| Setup effort | 1 hour | 5 minutes |
| IP reputation | Yours alone | Shared (blocked by some sites) |
The tradeoff: more setup, more control. I’ve run both and I’ll take the hour of setup for the peace of mind.
Prerequisites
- A Linux VPS (Ubuntu 26.04 LTS or Debian 13) — $5–10/month from Hetzner, Linode, or DigitalOcean
- Domain name pointing to your VPS (optional but helps with IP rotation)
- Basic SSH and command line familiarity
Step 1: Server Setup
SSH into your VPS and install WireGuard:
```bash
ssh root@your-server-ip

# Ubuntu / Debian
apt update && apt install -y wireguard

# Verify
wg --version
# WireGuard tools v1.0.20260223
```
Enable IP forwarding:
```bash
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.conf
sysctl -p
```
Step 2: Generate Keys
WireGuard uses Curve25519 key pairs:
```bash
cd /etc/wireguard
umask 077
wg genkey | tee server.key | wg pubkey > server.pub
```
The `umask 077` means only root can read the private key. Don’t skip this.
Step 3: Configure the Server
Create /etc/wireguard/wg0.conf:
```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

# Enable NAT for client traffic
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
```
Replace `<server-private-key>` with the content of `/etc/wireguard/server.key`. Run `ip route show default` to check your interface name — it might not be `eth0`.
Enable and start:
```bash
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
```
Verify with `wg show` — you should see your public key and listening port.
Step 4: Client Configuration
Generate a client key pair:
```bash
cd /etc/wireguard
umask 077   # new key files are created 0600, as in Step 2
mkdir -p /etc/wireguard/clients
wg genkey | tee clients/laptop.key | wg pubkey > clients/laptop.pub
```
Add the client to the server config by appending to /etc/wireguard/wg0.conf:
```ini
[Peer]
# Laptop
PublicKey = <laptop-public-key>
AllowedIPs = 10.0.0.2/32
```
Reload:
```bash
wg addconf wg0 <(wg-quick strip wg0)
```
Step 5: Client Config File
Create a file to import into your device:
```ini
[Interface]
PrivateKey = <laptop-private-key>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key>
Endpoint = your-server-ip:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```
A quick explanation of what matters:
- `AllowedIPs = 0.0.0.0/0` routes ALL traffic through the VPN (full tunnel). Change it to specific subnets for split tunneling.
- `PersistentKeepalive = 25` keeps the connection alive through NAT — you want this.
- The DNS line uses Cloudflare’s 1.1.1.1 but swap it if you prefer Quad9 (9.9.9.9) or your own resolver.
Step 6: Connect Clients
macOS: WireGuard from App Store or brew install wireguard-tools → Import tunnel → Activate.
Windows: WireGuard v0.6 from wireguard.com/install → Import tunnel → Activate.
iOS / Android: Official WireGuard app → Create from file or QR code → Connect.
Step 7: Kill Switch
Without a kill switch, your real IP leaks if the VPN drops. WireGuard has a built-in one: add `Table = auto` to the `[Interface]` section of your client config. It automatically removes the default route when the tunnel goes down.
Test it: `sudo wg-quick down wg0` — your internet should stop working until the tunnel reconnects.
For a firewall-based kill switch on Linux:
```bash
iptables -I OUTPUT ! -o wg0 -m owner --uid-owner 0 -j REJECT
```
Step 8: Multiple Clients
Phone, tablet, work laptop — each needs its own key pair and IP:
```bash
cd /etc/wireguard && umask 077   # same directory and file mode as Step 4
for device in phone tablet work-laptop; do
    wg genkey | tee clients/${device}.key | wg pubkey > clients/${device}.pub
done
```
Add each as a [Peer] with a unique IP (10.0.0.3, 10.0.0.4, etc.) and generate matching client configs.
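The per-client work from Steps 4, 5 and 8 folded into one script, as an added example that is not part of the original guide: it picks the next unused 10.0.0.x address from `wg0.conf`, refuses to overwrite an existing client's key, and creates every file under `umask 077`. The function names and the `WG_DIR` variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide). WG_DIR and every function
# name here are assumptions made for illustration.

# Lowest unused host address in 10.0.0.0/24, read from the server config:
# .1 is the server's Address, each peer owns the /32 in its AllowedIPs.
next_free_ip() {
    local conf="$1" used host
    used=$(grep -E '^(Address|AllowedIPs)' "$conf" | grep -oE '10\.0\.0\.[0-9]+' | cut -d. -f4)
    for host in $(seq 2 254); do
        echo "$used" | grep -qx "$host" || { echo "10.0.0.$host"; return 0; }
    done
    echo "no free address left in 10.0.0.0/24" >&2
    return 1
}

peer_stanza() {   # name, public key, tunnel IP -> [Peer] block for wg0.conf
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

client_conf() {   # private key, tunnel IP, server public key, endpoint
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\nDNS = 1.1.1.1\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\n' "$3" "$4"
    printf 'AllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n'
}

# add_client NAME ENDPOINT: new key pair, next free IP, client file, peer entry.
add_client() {
    local name="$1" endpoint="$2" dir="${WG_DIR:-/etc/wireguard}" ip
    if [ -e "$dir/clients/$name.key" ]; then
        echo "client '$name' already exists, refusing to overwrite its key" >&2
        return 1
    fi
    ip=$(next_free_ip "$dir/wg0.conf") || return 1
    (
        umask 077 &&   # everything created below is 0600 / 0700
        mkdir -p "$dir/clients" &&
        wg genkey | tee "$dir/clients/$name.key" | wg pubkey > "$dir/clients/$name.pub" &&
        client_conf "$(cat "$dir/clients/$name.key")" "$ip" \
            "$(cat "$dir/server.pub")" "$endpoint" > "$dir/clients/$name.conf"
    ) || return 1
    peer_stanza "$name" "$(cat "$dir/clients/$name.pub")" "$ip" >> "$dir/wg0.conf"
}
```

After `add_client phone your-server-ip:51820`, reload the interface as in Step 4 and import `clients/phone.conf` on the device.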
Security Checklist
- Server private key has `0600` permissions (`chmod 600 /etc/wireguard/server.key`)
- Firewall allows only port 51820/UDP from the internet
- SSH is locked down (key-only auth, no root login)
- VPS is fully updated (`apt update && apt upgrade`)
- DNS uses a privacy-respecting provider (1.1.1.1 or 9.9.9.9)
- All client configs use `PersistentKeepalive = 25`
- You’ve tested the kill switch
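A lint for client config files that automates the file-level items of this checklist, as an added example rather than part of the original guide. It also flags a full-tunnel `AllowedIPs` that lists only `0.0.0.0/0`, a check that goes beyond the checklist; the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): lint one client config file.
# Function names are assumptions; stat -c is the GNU form found on Linux.

# Value of the first "key = value" line for KEY ('=' padding in keys survives).
conf_get() {
    awk -F= -v want="$2" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == want { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }
    ' "$1"
}

# Print a finding and count it; uses the caller's $conf and $findings.
finding() { echo "$conf: $*"; findings=$((findings + 1)); }

# Returns 0 when the file passes, 1 when at least one finding was printed.
audit_client_conf() {
    local conf="$1" findings=0 mode allowed

    mode=$(stat -c %a "$conf")
    [ "$mode" = 600 ] || finding "mode $mode, expected 600 (file holds a private key)"

    case $(conf_get "$conf" PrivateKey) in
        ""|"<"*) finding "PrivateKey is missing or still a placeholder" ;;
    esac

    [ "$(conf_get "$conf" PersistentKeepalive)" = 25 ] ||
        finding "PersistentKeepalive is not 25"

    [ -n "$(conf_get "$conf" DNS)" ] ||
        finding "no DNS line, lookups use whatever resolver the local network assigns"

    # Beyond the checklist: 0.0.0.0/0 is IPv4 only, so on a dual-stack network
    # IPv6 traffic keeps using the normal route unless ::/0 is listed as well.
    allowed=",$(conf_get "$conf" AllowedIPs | tr -d ' '),"
    case $allowed in
        *,::/0,*) ;;
        *,0.0.0.0/0,*) finding "AllowedIPs has 0.0.0.0/0 but not ::/0, IPv6 bypasses the tunnel" ;;
    esac

    [ "$findings" -eq 0 ]
}
```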
Troubleshooting
VPN connects but no internet: Check IP forwarding (`sysctl net.ipv4.ip_forward` should return 1). Check the NAT rule (`iptables -t nat -L`).
Frequent drops: Bump PersistentKeepalive to 25 in the client config.
Slow speeds: WireGuard is kernel-level — check your VPS bandwidth cap. Test with iperf3.
Handshake failed: Check the firewall on port 51820/UDP. Verify public keys match.
If you want zero-config, use Tailscale (it’s built on WireGuard). But if you want to own your infrastructure, the hour of setup is worth it. Start with the Tor vs VPN guide for deciding when each makes sense.