WireGuard is a modern VPN protocol that has rapidly become the preferred choice for self-hosted VPN deployments. Compared to OpenVPN and IPsec, WireGuard offers dramatically simpler configuration, smaller attack surface (roughly 4,000 lines of code versus hundreds of thousands), and significantly better performance. Running your own WireGuard VPN on a VPS gives you complete control over your encrypted tunnel without relying on third-party VPN providers.

This tutorial walks you through installing WireGuard on an Ubuntu VPS, generating cryptographic keys, configuring both the server and client, setting up firewall rules, and verifying that your VPN tunnel works correctly. By the end, you will have a fully functional VPN that encrypts all your internet traffic through your VPS.

Prerequisites

Before starting, ensure you have the following:

MassiveGRID's Cloud VPS plans provide full root access, a dedicated public IP, and KVM virtualization that fully supports kernel modules like WireGuard. Even the entry-level plan is sufficient for running a personal VPN server.

Why WireGuard Over OpenVPN?

FeatureWireGuardOpenVPN
Codebase size~4,000 lines~100,000+ lines
Connection speedNear-instant10-15 seconds
Throughput800-900 Mbps200-400 Mbps
CPU usageMinimalModerate to high
Kernel integrationBuilt into Linux kernel (5.6+)Userspace daemon
Configuration complexitySimple (single file)Complex (multiple files, PKI)
CryptographyModern (ChaCha20, Curve25519)Configurable (can be misconfigured)

WireGuard's performance advantage is especially noticeable on VPS instances with limited CPU cores, where OpenVPN's userspace encryption can become a bottleneck.

Step 1: Install WireGuard on the VPS

WireGuard is included in the Linux kernel since version 5.6 and is available as a package on all modern Ubuntu and Debian distributions. SSH into your VPS and install it:

# Update package lists
sudo apt update

# Install WireGuard
sudo apt install wireguard -y

# Verify installation
wg --version

You should see the WireGuard version output, confirming a successful installation. On Ubuntu 22.04 and newer, the kernel module is already included, so no additional kernel packages are needed.

Step 2: Generate Server Keys

WireGuard uses Curve25519 key pairs for authentication. Generate the server's private and public keys:

# Generate private key
wg genkey | sudo tee /etc/wireguard/server_private.key
sudo chmod 600 /etc/wireguard/server_private.key

# Derive public key from private key
sudo cat /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key

Note the contents of both files. You will need the server private key for the server config and the server public key for the client config.

# View the keys (you'll need these later)
echo "Server Private Key: $(sudo cat /etc/wireguard/server_private.key)"
echo "Server Public Key: $(sudo cat /etc/wireguard/server_public.key)"

Security note: The private key must never leave the server. Treat it like a password. The public key can be shared freely.

Step 3: Generate Client Keys

Generate a separate key pair for each client device that will connect to your VPN:

# Generate client keys (can be done on server or client)
wg genkey | tee client_private.key
cat client_private.key | wg pubkey | tee client_public.key

echo "Client Private Key: $(cat client_private.key)"
echo "Client Public Key: $(cat client_public.key)"

If you have multiple devices, repeat this process for each one, using unique key pairs and IP addresses within the VPN subnet.

Step 4: Configure the WireGuard Server

Create the server configuration file at /etc/wireguard/wg0.conf:

sudo nano /etc/wireguard/wg0.conf

Add the following configuration, replacing the placeholder values with your actual keys and network interface:

[Interface]
# Server's private key (from Step 2)
PrivateKey = SERVER_PRIVATE_KEY_HERE

# VPN subnet - the server gets .1
Address = 10.0.0.1/24

# UDP port WireGuard will listen on
ListenPort = 51820

# NAT rules to route client traffic through the VPS
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Client's public key (from Step 3)
PublicKey = CLIENT_PUBLIC_KEY_HERE

# IP address assigned to this client within the VPN
AllowedIPs = 10.0.0.2/32

Important: Identify Your Network Interface

The PostUp and PostDown rules reference eth0 as the public network interface. Verify your actual interface name:

ip route show default
# Output example: default via 192.168.1.1 dev eth0 proto dhcp
# Your interface name is after "dev" (eth0, ens3, enp0s3, etc.)

Replace eth0 in the configuration with your actual interface name if it differs.

Step 5: Enable IP Forwarding

For the VPS to route traffic between the VPN tunnel and the internet, IP forwarding must be enabled:

# Enable IP forwarding temporarily (for testing)
sudo sysctl -w net.ipv4.ip_forward=1

# Enable permanently by editing sysctl.conf
sudo nano /etc/sysctl.conf

Find and uncomment (or add) the following line:

net.ipv4.ip_forward = 1

Apply the change:

sudo sysctl -p

Step 6: Configure the Firewall

Open the WireGuard UDP port and ensure forwarding is allowed:

# Allow WireGuard port
sudo ufw allow 51820/udp

# Allow SSH (don't lock yourself out!)
sudo ufw allow 22/tcp

# Enable UFW if not already active
sudo ufw enable

# Verify rules
sudo ufw status

If your VPS provider also has a network-level firewall (security groups or firewall rules in the control panel), ensure UDP port 51820 is open there as well. MassiveGRID VPS instances have all ports open by default at the network level, so you only need to configure the OS-level firewall.

Step 7: Start the WireGuard Server

# Start WireGuard
sudo wg-quick up wg0

# Enable WireGuard to start on boot
sudo systemctl enable wg-quick@wg0

# Verify the interface is running
sudo wg show

The wg show output should display the interface, its public key, listening port, and any configured peers. At this point, the server is ready to accept connections.

Step 8: Configure the Client

Install WireGuard on your client device. It is available for Linux, macOS, Windows, iOS, and Android.

Linux Client

sudo apt install wireguard -y

macOS, Windows, iOS, and Android

Download the WireGuard app from the official website or your platform's app store.

Client Configuration File

Create the client configuration (on the client device or import via QR code):

[Interface]
# Client's private key (from Step 3)
PrivateKey = CLIENT_PRIVATE_KEY_HERE

# Client's VPN IP address
Address = 10.0.0.2/24

# DNS server to use while connected (use a public resolver or your own)
DNS = 1.1.1.1, 9.9.9.9

[Peer]
# Server's public key (from Step 2)
PublicKey = SERVER_PUBLIC_KEY_HERE

# Server's public IP and WireGuard port
Endpoint = YOUR_VPS_IP:51820

# Route ALL traffic through the VPN (full tunnel)
AllowedIPs = 0.0.0.0/0, ::/0

# Send keepalive packets to maintain NAT mappings
PersistentKeepalive = 25

Setting AllowedIPs = 0.0.0.0/0, ::/0 routes all internet traffic through the VPN. If you only want to access the VPN network without routing all traffic, change this to AllowedIPs = 10.0.0.0/24 (split tunnel).

Step 9: Connect and Test

On a Linux Client

# Save config and connect
sudo cp client.conf /etc/wireguard/wg0.conf
sudo wg-quick up wg0

# Verify the connection
sudo wg show

On Desktop or Mobile Apps

Import the configuration file or scan a QR code (generate one on the server with qrencode):

# Install qrencode on the server
sudo apt install qrencode -y

# Generate QR code from client config
qrencode -t ansiutf8 < /path/to/client.conf

Scan the QR code with the WireGuard mobile app to import the configuration instantly.

Verify the VPN is Working

After connecting, verify that your traffic is flowing through the VPN:

# Check your public IP - should show your VPS IP, not your local IP
curl ifconfig.me

# Ping the server through the VPN tunnel
ping 10.0.0.1

# Check WireGuard status for handshake info
sudo wg show

If curl ifconfig.me returns your VPS IP address, your VPN is working correctly and all internet traffic is being routed through the encrypted tunnel.

Adding More Clients

To add additional peers, generate a new key pair for each client and add a [Peer] block to the server configuration:

# Add a new peer without restarting WireGuard
sudo wg set wg0 peer NEW_CLIENT_PUBLIC_KEY allowed-ips 10.0.0.3/32

# Save the running config to the file
sudo wg-quick save wg0

Assign each client a unique IP address within the 10.0.0.0/24 subnet (10.0.0.3, 10.0.0.4, etc.).

Security Best Practices

Troubleshooting Common Issues

No Handshake Occurring

If wg show does not display a "latest handshake" for a peer, check these items:

Connected but No Internet Access

If the VPN connects but you cannot reach the internet:

DNS Resolution Fails

If websites do not load but you can ping IP addresses, the DNS configuration in the client config may be incorrect. Ensure the DNS line specifies working resolvers like 1.1.1.1 or 9.9.9.9.

VPS Recommendations for WireGuard

WireGuard is extremely lightweight. A VPS with 1 vCPU and 1 GB RAM can easily handle a personal VPN for 5-10 simultaneous connections. The primary resource consideration is bandwidth: all your internet traffic flows through the VPS when using a full tunnel configuration.

Choose a VPS location close to your primary physical location for the lowest latency. MassiveGRID offers datacenter locations in New York, London, Frankfurt, and Singapore, with premium network connectivity and generous bandwidth allocations starting at 1 TB per month.

Deploy a MassiveGRID VPS and have your own WireGuard VPN running in under 15 minutes.

Conclusion

Setting up WireGuard on a VPS is one of the most practical self-hosting projects you can complete. You get a fast, modern VPN with full control over your encrypted tunnel, no third-party logging concerns, and the flexibility to add as many devices as you need. The entire configuration fits in a single file per device, and the kernel-integrated performance means your VPN adds negligible latency compared to an unencrypted connection.

With MassiveGRID's VPS infrastructure providing NVMe storage, dedicated resources, and enterprise-grade security, your WireGuard VPN server benefits from the same reliable foundation that powers production workloads worldwide.