
WireGuard VPN

Modern, fast, secure VPN


Why WireGuard?

  • Simple: ~4,000 lines of code vs 100,000+ for OpenVPN
  • Fast: Kernel-level implementation, minimal overhead
  • Modern crypto: ChaCha20, Curve25519, BLAKE2s
  • Roaming: Handles IP changes
  • Cross-platform: Linux, Windows, macOS, iOS, Android

Server Configuration

Install WireGuard

# Ubuntu/Debian
sudo apt update && sudo apt install wireguard

# Enable IP forwarding
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Generate Keys

# Generate server keys
wg genkey | tee server_private.key | wg pubkey > server_public.key

# Set secure permissions
chmod 600 server_private.key

Server Config

# /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>

# NAT for clients
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Client 1
PublicKey = <client1_public_key>
AllowedIPs = 10.0.0.2/32

Client Configuration

Generate Client Keys

wg genkey | tee client_private.key | wg pubkey > client_public.key

Client Config

[Interface]
Address = 10.0.0.2/24
PrivateKey = <client_private_key>
DNS = 1.1.1.1

[Peer]
PublicKey = <server_public_key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

AllowedIPs Options

  • 0.0.0.0/0 - Route all traffic through the VPN (full tunnel)
  • 10.0.0.0/24, 192.168.1.0/24 - Only route specific networks (split tunnel)

Management Commands

# Start/stop interface
sudo wg-quick up wg0
sudo wg-quick down wg0

# Enable on boot
sudo systemctl enable wg-quick@wg0

# Check status
sudo wg show

# Add peer on the fly
sudo wg set wg0 peer <public_key> allowed-ips 10.0.0.3/32
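
Putting the server and client steps above together, here is an added example (not code from the page) that provisions a new client: it allocates the next free address from the existing wg0.conf, writes the server [Peer] block with a single /32, renders the client config, and applies the peer live with wg set. The file paths, the vpn.example.com endpoint and the DNS server are assumptions taken from the sample configs.

```sh
#!/bin/sh
# Added example, not from the original page: provisions one new client by
# allocating the next free /32 in the server's 10.0.0.0/24 pool, rendering the
# server-side [Peer] block and the client config, and applying the peer live
# with `wg set`. File paths, the endpoint and the DNS server are assumptions.

# Print the next unused host address in 10.0.0.0/24, based on the /32
# AllowedIPs already present in the server config ($1). .1 is the server.
next_free_ip() {
    used=$(sed -n 's/^AllowedIPs *= *10\.0\.0\.\([0-9]*\)\/32.*/\1/p' "$1")
    n=2
    while [ "$n" -lt 255 ]; do
        echo "$used" | grep -qx "$n" || { echo "10.0.0.$n"; return 0; }
        n=$((n + 1))
    done
    return 1   # pool exhausted
}

# [Peer] block for the server: exactly one /32, so the client can only
# source traffic from its own address. $1 = client pubkey, $2 = IP, $3 = name
server_peer_block() {
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$3" "$1" "$2"
}

# Full-tunnel client config. $1 = client private key, $2 = IP, $3 = server pubkey
client_conf() {
    printf '[Interface]\nAddress = %s/24\nPrivateKey = %s\nDNS = 1.1.1.1\n\n' "$2" "$1"
    printf '[Peer]\nPublicKey = %s\nEndpoint = vpn.example.com:51820\n' "$3"
    printf 'AllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n'
}

# End-to-end run; needs wg and root, so the functions above are kept free of
# side effects and this one is what you would actually call. $1 = client name
provision_client() {
    umask 077   # key files are created unreadable by other users
    priv=$(wg genkey) && pub=$(printf '%s' "$priv" | wg pubkey) || return 1
    ip=$(next_free_ip /etc/wireguard/wg0.conf) || { echo "pool exhausted" >&2; return 1; }
    server_peer_block "$pub" "$ip" "$1" >> /etc/wireguard/wg0.conf
    client_conf "$priv" "$ip" "$(wg show wg0 public-key)" > "$1.conf"
    wg set wg0 peer "$pub" allowed-ips "$ip/32"   # live, no interface restart
}
```

Run it as `provision_client laptop` on the server; the resulting laptop.conf is what you hand to the client (or feed to qrencode for a phone).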

Best Practices

  • Rotate keys periodically: Generate new key pairs annually
  • Use PersistentKeepalive: Needed for clients behind NAT so the mapping stays open (25 seconds typical)
  • Restrict AllowedIPs: On the server give each peer only its own /32; on clients route only the networks they need
  • Firewall the server: Only allow UDP 51820 from needed sources
  • Use QR codes: For mobile client deployment

Tip: Use qrencode -t ansiutf8 < client.conf to generate QR codes for mobile clients.