How to Set Up a WireGuard VPN on a VPS

Use Cases 3 min read Updated June 2026

Running your own VPN server gives you full privacy control, lets you bypass geo-restrictions, and secures your traffic on public Wi-Fi - without trusting a third-party VPN provider. This guide uses WireGuard, the fastest and easiest modern VPN protocol. For an exit node that isn't tied to your identity, run it on an anonymous VPS paid in crypto.

How a self-hosted WireGuard VPN routes your traffic through your VPS

Why Use Your Own VPN?

A WireGuard VPS is simply a VPS running the WireGuard protocol - a private, self-hosted VPN endpoint you fully control. The upside:

Prerequisites

Step 1: Install WireGuard

apt update
apt install wireguard -y

Step 2: Generate Server Keys

wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
chmod 600 /etc/wireguard/server_private.key

View your keys:

cat /etc/wireguard/server_private.key
cat /etc/wireguard/server_public.key

Step 3: Generate Client Keys

wg genkey | tee /etc/wireguard/client_private.key | wg pubkey > /etc/wireguard/client_public.key

Step 4: Create the Server Config

Find your network interface name:

ip route | grep default
# Look for something like: default via x.x.x.x dev eth0

Create the config file (replace eth0 with your interface name, and paste your actual keys):

nano /etc/wireguard/wg0.conf
[Interface]
PrivateKey = YOUR_SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = YOUR_CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

Step 5: Enable IP Forwarding

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

Step 6: Open the Firewall Port

ufw allow 51820/udp

Step 7: Start WireGuard

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
wg show

Step 8: Configure the Client

On Linux / macOS

Install WireGuard, then create a config file at ~/.config/wireguard/wg0.conf or /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = YOUR_CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Connect:

wg-quick up wg0

On Windows / Android / iOS

  1. Install the WireGuard app
  2. Create a new tunnel and paste the client config above
  3. Tap/click Activate

Verify It's Working

Visit https://whatismyip.com - it should now show your server's IP address, not your local one.


Questions? Email us at [email protected] - we reply in under 2 hours, 7 days a week.

Top up in crypto.
Be root in a minute.

No cards. No KYC. Uninterrupted service since 2014. For people who'd rather not explain why they need a server.

Deploy a server →