Fast. Simple. Modern.
VPN FOR THE MODERN WORLD.
WireGuard is a fast, modern VPN protocol that's simpler than IPsec and faster than OpenVPN. It uses cutting-edge cryptography and fits in a few thousand lines of code.
SECURITY MEETS SIMPLICITY.
Unlike legacy VPNs, WireGuard is designed for the modern internet. It's fast, easy to configure, and secure by default.
What is WireGuard? Why it's better than OpenVPN. (Beginner)
Install WireGuard on Linux, macOS, Windows. (Beginner)
Configure your WireGuard server. (Beginner)
Set up clients on any device. (Beginner)
Generate public and private keys. (Beginner)
WireGuard on iOS and Android. (Intermediate)
Secure your VPN with iptables/nftables. (Intermediate)
Route only specific traffic through VPN. (Intermediate)
Server with multiple clients. (Advanced)
Peer-to-peer WireGuard mesh networks. (Advanced)
Tuning and optimization. (Advanced)
Debug common WireGuard issues. (Advanced)
WireGuard is a modern VPN protocol designed for simplicity and performance. It's cross-platform, open source, and uses state-of-the-art cryptography.
WireGuard creates a simple tunnel interface. Each peer has a public/private key pair. Peers authenticate using these keys—no certificates needed.
1. What makes WireGuard faster?
# Ubuntu/Debian
sudo apt install wireguard
# Fedora
sudo dnf install wireguard-tools
# Arch
sudo pacman -S wireguard-tools
# Using Homebrew
brew install wireguard-tools
# Or from App Store: WireGuard
Download from wireguard.com/install
1. What package do you install on Linux?
# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
# With SaveConfig, wg-quick overwrites this file with the live interface state on shutdown
SaveConfig = true
# Allow forwarding through the tunnel and NAT out of eth0
# (the kernel must also have net.ipv4.ip_forward=1)
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Remove the same rules when the interface goes down
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# Enable and start
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
# Check status
sudo wg show
1. What is the default port?
wg genkey
# Output: CLIENT_PRIVATE_KEY
echo "CLIENT_PRIVATE_KEY" | wg pubkey
# Output: CLIENT_PUBLIC_KEY
# /etc/wireguard/wg0.conf (client)
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = server.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.0.0.2/32
1. What does PersistentKeepalive do?
# Keep new key files readable only by the current user
umask 077
# Generate private key
wg genkey
# Generate private key and save
wg genkey > private.key
# Generate public key from private
wg pubkey < private.key > public.key
# One-liner
wg genkey | tee private.key | wg pubkey > public.key
For extra security between peers:
wg genpsk
1. What command generates a public key?
# Generate QR code
qrencode -t ansi < client.conf
Configure to auto-connect on WiFi/cellular.
1. How do you share config to mobile?
# Allow WireGuard port
sudo ufw allow 51820/udp
# Forward traffic
sudo ufw default allow routed
# Or more secure - only allow specific IPs
sudo ufw allow from 10.0.0.0/24
# /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
net/ipv6/conf/all/forwarding=1
# /etc/nftables.conf
# Add to inet filter forward chain
# iifname/oifname match by name, so the rules load even before wg0 exists
iifname "wg0" oifname "eth0" accept
iifname "eth0" oifname "wg0" accept
1. What port does WireGuard use?
# Only route specific network through VPN
[Peer]
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
# Route specific host
AllowedIPs = 192.168.1.100/32
1. What controls what goes through VPN?
# Add peer
sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.0.0.3/32
# Add multiple peers
sudo wg set wg0 peer PEER1_PUBKEY allowed-ips 10.0.0.2/32
sudo wg set wg0 peer PEER2_PUBKEY allowed-ips 10.0.0.3/32
sudo wg set wg0 peer PEER3_PUBKEY allowed-ips 10.0.0.4/32
# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = CLIENT1_PUBLIC
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = CLIENT2_PUBLIC
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = CLIENT3_PUBLIC
AllowedIPs = 10.0.0.4/32
1. How do you add multiple clients?
In a mesh, each peer connects directly to others—no central server.
# Peer A config
[Interface]
PrivateKey = A_PRIVATE
Address = 10.0.0.1/24
# Fixed port so B and C can list A as an Endpoint
ListenPort = 51820
[Peer]
PublicKey = B_PUBLIC
Endpoint = B.example.com:51820
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = C_PUBLIC
Endpoint = C.example.com:51820
AllowedIPs = 10.0.0.3/32
1. What connects peers directly?
# Reduce MTU for better performance
[Interface]
MTU = 1420
# Add to peer config
PersistentKeepalive = 25
1. What improves slow connections?
# Show interface
sudo wg show
# Show interface with more detail
sudo wg show wg0
# Ping through VPN
ping 10.0.0.1
# Check port (WireGuard stays silent to unauthenticated packets, so this UDP probe is not conclusive)
nc -zvu server.example.com 51820
# View logs
sudo journalctl -u wg-quick@wg0 -f
You've completed the WireGuard Mastery guide. You now understand:
WireGuard is the future of VPN. It's faster, simpler, and more secure than legacy VPN protocols.
Whether you need remote access, site-to-site VPN, or a mesh network, WireGuard handles it all with minimal configuration.
Fast. Simple. Modern. Secure.