WireGuard is what every other VPN protocol wishes it was. Smaller codebase than OpenVPN by an order of magnitude, faster throughput, lower CPU overhead, and a config so simple you can read the entire spec in an afternoon. This guide sets up a personal WireGuard server on your own VPS, with client configs for your phone and laptop, in about fifteen minutes. No commercial VPN subscription, no shared IPs with random strangers, no logs you have to take a company's word about.
Prerequisites: Ubuntu 22.04 or 24.04 VPS with KVM virtualization (WireGuard usually doesn't work on OpenVZ — kernel module missing), sudo access, and a public IP. Ideally a region close to where you actually are. All OliveVPS locations support WireGuard.
Step 1: Install WireGuard
sudo apt update
sudo apt install -y wireguard wireguard-tools
That's the entire install. WireGuard's kernel module has been built into mainline Linux since 5.6, so on any modern kernel there's nothing else to load.
Step 2: Generate server keys
WireGuard uses public/private key pairs (no certificates, no PKI, no passwords). Generate the server's keys:
sudo sh -c 'umask 077; cd /etc/wireguard && wg genkey | tee server_private.key | wg pubkey | tee server_public.key'
umask is a shell builtin, so it has to run inside the same root shell that creates the files. The umask 077 ensures the private key is only readable by root. View the keys:
sudo cat /etc/wireguard/server_private.key
sudo cat /etc/wireguard/server_public.key
Copy the private key — you'll paste it into the server config in the next step. The public key gets shared with clients.
Step 3: Configure the server
Find your VPS's primary network interface name:
ip route | grep default
It'll usually be eth0, ens3, or similar. Note it down — you'll use it in the config below.
Create the server config:
sudo nano /etc/wireguard/wg0.conf
Paste (replacing SERVER_PRIVATE_KEY and eth0 with your actual values):
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = false
What this does:
- Address 10.0.0.1/24: the VPN's internal subnet. The server is .1; clients will be .2, .3, .4, etc.
- ListenPort 51820: WireGuard's standard port (UDP).
- PostUp: when the VPN starts, configures NAT so client traffic gets routed out the VPS's public interface (eth0).
- PostDown: reverses those rules when the VPN stops.
Step 4: Enable IP forwarding and start the service
For the server to route client traffic, the kernel needs IP forwarding turned on. Edit /etc/sysctl.conf:
sudo nano /etc/sysctl.conf
Uncomment or add:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Apply immediately:
sudo sysctl -p
Start WireGuard:
sudo systemctl enable --now wg-quick@wg0
Check status:
sudo wg show
You should see the interface up with the public key listed.
Step 5: Open the firewall
Allow UDP traffic on port 51820:
sudo ufw allow 51820/udp
sudo ufw reload
Step 6: Generate a client config
For each device (phone, laptop, etc.) you want to connect, generate a separate keypair and config. Let's do one for your laptop:
sudo sh -c 'umask 077; cd /etc/wireguard && wg genkey | tee laptop_private.key | wg pubkey | tee laptop_public.key'
Add the laptop as a peer to the server config. Edit /etc/wireguard/wg0.conf and append at the bottom:
[Peer]
# Laptop
PublicKey = LAPTOP_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
Reload WireGuard so the server picks up the new peer:
sudo systemctl restart wg-quick@wg0
Now create the laptop's client config. Save this as laptop.conf on your laptop (replace placeholders with real values):
[Interface]
PrivateKey = LAPTOP_PRIVATE_KEY
Address = 10.0.0.2/32
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_VPS_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Notable choices:
- AllowedIPs = 0.0.0.0/0, ::/0: route all traffic through the VPN. For split-tunnel (only some traffic via VPN), use specific subnets here.
- DNS: Cloudflare's resolver. Pick whatever DNS you want; once connected, your DNS lookups go to it through the tunnel.
- PersistentKeepalive = 25: sends a keepalive every 25 seconds, which prevents NAT timeouts on tricky networks (mobile, hotel wifi).
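Step 6 as a reusable script, added here as an example and not part of the original guide: it goes beyond the single laptop by picking the next unused 10.0.0.X address from the server config and rendering both the server [Peer] block and the client config. The function names and the sample config are assumptions of this example; add_client needs root and the wg tool.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): add one more device to the wg0.conf above.
# Function names are illustrative; subnet, port, DNS and AllowedIPs follow the guide.

# Lowest unused 10.0.0.X (X = 2..254) for the server config on stdin.
# An address counts as used if it appears on any AllowedIPs line; .1 is the server.
next_free_ip() {
  awk -F'[=,/ \t]+' '
    /^[ \t]*AllowedIPs[ \t]*=/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^10\.0\.0\.[0-9]+$/) { split($i, o, "."); used[o[4] + 0] = 1 }
    }
    END {
      for (h = 2; h <= 254; h++) if (!(h in used)) { print "10.0.0." h; exit 0 }
      exit 1  # subnet exhausted
    }'
}

# [Peer] block for the server. Args: label, client public key, client address.
server_peer_block() {
  printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# Client config. Args: client private key, client address, server public key, VPS IP.
client_config() {
  printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\nDNS = 1.1.1.1, 1.0.0.1\n\n' "$1" "$2"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s:51820\n' "$3" "$4"
  printf 'AllowedIPs = 0.0.0.0/0, ::/0\nPersistentKeepalive = 25\n'
}

# Constructed sample server config: .2 and .4 are taken, .3 is free again.
sample_conf() {
  printf '%s\n' '[Interface]' 'Address = 10.0.0.1/24' 'ListenPort = 51820' \
    '[Peer]' 'PublicKey = LAPTOP_PUBLIC_KEY' 'AllowedIPs = 10.0.0.2/32' \
    '[Peer]' 'PublicKey = TABLET_PUBLIC_KEY' 'AllowedIPs = 10.0.0.4/32, fd00::4/128'
}

# Run as root on the server, e.g.: add_client phone YOUR_VPS_IP
add_client() {
  local label="$1" endpoint="$2" dir=/etc/wireguard priv pub ip
  case "$label" in ''|*[!A-Za-z0-9_-]*) echo "bad label" >&2; return 1 ;; esac
  ip=$(next_free_ip < "$dir/wg0.conf") || { echo "10.0.0.0/24 is full" >&2; return 1; }
  priv=$(wg genkey) && pub=$(printf '%s\n' "$priv" | wg pubkey) || return 1
  ( umask 077   # keep the file that holds the private key root-only
    client_config "$priv" "$ip" "$(cat "$dir/server_public.key")" "$endpoint" \
      > "$dir/$label.conf" ) || return 1
  server_peer_block "$label" "$pub" "$ip" >> "$dir/wg0.conf"
  echo "wrote $dir/$label.conf; apply with: systemctl restart wg-quick@wg0"
}
```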
Step 7: Connect from your devices
On Linux laptop
Copy laptop.conf to /etc/wireguard/wg0.conf on the laptop and run:
sudo wg-quick up wg0
To disconnect: sudo wg-quick down wg0. Or use the NetworkManager GUI if you prefer clicks.
On macOS / Windows
Install the official WireGuard app, click "Import tunnel from file," select your laptop.conf, and toggle the connection on.
On iOS / Android
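Install the WireGuard app from your platform's store. Tap "+", choose "Create from QR code." On the server, create a phone.conf the same way as laptop.conf in Step 6 (its own keypair, its own address, its own [Peer] block), then generate a QR code from it: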
sudo apt install -y qrencode
qrencode -t ansiutf8 < phone.conf
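Scan the QR code from your phone's WireGuard app, give it a name, and toggle on. The QR code encodes the whole config, private key included, so clear the terminal once the phone has scanned it.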
Once connected, visit https://ifconfig.me from the device — you should see your VPS's IP, not your local IP. The VPN is working.
Bonus: kill-switch, multiple clients, IPv6
Kill-switch (Linux/macOS)
Add this to your client config under [Interface]:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
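This blocks all non-VPN traffic when the tunnel is up. If WireGuard drops, your device can't accidentally leak traffic via the regular network. The rules need iptables on the client, and iptables only filters IPv4; if the device also has IPv6 connectivity, add the same pair of rules with ip6tables.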
Multiple clients
Repeat step 6 for each device. Each gets its own keypair, its own 10.0.0.X address (.2, .3, .4, ...), and its own [Peer] block on the server. Don't reuse keys across devices — if one is compromised, you can revoke it without affecting the others.
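A check for the one-keypair, one-address-per-device rule, added here as an example (not the guide's own code): it reads a server wg0.conf and reports reused public keys, placeholder keys left in, addresses assigned to more than one peer, and peer AllowedIPs wider than a single host. The function names and the sample config are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): audit a server wg0.conf against the
# one-keypair, one-address-per-device rule. Function names are illustrative.

# Reads the config on stdin, prints one finding per line, returns 1 if any.
# Usage on the server: sudo cat /etc/wireguard/wg0.conf | audit_peers
audit_peers() {
  awk '
    function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function bad(msg) { print "peer " peer ": " msg; findings++ }
    /^[ \t]*\[Peer\]/ { peer++ }
    peer && /^[ \t]*PublicKey[ \t]*=/ {
      k = val($0)   # WireGuard keys are 32 bytes, i.e. 44 base64 characters
      if (length(k) != 44) bad("PublicKey is not a 44-character key (placeholder left in?)")
      else if (k in keys) bad("PublicKey already used by peer " keys[k])
      else keys[k] = peer
    }
    peer && /^[ \t]*AllowedIPs[ \t]*=/ {
      n = split(val($0), ip, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        # WireGuard keeps an address on one peer only, so a duplicate silently
        # takes it away from the device that had it.
        if (ip[i] in addrs) bad(ip[i] " is also assigned to peer " addrs[ip[i]])
        else addrs[ip[i]] = peer
        if (ip[i] ~ /^[0-9.]+\/[0-9]+$/ && ip[i] !~ /\/32$/) bad(ip[i] " is wider than one host (/32)")
      }
    }
    END { exit (findings > 0) }'
}

# Constructed sample: the phone reuses the laptop key and address, the tablet
# still has a placeholder key and a whole-subnet AllowedIPs. Keys are dummies.
sample_bad_conf() {
  k=$(printf '%043d=' 0)   # 44 characters, shaped like a key but not a real one
  printf '%s\n' '[Interface]' 'Address = 10.0.0.1/24' \
    '[Peer]' '# Laptop' "PublicKey = $k" 'AllowedIPs = 10.0.0.2/32' \
    '[Peer]' '# Phone'  "PublicKey = $k" 'AllowedIPs = 10.0.0.2/32' \
    '[Peer]' '# Tablet' 'PublicKey = TABLET_PUBLIC_KEY' 'AllowedIPs = 10.0.0.0/24'
}
```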
IPv6
If your VPS has IPv6 (every OliveVPS plan includes a /64 IPv6 block), add to the [Interface] section of wg0.conf:
Address = 10.0.0.1/24, fd00::1/64
And client configs:
Address = 10.0.0.2/32, fd00::2/128
Now your VPN tunnel carries IPv6 too.
Troubleshooting
Tunnel comes up but no internet through it
Almost always IP forwarding wasn't enabled, or NAT rules weren't applied. Verify:
sysctl net.ipv4.ip_forward # should be 1
sudo iptables -t nat -L -n -v | grep MASQUERADE
"Resource temporarily unavailable"
The kernel module isn't loaded. This usually means you're on OpenVZ, where the module is missing. Check the virtualization type with systemd-detect-virt.
Handshake successful but traffic doesn't flow
Usually an MTU issue. Some networks (mobile, certain ISPs) need a smaller MTU. Add MTU = 1280 under [Interface] on the client.
Connection works at home but not on mobile data
NAT timeout from the carrier. Make sure PersistentKeepalive = 25 is in the client config under the [Peer] block.
FAQ
Is self-hosted WireGuard better than commercial VPNs?
Different trade-offs. Commercial VPNs (Mullvad, Proton, NordVPN) give you shared IPs with thousands of others — privacy through anonymity. Self-hosted WireGuard gives you a clean, dedicated IP with full control — privacy through ownership. For privacy-focused use cases (avoiding tracking, encrypting on hostile networks), commercial VPN is often better. For "I want to access my VPS securely" or "I want a stable, fast personal VPN endpoint" — self-hosted wins.
Will WireGuard slow down my internet?
Slightly, depending on the VPS bandwidth and how far it is from you. Typical loss is 5-15% throughput compared to direct. Latency increases by your round-trip-time to the VPS — pick a region near you for minimum impact. WireGuard's overhead is far lower than OpenVPN.
How many devices can connect simultaneously?
WireGuard scales to hundreds of peers per server with negligible overhead. The bottleneck is your VPS's bandwidth and CPU, not WireGuard itself. A 1GB plan handles dozens of active clients comfortably.
Does WireGuard log my traffic?
WireGuard the protocol doesn't log anything. The Linux kernel may have generic networking logs (interface stats, packet counters) but no per-connection traffic logs. Whether anything else on the VPS logs traffic is up to you — by default, no.
Can I run WireGuard alongside other services on the same VPS?
Easily. WireGuard is lightweight (a few MB of RAM, near-zero CPU when idle) and doesn't conflict with web servers, databases, or other services. Most self-hosters run WireGuard alongside everything else on a single VPS.