Set up WireGuard on Linux

Practical Linux guide: set up WireGuard on Linux without the usual guesswork.

14 min read Intermediate Updated 9 Jun 2026

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

What you will achieve

A WireGuard tunnel on Linux using wg-quick — fast, modern VPN for site-to-site or road-warrior access to your homelab.

1) Install WireGuard

sudo apt install wireguard
# Fedora: sudo dnf install wireguard-tools

2) Generate keys

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

3) Client config

# /etc/wireguard/wg0.conf (client)
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.8.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = vpn.example.com:51820
# split tunnel: only the tunnel subnet and the home LAN go through wg0
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25

4) Bring interface up

sudo systemctl enable --now wg-quick@wg0
sudo wg show

Verify

# on the client: the server's tunnel address must answer
ping -c3 10.8.0.1
# on the server: wg0 must be listening on the port named in the client's Endpoint
sudo ss -ulnp | grep 51820

5) Server-side peer config

# Server /etc/wireguard/wg0.conf excerpt
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.8.0.2/32

On the server, AllowedIPs is the cryptokey routing table, not a route advertisement: the server accepts packets from this peer only if their source is 10.8.0.2, and sends packets for 10.8.0.2 only to this peer. Keep it a /32 per client. The server's own [Interface] section needs Address = 10.8.0.1/24 and ListenPort = 51820, the port named in the client's Endpoint; without ListenPort the kernel picks a random port and the client never reaches it.

Forwarding between wg0 and the LAN is off by default. Enable it and let the firewall pass the forwarded traffic (eth0 stands for the server's LAN interface; check the real name with ip -br link):

sudo sysctl -w net.ipv4.ip_forward=1
sudo ufw route allow in on wg0 out on eth0

sysctl -w does not survive a reboot: put net.ipv4.ip_forward = 1 in a file under /etc/sysctl.d/ as well.

6) Multiple peers

Each client gets its own key pair and its own /32 on the server (10.8.0.3/32 for the next one, and so on). Do not copy one client config to a second device: with the same public key the server sees a single peer whose endpoint flips to whichever device handshook last, and with the same address under two keys the entry added last silently owns the route. Either way one device drops off with nothing in the logs.
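Steps 2, 3, 5 and 6 are the same ritual for every new device, and the mistakes listed above (reused keys, duplicate /32s) come from doing it by hand. The script below is an added example for this guide, not part of wireguard-tools: it picks the lowest unused /32 from the server config, generates a fresh key pair and preshared key, appends the [Peer] block, loads it into the running interface with wg-quick strip and wg syncconf (both real wireguard-tools commands, so existing sessions are not dropped), and writes the split-tunnel client file from step 3. It assumes the guide's placeholders: /etc/wireguard/wg0.conf, the 10.8.0.0/24 tunnel with the server at 10.8.0.1, and vpn.example.com:51820 as the endpoint. The address picker and the two renderers run without WireGuard installed; add_peer needs root and wireguard-tools.

```shell
#!/bin/sh
# add-peer.sh: provision one new road-warrior client on the hub.
# Added example for this guide; it is not part of wireguard-tools.
# Assumptions (all placeholders from the guide): the server config is
# /etc/wireguard/wg0.conf, the tunnel is 10.8.0.0/24 with the server at
# 10.8.0.1, and clients reach the server at vpn.example.com:51820.

WG_IFACE="${WG_IFACE:-wg0}"
WG_CONF="${WG_CONF:-/etc/wireguard/${WG_IFACE}.conf}"
TUNNEL_PREFIX="10.8.0"
SERVER_ENDPOINT="vpn.example.com:51820"

# Print the lowest free host address in TUNNEL_PREFIX.0/24. "Free" means no
# AllowedIPs line in the server config already claims it as a /32; .1 is the
# server itself, so allocation starts at .2.
next_free_ip() {
    used=$(awk -v p="${TUNNEL_PREFIX}." '
        /^[[:space:]]*AllowedIPs[[:space:]]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, a, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", a[i])
                if (index(a[i], p) == 1 && a[i] ~ /\/32$/) {
                    host = substr(a[i], length(p) + 1)
                    sub(/\/32$/, "", host)
                    print host
                }
            }
        }' "$1" | sort -n | uniq)
    n=2
    while [ "$n" -lt 255 ]; do
        if ! printf '%s\n' "$used" | grep -qx "$n"; then
            printf '%s.%s\n' "$TUNNEL_PREFIX" "$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "no free address left in ${TUNNEL_PREFIX}.0/24" >&2
    return 1
}

# [Peer] block for the server config: one /32 per client, never wider.
render_server_peer() {  # name client_pubkey client_ip [psk]
    printf '\n[Peer]\n# %s\nPublicKey = %s\n' "$1" "$2"
    [ -n "${4:-}" ] && printf 'PresharedKey = %s\n' "$4"
    printf 'AllowedIPs = %s/32\n' "$3"
}

# Complete split-tunnel client config, matching step 3 of the guide.
render_client_conf() {  # client_privkey client_ip server_pubkey [psk]
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\nDNS = 1.1.1.1\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\n' "$3"
    [ -n "${4:-}" ] && printf 'PresharedKey = %s\n' "$4"
    printf 'Endpoint = %s\nAllowedIPs = 10.8.0.0/24, 192.168.1.0/24\nPersistentKeepalive = 25\n' \
        "$SERVER_ENDPOINT"
}

# End-to-end: keys, address, live server update, client file. Root + wg tools.
add_peer() {  # client name, e.g. laptop
    ip=$(next_free_ip "$WG_CONF") || return 1
    umask 077                                  # keys and configs are secrets
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
    psk=$(wg genpsk)                           # optional extra symmetric secret
    render_server_peer "$1" "$pub" "$ip" "$psk" >> "$WG_CONF"
    # Load the new peer without restarting wg0 (existing sessions survive).
    # wg-quick strip removes the wg-quick-only keys that wg syncconf rejects.
    stripped=$(mktemp)
    wg-quick strip "$WG_IFACE" > "$stripped"
    wg syncconf "$WG_IFACE" "$stripped"
    rm -f "$stripped"
    render_client_conf "$priv" "$ip" "$(wg show "$WG_IFACE" public-key)" "$psk" > "$1.conf"
    echo "wrote $1.conf (tunnel address $ip); copy it to the device, then delete it here"
}

case "${1:-}" in
    add) add_peer "$2" ;;
esac
```

Run it on the hub as sudo ./add-peer.sh add laptop. The preshared key is optional in WireGuard but costs nothing here; it is generated per peer, so a leaked laptop.conf only exposes that one tunnel.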

7) Debugging handshake

sudo wg show wg0 latest-handshakes
sudo tcpdump -i eth0 udp port 51820

No handshake at all: check, in this order, that the Endpoint resolves and is reachable, that the router forwards UDP 51820 to the server, that the server firewall accepts UDP 51820 inbound, and that the client's public key is already in the server config. The tcpdump line tells the cases apart: no packets at all means a network or firewall problem; initiations arriving with no reply means the server does not know the key (or the keys are swapped), which WireGuard drops silently without logging.

Compared to OpenVPN

WireGuard is leaner and faster on mobile CPUs. OpenVPN still wins when you need legacy corporate auth (LDAP, MFA portals) without building custom solutions.

8) Roaming clients

PersistentKeepalive = 25 sends an empty packet every 25 seconds so the NAT mapping on the client's router or carrier stays open. Without it, road-warrior clients lose the tunnel silently once the carrier NAT entry times out, and the server cannot reach them until they send something themselves. Set it on the client (the side behind NAT), not on the server's peer entries, which have no reliable endpoint until the client speaks first.
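The "silently" in the handshake section and in the roaming section is the operational problem: nothing on the hub says a spoke is gone. The script below is an added example for this guide, not part of wireguard-tools. It parses the tab-separated output of wg show wg0 dump (line 1: private key, public key, listen port, fwmark; every further line: public key, preshared key, endpoint, allowed IPs, latest handshake as epoch seconds with 0 meaning never, rx bytes, tx bytes, keepalive) and lists peers whose last handshake is older than a threshold. WireGuard rekeys after 120 seconds and refuses a session older than 180 seconds, so with PersistentKeepalive = 25 a peer that is expected online but has no handshake in the last 180 seconds has fallen off: NAT mapping expired, endpoint changed, or a key rotated on one side only. The sample dump in the test is constructed; on a real hub the check_iface function runs against the live interface.

```shell
#!/bin/sh
# wg-stale.sh: find peers that have stopped handshaking. Added example for
# this guide, not part of wireguard-tools. Reads `wg show <iface> dump`:
# line 1 is the interface, each further line one peer, tab-separated:
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake
# (epoch seconds, 0 = never), rx bytes, tx bytes, persistent-keepalive.
#
# 180 s is WireGuard's reject-after time: a session older than that is not
# used for traffic, so a keepalive peer past it is effectively down.

# stale_peers DUMP_FILE NOW_EPOCH MAX_AGE -> one line per stale peer:
# public-key, allowed-ips, last endpoint, age in seconds or "never".
stale_peers() {
    awk -F'\t' -v now="$2" -v max="$3" '
        NR == 1 { next }                    # interface line, not a peer
        {
            hs = $5 + 0
            if (hs == 0) {
                age = "never"               # peer configured, never connected
            } else {
                age = now - hs
                if (age <= max) next        # fresh session, nothing to report
            }
            printf "%s\t%s\t%s\t%s\n", $1, $4, $3, age
        }' "$1"
}

# Live use on the hub: sudo ./wg-stale.sh wg0
check_iface() {
    dump=$(mktemp)
    wg show "$1" dump > "$dump"
    stale_peers "$dump" "$(date +%s)" 180
    rm -f "$dump"
}

if [ $# -gt 0 ]; then
    check_iface "$1"
fi
```

The last endpoint column is the useful bit when debugging: a spoke that was last seen from a carrier address and then went quiet is a NAT timeout or a client without keepalive; a spoke that shows (none) never handshook at all, so look at keys and firewall before anything else. Run it from cron on the hub and alert on non-empty output for the peers that should always be up.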

Prerequisites

Server endpoint hostname/IP, UDP 51820 reachable, key pair generated, IP plan for tunnel subnet (e.g. 10.8.0.0/24). Server peer config must include client public key before client can handshake.

Firewall on client

Outbound UDP to the server's port must be allowed. Networks that block UDP (some corporate, hotel and campus networks) break WireGuard outright, because it has no TCP transport of its own, whereas OpenVPN over TCP 443 might still get through. Know your network before choosing the protocol.

PostUp iptables MASQUERADE

PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Required on the server for clients to reach the internet through the tunnel, and for LAN hosts that have no return route to 10.8.0.0/24 (without NAT, a NAS on 192.168.1.0/24 sends its replies to a 10.8.0.2 source via its default gateway, not via the WireGuard server). Replace eth0 with the server's actual uplink interface, and keep the ufw route rule from step 5: MASQUERADE only rewrites addresses and does not permit forwarding. Internet access also needs the client to send that traffic into the tunnel, so the client's AllowedIPs becomes 0.0.0.0/0 instead of the split-tunnel list from step 3.

Hub and spoke topology

Homelab hub runs the WireGuard server; spokes are phones and laptops with persistent keepalive. Each spoke's AllowedIPs on the server is a /32; on the spoke, AllowedIPs carries the home LAN subnet (192.168.1.0/24 in step 3) so it can reach the NAS. Spokes only see each other because the hub forwards between them and each spoke also lists the tunnel subnet (10.8.0.0/24 in step 3) in its AllowedIPs.

Rotate keys annually: generate new keys, add a parallel peer entry, migrate clients, then remove the old peer. Running both entries side by side avoids simultaneous downtime if you botch one device.

DNS leak on full tunnel

The DNS = line makes wg-quick hand the resolver to resolvconf, which needs openresolv or the resolvconf shim shipped with systemd-resolved; when neither is present wg-quick aborts with "resolvconf: command not found". On a systemd-resolved host you can instead use PostUp = resolvectl dns wg0 1.1.1.1 together with PostUp = resolvectl domain wg0 '~.' so that wg0 becomes the default route for all queries; without one of these, queries leak to the ISP resolver while the traffic itself tunnels. Note that with the split-tunnel config from step 3 the resolver at 1.1.1.1 is reached outside the tunnel anyway; point DNS at 10.8.0.1 or a resolver on the home LAN if lookups are supposed to stay private. Test at dnsleaktest.com after connecting from the laptop.
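Both the MASQUERADE section and this one describe full-tunnel mistakes that produce no error: a missing DNS= line leaks every hostname to the ISP resolver, and AllowedIPs = 0.0.0.0/0 without ::/0 leaves IPv6 traffic on the physical uplink because wg-quick only replaces the default route of the address families it is given. The lint below is an added example for this guide, not part of wireguard-tools; it reads a wg-quick client config and reports those conditions before the laptop goes near hostile Wi-Fi. It assumes a single [Peer] section, as in the guide's client config. The sample configs in the test are constructed.

```shell
#!/bin/sh
# wg-leakcheck.sh: lint a wg-quick client config for full-tunnel leaks.
# Added example for this guide, not part of wireguard-tools. Assumes one
# [Peer] section, as in the guide's client config.

# Print every AllowedIPs entry in the config, one per line, whitespace removed.
allowed_ips() {
    awk '/^[[:space:]]*AllowedIPs[[:space:]]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, a, ",")
            for (i = 1; i <= n; i++) { gsub(/[[:space:]]/, "", a[i]); print a[i] }
        }' "$1"
}

# leak_check CONF: print one finding per line; exit 0 if clean, 1 otherwise.
leak_check() {
    conf="$1"; rc=0; v4_full=0; v6_full=0
    for cidr in $(allowed_ips "$conf"); do
        case "$cidr" in
            0.0.0.0/0) v4_full=1 ;;
            ::/0)      v6_full=1 ;;
        esac
    done
    if [ "$v4_full" -eq 1 ] || [ "$v6_full" -eq 1 ]; then
        # Full tunnel: without a DNS= line wg-quick leaves the ISP resolver in
        # place, so every hostname you visit still leaks even though the
        # packets themselves go through wg0.
        if ! grep -Eq '^[[:space:]]*DNS[[:space:]]*=' "$conf"; then
            echo "DNS leak: full tunnel without a DNS= line in [Interface]"; rc=1
        fi
    fi
    # wg-quick only takes over the default route of the address families
    # listed in AllowedIPs; the other family keeps using the physical uplink.
    if [ "$v4_full" -eq 1 ] && [ "$v6_full" -eq 0 ]; then
        echo "IPv6 bypass: AllowedIPs has 0.0.0.0/0 but not ::/0"; rc=1
    fi
    if [ "$v6_full" -eq 1 ] && [ "$v4_full" -eq 0 ]; then
        echo "IPv4 bypass: AllowedIPs has ::/0 but not 0.0.0.0/0"; rc=1
    fi
    return "$rc"
}

if [ $# -gt 0 ]; then
    leak_check "$1"
fi
```

Run it as sh wg-leakcheck.sh /etc/wireguard/wg0.conf; a non-zero exit makes it usable as a pre-flight check in a deployment script. The split-tunnel config from step 3 passes, since it never claims a default route; the fix for a failing full-tunnel config is AllowedIPs = 0.0.0.0/0, ::/0 plus a DNS= line, and then the dnsleaktest.com check above.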
