Build Your Own VPN with WireGuard

March 14, 2026 • Networking • 15 min read

You're on a coffee shop WiFi. The kind with no password. Anyone else on this network can see what you're doing—your emails, your passwords, everything. It's terrifying if you think about it. And you should think about it.

So you use a VPN. Great. Except now you're trusting some company you've never met to route all your traffic through their servers. They're collecting data. They're selling data. They're probably logging everything. You're paying $70/year to be tracked by a different company.

Here's an alternative: build your own VPN. It costs nothing but time. You control it completely. Nobody's selling your data because there's nobody else involved. It's just you and your server.

This guide is about WireGuard. It's the VPN protocol I use. It's fast, simple, and modern. It's built into Linux. It's what the cool kids use.

What We'll Cover

Why WireGuard?

WireGuard is a VPN protocol—it's the method your computer uses to create an encrypted tunnel to another computer. Here's why it's better than what most people use:

Compare this to the big VPN companies pushing their apps on YouTube. They use OpenVPN or their own protocols. They're collecting data. They're logging. They cost $70+/year.

WireGuard is the VPN equivalent of self-hosting your email. It's the right thing to do.

How WireGuard Works

Before we set it up, let's talk about how this actually works. You don't need to understand the cryptography, but understanding the architecture helps when things don't work.

WireGuard connects devices. One device is the server—this is the computer that stays online, probably at your house or on a VPS. The other devices are clients—your laptop, phone, tablet.

When you connect, your client creates an encrypted tunnel to the server. All your internet traffic goes through this tunnel to the server, then out to the internet. To the websites you visit, it looks like the server is making the request—not you.

This gives you two things:

  1. Privacy on public WiFi – Everyone on the coffee shop network can only see encrypted WireGuard traffic going to your server. They can't see what you're doing.
  2. Access to your home network – You can reach your home computers, NAS, smart home devices—anything on your home network—from anywhere.

Two scenarios: If your server is at home and you're away, your traffic goes through your home connection (slower, but you get home network access). If your server is a VPS somewhere else, you're just routing your traffic through that server (faster, but no home network access).

Setting Up the Server

We'll set up a WireGuard server on your Linux machine. This could be:

For this guide, I'll assume it's a Debian/Ubuntu machine. If you're on something else, the package manager commands differ, but the config is the same.

Install WireGuard

sudo apt update
sudo apt install wireguard

That's it. WireGuard is installed. See? Simple.

Generate Keys

WireGuard uses cryptographic keys. You need a private key (keep secret) and a public key (share with clients). Generate them:

wg genkey | tee privatekey | wg pubkey > publickey

This creates two files: privatekey (your server's secret) and publickey (your server's public key). Keep privatekey safe—anyone who has it can impersonate your server.

Configure the Server

sudo nano /etc/wireguard/wg0.conf

Paste in this configuration (I'll explain below):

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <YOUR-SERVER-PRIVATE-KEY>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Client 1 (your laptop)
[Peer]
PublicKey = <CLIENT-PUBLIC-KEY>
AllowedIPs = 10.0.0.2/32

Let's break this down:

Important: Replace <YOUR-SERVER-PRIVATE-KEY> with the actual key from your privatekey file. I'll show you how to add clients shortly.

Start WireGuard

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

The first command brings up the VPN. The second enables the wg-quick@wg0 systemd unit so it starts automatically on boot (wg-quick has no enable subcommand of its own).

Check if it's running:

sudo wg

You should see your interface listed. It's alive.

Firewall Rules

If you have UFW (you should), you need to allow the WireGuard port:

sudo ufw allow 51820/udp

If your server is behind a router (like at home), you'll also need to forward port 51820/UDP to your server's local IP. That's router-specific—check your router's documentation for port forwarding.

Connecting a Client

Now we need to set up a client. This could be your laptop, phone, or another computer. Let's start with a Linux client, then I'll mention options for other devices.

Install on Client

sudo apt install wireguard

Generate Client Keys

wg genkey | tee client-privatekey | wg pubkey > client-publickey

Save these keys somewhere safe. You'll need the public key on the server and the private key on this client.

Configure the Client

sudo nano /etc/wireguard/wg0.conf

[Interface]
Address = 10.0.0.2/24
PrivateKey = <CLIENT-PRIVATE-KEY>
DNS = 1.1.1.1

[Peer]
PublicKey = <SERVER-PUBLIC-KEY>
Endpoint = your-server-ip-or-domain:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Replace the keys with your actual keys. For the endpoint, put your server's IP address or domain name.

AllowedIPs explained: 0.0.0.0/0 means "route everything through the VPN." This is what you want when you're on public WiFi. If you only want to access your home network, you'd change this to something like 10.0.0.0/24.

Connect

sudo wg-quick up wg0

Now test it:

curl ipinfo.io

It should show your server's IP address, not your client's. You're now routing all your traffic through your VPN.

Before you continue: You need to add this client's public key to the server's config! See below.

Add Client to Server

The server doesn't know about this client yet. On the server, run:

sudo wg set wg0 peer <CLIENT-PUBLIC-KEY> allowed-ips 10.0.0.2/32

Replace with the actual public key from your client. This makes the server accept connections from this client.

To make this permanent (so it survives server restarts), add the client to the server's config file:

sudo nano /etc/wireguard/wg0.conf

Add this as a new [Peer] section after the existing one (one [Peer] block per client):

# Client laptop
[Peer]
PublicKey = <CLIENT-PUBLIC-KEY>
AllowedIPs = 10.0.0.2/32

Non-Linux Clients

If you want to connect from Windows, macOS, iOS, or Android, WireGuard has official apps for all of them:

These apps can import a config by scanning a QR code. On your Linux client, first dump the active config as text to check the keys are in place (wg showconf prints the config, not a QR code):

sudo wg showconf wg0

Or use the qrencode package to generate a scannable QR code:

sudo apt install qrencode
qrencode -t ansiutf8 < /etc/wireguard/wg0.conf

Scan this with your phone's WireGuard app and it'll import the config automatically.
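Enrolling a device the way the post describes (fresh keypair, its own AllowedIPs, a [Peer] block on the server, a QR code for the phone app) is worth scripting; this is an added example, not the post's or the WireGuard project's code. It runs on the server, assumes the post's 10.0.0.0/24 layout and config path, and takes the public endpoint from an ENDPOINT variable; it deliberately does not reuse the laptop's wg0.conf for the phone, because two devices sharing one key and address means WireGuard will only ever route to one of them.

```shell
#!/bin/sh
# add-client.sh (added example, not from the post): enrol a new device with
# its OWN keypair and its OWN tunnel address, then print a QR code for the
# phone app. Assumptions: server config in $SERVER_CONF, tunnel subnet
# 10.0.0.0/24 with the server at .1, public endpoint in $ENDPOINT, run as root.
set -eu
SERVER_CONF="${SERVER_CONF:-/etc/wireguard/wg0.conf}"
ENDPOINT="${ENDPOINT:-your-server-ip-or-domain:51820}"

# Lowest unused host number in 10.0.0.0/24, read from a server config on stdin.
# Each AllowedIPs entry belongs to exactly one peer, so never hand one out twice.
next_free_host() {
    awk '/^[[:space:]]*(Address|AllowedIPs)[[:space:]]*=/ {
             sub(/^[^=]*=[[:space:]]*/, "")
             n = split($0, ips, /[[:space:]]*,[[:space:]]*/)
             for (i = 1; i <= n; i++)
                 if (ips[i] ~ /^10\.0\.0\.[0-9]+/) used[substr(ips[i], 8) + 0] = 1
         }
         END { for (h = 2; h < 255; h++) if (!(h in used)) { print h; exit }; exit 1 }'
}

# [Peer] block the server needs (stdout): $1 name, $2 client pubkey, $3 host.
server_peer_block() {
    printf '\n# Client %s\n[Peer]\nPublicKey = %s\nAllowedIPs = 10.0.0.%s/32\n' "$1" "$2" "$3"
}

# Full client config (stdout): $1 client privkey, $2 server pubkey, $3 host.
client_conf() {
    printf '[Interface]\nAddress = 10.0.0.%s/24\nPrivateKey = %s\nDNS = 1.1.1.1\n\n' "$3" "$1"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n' \
        "$2" "$ENDPOINT"
}

main() {   # usage: sudo ./add-client.sh phone
    host=$(next_free_host < "$SERVER_CONF")
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    # Derive the server's public key from the private key already in its config.
    server_pub=$(sed -n 's/^PrivateKey *= *//p' "$SERVER_CONF" | head -n1 | wg pubkey)
    umask 077                                      # the client file holds a private key
    client_conf "$priv" "$server_pub" "$host" > "$1.conf"
    server_peer_block "$1" "$pub" "$host" >> "$SERVER_CONF"
    wg set wg0 peer "$pub" allowed-ips "10.0.0.$host/32"   # live now; file covers reboots
    qrencode -t ansiutf8 < "$1.conf"
}

if [ "${1:-}" != "" ]; then main "$1"; fi
```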

Practical Use Cases

Here's why you'd actually use this in real life:

1. Secure Public WiFi

You're at a coffee shop, airport, hotel. Connect your phone/laptop to your WireGuard VPN first. Then do your banking, check your email, whatever. Your traffic is encrypted between your device and your server. Nobody on that network can see anything except encrypted packets headed to your server.

2. Access Your Home Computers

You're traveling and need a file from your home server. Connect to your WireGuard VPN. Now you're on your home network. You can SSH into your Pi, access your NAS, whatever you could do if you were sitting at home.

3. Bypass Geographic Restrictions

Your VPS is in Germany. Connect to your WireGuard VPN. Now Netflix thinks you're in Germany. (Note: this may violate Netflix's terms of service. I'm not telling you to do this. Just saying it's possible.)

4. Tunnel Through Your VPS

You can use your VPS as the VPN server and route all your traffic through it. This is what commercial VPNs do—but you're the company now. You know your server isn't logging your traffic. You're the one in control.

Persistent Configuration

WireGuard is designed to stay connected. Here's how to make it bulletproof:

On the server:

sudo systemctl enable wg-quick@wg0

This makes WireGuard start automatically when the server boots.

On clients:

sudo systemctl enable wg-quick@wg0

Same thing. The VPN will reconnect automatically if the connection drops.

PersistentKeepalive

Add PersistentKeepalive = 25 to your client's [Peer] section. This sends a packet every 25 seconds to keep NAT/firewall mappings alive. Without this, some connections might drop after inactivity.

Troubleshooting

Things go wrong. Here's how to debug:

Check if WireGuard is running

sudo wg

This shows all interfaces, peers, and transfer stats.

Check the logs

journalctl -u wg-quick@wg0 -f

This shows what's happening in real-time. Look for error messages.

Can I reach the server?

If nothing works, first check basic connectivity:

ping 10.0.0.1

If this fails, the VPN isn't coming up properly. Check your config file for typos. Keys must be correct.

Is the port open?

sudo ss -ulnp | grep 51820

This shows if WireGuard is listening on the right port. If nothing shows, it's not running.

Can the client reach the server?

From the client, test if the server's IP is reachable:

ping your-server-ip

If this fails but you can SSH to the server normally, there's a firewall issue. Check both the server's firewall and any router port forwarding.
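When the tunnel won't come up, most typos live in the config file, so here is a small audit to run before staring at logs (an added example, not from the post; plain POSIX sh and awk, reads the file on stdin). It flags a placeholder left in a key field, a key of the wrong length, and two peers claiming the same AllowedIPs, which WireGuard resolves by silently handing the address to the later peer.

```shell
# audit-wg-conf.sh (added example, not from the post): read a WireGuard config
# on stdin and print one line per problem that would make the tunnel fail or
# misroute. Exit status 1 if anything was flagged. Usage:
#   sudo sh audit-wg-conf.sh < /etc/wireguard/wg0.conf
audit_conf() {
    awk '
        function warn(msg) { print "WARN: " msg; bad = 1 }
        /^[[:space:]]*\[Interface\]/ { section = "iface"; next }
        /^[[:space:]]*\[Peer\]/      { section = "peer"; peers++; next }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            key = $0; sub(/[[:space:]]*=.*/, "", key); sub(/^[[:space:]]*/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]*$/, "", val)
            if (val ~ /^<.*>$/)            # template placeholder never replaced
                warn(key " still holds the placeholder " val)
            else if (key ~ /^(PrivateKey|PublicKey)$/ && length(val) != 44)
                warn(key " is not a 44-character base64 Curve25519 key")
            if (section == "peer" && key == "PublicKey") {
                if (val in seen) warn("PublicKey " val " appears in more than one [Peer]")
                seen[val] = 1
            }
            if (section == "peer" && key == "AllowedIPs") {
                # WireGuard routes each AllowedIP to exactly one peer; a
                # duplicate quietly takes the address away from the earlier peer.
                n = split(val, ips, /[[:space:]]*,[[:space:]]*/)
                for (i = 1; i <= n; i++)
                    if (ips[i] in owner)
                        warn("AllowedIPs " ips[i] " claimed by peers " owner[ips[i]] " and " peers)
                    else
                        owner[ips[i]] = peers
            }
            if (section == "iface" && key == "ListenPort") port = val
        }
        END {
            if (peers == 0) warn("no [Peer] section: nothing can connect")
            if (port == "") print "NOTE: no ListenPort; fine for a client, but a server then picks a random port and your port forward will miss it"
            exit bad + 0
        }'
}
```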

That's It

You now have your own VPN. It cost you nothing but time. There's no subscription. No company tracking you. Just an encrypted tunnel between your devices and your server.

Add more clients by generating new keypairs and adding them to the server config. Your family, your friends—whoever you trust. This is what the internet should have been.

WireGuard makes privacy accessible. It's not just for paranoids or geeks anymore. It's simple enough for anyone who can follow a tutorial. You just did.

Go forth and encrypt.

The revolution will not be proprietary.
