MODERN
VPN POWER

// Fast. Simple. Secure. The future of VPNs.

WIREGUARD IS THE VPN REVOLUTION.

Traditional VPNs are bloated, complex, and slow. WireGuard strips away the complexity, using modern cryptography that's actually been reviewed and proven, in under 4,000 lines of code. It's faster, simpler, and more secure than anything else.

TAKE CONTROL OF YOUR NETWORK.

With WireGuard, you own your VPN. No subscription services, no corporate surveillance, no slow servers halfway across the world. Build your own private network that connects your home, office, and devices: all encrypted, all fast.

SIMPLE IS SECURE.

Less code means fewer bugs. Fewer bugs means fewer vulnerabilities. WireGuard's minimal attack surface makes it the smart choice for anyone who takes security seriously.

BEGIN YOUR JOURNEY →

// The Path to VPN Mastery

12 lessons. Complete WireGuard control.

LESSON 01

Introduction to WireGuard

What is WireGuard? Installing WireGuard and understanding the architecture.

Beginner
LESSON 02

Key Generation

Generating key pairs. Public/private key cryptography in WireGuard.

Beginner
LESSON 03

Server Setup

Configuring the WireGuard server. Setting up the server configuration file.

Beginner
LESSON 04

Client Configuration

Configuring WireGuard clients. Windows, macOS, Linux, mobile clients.

Beginner
LESSON 05

Network Routing

Full tunnel vs split tunnel. Routing all traffic through VPN.

Intermediate
LESSON 06

Firewall Configuration

Securing WireGuard with iptables/nftables. NAT and forwarding.

Intermediate
LESSON 07

Multiple Peers

Managing multiple clients. Server with many peers.

Intermediate
LESSON 08

Mobile Configuration

WireGuard on iOS and Android. Mobile client setup.

Intermediate
LESSON 09

Peer-to-Peer Mesh

Mesh VPN configuration. Connecting networks without central server.

Advanced
LESSON 10

Performance Tuning

MTU optimization, persistent keepalive, connection monitoring.

Advanced
LESSON 11

Dynamic IPs & DNS

Handling dynamic public IPs. DDNS configuration for server.

Advanced
LESSON 12

Troubleshooting

Common issues, debugging, wg show, and diagnostic commands.

Advanced

LESSON 01: Introduction to WireGuard

What is WireGuard?

WireGuard is a modern, high-performance VPN protocol designed to be simpler and faster than existing solutions. It uses state-of-the-art cryptography (Curve25519, ChaCha20, Poly1305, BLAKE2) and aims to be "fast, modern, and secure."

⚑ POWER MOVE: WireGuard has been integrated into the Linux kernel (5.6+), making it incredibly fast. It's now the default VPN choice for most Linux distributions.

Why WireGuard?

  • Speed: 3-4x faster than OpenVPN in benchmarks
  • Simplicity: ~4,000 lines of code vs OpenVPN's 600,000+
  • Security: Modern, audited cryptography
  • Cross-platform: Windows, macOS, Linux, iOS, Android
  • Kernel-native: Built into Linux kernel

Installing WireGuard

Linux

# Ubuntu/Debian
sudo apt install wireguard

# Fedora
sudo dnf install wireguard-tools

# Arch
sudo pacman -S wireguard-tools

macOS

# Via Homebrew
brew install wireguard-tools

# Or App Store: WireGuard

Windows

# Download from https://www.wireguard.com/install/

How WireGuard Works

WireGuard uses a simple concept:

  1. Each peer has a private key and shares their public key
  2. Configuration defines which peers can connect
  3. All traffic is encrypted with Curve25519
  4. Handshake happens in milliseconds

LESSON 02: Key Generation

Generating Keys

WireGuard uses Curve25519 for key exchange. Each peer needs a key pair:

# Generate private key
wg genkey > privatekey

# Generate public key from private key
wg pubkey < privatekey > publickey

This creates two files:

  • privatekey: Keep secret, never share
  • publickey: Share with peers who need to connect to you

Pre-Shared Key (Optional)

For extra security, add a pre-shared key for post-quantum resistance:

# Generate pre-shared key
wg genpsk > presharedkey

This is optional but recommended for high-security scenarios.

Key Storage

# Store keys securely
chmod 600 privatekey
chmod 600 presharedkey

# Keep in /etc/wireguard/ on server (the directory itself should be root-only)
sudo mkdir -p /etc/wireguard
sudo chmod 700 /etc/wireguard
sudo mv privatekey presharedkey /etc/wireguard/
sudo chmod 600 /etc/wireguard/privatekey /etc/wireguard/presharedkey
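The same key-handling steps as one script, added here as an example and not part of the course: it creates the key files with a restrictive umask so they are never world-readable even for an instant, checks that a key has the right shape, and audits the permissions afterwards. If the wg tool is missing it falls back to /dev/urandom for the private and pre-shared keys so the script can be exercised on a machine without WireGuard; that fallback is for testing only and derives no public key.

```shell
#!/bin/sh
# Added example: create and store WireGuard keys so that no key file is ever
# world-readable, then audit the result. Not part of the course material.
set -eu

# A WireGuard key is 32 bytes, base64-encoded: exactly 43 base64 characters plus '='.
wg_key_valid() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# make_keys DIR: write privatekey, publickey and presharedkey into DIR.
# umask 077 makes every file 0600 from the moment it is created, so there is no
# window in which another user can read the private key (a chmod afterwards leaves one).
# Without the wg tool (for example in a test sandbox) the private and pre-shared keys
# are drawn from /dev/urandom and no public key is derived; a real tunnel needs
# real `wg genkey` output.
make_keys() {
    dir=${1:-/etc/wireguard}
    (
        umask 077
        mkdir -p "$dir"
        if command -v wg >/dev/null 2>&1; then
            wg genkey > "$dir/privatekey"
            wg pubkey < "$dir/privatekey" > "$dir/publickey"
            wg genpsk > "$dir/presharedkey"
        else
            head -c 32 /dev/urandom | base64 > "$dir/privatekey"
            head -c 32 /dev/urandom | base64 > "$dir/presharedkey"
        fi
    )
}

# check_key_perms DIR: succeed only if every secret key file in DIR is owner-only.
# Columns 5-10 of `ls -l` are the group and other permission bits; they must all be '-'.
check_key_perms() {
    ok=0
    for f in "$1/privatekey" "$1/presharedkey"; do
        [ -e "$f" ] || continue
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "WARNING: $f is readable by group or others" >&2
            ok=1
        fi
    done
    return $ok
}

# On a real host: sudo sh thisscript.sh --run   (writes keys under /etc/wireguard)
if [ "${1:-}" = "--run" ]; then
    make_keys "${2:-/etc/wireguard}"
    check_key_perms "${2:-/etc/wireguard}"
fi
```

Run the audit function again after any manual edit of the key files; a key that passes the format check but fails the permission check is the usual way a private key leaks to other local users.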

LESSON 03: Server Setup

Server Configuration

# Create server config: /etc/wireguard/wg0.conf

[Interface]
# Server's private key (generated in lesson 2)
PrivateKey = SERVER_PRIVATE_KEY

# Listen port (default 51820)
ListenPort = 51820

# Server's IP address in VPN network
Address = 10.0.0.1/24

# Optional: resolver for this host while the tunnel is up (wg-quick applies it
# via resolvconf). Clients set their own DNS in their own [Interface] section.
# DNS = 1.1.1.1, 8.8.8.8

# NAT configuration (optional, for IP forwarding)
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Adding Peer Configuration

# Add to /etc/wireguard/wg0.conf after [Interface]:

[Peer]
# Client's public key (from client)
PublicKey = CLIENT_PUBLIC_KEY

# Allowed IPs - on the server this is the client's own VPN address only.
# Full vs split tunnel is decided in the client's config (lessons 4 and 5);
# 0.0.0.0/0 here would route all of the server's traffic to this one client.
AllowedIPs = 10.0.0.2/32

# Optional: persistent keepalive (only needed if the server itself sits behind NAT;
# clients set this on their own side)
PersistentKeepalive = 25

Starting WireGuard

# Enable and start
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

# Check status
sudo wg show

# View interface
ip addr show wg0

LESSON 04: Client Configuration

Linux Client

# Create client config: /etc/wireguard/wg0.conf

[Interface]
# Client's private key
PrivateKey = CLIENT_PRIVATE_KEY

# Client's IP in VPN network
Address = 10.0.0.2/24

# DNS while on VPN
DNS = 1.1.1.1

[Peer]
# Server's public key
PublicKey = SERVER_PUBLIC_KEY

# Server endpoint
Endpoint = your-server-ip-or-domain.com:51820

# What traffic to route through VPN
# Full tunnel:
AllowedIPs = 0.0.0.0/0, ::/0
# Split tunnel:
# AllowedIPs = 10.0.0.0/24

# Optional: keep connection alive through NAT
PersistentKeepalive = 25

# Connect
sudo wg-quick up wg0

# Disconnect
sudo wg-quick down wg0

Windows Client

  1. Download WireGuard from wireguard.com
  2. Install and open
  3. Click "Add Tunnel" > "Add empty tunnel"
  4. Paste client configuration
  5. Click "Activate"

macOS Client

  1. Download from App Store or wireguard.com
  2. Open WireGuard
  3. Import tunnel from file or create new
  4. Connect

LESSON 05: Network Routing

Full Tunnel vs Split Tunnel

Full Tunnel

All traffic goes through VPN:

AllowedIPs = 0.0.0.0/0, ::/0

Use when: Public WiFi, hiding all traffic, accessing home network resources.

Split Tunnel

Only VPN network traffic goes through:

AllowedIPs = 10.0.0.0/24

Use when: Speed matters, only need access to home network.

Routing Specific Networks

# Access home network (192.168.1.0/24) through VPN
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24

This routes both VPN network and home LAN through the tunnel.

Server-Side IP Forwarding

# Enable IP forwarding (persistently)
echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-wireguard.conf
sudo sysctl -p /etc/sysctl.d/99-wireguard.conf

LESSON 06: Firewall Configuration

Basic Firewall Rules

# Allow WireGuard port
sudo ufw allow 51820/udp

# Or iptables directly
sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT

# Allow forwarding from VPN to internet
sudo iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT

# NAT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Persistent Rules

# Install iptables-persistent
sudo apt install iptables-persistent

# Save rules
sudo netfilter-persistent save

# Or add to WireGuard config
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

LESSON 07: Multiple Peers

Adding Multiple Peers

Server configuration can have multiple [Peer] sections:

[Interface]
PrivateKey = SERVER_PRIVATE_KEY
ListenPort = 51820
Address = 10.0.0.1/24
DNS = 1.1.1.1

# Peer 1 - Alice
[Peer]
PublicKey = ALICE_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

# Peer 2 - Bob
[Peer]
PublicKey = BOB_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32

# Peer 3 - Charlie (with pre-shared key)
[Peer]
PublicKey = CHARLIE_PUBLIC_KEY
PresharedKey = CHARLIE_PSK
AllowedIPs = 10.0.0.4/32

Managing Peers

# View connected peers
sudo wg show

# Add peer dynamically (not persistent)
sudo wg set wg0 peer PUBLIC_KEY allowed-ips 10.0.0.5/32

# Remove peer
sudo wg set wg0 peer PUBLIC_KEY remove
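Lessons 3, 4 and 7 all hand-edit the same two kinds of file. The script below is an added example, not course material, that generates the server wg0.conf and every client config from one peer list, so the two rules that are easiest to get wrong are enforced by construction: on the server each [Peer] gets exactly its own /32, and the full-versus-split tunnel choice is made only in the client file. The peer list, keys, endpoint (vpn.example.com) and WAN interface are placeholders.

```shell
#!/bin/sh
# Added example (not from the course): generate a server wg0.conf plus matching
# client configs from one peer list, so that server-side AllowedIPs are always a
# single /32 per peer and the full/split-tunnel choice lives only in the client file.
set -eu

VPN_NET=10.0.0.0/24
SERVER_VPN_IP=10.0.0.1
SERVER_ENDPOINT=${SERVER_ENDPOINT:-vpn.example.com:51820}   # placeholder; set to your host:port
WAN_IF=${WAN_IF:-eth0}

# Constructed peer list: "name vpn-ip public-key", one per line.
# The keys are placeholders; real ones come from each client's own `wg pubkey`.
PEERS='alice 10.0.0.2 ALICE_PUBLIC_KEY
bob 10.0.0.3 BOB_PUBLIC_KEY'

# server_conf SERVER_PRIVATE_KEY: print the server's wg0.conf.
# Each [Peer] gets exactly its own address. Never put 0.0.0.0/0 here: the server
# would route all of its traffic (and every other peer's) to that one client.
# MASQUERADE is limited to the VPN subnet so the NAT rule does not also cover
# anything else that happens to be forwarded through the box.
server_conf() {
    server_privkey=$1
    cat <<EOF
[Interface]
PrivateKey = $server_privkey
ListenPort = 51820
Address = $SERVER_VPN_IP/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
    printf '%s\n' "$PEERS" | while read -r name ip pubkey; do
        cat <<EOF

# $name
[Peer]
PublicKey = $pubkey
AllowedIPs = $ip/32
EOF
    done
}

# client_conf NAME full|split CLIENT_PRIVATE_KEY SERVER_PUBLIC_KEY: print one client's config.
# "full" sends everything through the tunnel; "split" only the VPN subnet.
client_conf() {
    name=$1; mode=$2; client_privkey=$3; server_pubkey=$4
    ip=$(printf '%s\n' "$PEERS" | awk -v n="$name" '$1 == n { print $2 }')
    [ -n "$ip" ] || { echo "unknown peer: $name" >&2; return 1; }
    case $mode in
        full)  allowed='0.0.0.0/0, ::/0' ;;
        split) allowed=$VPN_NET ;;
        *)     echo "mode must be full or split" >&2; return 1 ;;
    esac
    cat <<EOF
[Interface]
PrivateKey = $client_privkey
Address = $ip/24
DNS = 1.1.1.1

[Peer]
PublicKey = $server_pubkey
Endpoint = $SERVER_ENDPOINT
AllowedIPs = $allowed
PersistentKeepalive = 25
EOF
}

# Example usage (keys are placeholders):
#   server_conf SERVER_PRIVATE_KEY > wg0.conf
#   client_conf alice full ALICE_PRIVATE_KEY SERVER_PUBLIC_KEY > alice.conf
```

Keep the peer list under version control and regenerate both sides whenever a peer is added or removed; the dynamic `wg set` commands above are fine for a quick test but do not survive a restart.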

LESSON 08: Mobile Configuration

iOS Setup

  1. Install "WireGuard" from App Store
  2. Open app > Import from file or create new
  3. Configure as shown for Linux client
  4. Toggle to connect

Generate config on computer and transfer via:

  • Email to yourself
  • iCloud/Drive/Dropbox
  • AirDrop

Android Setup

  1. Install "WireGuard" from Play Store or F-Droid
  2. Open app > Add tunnel
  3. Import config or create new
  4. Tap to connect

Mobile-Specific Settings

# On mobile, recommended settings:
[Interface]
PrivateKey = MOBILE_PRIVATE_KEY
Address = 10.0.0.5/24
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = your-server-ip-or-domain.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
# Keepalive important for mobile networks (it belongs in the [Peer] section)
PersistentKeepalive = 25

LESSON 09: Peer-to-Peer Mesh

Mesh VPN Concept

WireGuard can create mesh networks where peers connect directly to each other without a central server.

⚑ NOTE: For mesh to work, each peer needs to know about and be able to reach every other peer.

Mesh Configuration Example

# Peer A config
[Interface]
PrivateKey = A_PRIVATE
# Every mesh peer must listen on a known port so the others can reach it directly
ListenPort = 51820
Address = 10.0.0.1/24

[Peer]
PublicKey = B_PUBLIC
Endpoint = B_HOSTNAME_OR_IP:51820
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25

[Peer]
PublicKey = C_PUBLIC
Endpoint = C_HOSTNAME_OR_IP:51820
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 25

Tools for Mesh

For larger meshes, use helper tools:

  • WireGuard Mesh: Automated mesh networking
  • Netmaker: Full mesh VPN management
  • Tailscale: Commercial WireGuard mesh (simplified)

LESSON 10: Performance Tuning

MTU Optimization

WireGuard adds overhead. Setting proper MTU prevents fragmentation:

# If experiencing issues, try lower MTU
[Interface]
MTU = 1420

# Common settings:
# 1420 - Safe for most (prevents fragmentation)
# 1500 - Maximum, may fragment on some networks

Persistent Keepalive

# Required for NAT traversal; set in the [Peer] section on the side behind NAT
# Default: off
PersistentKeepalive = 25

# For mobile: keepalive is essential
# For always-on server: can be higher or off

Measuring Performance

# Test speed through VPN
iperf3 -s  # On server
iperf3 -c 10.0.0.1  # On client

# Check current settings
sudo wg show

LESSON 11: Dynamic IPs & DNS

Dynamic DNS for Server

If your server has dynamic IP, use DDNS:

  1. Sign up for DDNS service (DuckDNS, No-IP, etc.)
  2. Configure DDNS client on server
  3. Use domain in client Endpoint

# Example: DuckDNS
# Register at duckdns.org
# Your domain: myvpn.duckdns.org

# Install ddclient
sudo apt install ddclient

# Configure /etc/ddclient.conf
# DuckDNS authenticates with a token rather than a username/password,
# and ddclient 3.9+ has a native duckdns protocol for it
use=web
protocol=duckdns
password=your-duckdns-token
myvpn.duckdns.org

Update WireGuard Endpoint

Clients resolve the domain when the tunnel is brought up, so they pick up the updated IP on (re)connect:

# In client config, use domain instead of IP
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = myvpn.duckdns.org:51820
AllowedIPs = 0.0.0.0/0

LESSON 12: Troubleshooting

Diagnostic Commands

# Check interface status
sudo wg show

# View detailed interface info
sudo wg show wg0 dump

# Check interface exists
ip addr show wg0

# Check routing
ip route

# Check firewall
sudo iptables -L -n -v
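`wg show wg0 dump` is the machine-readable form of `wg show`, and its latest-handshake column is the quickest way to tell which peers are actually alive. The script below is an added example, not part of the course: it parses a constructed dump (placeholder keys, tab-separated in real output) and reports peers that have never handshaked or whose last handshake is older than a threshold.

```shell
#!/bin/sh
# Added example (not from the course): find peers in `wg show wg0 dump` output that
# have never completed a handshake or whose last handshake is stale.
set -eu

# Constructed sample of `wg show wg0 dump` output. Real output is tab-separated;
# the first line is the interface (private-key public-key listen-port fwmark),
# then one line per peer: public-key preshared-key endpoint allowed-ips
# latest-handshake (epoch seconds, 0 = never) rx-bytes tx-bytes keepalive.
# Keys are placeholders. Spaces are used here for readability; awk's default field
# splitting accepts tabs or spaces, and no real field contains either.
SAMPLE_DUMP='SERVER_PRIVATE_KEY SERVER_PUBLIC_KEY 51820 off
ALICE_PUBLIC_KEY (none) 203.0.113.10:41641 10.0.0.2/32 1700000000 123456 654321 25
BOB_PUBLIC_KEY (none) (none) 10.0.0.3/32 0 0 0 off
CHARLIE_PUBLIC_KEY CHARLIE_PSK 198.51.100.7:51820 10.0.0.4/32 1699999000 500 600 25'

# stale_peers DUMP NOW [MAX_AGE]
# Prints "<public-key> never-handshaked" or "<public-key> stale <age>s" for each
# peer that needs attention, nothing when all peers are healthy. WireGuard renews
# the handshake roughly every two minutes while traffic flows (keepalives count),
# so a peer with no handshake in 180 s is effectively unreachable.
stale_peers() {
    dump=$1; now=$2; max_age=${3:-180}
    printf '%s\n' "$dump" | awk -v now="$now" -v max="$max_age" '
        NR == 1 { next }                  # interface line, not a peer
        NF < 8  { next }                  # ignore anything that is not a peer record
        {
            key = $1; hs = $5 + 0
            if (hs == 0)              print key " never-handshaked"
            else if (now - hs > max)  print key " stale " (now - hs) "s"
        }'
}

# On a live server (root is needed because the dump includes the private key):
#   sudo sh thisscript.sh --live wg0
if [ "${1:-}" = "--live" ]; then
    stale_peers "$(wg show "${2:-wg0}" dump)" "$(date +%s)"
fi
```

Because the dump prints private and pre-shared keys in clear, run it only as root and do not ship its raw output into logs or tickets; the script above prints only public keys.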

Common Issues

Can't connect

  • Check server is running: sudo wg show
  • Check firewall: ufw status
  • Check the port is listening on the server: sudo ss -ulnp | grep 51820 (WireGuard is UDP and does not answer probes, so telnet cannot test it)
  • Check keys match

Connected but no traffic

  • Check AllowedIPs on both sides
  • Check IP forwarding enabled
  • Check NAT/masquerading

DNS not working

  • Verify DNS in [Interface] section
  • Test: nslookup google.com 1.1.1.1

Logging

# Journal logs
sudo journalctl -u wg-quick@wg0 -f

# System logs
sudo dmesg | grep wireguard

Conclusion

You've completed the WireGuard mastery guide. You now know how to:

  • Generate secure key pairs
  • Configure WireGuard server
  • Set up clients on any platform
  • Configure routing (full and split tunnel)
  • Secure with firewall rules
  • Manage multiple peers
  • Use on mobile devices
  • Create mesh networks
  • Optimize performance
  • Handle dynamic IPs
  • Troubleshoot issues