Fatih Şennik

Posted on • Originally published at fatihsennik.com

How to Install WireGuard VPN on Ubuntu and Configure It as a Server — Using Port 443 to Bypass ISP Throttling

What is WireGuard VPN?

WireGuard is a secure network tunnel operating at Layer 3, built directly into the Linux kernel as a virtual network interface. Its goal is straightforward: replace both IPsec and TLS-based solutions such as OpenVPN — and do it better. More secure, more performant, and significantly easier to use.

A cleaner mental model

At its core, WireGuard is built around a simple principle: a tunnel is an association between a peer's public key and a tunnel source IP. No certificates, no certificate authorities, no complex configuration hierarchies. If you've used OpenSSH, the model will feel familiar — short, static Curve25519 keys handle mutual authentication, and that's it. No central server is required. It's peer-to-peer by design, though you can use a hub-and-spoke topology.

Fast handshakes, strong privacy

Session creation is handled transparently using a single round-trip key exchange based on the NoiseIK protocol — fast and invisible to the end user. The protocol provides strong perfect forward secrecy and a high degree of identity hiding, so even if keys are later compromised, past sessions stay protected.

Performance-first design

Data in transit is encrypted using ChaCha20Poly1305, a modern authenticated-encryption cipher that's fast even on hardware without dedicated AES acceleration. Packets are encapsulated in UDP, and the kernel-level implementation takes full advantage of Linux's queue and parallelism primitives. Crucially, WireGuard is designed to allocate no resources in response to incoming packets — a key factor in its resilience under load. Because it runs over UDP, it is faster than TCP-based VPNs, but it can be easily blocked or throttled by some networks.

Better DoS protection

WireGuard improves on the IP-binding cookie mechanisms used in IKEv2 and DTLS by adding encryption and authentication to the cookie itself — making denial-of-service mitigation significantly more robust.

Small enough to audit

Perhaps the most striking aspect of WireGuard is its size: the entire Linux implementation fits in under 4,000 lines of code. Compare that to OpenVPN's ~100,000+ lines and the security implications become obvious. A smaller codebase means a smaller attack surface, and one that's actually feasible to audit and verify.

How to Install WireGuard VPN on Ubuntu and Configure it as a server.

1) Update packages and install WireGuard.

sudo apt update && sudo apt install -y wireguard

2) Generate server private and public key pair.

wg genkey | sudo tee /etc/wireguard/private.key

sudo chmod go= /etc/wireguard/private.key

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

3) View the generated private & public keys — you will need them in the WireGuard config.

sudo cat /etc/wireguard/private.key

sudo cat /etc/wireguard/public.key

4) Find your actual network interface name — it will be the one associated with your server's public IP, such as ens160 or eth0.

ip a

5) Create your WireGuard server configuration file. wg-quick takes the virtual network interface name from the file name, so you can call it anything you like, such as wg0.conf or custom-name.conf. This guide uses name0.conf.

sudo nano /etc/wireguard/name0.conf

Add the following configuration:

[Interface]
PrivateKey = Paste the contents of /etc/wireguard/private.key here
ListenPort = 443
Address = 192.168.50.1/24

## Allow forwarding from the tunnel and NAT its traffic out of the public interface.
## Replace ens160 with your own network interface name.
## The name after -i (name0) must be the same as your config file name.

PostUp = iptables -A FORWARD -i name0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
PostDown = iptables -D FORWARD -i name0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE

## Client 1
[Peer]
PublicKey = Paste your Mac client's public key here.
AllowedIPs = 192.168.50.2/32

## Client xN
[Peer]
PublicKey = Paste your Windows or any other client's public key here.
AllowedIPs = 192.168.50.3/32

6) Enable IP forwarding in the kernel so that the server acts as a router, passing traffic between your VPN clients and the outside network.

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf 

sudo sysctl -p  

7) Enable WireGuard on boot, start it, and verify that the interface is up.

sudo systemctl enable wg-quick@name0 

sudo systemctl start wg-quick@name0

sudo wg show

8) If UFW is enabled, open the WireGuard port in the firewall.

sudo ufw allow 443/udp

9) Every time you update the WireGuard configuration file, remember to restart the WireGuard service for the changes to take effect.

sudo systemctl restart wg-quick@name0
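A check to run on the server file from step 5 before each restart, as an added example that is not part of the original post. The helper name lint_wg_conf is hypothetical; it flags a leftover PrivateKey placeholder, a PostUp/PostDown -i name that differs from the config file name, peer AllowedIPs that are not unique /32 addresses, and group/other access to the file. It assumes the IPv4-only layout used in this guide, and the sample config is constructed.

```bash
#!/usr/bin/env bash
# Added example: lint a wg-quick server config shaped like this guide's name0.conf.
# Prints one finding per line and nothing when every check passes.
lint_wg_conf() {
  local conf=$1 ifname
  ifname=$(basename "$conf" .conf)
  # The file embeds the private key: group/other need no access (cf. chmod go=).
  [ "$(ls -ld "$conf" | cut -c5-10)" = "------" ] ||
    echo "PERMS: config is accessible to group/other"
  awk -v ifname="$ifname" '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # strip comments, trim
    /^\[/    { section = $0; next }
    $0 == "" { next }
    { key = $0; sub(/[ \t]*=.*/, "", key); val = $0; sub(/^[^=]*=[ \t]*/, "", val) }
    section == "[Interface]" && key == "PrivateKey" &&
      !(length(val) == 44 && val ~ /^[A-Za-z0-9+\/]+=$/) {
        print "KEY: PrivateKey is not a 44-character base64 key"
    }
    section == "[Interface]" && key ~ /^Post(Up|Down)$/ {
      n = split(val, w, /[ \t;]+/)   # every "-i <iface>" must name this tunnel
      for (i = 1; i < n; i++)
        if (w[i] == "-i" && w[i+1] != ifname)
          print "HOOK: " key " uses -i " w[i+1] ", tunnel is " ifname
    }
    section == "[Peer]" && key == "AllowedIPs" {
      n = split(val, ips, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        if (ips[i] !~ /\/32$/) print "PEER: " ips[i] " is wider than one host"
        if (seen[ips[i]]++)    print "PEER: " ips[i] " is assigned twice"
      }
    }
  ' "$conf"
}

# Constructed sample: placeholder key, stale -i wg0, one duplicate and one /24 peer.
demo_dir=$(mktemp -d)
cat > "$demo_dir/name0.conf" <<'EOF'
[Interface]
PrivateKey = Copy /etc/wireguard/private.key to here
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
[Peer]
AllowedIPs = 192.168.50.2/32
[Peer]
AllowedIPs = 192.168.50.2/32, 192.168.50.0/24
EOF
chmod 644 "$demo_dir/name0.conf"
lint_wg_conf "$demo_dir/name0.conf"
rm -rf "$demo_dir"
```

On the real server, run it as root against /etc/wireguard/name0.conf; an empty result means all four checks passed.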

How to Install WireGuard VPN on Mac and Configure it as a client.

Install the official WireGuard app from the Mac App Store.

Click 'Add Empty Tunnel' in the app and paste the client config below. Make sure the client IP address (e.g. 192.168.50.2/24) matches the AllowedIPs value set for this peer in your server's /etc/wireguard/name0.conf.

[Interface]
PrivateKey = This is auto generated. Do not share it with anyone.
Address = 192.168.50.2/24
DNS = 8.8.8.8, 1.1.1.1

[Peer]
PublicKey = Copy vpn server /etc/wireguard/public.key to here
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = VPN_SERVER_IP:443
PersistentKeepalive = 5

Once the connection is established, the AllowedIPs = 0.0.0.0/0, ::/0 setting will route all IPv4 and IPv6 traffic through your VPN server, changing your Mac's public IP to your server's IP.

If you only want a private network without changing your public IP, set AllowedIPs to your VPN subnet (e.g. 192.168.50.0/24) and restart the WireGuard client.

Make sure you have added your Mac client's public key to your VPN server config at /etc/wireguard/name0.conf:

## Client 1
[Peer]
PublicKey = Paste your Mac client's public key here.
AllowedIPs = 192.168.50.2/32

Then restart the VPN server:

sudo systemctl restart wg-quick@name0

That's it — enjoy your self-hosted, free, and open-source VPN!
