Why self-host WireGuard?
Faster than OpenVPN, simpler config, runs in the Linux kernel, and ~€2/month on the smallest v4vm plan beats any commercial VPN per-byte.
Install
apt install -y wireguard qrencode
Server keys
cd /etc/wireguard
umask 077
wg genkey | tee server.key | wg pubkey > server.pub
/etc/wireguard/wg0.conf
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <server.key contents>
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Enable IP forwarding:
sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
Start it:
systemctl enable --now wg-quick@wg0
ufw allow 51820/udp
Adding a client
wg genkey | tee client.key | wg pubkey > client.pub
Generate a client config and a QR code for the WireGuard mobile app:
qrencode -t ansiutf8 < client.conf
Append a `[Peer]` section to `wg0.conf` with the client's public key and `AllowedIPs = 10.10.0.2/32`, then run `wg syncconf wg0 <(wg-quick strip wg0)` to apply the change without restarting the interface.
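The steps above do not show what goes into `client.conf`, so here is an added example (not from the original page) that renders both the client config and the matching server `[Peer]` block, rejecting malformed keys and addresses outside the server's `10.10.0.0/24`. Assumptions: the endpoint `vpn.example.com` is a placeholder, the client sends all IPv4 traffic through the tunnel, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: render client.conf and the matching server [Peer] block.
# Assumptions (not on the page): the endpoint host below is a placeholder,
# and the client routes all IPv4 traffic through the tunnel (0.0.0.0/0).
SERVER_ENDPOINT="${SERVER_ENDPOINT:-vpn.example.com:51820}"

# A WireGuard key is 32 bytes in base64: 43 characters plus one '=' pad.
valid_key() {
  [ "${#1}" -eq 44 ] || return 1
  case "${1%=}" in *[!A-Za-z0-9+/]*) return 1 ;; esac
  case "$1" in *=) return 0 ;; *) return 1 ;; esac
}

# Accept only 10.10.0.2 - 10.10.0.254: inside the server's /24, never .1.
valid_client_ip() {
  case "$1" in 10.10.0.*) ;; *) return 1 ;; esac
  host=${1#10.10.0.}
  case "$host" in ''|0*|*[!0-9]*) return 1 ;; esac
  [ "${#host}" -le 3 ] && [ "$host" -ge 2 ] && [ "$host" -le 254 ]
}

# render_client_conf <client_private_key> <server_public_key> <client_ip>
render_client_conf() {
  valid_key "$1" && valid_key "$2" && valid_client_ip "$3" || return 1
  printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\n\n' "$1" "$3"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\n' \
    "$2" "$SERVER_ENDPOINT"
}

# render_server_peer <client_public_key> <client_ip>
# The /32 pins this peer to one tunnel address, so it cannot source
# packets from another client's IP.
render_server_peer() {
  valid_key "$1" && valid_client_ip "$2" || return 1
  printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# Usage with the key files created above (run as root, umask 077):
#   render_client_conf "$(cat client.key)" "$(cat server.pub)" 10.10.0.2 > client.conf
#   render_server_peer "$(cat client.pub)" 10.10.0.2 >> /etc/wireguard/wg0.conf
```

Delete `client.key` and `client.conf` from the server once the client has imported them, since the private key only needs to live on the client.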
That's it. WireGuard reconnects in under a second when your laptop changes networks — there's no good reason to use OpenVPN in 2026 unless your firewall blocks UDP.