Set Up WireGuard VPN on Your VPS: Complete Privacy and Security Guide

Published on 2025-06-27

Step-by-step WireGuard VPN setup on a VPS. Covers installation, client configuration, kill switch, DNS leak prevention, and multi-client management.

Written by Space-Node Team – Infrastructure Team – 15+ years combined experience in game server hosting, VPS infrastructure, and 24/7 streaming solutions. Read author bio →

WireGuard is the fastest and simplest VPN protocol available. Setting it up on your own VPS gives you complete control over your privacy - no third-party VPN provider needed.

Why Self-Hosted VPN

Full control - No logging by a VPN provider, you own the server
Speed - WireGuard is faster than OpenVPN with less CPU overhead
Cost effective - A single VPS handles VPN for multiple devices
Custom routing - Route only specific traffic through the VPN
Static IP - Useful for accessing services that whitelist IPs

Installation

Server Side (Ubuntu/Debian)

# Install WireGuard
apt update && apt install -y wireguard

# Generate server keys
wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
chmod 600 /etc/wireguard/private.key

Server Configuration

Create /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32

Enable IP Forwarding

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

Start WireGuard

systemctl enable --now wg-quick@wg0

Open Firewall Port

ufw allow 51820/udp

Client Configuration

Generate Client Keys

wg genkey | tee client-private.key | wg pubkey > client-public.key

Client Config File

[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key>
Endpoint = your-vps-ip:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Import this configuration file into the WireGuard client on your device (available for Windows, macOS, Linux, iOS, Android).

Adding More Clients

For each new client:

Generate a new key pair
Assign a unique IP (10.0.0.3, 10.0.0.4, etc.)
Add a [Peer] section to the server config
Create a client config file
Reload WireGuard: wg syncconf wg0 <(wg-quick strip wg0)

DNS Leak Prevention

To prevent DNS leaks, either:

Set DNS in the client config to a privacy-respecting resolver (1.1.1.1, 9.9.9.9)
Run your own DNS resolver on the VPS (Unbound or Pi-hole)

Split Tunneling

Route only specific traffic through the VPN by adjusting AllowedIPs:

# Route only internal network through VPN
AllowedIPs = 10.0.0.0/24

# Route everything except local network through VPN
AllowedIPs = 0.0.0.0/0, ::/0

Performance

WireGuard is extremely lightweight:

Uses ~1-2% CPU on a 1-core VPS
Adds ~50-80ms overhead at most
Handles multiple clients easily on a small VPS

A VPS with 1GB RAM and 1 CPU core comfortably runs WireGuard for 10+ simultaneous clients.

Security Best Practices

Keep your private keys secure - never share them
Use a firewall to restrict WireGuard port to expected client IPs if possible
Regularly update WireGuard to get security patches
Rotate keys periodically for maximum security
Monitor connection logs for unauthorized access attempts

Self-hosted WireGuard VPN on a VPS gives you privacy, speed, and control that commercial VPN services can't match.

About the Author

Space-Node Team – Infrastructure Team – Experts in game server hosting, VPS infrastructure, and 24/7 streaming solutions with 15+ years combined experience.

Since 2023

500+ servers hosted

4.8/5 avg rating

Our team specializes in Minecraft, FiveM, Rust, and 24/7 streaming infrastructure, operating enterprise-grade AMD Ryzen 9 hardware in Netherlands datacenters. We maintain GDPR compliance and ISO 27001-aligned security standards.

View Space-Node's full team bio and credentials →