Set Up WireGuard VPN

WireGuard is a modern, high-performance VPN that is simpler and faster than OpenVPN or IPsec. This guide sets up a WireGuard server on your VPS so you can securely tunnel traffic from any device.

Requirements

  • A VPS running Ubuntu 20.04+ or Debian 11+
  • Root or sudo access
  • A client device (laptop, phone) to connect from

1. Connect to Your Server

ssh root@YOUR_SERVER_IP

Or use the web terminal in the Sitequest dashboard.

2. Install WireGuard

apt update
apt install -y wireguard

3. Generate Server Keys

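(umask 077; wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key)
chmod 600 /etc/wireguard/server_private.key

The umask makes sure the private key file is never readable by other users, even briefly before chmod runs.

Display the private key so you can copy it into the config in the next step: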

cat /etc/wireguard/server_private.key

4. Configure the Server

Create the WireGuard interface config:

nano /etc/wireguard/wg0.conf

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Replace SERVER_PRIVATE_KEY with your actual private key. Replace eth0 with your main network interface (check with ip route show default). The file now contains the server's private key, so make sure only root can read it.

5. Enable IP Forwarding

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

6. Start WireGuard

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

Verify it is running:

wg show

7. Open Firewall Ports

Open UDP port 51820 in the Sitequest firewall.

With ufw:

ufw allow 51820/udp

8. Add a Client Peer

Generate keys on your client (or on the server for convenience):

(umask 077; wg genkey | tee client_private.key | wg pubkey > client_public.key)

Add the peer to the server config:

nano /etc/wireguard/wg0.conf

Append:

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

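Replace CLIENT_PUBLIC_KEY with the contents of client_public.key, then restart the interface to apply the change: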

systemctl restart wg-quick@wg0

9. Create the Client Config

On your client device, create a config file:

[Interface]
Address = 10.0.0.2/24
PrivateKey = CLIENT_PRIVATE_KEY
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

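Replace CLIENT_PRIVATE_KEY with the contents of client_private.key, SERVER_PUBLIC_KEY with the contents of the server's server_public.key, and YOUR_SERVER_IP with your server's address. AllowedIPs = 0.0.0.0/0 routes all IPv4 traffic through the tunnel; it does not cover IPv6.

Import this file into the WireGuard app on your device (wireguard.com/install).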

10. Test the Connection

Activate the tunnel on your client and verify:

wg show

On the server, you should see the peer's latest handshake and transferred data.

Next Steps

  • Add more peers by repeating steps 8-9 with unique IPs (10.0.0.3, 10.0.0.4, etc.)
  • Restrict AllowedIPs on the client to route only specific subnets through the VPN
  • Set up DNS over VPN with Pi-hole or AdGuard Home
  • Use QR codes for easy mobile setup: qrencode -t ansiutf8 < client.conf
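
The script below is an added example, not part of the original guide: it automates steps 8-9 for each additional peer and picks the next unused tunnel address by reading the AllowedIPs lines already in the server config. It assumes the guide's layout (/etc/wireguard/wg0.conf, subnet 10.0.0.0/24, server at 10.0.0.1); the function names and the file name add-peer.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original guide. Assumes the guide's layout:
# /etc/wireguard/wg0.conf, tunnel subnet 10.0.0.0/24, server at 10.0.0.1.
# Function names are hypothetical.
WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"

# Print the lowest host address in 10.0.0.2-254 not yet listed in any
# AllowedIPs line of the given server config; fail if the subnet is full.
next_free_ip() {
    awk -F'[ \t=,/]+' '
        /^[ \t]*AllowedIPs/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^10\.0\.0\.[0-9]+$/) { n = $i; sub(/^10\.0\.0\./, "", n); used[n + 0] = 1 }
        }
        END {
            for (h = 2; h <= 254; h++)
                if (!(h in used)) { print "10.0.0." h; exit }
            exit 1
        }' "$1"
}

# [Peer] block to append to the server config (step 8).
server_peer_block() {    # args: client_public_key client_ip
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# Client config file contents (step 9).
client_config() {    # args: client_private_key client_ip server_public_key server_ip
    printf '[Interface]\nAddress = %s/24\nPrivateKey = %s\nDNS = 1.1.1.1\n\n' "$2" "$1"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s:51820\n' "$3" "$4"
    printf 'AllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n'
}

# Run steps 8-9 for one new peer. The subshell keeps set -e and umask local.
add_peer() (    # args: server_ip client_config_path
    set -e; umask 077    # stop on any failure; new files are owner-only
    ip=$(next_free_ip "$WG_CONF") || { echo "no free address in 10.0.0.0/24" >&2; exit 1; }
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    server_peer_block "$pub" "$ip" >> "$WG_CONF"
    client_config "$priv" "$ip" "$(cat /etc/wireguard/server_public.key)" "$1" > "$2"
    systemctl restart wg-quick@wg0
    echo "peer $ip added; client config written to $2"
)

# Usage (as root on the server): sh add-peer.sh YOUR_SERVER_IP client2.conf
if [ "$#" -eq 2 ]; then add_peer "$1" "$2"; fi
```

The generated client file contains the client's private key; transfer it to the device over a trusted channel and delete the copy on the server afterwards.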