
WireGuard VPN server setup notes

Ikesan

Following the ShadowSocks, V2Ray, and SoftEther notes, I am adding WireGuard here as well. I did not actually use it back then, so this is based on information from 2025.

What WireGuard is

WireGuard is a comparatively young VPN protocol: it was first released in 2016 and merged into the mainline Linux kernel in version 5.6 (2020); older kernels need the out-of-tree module or the userspace implementation (wireguard-go). Its main strengths are simplicity and speed.

Compared with other protocols:

  • OpenVPN: long history and stable, but configuration is complex and it is slower (userspace, TLS-based)
  • IPsec: enterprise-oriented, and very complex to configure
  • WireGuard: small codebase that is easy to audit, fast, and built on a fixed cipher suite (Curve25519, ChaCha20-Poly1305, BLAKE2s), so there is no cipher negotiation to downgrade; a peer is identified only by its public key, there is no user/password layer

WireGuard runs over UDP only (there is no TCP mode) and uses port 51820 by default. The server does not answer packets that fail to authenticate against a configured peer key, so a port scan shows nothing listening.

Server setup

These steps are for Ubuntu 22.04 / 24.04. WireGuard is available in the default repositories.

Install

sudo apt update
sudo apt install wireguard

Generate a key pair

Generate the server private and public keys. /etc/wireguard is readable only by root, so do this in a root shell (sudo -i); umask 077 makes the new key files readable by root alone:

cd /etc/wireguard
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key

Check the keys. Only the public key ever leaves the server (it goes into each client config); the private key stays here:

cat server_private.key
cat server_public.key

Create the config file

Create /etc/wireguard/wg0.conf (it contains the private key, so keep it mode 600):

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <contents of server_private.key>

# NAT settings so clients can access the internet
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Client settings (add later)
# [Peer]
# PublicKey = <client_public.key>
# AllowedIPs = 10.0.0.2/32

Note: Replace eth0 with your server's actual network interface name. You can check it with ip a, or with ip route show default, which prints the interface used for outbound traffic. On some VPSs it may be ens3 or enp0s3. Also note that the FORWARD rule above only accepts packets arriving from wg0; return traffic towards wg0 must be allowed as well, either by the chain's default ACCEPT policy or by a RELATED,ESTABLISHED conntrack rule (UFW's default rules include one). If that is missing you get a handshake but no traffic.

Enable IP forwarding

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Firewall

If you use UFW:

sudo ufw allow 51820/udp
sudo ufw reload

If you use iptables directly (this rule is not persistent; save it, for example with iptables-persistent, or it is gone after a reboot):

sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT

Start the service

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Check status:

sudo wg show

Add a client

Generate a client key pair

Run this on the client side whenever possible, so the private key never leaves the device. If you must generate it on the server, hand the client config over through a secure channel and delete the client's private key from the server afterwards:

wg genkey | tee client_private.key | wg pubkey > client_public.key

Add the client to the server config

Append this to /etc/wireguard/wg0.conf:

[Peer]
PublicKey = <contents of client_public.key>
AllowedIPs = 10.0.0.2/32

Apply it without restarting the service (this changes the running interface immediately; the edit to wg0.conf is what makes it survive a restart):

sudo wg set wg0 peer <client_public.key> allowed-ips 10.0.0.2/32

Or restart, which briefly drops every client's session (wg syncconf, fed with the output of wg-quick strip, reloads the file without that interruption):

sudo systemctl restart wg-quick@wg0

Client config

Save it as /etc/wireguard/wg0.conf on a Linux client (and bring it up with wg-quick as on the server), or import it into the WireGuard app:

[Interface]
PrivateKey = <contents of client_private.key>
Address = 10.0.0.2/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = <contents of server_public.key>
Endpoint = <server-ip-address>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

AllowedIPs settings:

  • 0.0.0.0/0 - route all IPv4 traffic through the VPN. If the client also has IPv6 connectivity, add ::/0 as well, otherwise IPv6 traffic bypasses the tunnel. With the IPv4-only server config above, ::/0 simply blackholes the client's IPv6 rather than leaking it.
  • 10.0.0.0/24 - route only VPN-internal traffic (split tunnel)

PersistentKeepalive = 25 sends a small packet every 25 seconds so the NAT mapping on the client's router stays open; it is only needed for clients behind NAT.

Managing multiple clients

Assign a different IP to each client:

# Client 1
[Peer]
PublicKey = <client1_public.key>
AllowedIPs = 10.0.0.2/32

# Client 2
[Peer]
PublicKey = <client2_public.key>
AllowedIPs = 10.0.0.3/32

# Client 3
[Peer]
PublicKey = <client3_public.key>
AllowedIPs = 10.0.0.4/32
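Hand-assigning addresses gets error-prone after a handful of peers. The following Python helper is an added example for these notes (not code from the original page or from the WireGuard project): it parses a wg-quick config, picks the lowest unused /32 in the tunnel subnet, checks that a key is really 32 base64-encoded bytes, and renders both the server [Peer] block and the matching client config. It assumes the layout used above (one [Interface], repeated [Peer] blocks, tunnel subnet 10.0.0.0/24); every key string in it is a constructed placeholder, not a real key.

```python
"""Allocate the next free tunnel address and render the configs for a new peer.
Added example (not from the original page or WireGuard). Assumes the wg-quick
layout above: one [Interface], repeated [Peer] blocks, one /32 per client,
tunnel subnet 10.0.0.0/24. All keys below are constructed placeholders.
"""
import base64
import ipaddress

KEY_BYTES = 32  # Curve25519 keys are 32 raw bytes, 44 characters in base64
TUNNEL_NET = ipaddress.ip_network("10.0.0.0/24")

def placeholder_key(n: int) -> str:
    """Deterministic 32-byte key for the sample config only (constructed)."""
    return base64.b64encode(bytes([n]) * KEY_BYTES).decode()

def is_valid_key(key: str) -> bool:
    """A WireGuard key is standard base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.b64decode(key, validate=True)) == KEY_BYTES
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def parse_conf(text: str) -> list:
    """Split a wg-quick config into sections. configparser cannot be used
    because [Peer] repeats; each dict carries '_section' plus its key/values."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_section": line[1:-1]}
            sections.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections

def _csv(value) -> list:
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def next_free_address(sections: list, tunnel_net=TUNNEL_NET):
    """Lowest host in the tunnel subnet not taken by the server or a /32 peer."""
    used = set()
    for s in sections:
        if s["_section"] == "Interface":
            for item in _csv(s.get("Address")):
                used.add(ipaddress.ip_interface(item).ip)
        elif s["_section"] == "Peer":
            for item in _csv(s.get("AllowedIPs")):
                net = ipaddress.ip_network(item, strict=False)
                if net.prefixlen == net.max_prefixlen:  # single-host entry
                    used.add(net.network_address)
    for host in tunnel_net.hosts():
        if host not in used:
            return host
    raise RuntimeError(f"no free address left in {tunnel_net}")

def render_server_peer(client_pub: str, addr) -> str:
    """The [Peer] block to append to the server's wg0.conf."""
    if not is_valid_key(client_pub):
        raise ValueError("client public key is not a 32-byte base64 key")
    return f"[Peer]\nPublicKey = {client_pub}\nAllowedIPs = {addr}/32\n"

def render_client_conf(client_priv, addr, server_pub, endpoint,
                       full_tunnel=True, tunnel_net=TUNNEL_NET) -> str:
    """Client config; in full-tunnel mode ::/0 sits next to 0.0.0.0/0 so
    IPv6 cannot bypass the tunnel."""
    allowed = "0.0.0.0/0, ::/0" if full_tunnel else str(tunnel_net)
    return (f"[Interface]\nPrivateKey = {client_priv}\n"
            f"Address = {addr}/{tunnel_net.prefixlen}\nDNS = 1.1.1.1, 8.8.8.8\n\n"
            f"[Peer]\nPublicKey = {server_pub}\nEndpoint = {endpoint}\n"
            f"AllowedIPs = {allowed}\nPersistentKeepalive = 25\n")

def provision(conf_text, client_priv, client_pub, server_pub, endpoint):
    """Return (address, server [Peer] block, client config) for a new client."""
    addr = next_free_address(parse_conf(conf_text))
    return (addr, render_server_peer(client_pub, addr),
            render_client_conf(client_priv, addr, server_pub, endpoint))

# Constructed sample: the server config from these notes with two peers.
SAMPLE_WG0_CONF = f"""\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = {placeholder_key(1)}
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Client 1
[Peer]
PublicKey = {placeholder_key(2)}
AllowedIPs = 10.0.0.2/32

# Client 2
[Peer]
PublicKey = {placeholder_key(3)}
AllowedIPs = 10.0.0.3/32
"""
```

Calling provision(SAMPLE_WG0_CONF, client_priv, client_pub, server_pub, "203.0.113.10:51820") with real keys returns 10.0.0.4, the [Peer] block to append to wg0.conf, and the client config to hand out. The key check matters because wg-quick rejects a malformed key only when the interface comes up, which is a bad time to find a copy-paste error.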

QR code setup for clients

You can generate a QR code for smartphones (client.conf is the client config from the previous section; it contains the client's private key, so delete the file once the phone has imported it):

sudo apt install qrencode
qrencode -t ansiutf8 < client.conf

Scan it with the WireGuard app and you are done.

Troubleshooting

If connection fails

  1. Firewall: make sure UDP 51820 is open, and that Endpoint in the client config points at the server's public IP
  2. IP forwarding: check that cat /proc/sys/net/ipv4/ip_forward returns 1
  3. Key mismatch: the server's [Peer] must carry the client's public key and the client's [Peer] the server's public key; the client's Address must also fall inside that peer's AllowedIPs on the server
  4. Interface name: make sure eth0 in PostUp/PostDown is correct
  5. Handshake succeeds but there is no internet access: that is a forwarding or NAT problem (items 2 and 4), not a key problem

Check logs

sudo journalctl -u wg-quick@wg0 -f

Check connection status

sudo wg show

If a latest handshake time is shown and is recent, the tunnel is up: a peer that is passing traffic re-handshakes roughly every 2 minutes. A handshake older than a few minutes means the session has gone stale (client offline, or NAT mapping expired without a keepalive); no handshake at all means the client's packets never arrive, or a key does not match.
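The machine-readable form of that check is wg show wg0 dump. The script below is an added example for these notes (not from the original page or from WireGuard): it parses the tab-separated dump format and classifies each peer using WireGuard's own timers, where a session is rejected 180 seconds after its last handshake. The dump text and the keys in it are constructed placeholders, and the clock is fixed so the result is reproducible.

```python
"""Flag peers with missing or stale handshakes from `wg show wg0 dump`.
Added example (not from the original page or WireGuard). The dump format:
line 1 is the interface (private-key, public-key, listen-port, fwmark), then
one line per peer with 8 tab-separated fields: public-key, preshared-key,
endpoint, allowed-ips, latest-handshake, transfer-rx, transfer-tx,
persistent-keepalive. Sample data below is constructed.
"""
from dataclasses import dataclass

STALE_AFTER = 180  # seconds: WireGuard rejects a session 180 s after its handshake

@dataclass
class PeerStatus:
    public_key: str
    endpoint: str          # "(none)" if the server has never heard from the peer
    allowed_ips: str
    latest_handshake: int  # unix time, 0 if no handshake ever completed
    rx_bytes: int
    tx_bytes: int

def parse_wg_dump(text: str) -> list:
    """Parse the peer lines of `wg show <iface> dump`."""
    lines = [line for line in text.splitlines() if line.strip()]
    peers = []
    for line in lines[1:]:  # lines[0] describes the interface itself
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append(PeerStatus(f[0], f[2], f[3], int(f[4]), int(f[5]), int(f[6])))
    return peers

def classify(peer: PeerStatus, now: int, stale_after: int = STALE_AFTER) -> str:
    """'up' (recent handshake), 'stale' (had one, too long ago) or 'never'.
    'never' points at firewall/endpoint/key problems; 'stale' at a client
    that went away or a NAT mapping that expired without keepalives."""
    if peer.latest_handshake == 0:
        return "never"
    return "up" if now - peer.latest_handshake <= stale_after else "stale"

def report(text: str, now: int) -> dict:
    """Map each peer's public key to its state."""
    return {p.public_key: classify(p, now) for p in parse_wg_dump(text)}

NOW = 1_700_000_000  # fixed clock so the sample below is reproducible

# Constructed dump: one live peer, one that dropped off two hours ago,
# one that never completed a handshake. Keys are placeholders.
SAMPLE_DUMP = "\n".join([
    "\t".join(["server-private-key-placeholder", "server-public-key-placeholder", "51820", "off"]),
    "\t".join(["client1-public-key-placeholder", "(none)", "198.51.100.7:41231",
               "10.0.0.2/32", str(NOW - 45), "184320", "2097152", "off"]),
    "\t".join(["client2-public-key-placeholder", "(none)", "198.51.100.9:60001",
               "10.0.0.3/32", str(NOW - 7200), "4096", "4096", "25"]),
    "\t".join(["client3-public-key-placeholder", "(none)", "(none)",
               "10.0.0.4/32", "0", "0", "0", "off"]),
])

if __name__ == "__main__":
    import sys, time
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for key, state in report(text, int(time.time()) if text is not SAMPLE_DUMP else NOW).items():
        print(f"{state:6} {key}")
```

On a real server pipe the dump in: sudo wg show wg0 dump | python3 wgstatus.py (the file name is whatever you save it as). The same parser is a reasonable basis for a monitoring check that alerts when a peer that should always be connected turns stale.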

Notes for 2025

Use in China

WireGuard by itself may be detected by the GFW (Great Firewall). Reasons:

  • Its UDP traffic pattern is distinctive: every packet starts with a 1-byte message type followed by three zero bytes, the handshake is always a 148-byte initiation answered by a 92-byte response, and keepalives are exactly 32 bytes
  • AI-based DPI (Deep Packet Inspection) started being used in late 2024
  • Encrypted traffic entropy is also analyzed: everything after the 4-byte header is indistinguishable from random, which itself stands out next to ordinary protocols

It may work for short, low-traffic sessions, but longer usage has a high detection risk.
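To make the first point concrete, here is a minimal passive classifier, added to these notes as an example (not code from the original page or from any DPI product). It encodes only the public WireGuard wire format: the 1-byte type plus three reserved zero bytes, the fixed handshake sizes (initiation 148, response 92, cookie reply 64), and transport packets of 32 bytes plus a payload padded to a multiple of 16. A flow that opens with initiation then response and then carries only packets of that shape is flagged. The packets below are constructed; their bodies are filler, not real handshake material.

```python
"""Why WireGuard is easy to fingerprint: a passive classifier on packet shape.
Added example (not from the original page or any DPI vendor). Encodes only
the public wire format; all sample packets are constructed filler.
"""
from typing import Optional

MSG_NAMES = {1: "handshake-initiation", 2: "handshake-response",
             3: "cookie-reply", 4: "transport-data"}
FIXED_SIZES = {1: 148, 2: 92, 3: 64}  # handshake messages have fixed lengths
TRANSPORT_MIN = 32  # 4 header + 4 receiver index + 8 counter + 16 Poly1305 tag

def classify_packet(payload: bytes) -> Optional[str]:
    """Name the WireGuard message a UDP payload looks like, or None."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None  # reserved bytes must be zero
    msg_type = payload[0]
    if msg_type in FIXED_SIZES:
        return MSG_NAMES[msg_type] if len(payload) == FIXED_SIZES[msg_type] else None
    if msg_type == 4:
        body = len(payload) - TRANSPORT_MIN
        # encrypted payload is padded to 16 bytes; a bare keepalive is 32 bytes
        return MSG_NAMES[4] if body >= 0 and body % 16 == 0 else None
    return None

def looks_like_wireguard_flow(payloads: list) -> bool:
    """Flag a flow that starts with initiation -> response and where every
    later packet also parses as WireGuard. This is the pattern a DPI box
    keys on; it needs no decryption at all."""
    kinds = [classify_packet(p) for p in payloads]
    return (len(kinds) >= 2
            and kinds[0] == "handshake-initiation"
            and kinds[1] == "handshake-response"
            and all(k is not None for k in kinds[2:]))

def make_packet(msg_type: int, total_len: int) -> bytes:
    """Constructed packet with a correct header and length; body is filler."""
    return bytes([msg_type, 0, 0, 0]) + b"\xab" * (total_len - 4)

# Constructed flows: a WireGuard session (handshake, keepalive, 1 KiB of data)
# and a DNS-looking exchange that must not match.
SAMPLE_WG_FLOW = [make_packet(1, 148), make_packet(2, 92),
                  make_packet(4, 32), make_packet(4, 32 + 16 * 64)]
SAMPLE_DNS_FLOW = [b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00",
                   b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"]

if __name__ == "__main__":
    for name, flow in (("wireguard", SAMPLE_WG_FLOW), ("dns", SAMPLE_DNS_FLOW)):
        print(name, [classify_packet(p) for p in flow], looks_like_wireguard_flow(flow))
```

This is exactly why the countermeasures below all change what is on the wire: a wrapper that re-frames the packets or an outer protocol that hides the handshake sizes defeats this check, while merely changing the port does not.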

Countermeasures

  1. Wrap it in a TCP-looking tunnel: use something like udp2raw (FakeTCP mode) so middleboxes see TCP headers instead of a raw UDP stream
  2. Combine it with an obfuscation proxy: put ShadowSocks or V2Ray in front of WireGuard so the handshake shape is hidden inside another protocol
  3. Move to a harder-to-detect protocol: VLESS + REALITY (Xray), Hysteria2, and so on

VPS selection

Some Japanese VPS providers, such as Sakura Internet, may have IP ranges that are blocked from China. Overseas VPSs such as Vultr, DigitalOcean, and Linode tend to connect more reliably.

If you use Vultr, avoid the Tokyo region. Singapore or Hong Kong tends to be more reachable from China, even though it is not Japan.

-> Continue with: OpenConnect (ocserv) server setup notes

-> Summary: Comparison of VPN protocols for China-facing connectivity
