How to Set Up WireGuard VPN
Hostman Team
Technical writer
VPN
25.09.2024
Reading time: 6 min

WireGuard VPN is an open-source project that lets users easily set up encrypted tunnels for secure networking.

WireGuard VPN Pros:

  • Minimal latency and maximum throughput.

  • Easy installation and configuration.

WireGuard VPN Cons:

  • Requires additional software installation on client devices (though this isn't a major issue since it supports all platforms, and many modern routers come with WireGuard support built-in).

There are many guides and tutorials on how to install and set up WireGuard VPN. The official website provides detailed instructions, but this guide will show simple ways to start using WireGuard with examples, focusing on practical steps rather than theory.

Setting Up a WireGuard Server via Hostman Marketplace

The easiest way to install WireGuard VPN on a cloud server is to use Hostman Marketplace.

  1. In the control panel, go to Cloud Servers > Create > Marketplace > Network > WireGuard GUI.

  2. Choose a location (e.g., Netherlands), select the minimal configuration, and click Order.
  3. The virtual machine and software installation will take around 5 minutes. Once it's ready, you'll receive an email confirmation.

WireGuard Configuration and Connection

  1. Follow the link in the email to access the interface and log in using your password.

  2. Add new WireGuard clients to connect Android and Windows devices.

There are two ways to connect a client device to the server:

  • QR Code: Convenient for mobile devices.

  • Config file: Easier for PC setups.

In the interface, you'll see buttons to generate a QR code or download the configuration file.

Android Setup

  1. Download the official WireGuard app from Google Play.

  2. Open the app, scan the QR code from the web interface, and tap "Connect."

  3. To confirm the connection, check your IP address on whatismyipaddress.com. If it shows the server's IP, you're successfully connected.

Windows Setup

  1. Download the WireGuard Windows client from the official site.

  2. Download the WireGuard configuration file from the web interface.

  3. Open the client, add a tunnel, select the file, and click "Connect."

That's it! 

There are more advanced configuration options, but this basic setup should be enough for most users. WireGuard tends to be a "set it and forget it" solution; it works reliably after initial setup.

Speed Testing

To check the server connection speed, install the Speedtest CLI tool:

curl -s https://packagecloud.io/install/repositories/ookla/speedtest-cli/script.deb.sh | sudo bash
sudo apt-get install speedtest

I got a speed of 194 Mbps — excellent.

Setting Up a WireGuard Server Using Docker Compose

While the WebGUI and Hostman marketplace one-click setup are easy, you may want more control over the configuration. Since I prefer working with Docker, I'll use it to install the same WireGuard with a web interface.

  1. Start with a clean system: Cloud Servers > Create > Select Ubuntu 22.04.

  2. After creation, connect to the server, update packages, and install Docker and Docker Compose:

apt update && apt upgrade -y
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh

  3. Create a new docker-compose.yml file:

nano docker-compose.yml

  4. Add the following configuration:

version: '3.8'
services:
  wireguard:
    image: weejewel/wg-easy:7
    environment:
      WG_HOST: 'your-server-ip'  # Hostname or IP address
      PASSWORD: 'MegaSuperPass@42'  # Web GUI password
    volumes:
      - ./wireguard:/etc/wireguard
    ports:
      - 51820:51820/udp
      - 51821:51821/tcp
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    restart: always

Replace your-server-ip with your actual server IP address, and replace the sample PASSWORD value with a strong password of your own.

  5. Save and run the following command to start the service:

docker compose up -d

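You can now access the web interface at http://your-server-ip:51821. This is plain HTTP on a publicly published port, so the Web GUI password travels unencrypted; limit access to port 51821 with a firewall rule or put the interface behind a TLS reverse proxy. The project used here is called wg-easy, and you can explore additional settings in its repository.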

Additional Configuration Options

In the Docker Compose file, you can adjust the following settings:

  • PASSWORD: Password for the WebGUI.

  • WG_HOST: Hostname or IP address.

  • WG_DEVICE: The Ethernet device to use for WireGuard traffic.

  • WG_PORT: The public UDP port (default: 51820).

  • WG_MTU: The MTU used by clients (default server MTU is used).

  • WG_PERSISTENT_KEEPALIVE: Time in seconds to keep connections alive. If set to 0, no keep-alive will be sent.

  • WG_DEFAULT_ADDRESS: The address range for clients.

  • WG_DEFAULT_DNS: DNS server.

  • WG_ALLOWED_IPS: The AllowedIPs value written into client configurations, i.e. the destination ranges that clients route through the tunnel.

This setup gives you more control over configuration, restart management, and the ability to run additional services in Docker containers if needed.

Accessing Local Resources

One common issue with VPNs is losing access to local network resources because all traffic is routed through the tunnel by default.

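To solve this, modify the AllowedIPs setting. By default, it's set to 0.0.0.0/0, which sends all traffic through the VPN. To retain access to local resources, replace it with a list of ranges that covers everything except your local networks: traffic to any address outside the list bypasses the VPN. The list used here leaves out the private ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.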

Add the following environment variable in your docker-compose.yml and restart the container:

environment:
      WG_ALLOWED_IPS: '0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32'

Alternatively, edit the client’s configuration file:

[Peer]
PublicKey = PublicKey
PresharedKey = PresharedKey
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32
Endpoint = Endpoint
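
The AllowedIPs list above can be derived rather than copied. The following Python sketch is an added example, not part of the original guide or the wg-easy project: it subtracts the local ranges from 0.0.0.0/0 and checks which destinations go through the tunnel. The excluded ranges (the three RFC 1918 private blocks plus 224.0.0.0/3) are inferred from the gaps in the list above, and the function names and sample destinations are made up for illustration.

```python
import ipaddress

# Ranges kept OUT of the tunnel. Assumption inferred from the gaps in the page's
# list: the three RFC 1918 private ranges plus 224.0.0.0/3 (multicast/reserved).
LOCAL_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]


def allowed_ips(excluded, base="0.0.0.0/0"):
    """Return the sorted CIDR blocks covering `base` minus every range in `excluded`."""
    remaining = [ipaddress.ip_network(base)]
    for ex in map(ipaddress.ip_network, excluded):
        kept = []
        for net in remaining:
            if ex.subnet_of(net):
                # Excluded range sits inside this block: split around it.
                kept.extend(net.address_exclude(ex))
            elif not net.subnet_of(ex):
                # Unrelated block: keep it unchanged.
                kept.append(net)
            # Otherwise the block lies wholly inside the excluded range: drop it.
        remaining = kept
    return sorted(remaining)


def uses_tunnel(destination, networks):
    """True if `destination` matches one of the AllowedIPs blocks."""
    addr = ipaddress.ip_address(destination)
    return any(addr in net for net in networks)


def as_config_value(networks):
    """Format the blocks the way AllowedIPs / WG_ALLOWED_IPS expects them."""
    return ", ".join(str(net) for net in networks)


if __name__ == "__main__":
    nets = allowed_ips(LOCAL_RANGES)
    print("AllowedIPs =", as_config_value(nets))
    # Constructed sample destinations: a LAN host, a public resolver, multicast.
    for dest in ("192.168.1.50", "8.8.8.8", "224.0.0.251"):
        print(dest, "-> tunnel" if uses_tunnel(dest, nets) else "-> local route")
```

The output reproduces the list above except for the trailing 8.8.8.8/32, which 8.0.0.0/7 already covers. Adjust LOCAL_RANGES to the networks you actually need to reach directly, since every range left out of AllowedIPs is sent outside the encrypted tunnel.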

Conclusion

WireGuard VPN is one of the easiest and most convenient services for secure networking. I've worked with PPTP, SSTP, L2TP/IPsec, and others, each with its pros and cons. For now, WireGuard covers all my needs without any hassle.

The project is actively developing, with more devices supporting WireGuard and third-party teams creating additional UIs for easier configuration, such as the NetMaker project.
