WireGuard VPN Setup for Secure Remote Access to Your Infrastructure

Deploy WireGuard VPN for secure remote access to self-hosted services. Covers server setup, client configuration, split tunneling, DNS, and mobile access...

Yash Pritwani
12 min read

Why WireGuard?

WireGuard is a modern VPN protocol that has replaced OpenVPN and IPsec for most use cases. It is:

  • Fast: Runs in the Linux kernel, ~3x faster than OpenVPN
  • Simple: ~4,000 lines of code vs OpenVPN's ~100,000
  • Secure: Modern cryptography (Curve25519, ChaCha20, Poly1305)
  • Lightweight: Minimal battery drain on mobile devices
[Figure: Zero Trust flow: User → Identity → Verify → Policy Engine → Access Proxy → App, with MFA + Device, Least Privilege, Encrypted Tunnel and "Never Trust, Always Verify" as the guiding controls]

Zero Trust architecture: every request is verified through identity, policy, and access proxy layers.

Server Setup

Install WireGuard

# Ubuntu/Debian
sudo apt update && sudo apt install wireguard

# Generate server keys (run as root: the redirects write into /etc/wireguard)
# umask 077 makes the new files readable by root only from the moment they are created
umask 077
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
chmod 600 /etc/wireguard/server_private.key

Server Configuration

# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_HERE
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Peer 1: Laptop
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY_HERE
AllowedIPs = 10.0.0.2/32

# Peer 2: Phone
[Peer]
PublicKey = CLIENT2_PUBLIC_KEY_HERE
AllowedIPs = 10.0.0.3/32

# Peer 3: Tablet
[Peer]
PublicKey = CLIENT3_PUBLIC_KEY_HERE
AllowedIPs = 10.0.0.4/32

Enable IP Forwarding

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Start WireGuard

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

# Verify
sudo wg show

Client Setup

Generate Client Keys

# On the server or locally
wg genkey | tee client_private.key | wg pubkey > client_public.key
[Figure: Symmetric encryption: plaintext "Hello World" → Encrypt (AES-256, key) → ciphertext "x8f2...k9z" → Decrypt (AES-256, same key) → plaintext; same key encrypts and decrypts]

Encryption transforms readable plaintext into unreadable ciphertext, reversible only with the correct key.

Linux Client

# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_HERE
Address = 10.0.0.2/24
DNS = 10.0.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_HERE
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24  # Split tunnel
PersistentKeepalive = 25

macOS Client

# Install via Homebrew
brew install wireguard-tools

# Or use the App Store WireGuard app and import the config file

Mobile (QR Code)

Generate a QR code for easy mobile setup:

# Install qrencode
sudo apt install qrencode

# Generate QR code from config
qrencode -t ansiutf8 < /etc/wireguard/clients/phone.conf

Scan the QR code with the WireGuard mobile app and connect instantly.

Split Tunneling

Route only internal traffic through the VPN (better performance):

# In client config - only route these networks through VPN
[Peer]
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24

Route all traffic through the VPN (better security on public WiFi):

# In client config - route everything through VPN
[Peer]
AllowedIPs = 0.0.0.0/0, ::/0

DNS Configuration

Run a DNS server on the VPN server for internal name resolution:

# docker-compose.yml
services:
  pihole:
    image: pihole/pihole:latest
    environment:
      WEBPASSWORD: your-password
      PIHOLE_DNS_: "1.1.1.1;8.8.8.8"
    volumes:
      - pihole_data:/etc/pihole
    ports:
      # Bind to the wg0 address only, so the resolver is reachable from VPN clients and not from the internet
      - "10.0.0.1:53:53/tcp"
      - "10.0.0.1:53:53/udp"
    restart: unless-stopped

# The named volume must be declared at the top level or docker compose refuses to start the service
volumes:
  pihole_data:

Add custom DNS entries for internal services:

# In Pi-hole custom DNS
192.168.1.101 git.internal
192.168.1.101 n8n.internal
192.168.1.101 grafana.internal

Automated Client Provisioning

#!/bin/bash
# add-vpn-client.sh: generate a client key pair and config, then register the peer on the server.
# Run as root: it writes to /etc/wireguard and reloads the wg0 interface.
set -euo pipefail

if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <client-name> <client-ip>" >&2
    exit 1
fi

CLIENT_NAME="$1"
CLIENT_IP="$2"
SERVER_PUBLIC_KEY="$(cat /etc/wireguard/server_public.key)"
SERVER_ENDPOINT="vpn.example.com:51820"

# Generate keys (umask 077 so the client config, which contains the private key, is owner-readable only)
umask 077
CLIENT_PRIVATE=$(wg genkey)
CLIENT_PUBLIC=$(echo "$CLIENT_PRIVATE" | wg pubkey)

# Create client config
mkdir -p /etc/wireguard/clients
cat > "/etc/wireguard/clients/$CLIENT_NAME.conf" << CONF
[Interface]
PrivateKey = $CLIENT_PRIVATE
Address = $CLIENT_IP/24
DNS = 10.0.0.1

[Peer]
PublicKey = $SERVER_PUBLIC_KEY
Endpoint = $SERVER_ENDPOINT
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
CONF

# Add peer to server (a /32 so this client may only source traffic from its own address)
cat >> /etc/wireguard/wg0.conf << PEER

# $CLIENT_NAME
[Peer]
PublicKey = $CLIENT_PUBLIC
AllowedIPs = $CLIENT_IP/32
PEER

# Reload WireGuard without dropping existing sessions
wg syncconf wg0 <(wg-quick strip wg0)

# Generate QR code
qrencode -t ansiutf8 < "/etc/wireguard/clients/$CLIENT_NAME.conf"

echo "Client $CLIENT_NAME configured with IP $CLIENT_IP"

Usage (as root):

sudo ./add-vpn-client.sh laptop 10.0.0.2
sudo ./add-vpn-client.sh phone 10.0.0.3

Security Best Practices

  1. Use unique keys per device: Never share private keys between devices
  2. Restrict AllowedIPs: Only allow the specific IPs each client needs
  3. Firewall the VPN port: Only allow UDP 51820 from expected locations
  4. Rotate keys periodically: Generate new key pairs every 6-12 months
  5. Monitor connections: Check wg show regularly for unknown peers
  6. Use PersistentKeepalive: Set to 25 for clients behind NAT
[Figure: Defense in depth layers: Firewall, WAF, SSO / MFA, TLS/SSL, RBAC, Audit Logs]

Defense in depth: multiple security layers protect your infrastructure from threats.
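A check for the "Restrict AllowedIPs", "Rotate keys" and "Monitor connections" items above, written as an added example that is not part of the original post: it audits the peer table printed by wg show wg0 dump against a file of the public keys you issued. The allowlist file, the placeholder keys in the sample dump and the 30-day idle threshold are assumptions.

```shell
#!/bin/bash
# audit-wg-peers.sh (added example, not from the original post). Reads the
# output of "wg show wg0 dump" plus a file listing the public keys you issued
# and reports peers that violate the practices above.
set -euo pipefail

# Peer lines of "wg show <iface> dump" are tab-separated:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# The first line describes the interface itself and is skipped.
audit_peers() {
    local dump="$1" allowlist="$2" now="$3" max_idle="${4:-2592000}"  # 30 days
    local findings=0 pubkey psk endpoint allowed handshake rx tx ka cidr
    local -a cidrs
    while IFS=$'\t' read -r pubkey psk endpoint allowed handshake rx tx ka; do
        # 1. Unknown peer: a key the kernel trusts that we never issued.
        if ! grep -qxF -- "$pubkey" "$allowlist"; then
            echo "UNKNOWN  $pubkey  allowed=$allowed"; findings=$((findings + 1))
        fi
        # 2. Over-broad AllowedIPs: on the server each peer should own a single
        #    host address; anything wider lets it source traffic for a subnet.
        IFS=',' read -ra cidrs <<< "$allowed"
        for cidr in "${cidrs[@]}"; do
            case "$cidr" in
                */32|*/128|"(none)") ;;
                *) echo "BROAD    $pubkey  $cidr"; findings=$((findings + 1)) ;;
            esac
        done
        # 3. Idle peer: never handshaked, or silent longer than max_idle seconds;
        #    a candidate for removal or key rotation.
        if [ "$handshake" -eq 0 ] || [ $((now - handshake)) -gt "$max_idle" ]; then
            echo "IDLE     $pubkey  last-handshake=$handshake"; findings=$((findings + 1))
        fi
    done < <(tail -n +2 "$dump")
    [ "$findings" -eq 0 ]   # exit status 1 when anything was flagged
}

# Constructed sample input (placeholder keys, not real ones) so the script runs
# without a wg0 interface. On a real host: wg show wg0 dump > "$SAMPLE_DUMP"
SAMPLE_DUMP=$(mktemp); SAMPLE_ALLOW=$(mktemp)
printf 'SRV_PRIV\tSRV_PUB\t51820\toff\n' > "$SAMPLE_DUMP"
printf 'KEY_LAPTOP\t(none)\t203.0.113.7:41000\t10.0.0.2/32\t1700000000\t1024\t2048\toff\n' >> "$SAMPLE_DUMP"
printf 'KEY_ROGUE\t(none)\t198.51.100.9:5000\t10.0.0.9/32,192.168.1.0/24\t0\t0\t0\toff\n' >> "$SAMPLE_DUMP"
printf 'KEY_LAPTOP\n' > "$SAMPLE_ALLOW"
audit_peers "$SAMPLE_DUMP" "$SAMPLE_ALLOW" 1700000100 || echo "review the findings above"
```

Run it from cron with the real dump and pass `$(date +%s)` as the third argument; a non-zero exit status is the signal to alert on.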

Performance

WireGuard adds minimal overhead:

Metric       Direct     WireGuard   OpenVPN
Throughput   940 Mbps   880 Mbps    320 Mbps
Latency      1 ms       +0.5 ms     +2 ms
CPU usage    -          2%          15%

At TechSaaS, we use WireGuard to provide secure remote access to our self-hosted infrastructure. Engineers can access internal services from anywhere while keeping everything off the public internet.

Tags: wireguard, vpn, security, remote-access, networking
