How to Set Up Your Own WireGuard VPN Server on a VPS

This guide will help you install and configure your own dedicated, private VPN service hosted on your own server.

Published on September 1st, 2024 by Slomad

The goal of this guide is to help you get a WireGuard VPN service up and running on your own VPS (Virtual Private Server). Hosting your own private VPN server has many benefits:

You're less likely to get flagged as using a VPN
You'll have your own static IP Address
Your location will remain fixed to one geographical location
You'll have more control over the VPN server, configurations, logs, etc.
You won't have to share your VPN server with other users (unless you want to)
You'll likely see faster speeds (depending on the VPS provider)
It's cool, and a fun project!

Let's get started...

Tip: If you're trying to decide between setting up your own VPN server and paying for a VPN service, I'd recommend starting with a VPN Service. A service like Proton VPN is going to give you a much more user-friendly experience and offer you features like being able to change your location at will.

Get a VPS

The first step is to purchase a Virtual Private Server ("VPS") to host your own WireGuard VPN service. Any VPS that is capable of running Docker should be fine. For this guide, I'm going to use a 1GB BuyVM VPS running CentOs which costs $3.50/month. I've been using BuyVM for about 10 years on various projects and I highly recommend them. But pick whichever VPS provider you are comfortable with.

What you'll need:

The IP Address of your VPS server
The root password
SSH access

Note: If you don't know what any of these are or you're uncomfortable using SSH, inputing terminal commands, copy and pasting, etc. you may be better off signing up for a VPN service instead of configuring your own server.

Set up your WireGuard Server

Now that you have a VPS, you can login via SSH and configure WireGuard.

Step 1: SSH into your VPS

In order to install and configure services, you’ll need to SSH into your VPS as the root user:

ssh [email protected]

[root@localhost ~]#

Step 2: Install Docker

Determine if you have docker installed:

docker -v

If you receive an error like docker: command not found, then you don't have docker. Let's install it.

Add the Docker repository to your CentOs system:

sudo yum install -y yum-utils

sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

Install Docker and Docker Compose:

sudo yum install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

If you are asked to verify a fingerprint, confirm the value is 060A 61C5 1B55 8A7F 742B 77AA C52F EB6B 621E 9F35 and then hit Y.

You should now have Docker and Docker Compose installed.

Verify Docker is installed:

docker -v

Docker version 27.2.0, build 3ab4256

Verify Docker Compose is installed:

docker compose version

Docker Compose version v2.29.2

Note: If you had trouble getting Docker installed, or you are running a different server OS / Linux Distribution, please check out Docker's official docs.

Step 3: Configure Networking

On some systems, you may need to do a few things to prepare the networking configuration to run WireGuard and route your internet traffic successfully.

In the case of my BuyVM VPS, I needed to load the IP Tables filter module. You can do so like this:

modprobe iptable_filter

echo iptable_filter > /etc/modules-load.d/iptable_filter.conf

Step 4: Install WireGuard

Once Docker is installed, it's time to install and setup the WireGuard service on your VPS.

First, create a directory on your server called wireguard, which we'll use to store our WireGuard configuration files:

cd ~

mkdir wireguard

cd wireguard

Next, create a Docker Compose file named docker-compose.yaml with the following contents:

version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERPORT=51820
      - PEERS=MyLaptop,MyPhone,MyTablet,MyRouter
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=0.0.0.0/0
      - PERSISTENTKEEPALIVE_PEERS=all
      - LOG_CONFS=true
    volumes:
      - ~/wireguard/config:/config
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

You should adjust the PEERS value to reflect the names of each client device you want to have access to your VPN server. You can add/remove as many devices as you need and name them whatever you want.

Start up the WireGuard container to see if it works:

docker compose up

You should see the docker containers get created and WireGuard generate configuration files and a QR code for each of the clients you specified. At the end, you should see:

wireguard  | **** All tunnels are now active ****

This indicates that your WireGuard service was successfully started.

That's great, but let's run it in detached mode instead so it runs in the background. Hit Ctrl+C to stop the containers, then run:

docker compose up -d

Your VPN service should now be up and running!

Set up your WireGuard Clients

Now that you have your VPN server up and running, it's time to set up some WireGuard clients to actually use it.

View WireGuard Client Configuration Files

During the previous steps, WireGuard configuration files and QR codes were generated for each of your client devices. These can be found a few different ways.

All the client configuration files are located in the config directory. Each client will have it's own directory prefixed by peer_. For example, the client configuration file generated for the MyLaptop client would be located at config/peer_MyLaptop/peer_MyLaptop.conf. You can view it like this:

cat config/peer_MyLaptop/peer_MyLaptop.conf

You can also show the QR codes for each client. These will come in handy for setting up WireGuard on a mobile device later:

docker exec -it wireguard /app/show-peer MyPhone

Install WireGuard on your devices

You'll need to install the WireGuard client on each device you want to connect to your VPN. WireGuard can run on Windows, Mac, Android, iOS and a bunch of Linux distros.

Check out the available WireGuard clients and install what you need from here: https://www.wireguard.com/install/

MacOS / Windows

When configuring WireGuard on a laptop/desktop computer, you'll need access to the WireGuard client configuration file you generated earlier. You'll then need to paste the configuration into your client.

First, print out the client configuration file for the device you want to set up. In my case, I'll be setting up the MyLaptop client. Adjust the following to match the device name you want to show the configuration file for:

cat config/peer_MyLaptop/peer_MyLaptop.conf

This will output something similar to the following:

[Interface]
Address = 10.13.13.2
PrivateKey = UE5qgnlH6YsjWasc9xso0yooZWtd6lBLldErnq9QyVI=
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = y7vl+Df+AUY4MfUsKySevaIqGbLnGLIQDXDz7jqcEUA=
PresharedKey = CFGNctUDu4vTgFVromXC1o+4lh6ufvc3YWjG3WnD9JU=
Endpoint = 123.123.123.123:51820
AllowedIPs = 0.0.0.0/0

You'll need to highlight the above and copy it to your clipboard (or save it to a file, whichever you prefer).

Next, open up the WireGuard client on your computer and go to "Manage Tunnels":

Click the + button and select Add Empty Tunnel.

Note: If you saved your configuration to a file, then click Import tunnel(s) from file and select your file instead.

You can then name your VPN whatever you want, and paste the configuration you copied into the box:

Note: You can copy with Ctrl+C / Cmd+C and paste with Ctrl+V / Cmd+V. But I hope you know that already.

Once the configuration is saved, you can then click Activate to connect to your VPN:

Note: Just because you are "connected", doesn't mean your VPN is working correctly! Make sure you can actually access the internet now. Also, you should see your Data sent and Data received stats increase.

Android / iOS

Configuring WireGuard on a mobile device is much easier, as you can simply scan the QR codes you generated earlier.

Adjust the following to match the device name you want to show the QR code for:

docker exec -it wireguard /app/show-peer MyPhone

Then from your mobile device, open up the WireGuard client and add a new VPN connection by QR code. Scan it, and you should be good to go!

VPN Router

If you have a router capable of connecting to WireGuard such as the awesome Gli.Net Slate AX, you can set it up with a WireGuard client config file to send all your traffic through your private VPN.

Verify your VPN

Don't forget to verify that your VPN is working. Check out my IP Address lookup tool to make sure your location is showing as your VPS location.

Manage your VPN

Adding Clients

If you need to add a new client to your WireGuard VPN, you can simply add it to the PEERS variable in your docker-compose.yaml file and then restart your containers.

For example: PEERS=MyLaptop,MyPhone1,MyTablet,MyOtherDevice

Stop your WireGuard service:

docker compose down

Start it back up:

docker compose up -d

Now you can view the config file and QR code generated for your new device:

cat config/peer_MyOtherDevice/peer_MyOtherDevice.conf

docker exec -it wireguard /app/show-peer MyOtherDevice

Enjoy your VPN!

Related Services

Proton VPN - My VPN of choice from the makers of Proton Mail in Switzerland. An excellent VPN that works great on Travel Routers and all major platforms.

Related Products

Back to How-To Guides