Free VPN [WireGuard] Setup πŸ‡¬πŸ‡§

Free VPN [WireGuard] Setup πŸ‡¬πŸ‡§

- 10 mins

Why VPN?

It is crucial to do not expose your personal details or not being attacked by someone when you are connected to public endpoints such as coffee, airport, hotel and guest WIFI points. Furthermore, sometimes, people require to have organizatinal VPN access if organization itself does not provide one. For instance when students in universities have taken into consideration, it is quite important to reach resources that university is providing, it could be IEEE library access or enclosed resource which is only exclusive to internal network of the organization.

No matter what is your intention to use VPN, it is quite useful to have in any case.

There are lots of tutorials and explanations regarding to setting up WireGuard however I could not manage to find proper instructions for MacOSX users that’s why I thought it could be useful to pack up in once in a post. I hope, this would be handy for anyone who are seeking for brand new tutorial for using WireGuard on MacOSx.

Preliminary information; there is no such a concept of server and client in WireGuard, all devices are called as peers. However, in sake of understanding better, I will refer virtual private server as WireGuard server however, it is actually a PEER !


Wireguard is a decent VPN solution with all recent crypto features compared to other open source VPN solutions furthermore, it is lightweight.

Wireguard works based on key-pair relation between server and client just like ssh connection. The setup for personal usage is quite simple to do. Moreover, it is super fast, simple and more performant than any other open source VPN solution. Let’s start build our own VPN solution using WireGuard.

Following scenario is made on ubuntu 18.04, however almost for any linux distribution the steps are more or less same.

Setup Peer 1

I assumed that you have bought your VPS and ready to go for installation steps for WireGuard. Make sure that you have done with your SSH connection.

 $ sudo apt-get update && sudo apt-get upgrade -y 
 $ sudo add-apt-repository ppa:wireguard/wireguard
 $ sudo apt-get update 
 $ sudo apt-get install wireguard

Syncing Wireguard with kernel updates, which means that whenever there is an update for your linux kernel, wireguard module will be updated too.

$ sudo modprobe wireguard

Afterwards, you can ensure that the module is loaded as following;

$ lsmod | grep wireguard

wireguard             217088  0
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             16384  1 wireguard

Generate Keys

Keys are backbone of WireGuard, extremely important step to take into.

$ cd /etc/wireguard
$ umask 077
$ wg genkey | sudo tee privatekey | wg pubkey | sudo tee publickey

After given commands above, you will have publickey and privatekey in /etc/wireguard/ directory.

Setup Configuration

In this step, an interface should be defined in order to route all traffic from clients over rented VPS. Common interface for WireGuard is wg0.

Create a configuration file on VPS as /etc/wireguard/wg0.conf through your favorite text editor (vim, nano, vi).

PrivateKey = <generated-private-key-here>
Address =
Address = fd86:ea04:1111::1/64
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
ListenPort = 51820

Forward Traffic

Traffic which comes into VPS should be forwarded properly, in order to set it up, change /etc/sysctl.conf file as follows.

Using your text editor, add following two lines of configuration into /etc/sysctl.conf


After that, to activate them immeditaly, type;

$ sysctl -p

It is time to bring VPN interface up;

$ wg-quick up wg0

If there is no problem or complain when the command above called, you should be able to get following results from given command below.

$ wg

interface: wg0
  public key: loZviZQpT5Sy4gFKEbk6Vc/rcJ3bH84L7TUj4qMB918=
  private key: (hidden)
  listening port: 51820

Setup Peer 2 (-client-)

In my case, I will gonna go over for setup for MacOS client, however, the logic remains same for any other client that you will use.

All required appliations are downloadable from given adress below.

After installation of your application from given official website (, it is time to add peers to server, and configure Peer 2 (client).

Setup Configuration (client)

If you are using MacOsX, you need to add following configuration under /usr/local/etc/wireguard/wg0.conf, however if you are using Linux, /etc/wireguard/wg0.conf would be correct place to put the configuration given below.

Address =
Address = fd86:ea04:1111::2/128
# note that privatekey value is just a place holder 
PrivateKey = KIaLGPDJo6C1g891+swzfy4LkwQofR2q82pFR6BW9VM=

PublicKey = <your server public key>
Endpoint = <your server public ip>:51820
AllowedIPs =, ::/0

If you have already installed GUI application from official installation website of WireGuard (, it could be nice to arrange that configuration file as shown below.

You will be able to create your configuration file through WireGuard GUI application as follows.

Without excluding internal IPs

Note that the PrivateKey value is just a placeholder, it is not valid value to put into, you need to take care of your own private key which is generated by WireGuard.

Add Peer

When you are done with setting up configuration in client side, you need to let your other peer (server) know your device. It can be achieved by following command on server.

$ wg set wg0 peer <client-public-key> allowed-ips,fd86:ea04:1111::2/128

When everything goes fine, you will be able to list peers by executing following command on server side.

$ wg

interface: wg0
  public key: loZviZQpT5Sy4gFKEbk6Vc/rcJ3bH84L7TUj4qMB918=
  private key: (hidden)
  listening port: 51820

peer: Ta9esbl7yvQJA/rMt5NqS25I/oeuTKbFHJu7oV5dbA4=
  allowed ips:, fd86:ea04:1111::2/128

Last but not least step is to up wg0 interface on client side.(peer 2)

$ wg-quick up wg0

Now you can check your IP address location through

Firewall configuration

It can be handy to enable ufw and allow port 51820/udp for traffic routing.

  1. Check ufw status
$ ufw status verbose
  1. If not enabled, enable it by ; (before enabling ufw make sure that you have already allowed port 22 otherwise you may face some problems in return)
$ ufw enable 
  1. Allow port 51820/udp
$ ufw allow 51820/udp

Sometimes it is required to setup iptables, if that is the case use following rule.

$ iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT
$ iptables -A OUTPUT -p udp -m udp --sport 51820 -j ACCEPT

Note: Run commands with a user which has root privileges

How Traffic Looks Like

Following figures are just snippet of some network traffic which is captured by WireShark. In the first figure, WireGuard is disabled, however in second image, WireGuard is enabled, you can easily distinguish the difference.

In ordinary usage (without VPN), your network traffic is seen as follows;

Without WireGuard

When you have configured your WireGuard to route all your traffic, here is how it is look like;

With WireGuard

It can be observed that all the traffic which goes out from client side has been encrypted with WireGuard.

All in all, it is quite handy to have your own private VPN access which decreases the likelihood of being attacked. Apart from VPN capabilities of WireGuard, it stabilize WIFI connections and actually improves quality of WiFi connection on clients. Keep in mind that you need to create exclusive key pairs for each client who would like to route all or some of his/her traffic over VPN.


Ahmet Turkmen

Ahmet Turkmen

Software Engineer

comments powered by Disqus
rss facebook twitter github gitlab youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium cool-kubernetes stackoverflow reddit quora quora dev