WireGuard on Linux: The “I Just Want It To Work” Guide
I used to think setting up a VPN meant hours hunched over black-screen hieroglyphics. Then I tried WireGuard on my little Ubuntu laptop. Ten minutes later my traffic was zipping through Sweden like it had frequent-flyer miles.
That was the basic install. The real magic? These extra tweaks that turn “pretty fast” into smoking fast and add armor thick enough to make a SysAdmin grin.
Step 1: Lock It Down
Extra-secret keys (think two locks on a door)
WireGuard already does a Curve25519 handshake. The optional pre-shared key is a second, symmetric secret mixed into that handshake, so even if a quantum computer one day breaks Curve25519, someone who recorded your traffic still cannot derive the session keys without it. Generate it with a tight umask so only root can read the file:
umask 077; wg genpsk > /etc/wireguard/psk.key
Then glue it into your [Peer] block. PresharedKey wants the key itself, not a path to the file, and the identical key must go into the matching [Peer] block on the other end or the handshake fails:
PresharedKey = <paste the 44-character output of wg genpsk here>
Bulletproof kill-switch (the unplug test)
Ever open Netflix, see "not available in your region," and panic? That message means the tunnel dropped and your browser quietly went out over the bare ISP link. A kill-switch makes that impossible: when the tunnel is down, nothing leaves the box except the encrypted packets that bring the tunnel back up. On a laptop that traffic originates locally, so the rules belong in the output hook, not forward (forward only sees packets being routed through the machine on behalf of others). Paste-and-forget lines for nftables (swap eth0 to your network card and 51820 to the port in your Endpoint line):
sudo nft add table inet wg_killswitch
sudo nft add chain inet wg_killswitch output '{ type filter hook output priority 0; policy drop; }'
sudo nft add rule inet wg_killswitch output oifname "lo" accept
sudo nft add rule inet wg_killswitch output oifname "wg0" accept
sudo nft add rule inet wg_killswitch output oifname "eth0" udp dport 51820 accept
sudo nft add rule inet wg_killswitch output oifname "eth0" udp dport 67 accept
Boom. The chain's policy is drop, so if the tunnel sneezes, the packets stop marching; only the UDP handshake to your server and DHCP renewals (port 67, so the café lease does not expire under you) get through. Two caveats: your LAN (printer, NAS) is unreachable while the switch is armed, and on an IPv6 LAN you must also accept icmpv6 neighbour discovery or the link itself goes deaf. To disarm it, delete the table again (nft delete table inet wg_killswitch).
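The rules above are typed by hand; the script below, an added example rather than code from the original post, builds the same policy-drop ruleset as a file for nft -f straight from your wg0.conf, so the endpoint address and port can never drift out of sync with the config. The sample config embedded in it is constructed with placeholder keys and two peers (one IPv4, one IPv6 endpoint); the interface names eth0 and wg0 are assumptions. Hostname endpoints are rejected on purpose: a rule that pins a name has to be resolved first, and a spoofed DNS answer could then poke a hole in the switch.

```python
"""Generate an nftables kill-switch ruleset from a wg-quick config (added example)."""
import ipaddress
import re

# Constructed sample config with placeholder keys; one IPv4 and one IPv6 peer.
SAMPLE_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.0.0.2/24

[Peer]
PublicKey = SERVER_A_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.5:51820   # primary exit

[Peer]
PublicKey = SERVER_B_PLACEHOLDER=
AllowedIPs = ::/0
Endpoint = [2001:db8::1]:51821
"""


def parse_wg_conf(text):
    """Yield (section, key, value) triples; the section repeats for every [Peer] block."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, _, value = line.partition("=")
        yield section, key.strip(), value.strip()


def parse_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (ip_address, port); refuse hostnames."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        raise ValueError(f"endpoint {endpoint!r} is a hostname; resolve it and pin the IP") from None
    return addr, int(port)


def killswitch_ruleset(conf, uplink="eth0", tunnel="wg0"):
    """Return nft file text: an output chain with policy drop and pinholes for each endpoint."""
    rules = [
        'oifname "lo" accept',
        f'oifname "{tunnel}" accept',
    ]
    for section, key, value in parse_wg_conf(conf):
        if section == "Peer" and key == "Endpoint":
            addr, port = parse_endpoint(value)
            family = "ip6" if addr.version == 6 else "ip"
            rules.append(f'oifname "{uplink}" {family} daddr {addr} udp dport {port} accept')
    rules.append(f'oifname "{uplink}" udp dport 67 accept')     # DHCPv4 lease renewals
    # Neighbour/router discovery so an IPv6 LAN link keeps working while armed.
    rules.append(f'oifname "{uplink}" icmpv6 type {{ nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit }} accept')
    body = "\n".join(f"        {rule}" for rule in rules)
    return (
        "table inet wg_killswitch {\n"
        "    chain output {\n"
        "        type filter hook output priority 0; policy drop;\n"
        f"{body}\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print(killswitch_ruleset(text), end="")
```

Run it as root with your real config (python3 killswitch.py /etc/wireguard/wg0.conf > /etc/nftables.d/wg_killswitch.nft, then nft -f that file) and the switch follows the config; re-run it whenever you change the Endpoint line.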
Keep your browser in its own room
Want Firefox to use the VPN while Steam flows straight to your ISP? Put wg0 into its own network namespace. The trick that makes this work: a WireGuard interface remembers the namespace it was created in and keeps sending its encrypted UDP from there, so you create wg0 in the main namespace, move it into the "vpn" room, and only programs started inside that room can see it (substitute your own tunnel address for 10.0.0.2/24):
sudo ip netns add vpn
sudo ip link add wg0 type wireguard
sudo ip link set wg0 netns vpn
sudo wg-quick strip wg0 | sudo ip netns exec vpn wg setconf wg0 /dev/stdin
sudo ip -n vpn addr add 10.0.0.2/24 dev wg0
sudo ip -n vpn link set wg0 up
sudo ip -n vpn route add default dev wg0
sudo ip netns exec vpn sudo -u YOUR-USER firefox
Firefox travels inside Room VPN, and because the only route in that room is the tunnel, it cannot leak even when the tunnel drops; there is simply no other door. Steam still walks the halls normally. wg-quick strip removes the Address, DNS and MTU lines that wg setconf does not understand, and the room gets its resolver from /etc/netns/vpn/resolv.conf, so create that file with your VPN's DNS server. Perfect for keeping work apps isolated.
Step 2: Make It Fly
Find the sweet MTU (echo-location trick)
A tunnel MTU that is too big forces fragmentation, or silent drops where a router refuses to fragment, which shows up as pages that load half-way and then stall. Find the biggest packet your path carries and size wg0 to fit inside it:
- Open a terminal.
- Ping your server (or any reliable host) with the don't-fragment bit set and a 1472-byte payload, which with the 20-byte IPv4 and 8-byte ICMP headers is exactly 1500 bytes on the wire:
ping -M do -s 1472 -c 1 1.1.1.1
- If it chokes ("message too long" or no reply), drop the number until it answers.
Whatever works, subtract 52 and stick that in the [Interface] section of wg0.conf. The 52 comes from adding back the 28 bytes of ping headers and then taking off the 80 bytes WireGuard needs for its own outer IP, UDP and transport headers (the IPv6-endpoint worst case, which is also what wg-quick's default of 1420 assumes):
MTU = 1420
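The probing can be automated. The script below is an added example, not code from the original post: it binary-searches the largest don't-fragment ping payload the path carries and turns it into a WireGuard MTU. It goes a little beyond the post's "subtract 52" rule, which is specific to an IPv4 probe (28 header bytes added back, 80 bytes of WireGuard overhead taken off); over IPv6 the probe headers are 48 bytes, so the rule becomes "subtract 32". The ping binary and the 1.1.1.1 default target are assumptions; the probe function is injectable so the search can be exercised without a network.

```python
"""Automate the MTU echo-location trick (added example, not from the original post)."""
import subprocess

PING_OVERHEAD = {4: 20 + 8, 6: 40 + 8}       # IP header + ICMP header on the probe packet
WG_OVERHEAD = 80                              # worst case (IPv6 outer): 40 IP + 8 UDP + 32 WireGuard transport
MAX_PAYLOAD = {4: 1500 - 28, 6: 1500 - 48}    # largest probe that fits an untouched 1500-byte link


def wg_mtu(max_payload, family=4):
    """MTU for wg0 given the largest ping payload that crossed the path."""
    path_mtu = max_payload + PING_OVERHEAD[family]
    return path_mtu - WG_OVERHEAD


def ping_fits(host, payload, family=4):
    """True when one don't-fragment ping of `payload` bytes gets an answer (needs iputils ping)."""
    cmd = ["ping", f"-{family}", "-M", "do", "-s", str(payload), "-c", "1", "-W", "1", host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def largest_payload(host, family=4, lo=1200, fits=ping_fits):
    """Largest payload in [lo, MAX_PAYLOAD] that `fits`; lo is assumed to fit (PPPoE and most
    tunnels sit well above 1200). `fits` is a parameter so the search can be simulated."""
    hi = MAX_PAYLOAD[family]
    if fits(host, hi, family):
        return hi                      # clean 1500-byte path, nothing to shrink
    while lo < hi:                     # invariant: everything above hi is known not to fit
        mid = (lo + hi + 1) // 2
        if fits(host, mid, family):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "1.1.1.1"
    payload = largest_payload(host)
    print(f"largest IPv4 payload {payload} -> put MTU = {wg_mtu(payload)} in wg0.conf")
```

On a PPPoE line (1492-byte path) the search lands on a 1464-byte payload and the script recommends MTU = 1412, which is exactly the value you would get from the manual method.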
Glue the NAT hole open
Coffee-shop Wi-Fi loves to expire idle UDP mappings in its NAT. Tell WireGuard to poke every 25 seconds so the mapping stays open and the server can still reach you. This goes in the [Peer] block on the side that sits behind the NAT, and it only matters when the other side needs to start a conversation with you (a laptop that only ever calls out re-handshakes on its own next packet anyway):
PersistentKeepalive = 25
Let your CPU loaf
If your kernel is 5.6 or newer, WireGuard is already an in-tree module and wg-quick uses it automatically; the kernel driver spreads encryption and decryption across all your cores, so you get multi-core goodness without installing anything extra. There is no wireguard@ unit to enable; the unit that brings the tunnel up at boot is:
sudo systemctl enable --now wg-quick@wg0
If lsmod shows no wireguard module once the tunnel is up, you are on an older kernel and have fallen back to the slower single-process userspace implementation (wireguard-go), which is the thing to fix.
Fast DNS that actually listens
With systemd-resolved, use resolvectl instead of hoping your router plays nice. The first line sets the resolver for the tunnel; the second (~. means "every domain") makes it the only resolver consulted, so no query leaks to the ISP's DNS on eth0:
sudo resolvectl dns wg0 1.1.1.1
sudo resolvectl domain wg0 ~.
If wg-quick manages the tunnel, a DNS = 1.1.1.1 line in [Interface] lets it apply the same settings on up and remove them again on down.
Step 3: Pro Moves
Ditch static client IPs
Roaming is built in: the server learns a client's current address from the last authenticated packet it receives, so the server's [Peer] block simply has no Endpoint line. Do not "fix" this by setting the server-side AllowedIPs to 0.0.0.0/0. On the server that field is the cryptokey routing table, which source addresses are accepted from this peer and which destinations are sent to it, so 0.0.0.0/0 would route all of the server's traffic into that one client, and only one peer can own a prefix at a time (0.0.0.0/0 belongs on the client, where it means "send everything through the tunnel"). Keep the server entry at the client's tunnel address:
AllowedIPs = 10.0.0.2/32
Your laptop can hop from the bed to the café and still connect. No edits. Zero drama.
Make WireGuard the entire house router
Share the tunnel with tablets, TVs, consoles. On the server (the exit end) two lines in [Interface] turn it into a NAT gateway: the first forwards packets arriving from the tunnel and masquerades them out eth0, the second removes those rules when the tunnel goes down so a restart does not pile up duplicates (%i expands to wg0):
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
You also need IPv4 forwarding switched on in the kernel (net.ipv4.ip_forward=1 via sysctl) or the FORWARD rule never sees a packet. On the home side the same recipe applies with the interfaces swapped: forward from the LAN interface and masquerade out %i, so every device behind the box rides the tunnel under the box's single tunnel address.
That's it: your living room now thinks it's in Dallas.
Rotate keys like you change toothbrushes
WireGuard keys are long-lived identities, so rotating them limits what a stolen laptop disk can do later. But rotation is a two-ended job: the server only accepts a client whose public key sits in one of its [Peer] blocks, so a cron job that silently swaps the client key and restarts the tunnel just locks you out on the first of the month. The safe order is: generate a fresh pair (with a tight umask so the private half stays root-only), register the new public key on the server, then swap the PrivateKey line in wg0.conf and reload:
umask 077; wg genkey | tee /etc/wireguard/newkey | wg pubkey > /etc/wireguard/newkey.pub
On the server that registration is wg set wg0 peer <new public key> allowed-ips <client tunnel IP>/32 (plus the same edit in its saved config), after which the client reloads without dropping the interface using wg syncconf wg0 <(wg-quick strip wg0). Script those three steps together and put the script in cron; never put the key generation alone there.
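The client half of that procedure, as an added example rather than code from the original post: it generates a fresh keypair (clamped exactly as wg genkey does), swaps the PrivateKey line in a wg-quick config, and hands back the new public key you must register on the server before the new config is loaded. The public key is derived with a pure-Python X25519 (the RFC 7748 ladder), the same computation wg pubkey performs; it is included only so the example is self-contained and checkable against the RFC's test vectors. The sample config is constructed with placeholder keys, the tunnel address 10.0.0.2 is an assumption, and the script deliberately writes wg0.conf.new rather than overwriting the live config.

```python
"""Rotate a WireGuard client key the safe way (added example, not from the original post)."""
import base64
import os
import re

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def clamp(k):
    """Scalar clamping applied by `wg genkey` and again inside X25519."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def x25519(scalar, u):
    """RFC 7748 X25519 Montgomery ladder; not constant-time, fine for offline key derivation."""
    k = int.from_bytes(clamp(scalar), "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private):
    """What `wg pubkey` computes: X25519(private, 9)."""
    return x25519(private, BASEPOINT)


def b64(key):
    return base64.b64encode(key).decode()


def unb64(text):
    return base64.b64decode(text)


def rotate_private_key(conf, new_private=None):
    """Return (new config text, new public key base64); touches only the [Interface] PrivateKey line."""
    new_private = clamp(new_private or os.urandom(32))
    pattern = re.compile(r"^(\s*PrivateKey\s*=\s*)\S+", re.MULTILINE)
    new_conf, hits = pattern.subn(lambda m: m.group(1) + b64(new_private), conf, count=1)
    if hits != 1:
        raise ValueError("config has no PrivateKey line")
    return new_conf, b64(public_key(new_private))


# Constructed sample config with placeholder keys (not real keys).
SAMPLE_CONF = """\
[Interface]
PrivateKey = OLD_CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.0.0.2/24

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
PresharedKey = PSK_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.5:51820
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    old = open(path).read() if path else SAMPLE_CONF
    new_conf, pub = rotate_private_key(old)
    if path:
        os.umask(0o077)                       # new config is root-only, like the old one
        with open(path + ".new", "w") as f:   # keep the live config until the server knows the new key
            f.write(new_conf)
    print("1. on the server:  wg set wg0 peer", pub, "allowed-ips 10.0.0.2/32")
    print("2. then here: mv", (path or "wg0.conf") + ".new", (path or "wg0.conf"),
          "&& wg syncconf wg0 <(wg-quick strip wg0)")
```

The old public key should be removed from the server (wg set wg0 peer <old key> remove) once the client has reloaded; until then both keys are valid, which is what keeps the switch-over from ever leaving you locked out.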
How Do I Know It's Working?
- Live stats? A latest-handshake timestamp that refreshes while traffic flows (roughly every two minutes) and transfer counters that climb mean the tunnel is alive:
sudo wg show
- Lag check?
mtr 8.8.8.8
- Kernel yelling at you?
dmesg | grep wireguard
Closing Thought
Do one tweak, test the speed, then move to the next. When you finally hit 250 Mbps over LTE, the coffee tastes like a medal.
If you manage dozens of boxes, scripts in Ansible playbooks save sanity and knuckles. Otherwise, these five-minute copy-paste gems are all most of us need.
