How to Install WireGuard

Updated June 2026

WireGuard can be installed on virtually any device in a few minutes. On Linux, it is included in the kernel and available through standard package managers. On Windows and macOS, official installers provide both a graphical interface and command-line tools. On iOS and Android, the official WireGuard apps support configuration import via files or QR codes. This guide covers installation on every major platform.

WireGuard is a lightweight VPN protocol with minimal dependencies. On Linux, the cryptographic module runs inside the kernel (included since version 5.6), while the userspace tools (wg and wg-quick) handle configuration and key management. On other platforms, WireGuard provides a cross-platform Go implementation called wireguard-go that delivers the same protocol compatibility, though with slightly lower throughput than the native Linux kernel module.

Step 1: Install WireGuard on Ubuntu or Debian

On Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Debian 12, and newer releases, WireGuard is available in the default repositories. The kernel module is already built into the default kernel, so you only need to install the userspace tools:

sudo apt update
sudo apt install wireguard -y

This installs the wg command for managing WireGuard interfaces and the wg-quick utility for bringing tunnels up and down using configuration files. On older Ubuntu versions (18.04 or 20.04), you may need to install the wireguard-dkms package as well, which compiles the kernel module from source using DKMS. However, upgrading to a current LTS release is recommended for both security and compatibility.

Verify the installation by running wg --version, which should display the WireGuard tools version number.

Step 2: Install WireGuard on Fedora, CentOS, or RHEL

On Fedora (37 and later), WireGuard is included in the default kernel and the tools are in the main repositories:

sudo dnf install wireguard-tools -y

On CentOS Stream 9 or RHEL 9, you need to enable the EPEL (Extra Packages for Enterprise Linux) repository first:

sudo dnf install epel-release -y
sudo dnf install wireguard-tools -y

On CentOS Stream 8 or RHEL 8, the kernel module may not be available by default. You will need to install kmod-wireguard from the ELRepo repository or upgrade to a newer kernel that includes WireGuard natively. The ELRepo method involves adding the repository, importing its GPG key, and installing both kmod-wireguard and wireguard-tools.

For Arch Linux users, WireGuard is included in the default kernel and the tools are available in the extra repository:

sudo pacman -S wireguard-tools

Step 3: Install WireGuard on Windows

Download the official Windows installer from the WireGuard website at wireguard.com/install. The installer is a standard MSI package that includes the WireGuard tunnel driver (Wintun), the graphical user interface, and the command-line tools. Run the installer and follow the prompts. No reboot is required.

After installation, the WireGuard application appears in your Start menu and system tray. To add a tunnel, click "Import tunnel(s) from file" and select a .conf configuration file, or click "Add empty tunnel" to enter the configuration manually. The GUI generates a key pair for you when creating a new tunnel, displaying the public key for you to copy to your server configuration.

For Windows Server or headless Windows machines, you can manage WireGuard entirely from the command line using the wireguard.exe and wg.exe binaries installed in C:\Program Files\WireGuard. Configuration files go in C:\Program Files\WireGuard\Data\Configurations.

WireGuard on Windows requires Windows 10 version 1803 or later, or any version of Windows 11. It also works on Windows Server 2019 and later.

Step 4: Install WireGuard on macOS

The official WireGuard app for macOS is available from the Mac App Store. Search for "WireGuard" and install the free app published by the WireGuard Development Team. The app provides a menu bar interface for managing tunnels, importing configurations, and toggling connections on and off.

Alternatively, if you prefer command-line tools without the GUI, install via Homebrew:

brew install wireguard-tools

The Homebrew installation provides the wg and wg-quick commands but does not include the GUI app or the system extension for managing tunnels through the macOS network preferences. For most users, the App Store version is more convenient because it integrates with macOS networking and can activate tunnels automatically on specific Wi-Fi networks.

The macOS app supports macOS 12 (Monterey) and later. Configuration files use the same .conf format as every other platform.

Step 5: Install WireGuard on iOS and Android

iOS: Download the WireGuard app from the Apple App Store. It is free and published by the WireGuard Development Team. The app supports configuration import through .conf files (via Files, AirDrop, or email), QR code scanning, and manual entry. Once a tunnel is configured, it can be set to activate automatically when connected to untrusted Wi-Fi networks, which is useful for ensuring your traffic is always protected outside your home network.

Android: The official WireGuard app is available from both Google Play and F-Droid. The F-Droid version is identical in functionality but is built from source by the F-Droid project, which some users prefer for supply chain transparency. Like the iOS app, it supports .conf file import, QR code scanning, and automatic activation based on network conditions.

Both mobile apps use the wireguard-go userspace implementation rather than a kernel module, which means slightly higher CPU usage and battery consumption compared to the Linux kernel module. In practice, the difference is negligible for normal browsing and streaming. WireGuard's fast reconnection (typically under 100 milliseconds) makes it particularly effective on mobile devices that frequently switch between Wi-Fi and cellular networks.

For Android users who want WireGuard integrated into their device's native VPN settings, some custom ROMs and Android distributions include WireGuard as a built-in kernel module. The official WireGuard Android app works on Android 5.0 (Lollipop) and later.

Step 6: Generate Keys and Create a Configuration

Every WireGuard tunnel requires a key pair on each side. On Linux and macOS, generate a key pair from the terminal:

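(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)

This creates two files: privatekey (keep this secret) and publickey (share this with your peer). The umask 077 inside the subshell makes both files readable only by your own account; with a typical default umask the private key would otherwise be readable by other local users. On Windows, the GUI generates keys automatically when you create a new tunnel. On mobile devices, the app generates keys when you add a tunnel manually.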

A basic client configuration file (for connecting to a VPN server) contains an [Interface] section with the client's private key, the assigned tunnel IP address, and the DNS server to use inside the tunnel. The [Peer] section contains the server's public key, the server's public IP and port as the endpoint, and the AllowedIPs setting that determines which traffic routes through the tunnel.

Setting AllowedIPs = 0.0.0.0/0, ::/0 routes all traffic (both IPv4 and IPv6) through the VPN, providing full-tunnel protection. Setting specific networks like AllowedIPs = 10.0.0.0/24 routes only traffic to those networks through the tunnel, which is called split tunneling and is useful for accessing private resources while leaving regular internet traffic on the local connection.

An optional PersistentKeepalive = 25 setting sends a keepalive packet every 25 seconds, which helps maintain the connection through NAT firewalls that would otherwise drop idle UDP sessions.
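The client configuration described in this step, with a small checker for mistakes this guide warns about: malformed keys, a full tunnel with no DNS setting, and an IPv4-only default route. This is an added example, not part of the original guide or the WireGuard project; the function names, placeholder keys and the 203.0.113.10 endpoint are constructed for illustration.

```python
import base64, ipaddress

def parse_conf(text):
    """Return [(section, {key: value})]; several [Peer] sections are allowed."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)          # split once: keys end in "="
            sections[-1][1][key.strip()] = value.strip()
    return sections

def valid_key(value):  # WireGuard keys are 32 bytes, base64-encoded
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def lint_client(text):  # returns a list of findings, empty when nothing is flagged
    sections, findings = parse_conf(text), []
    iface = next((kv for name, kv in sections if name == "Interface"), {})
    if not valid_key(iface.get("PrivateKey", "")):
        findings.append("Interface: PrivateKey is not a 32-byte base64 key")
    for peer in (kv for name, kv in sections if name == "Peer"):
        if not valid_key(peer.get("PublicKey", "")):
            findings.append("Peer: PublicKey is not a 32-byte base64 key")
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
        full = {n.version for n in nets if n.prefixlen == 0}   # default routes
        if full and "DNS" not in iface:
            findings.append("full tunnel without DNS: lookups may use the local resolver")
        if full == {4}:
            findings.append("full tunnel is IPv4-only: IPv6 traffic bypasses the VPN")
    return findings

# Constructed sample: placeholder keys and a documentation-range endpoint.
KEY_A, KEY_B = (base64.b64encode(bytes([b]) * 32).decode() for b in (1, 2))
SAMPLE = f"""[Interface]
PrivateKey = {KEY_A}
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = {KEY_B}
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25"""
```

Calling lint_client(SAMPLE) returns an empty list; a split-tunnel configuration such as AllowedIPs = 10.0.0.0/24 is not flagged for a missing DNS line because it installs no default route.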

Step 7: Activate and Verify the Tunnel

On Linux, start the tunnel using the configuration file name (without the .conf extension):

sudo wg-quick up wg0

To stop it: sudo wg-quick down wg0

To start WireGuard automatically at boot, enable the systemd service:

sudo systemctl enable wg-quick@wg0

On macOS with the GUI app, click the tunnel name in the menu bar and select "Activate." On Windows, right-click the tunnel in the WireGuard application and choose "Activate." On iOS and Android, toggle the switch next to the tunnel name.

After activating the tunnel, verify it is working correctly. Run wg show on Linux or macOS to see the tunnel status, including the peer's public key, endpoint, allowed IPs, bytes transferred, and the time of the last handshake. A recent handshake time (within the last few minutes) confirms the tunnel is active and exchanging data.

For a complete verification, check your public IP address through a web browser or command line (curl ifconfig.me) to confirm it shows the VPN server's IP. Run a DNS leak test to ensure DNS queries route through the tunnel rather than leaking to your local ISP's DNS servers. If you configured IPv6, verify that IPv6 traffic also routes through the tunnel by checking your IPv6 address.

Installing WireGuard on Routers

For whole-network VPN coverage, WireGuard can be installed on compatible routers. OpenWrt, the most popular open source router firmware, includes WireGuard packages in its official repository. Install with opkg install wireguard-tools luci-proto-wireguard, then configure through the LuCI web interface under Network > Interfaces. This routes all traffic from every device on your network through the VPN without requiring individual client installations.

pfSense and OPNsense, the two leading open source firewall distributions, also include WireGuard support. Both provide web-based configuration interfaces for setting up WireGuard tunnels, peer management, and routing rules. These platforms are typically deployed on dedicated hardware or virtual machines and are more suitable for office or home lab environments than consumer routers.

Troubleshooting Common Issues

If the tunnel activates but no traffic flows, verify that IP forwarding is enabled on the server (sysctl net.ipv4.ip_forward should return 1) and that the server's firewall allows forwarding between the WireGuard interface and the public interface. Missing NAT/MASQUERADE rules are the most common cause of tunnels that connect but cannot route traffic.

If the handshake never completes, check that the server's UDP port (default 51820) is open in both the server's firewall and the hosting provider's security group or network firewall. Also verify that the public keys match: the client's peer section must contain the server's public key, and the server's peer section must contain the client's public key. Swapped or mismatched keys are a frequent configuration mistake.
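The handshake check from Step 7 and the "handshake never completes" case above can both be read from the machine-readable output of wg show wg0 dump. The following is an added example, not part of the original guide or the WireGuard tools; the 180-second threshold, the state names and the sample peers are assumptions constructed for illustration.

```python
import time

STALE_AFTER = 180  # seconds; assumed cut-off for "a recent handshake"

HINTS = {
    "ok": "tunnel is exchanging handshakes",
    "never": "check the UDP port and that each side holds the other's public key",
    "stale": "keepalive is set but handshakes stopped completing",
    "idle-or-stale": "no keepalive: an idle peer and a dead one look the same",
}

def peer_status(dump_text, now=None):
    """Classify each peer line of `wg show <interface> dump` output.

    Line 1 describes the interface. Every later line is one peer, tab-separated:
    public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
    transfer-rx, transfer-tx, persistent-keepalive.
    """
    now = time.time() if now is None else now
    report = {}
    for line in dump_text.strip().splitlines()[1:]:
        pub, _psk, _endpoint, _ips, handshake, _rx, _tx, keepalive = line.split("\t")
        last = int(handshake)            # Unix time; 0 means never
        if last == 0:
            state = "never"
        elif now - last <= STALE_AFTER:
            state = "ok"
        else:
            state = "stale" if keepalive != "off" else "idle-or-stale"
        report[pub] = state
    return report

# Constructed sample output; key fields are placeholders, not real keys.
SAMPLE_DUMP = "\n".join([
    "IFACE_PRIV\tIFACE_PUB\t51820\toff",
    "PEER_A\t(none)\t203.0.113.10:51820\t10.0.0.2/32\t1700000000\t9120\t4480\t25",
    "PEER_B\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff",
    "PEER_C\t(none)\t203.0.113.20:40000\t10.0.0.4/32\t1699999000\t512\t768\toff",
    "PEER_D\t(none)\t203.0.113.30:40001\t10.0.0.5/32\t1699999000\t512\t768\t25",
])

for peer, state in peer_status(SAMPLE_DUMP, now=1700000060).items():
    print(peer, state, "-", HINTS[state])
```

To check a live interface, pass the function the text printed by sudo wg show wg0 dump and omit the now argument.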

DNS issues after connecting usually indicate that the client configuration is missing the DNS setting in the [Interface] section, or that the specified DNS server is unreachable through the tunnel. Adding DNS = 1.1.1.1 (or another public resolver) to the client configuration resolves this in most cases.

Key Takeaway

WireGuard installs in minutes on every major platform. On Linux it runs natively in the kernel for maximum performance, while on Windows, macOS, iOS, and Android official apps provide the same protocol compatibility with convenient graphical interfaces.