How to Set Up a WireGuard VPN Server on a Free VPS (2026)

Running your own VPN is one of the best things you can do with a free VPS. You get complete control over your traffic, no subscription fees, no third-party logging — and WireGuard makes the whole setup take under 15 minutes.

This guide walks through the full setup from scratch. We’re using Ubuntu 22.04 (works on 20.04 and 24.04 too) on a free VPS. By the end you’ll have a working VPN you can connect to from your laptop, phone, or any device.


What Is WireGuard and Why Use It

WireGuard is a modern VPN protocol built directly into the Linux kernel since version 5.6. The entire codebase is roughly 4,000 lines — compared to OpenVPN’s 100,000+ lines. Less code means faster speeds, easier security audits, and way fewer things that can go wrong.

Some quick numbers that matter:

Feature | WireGuard | OpenVPN | IPSec
Codebase size | ~4,000 lines | ~100,000 lines | Complex
Setup time | 10–15 minutes | 30–60 minutes | 60+ minutes
Speed | Very fast | Moderate | Fast
Mobile roaming | Seamless | Can drop | Can drop
Config complexity | Simple | High | Very high
Kernel-level | Yes (Linux 5.6+) | No | Partial

Best for: Anyone who wants a fast, private VPN they actually control. Developers, remote workers, privacy-conscious users, and anyone tired of paying $10–15/month for a commercial VPN.


What You Need Before You Start

  • A VPS running Ubuntu 22.04 (or 20.04/24.04) — free VPS works fine
  • Root or sudo access via SSH
  • A laptop, phone, or device to use as the VPN client
  • About 15 minutes

That’s genuinely it. No domain name needed, no SSL certificates, no control panel.


Step 1 — Get a Free VPS

If you don’t have a VPS yet, you need one with a public IP address. WireGuard needs to be reachable from the internet, so a home server behind NAT won’t work unless you do extra port forwarding.

The fastest option is a free VPS trial — VPSWala’s free tier gives you a real VPS with a public IP, SSH access, and Ubuntu pre-installed. Deployment takes 60 seconds and no credit card is required.

Pick a location close to where you’ll be connecting from — this is your VPN server’s location, so it affects speed.

Once you have your VPS, SSH in:

ssh root@YOUR_SERVER_IP

Step 2 — Install WireGuard on Ubuntu

Ubuntu 22.04, 20.04, and 24.04 all have WireGuard built into the kernel. You just need the userspace tools:

sudo apt update
sudo apt install -y wireguard wireguard-tools

Verify it installed:

wg --version

You should see something like wireguard-tools v1.0.20210914 or newer. If you get a command not found error, try sudo apt install --reinstall wireguard-tools.


Step 3 — Generate Server Keys

WireGuard uses public/private key pairs — same concept as SSH keys. Generate a pair for your server:

sudo mkdir -p /etc/wireguard
sudo chmod 700 /etc/wireguard

# Generate private key (umask 077 creates the file as 600, so it is never world-readable)
sudo sh -c 'umask 077; wg genkey > /etc/wireguard/server_private.key'

# Generate public key from private key
sudo sh -c 'wg pubkey < /etc/wireguard/server_private.key > /etc/wireguard/server_public.key'

# Lock down the private key
sudo chmod 600 /etc/wireguard/server_private.key

View and save both keys — you’ll need them in the next step:

echo "Private key: $(sudo cat /etc/wireguard/server_private.key)"
echo "Public key:  $(sudo cat /etc/wireguard/server_public.key)"

Never share your private key. The public key is what you’ll give to clients.


Step 4 — Create the Server Config File

First, find your server’s public network interface name:

ip route list default

Look for the word after dev — it’ll be something like eth0, ens3, or enp1s0. Note it down.

Now create the WireGuard config:

sudo nano /etc/wireguard/wg0.conf

Paste this in, replacing YOUR_SERVER_PRIVATE_KEY with your actual private key and eth0 with your interface name:

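[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = YOUR_SERVER_PRIVATE_KEY
SaveConfig = true

# Let tunnel traffic through the FORWARD chain (UFW sets its default forward policy to DROP)
PostUp = iptables -I FORWARD -i %i -o eth0 -j ACCEPT
PostUp = iptables -I FORWARD -i eth0 -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# NAT client traffic out of the public interface
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = iptables -D FORWARD -i %i -o eth0 -j ACCEPT
PreDown = iptables -D FORWARD -i eth0 -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Save with Ctrl+O, then Ctrl+X to exit.

What each line does:

  • Address — the VPN’s internal IP range. Your server gets 10.8.0.1, clients get 10.8.0.2, 10.8.0.3, etc.
  • ListenPort — the UDP port WireGuard listens on; 51820 is the conventional choice
  • SaveConfig — writes the interface’s running state back to the file when the interface is brought down, so peers you add with wg commands persist. Bring the interface down before editing the file by hand, or your edits are overwritten
  • PostUp/PreDown — iptables rules added when the interface comes up and removed when it goes down. The FORWARD rules let tunnel traffic pass between wg0 and the public interface (wg-quick replaces %i with the WireGuard interface name), and the MASQUERADE rule handles NAT so client traffic actually routes to the internet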

Step 5 — Enable IP Forwarding

By default Ubuntu doesn’t forward traffic between interfaces — a security feature that you need to turn off for a VPN server to work:

echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.d/99-wireguard.conf
sudo sysctl -p /etc/sysctl.d/99-wireguard.conf

Verify it’s on:

sysctl net.ipv4.ip_forward

Should return net.ipv4.ip_forward = 1.


Step 6 — Open the Firewall Port

If your VPS has UFW (Ubuntu’s firewall) enabled, open the WireGuard port and make sure SSH stays open:

sudo ufw allow 51820/udp
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status

If your VPS provider has a separate cloud firewall panel (like VPSWala’s control panel), make sure UDP port 51820 is open there too. This is the most common reason WireGuard fails — port blocked at the infrastructure level, not the OS level.


Step 7 — Start WireGuard

# Start WireGuard
sudo wg-quick up wg0
 
# Enable auto-start on boot
sudo systemctl enable wg-quick@wg0
 
# Check it's running
sudo wg show

The wg show output should show your interface wg0 with the public key and listening port. No peers yet — that’s fine, we’ll add one in the next step.


Step 8 — Set Up the Client

On your laptop or phone, you need to generate a key pair and create a config file. The process is the same on Linux, macOS, and Windows (via the WireGuard app).

On Linux/macOS client:

# Install WireGuard on your local machine
# Ubuntu/Debian:
sudo apt install wireguard wireguard-tools

# macOS (Homebrew):
brew install wireguard-tools

# Generate client keys (umask 077 keeps the key files readable only by you)
umask 077
wg genkey | tee client_private.key | wg pubkey > client_public.key

cat client_private.key   # save this
cat client_public.key    # save this too

Now add this client as a peer on your server:

sudo wg set wg0 peer YOUR_CLIENT_PUBLIC_KEY allowed-ips 10.8.0.2/32

Replace YOUR_CLIENT_PUBLIC_KEY with the public key you just generated on the client.

Then create the client config file (on your local machine):

sudo nano /etc/wireguard/wg0.conf

[Interface]
PrivateKey = YOUR_CLIENT_PRIVATE_KEY
Address = 10.8.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Fill in:

  • YOUR_CLIENT_PRIVATE_KEY — the private key you generated on the client
  • YOUR_SERVER_PUBLIC_KEY — the public key from Step 3
  • YOUR_SERVER_IP — your VPS’s public IP address

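AllowedIPs = 0.0.0.0/0 routes all IPv4 traffic through the VPN. This config carries no IPv6, so on a network that gives your client an IPv6 address, IPv6 traffic bypasses the tunnel. If you only want to route specific traffic (split tunneling), replace it with the specific subnets.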

On iPhone/Android:

Download the official WireGuard app from the App Store or Play Store. You can either import the config file or have your server generate a QR code:

# On the server, install qrencode
sudo apt install qrencode
 
# Generate QR code for a client config file
qrencode -t ansiutf8 < /etc/wireguard/client.conf

Scan the QR code in the WireGuard app to import the config instantly.


Step 9 — Connect and Test

On your client machine:

sudo wg-quick up wg0

Verify the tunnel is working:

# Check your public IP — should show your VPS's IP, not your home IP
curl ifconfig.me
 
# Ping the server's VPN address
ping 10.8.0.1
 
# Check the WireGuard connection status
sudo wg show

If curl ifconfig.me returns your VPS’s IP address, you’re done. All your internet traffic is now encrypted and routed through your VPS.

To disconnect:

sudo wg-quick down wg0

To add more clients, repeat Step 8 with a new key pair and assign a new IP (10.8.0.3, 10.8.0.4, etc.).
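
The "repeat Step 8" procedure can be scripted on the server. The following is an added example, not part of the original guide; it assumes this guide's layout (interface wg0, subnet 10.8.0.0/24), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: allocate the next tunnel address and build a client config.
# Assumes this guide's layout: interface wg0, subnet 10.8.0.0/24, server 10.8.0.1.

# Reads `wg show wg0 allowed-ips` output on stdin ("<public-key> <cidr> ...")
# and prints the lowest unused address in 10.8.0.2-10.8.0.254.
# Exits non-zero when every address is taken.
next_free_ip() {
    awk '
        {
            for (i = 2; i <= NF; i++) {
                split($i, cidr, "/")
                if (split(cidr[1], o, ".") == 4 && o[1] == 10 && o[2] == 8 && o[3] == 0)
                    used[o[4] + 0] = 1
            }
        }
        END {
            for (h = 2; h <= 254; h++)
                if (!(h in used)) { print "10.8.0." h; exit 0 }
            exit 1
        }'
}

# Args: client private key, server public key, server endpoint, client address.
render_client_config() {
    printf '%s\n' "[Interface]" "PrivateKey = $1" "Address = $4/24" "DNS = 1.1.1.1" "" \
        "[Peer]" "PublicKey = $2" "Endpoint = $3" \
        "AllowedIPs = 0.0.0.0/0" "PersistentKeepalive = 25"
}

# Run as root on the server. Args: server endpoint (IP:port), output file.
# The subshell body keeps the umask change local; the output file holds the
# client private key, so it is created with mode 600.
add_peer() (
    umask 077
    ip=$(wg show wg0 allowed-ips | next_free_ip) || exit 1
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    wg set wg0 peer "$pub" allowed-ips "$ip/32"
    render_client_config "$priv" "$(wg show wg0 public-key)" "$1" "$ip" > "$2"
)

# Usage on the server:
#   add_peer YOUR_SERVER_IP:51820 /etc/wireguard/client.conf
```

The generated file contains the client's private key: move it to the client over a secure channel (or via the QR code) and delete the server copy afterwards.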


Common Issues and Fixes

Problem | Likely Cause | Fix
Can’t connect at all | UDP 51820 blocked | Check cloud firewall AND UFW — both need to allow UDP 51820
Connected but no internet | IP forwarding off or wrong interface name in PostUp | Check sysctl net.ipv4.ip_forward and confirm interface name in wg0.conf
Handshake not completing | Key mismatch | Double-check server public key in client config and client public key in server peer config
DNS leaking | DNS not going through VPN | Add DNS = 1.1.1.1 to client [Interface] section
Drops when switching networks | Missing keepalive | Add PersistentKeepalive = 25 to client [Peer] section
Works on phone, not laptop | Conflicting VPN software | Disable any other VPN clients before connecting WireGuard

The single most common issue is the cloud provider’s firewall blocking UDP 51820. Most VPS control panels have a separate security group or firewall tab — check there first before troubleshooting anything else.
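
To see which of these rows applies to a given peer, the server's own view of each handshake is the quickest signal. The following is an added example, not part of the original guide: it triages the output of wg show wg0 dump, using constructed sample data with placeholder keys and assuming that a handshake older than 180 seconds means the session has lapsed.

```shell
#!/bin/sh
# Added example: triage peers from `wg show wg0 dump` (tab-separated).
# Line 1 describes the interface and begins with the server PRIVATE key, so it
# is skipped and never echoed. Peer lines are: public-key, preshared-key,
# endpoint, allowed-ips, latest-handshake (epoch, 0 = never), rx, tx, keepalive.
# Assumption: a handshake older than 180 s means the session has lapsed.

# Args: current epoch seconds.
# Prints tab-separated: state, public key, endpoint, hint.
peer_status() {
    awk -F '\t' -v now="$1" -v max_age=180 '
        BEGIN { OFS = "\t" }
        NR == 1 { next }
        NF >= 8 {
            hs = $5 + 0
            if (hs == 0) {
                state = "no-handshake"
                hint = "check UDP 51820 in cloud firewall and UFW, then both public keys"
            } else if (now - hs > max_age) {
                state = "stale"
                hint = "client offline or missing PersistentKeepalive"
            } else {
                state = "ok"
                hint = "-"
            }
            print state, $1, $3, hint
        }'
}

# Constructed sample dump (placeholder keys, documentation IP ranges).
sample_dump() {
    printf 'SERVER_PRIVATE_KEY\tSERVER_PUBLIC_KEY\t51820\toff\n'
    printf 'PEER_LAPTOP\t(none)\t198.51.100.7:40112\t10.8.0.2/32\t1700000000\t1024\t2048\toff\n'
    printf 'PEER_PHONE\t(none)\t(none)\t10.8.0.3/32\t0\t0\t0\toff\n'
    printf 'PEER_TABLET\t(none)\t203.0.113.9:5555\t10.8.0.4/32\t1699990000\t10\t20\toff\n'
}

# Demo against the sample, evaluated 60 s after PEER_LAPTOP's handshake.
# On a real server: sudo wg show wg0 dump | peer_status "$(date +%s)"
sample_dump | peer_status 1700000060
```

From the server side, a blocked port and a key mismatch look identical (no handshake, no endpoint), which is why the hint for that state lists both checks.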


WireGuard vs OpenVPN — Quick Comparison

Both are solid options, but they’re built for different situations.

Feature | WireGuard | OpenVPN
Setup time | ~15 minutes | ~45–60 minutes
Speed | Faster (kernel-level) | Slower (userspace)
Mobile performance | Excellent — no drops on network switch | Can reconnect on network switch
Firewall bypass | UDP only (easier to block) | Can run on TCP 443 (harder to block)
Config complexity | Simple text file | Multiple files + certificates
Best for | Personal VPN, fast tunnels, mobile | Corporate networks, deep firewall bypass

If you’re in a country or network that aggressively blocks VPNs (China, UAE, some corporate networks), OpenVPN on TCP port 443 is harder to detect. For everything else, WireGuard is the better choice.


That’s the full setup. One VPS, 15 minutes, and you have a private VPN server that nobody else controls. You can add as many devices as you want, and the free VPS tier handles normal personal usage without any issues.

If you’re running bandwidth-heavy usage — routing multiple devices, streaming, or sharing the VPN with a household — the Professional free trial gives you 1TB of bandwidth plus 8-core AMD EPYC performance that handles it comfortably.
