Using WireGuard to route all your internet traffic through a VPN: a tutorial

Here’s a clear, step-by-step tutorial on using WireGuard to route all your internet traffic through a VPN.
We’ll go through installation, configuration, and making sure all traffic (not just some) goes through the tunnel.

WireGuard: Full-Tunnel VPN Setup

1. What you’ll need
  • A VPN server (e.g., a VPS or home server) running Linux
  • The WireGuard package installed on both server and client
  • Root or sudo access on both ends
  • Server’s public IP and a chosen UDP port (default: 51820)
2. Install WireGuard

On Ubuntu/Debian:

sudo apt update
sudo apt install wireguard

On Fedora (and on RHEL/CentOS with the EPEL repository enabled):

sudo dnf install wireguard-tools

On macOS (client only):

brew install wireguard-tools

This gives you the wg and wg-quick command-line tools. If you prefer the graphical client referred to later, install the WireGuard app from the Mac App Store instead.

On Windows (client only):

Download and install the official WireGuard client from https://www.wireguard.com/install/ (the installer bundles the tunnel driver and a GUI that imports wg0.conf files).
3. Server configuration
Step 3.1 — Generate keys

Run this with a restrictive umask (umask 077) so the private key file is created readable only by you:

wg genkey | tee server_private.key | wg pubkey > server_public.key

  • server_private.key → Keep secret; it never leaves the server
  • server_public.key → Share with clients
Step 3.2 — Configure /etc/wireguard/wg0.conf

Paste the contents of server_private.key into PrivateKey (not the file name) and keep the file readable only by root (mode 600). Replace eth0 with the server's internet-facing interface; ip route get 1.1.1.1 prints it after "dev". wg-quick does not understand backslash line continuation, so put each PostUp/PostDown command on its own line (several PostUp lines are allowed); %i is replaced with the interface name, wg0. Forwarding is accepted in both directions so that reply traffic still passes when the FORWARD chain's default policy is DROP (as it is on Docker hosts).

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <contents of server_private.key>

# Allow forwarding in both directions and NAT tunnel traffic out through eth0
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Step 3.3 — Enable IP forwarding

Without this the kernel will not forward packets arriving from the tunnel on to the internet, so clients connect but nothing beyond the server is reachable:

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

4. Client configuration
Step 4.1 — Generate client keys

wg genkey | tee client_private.key | wg pubkey > client_public.key

Step 4.2 — Client config (wg0.conf)

Paste the contents of client_private.key into PrivateKey. On Linux the DNS line requires resolvconf (openresolv or systemd's resolvconf shim); wg-quick uses it to point the system at 1.1.1.1 while the tunnel is up so that DNS queries do not leak to the local resolver.

[Interface]
Address = 10.0.0.2/24
PrivateKey = <contents of client_private.key>
DNS = 1.1.1.1

[Peer]
PublicKey = <contents of server_public.key>
Endpoint = <server_public_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Important:
AllowedIPs = 0.0.0.0/0, ::/0 forces all IPv4 and IPv6 traffic through the VPN; this is the “full tunnel” setting. wg-quick implements it with a policy-routing rule plus an fwmark on the tunnel's own UDP packets, so the encrypted traffic to the server still leaves via the physical interface while everything else is routed into wg0. Because the server in this tutorial has no IPv6 address on the tunnel, the client's IPv6 traffic is sent into wg0 and dropped rather than leaking around the VPN; that is the safe default, but it means no IPv6 connectivity until you add an IPv6 address and matching AllowedIPs on the server side. Listing only specific subnets instead (e.g. 10.0.0.0/24) would turn this into a split tunnel.

5. Add client to server config

On the server, append a [Peer] block to /etc/wireguard/wg0.conf. AllowedIPs here is WireGuard's cryptokey routing table: it is the only source address the server will accept from this client's key and the only destination it will send to that key, so use the client's single tunnel address with a /32 mask, not the whole subnet. Every additional client gets its own key pair, its own address and its own [Peer] block.

[Peer]
PublicKey = <contents of client_public.key>
AllowedIPs = 10.0.0.2/32

If wg0 is already running, bring it down and up again with wg-quick so the new peer is loaded (or use wg syncconf to add it without dropping existing sessions).
6. Start WireGuard

On server:

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

On client:

sudo wg-quick up wg0

(On Windows/macOS, just click “Activate” in the WireGuard app.)

7. Test that all traffic is routed

Run:

curl ifconfig.me

If it shows your server's public IP rather than your own, IPv4 web traffic is exiting through the VPN. That alone does not prove everything is tunnelled: also confirm with wg show that a handshake has completed and the transfer counters grow as you browse, repeat the check with curl -6 to verify IPv6 is not leaking around the tunnel (it should fail or show the server's address, never your own IPv6 address), and check that /etc/resolv.conf points at the resolver from the DNS line while the tunnel is up.
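The whole server/client build-out from sections 3 to 7, as an added example script that is not part of the original tutorial. It renders both wg0.conf files from keys you pass in (generated with wg genkey as in steps 3.1 and 4.1, or any placeholder string for a dry run), writes the NAT rules one per line, detects the outbound interface instead of assuming eth0, and includes a check that a client config really is a full tunnel for both address families. The interface names, tunnel addresses and the 203.0.113.10 endpoint in the usage lines are assumptions; the dry-run keys are placeholder strings, not real keys.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial. Renders the server and client
# wg0.conf from sections 3-5 and checks that the client side is a full tunnel.
set -eu

# Generate a key pair into NAME_private.key / NAME_public.key (needs wg).
# umask 077 keeps the private key file readable only by its owner.
gen_keypair() {
    local name="$1"
    ( umask 077 && wg genkey | tee "${name}_private.key" | wg pubkey > "${name}_public.key" )
}

# Interface carrying the default route; use it for MASQUERADE instead of
# hard-coding eth0 (Linux only).
default_iface() {
    ip -o route get 1.1.1.1 | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Server config. $1 server private key, $2 client public key,
# $3 outbound interface, $4 listen port (default 51820).
# One command per PostUp/PostDown line: wg-quick has no line continuation.
render_server_conf() {
    local priv="$1" client_pub="$2" out_if="$3" port="${4:-51820}"
    cat <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = ${port}
PrivateKey = ${priv}
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ${out_if} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ${out_if} -j MASQUERADE

[Peer]
PublicKey = ${client_pub}
AllowedIPs = 10.0.0.2/32
EOF
}

# Client config. $1 client private key, $2 server public key,
# $3 endpoint host:port, $4 tunnel DNS server (default 1.1.1.1).
render_client_conf() {
    local priv="$1" server_pub="$2" endpoint="$3" dns="${4:-1.1.1.1}"
    cat <<EOF
[Interface]
Address = 10.0.0.2/24
PrivateKey = ${priv}
DNS = ${dns}

[Peer]
PublicKey = ${server_pub}
Endpoint = ${endpoint}
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Read a config on stdin; succeed only if AllowedIPs covers both 0.0.0.0/0
# and ::/0, i.e. a full tunnel for IPv4 and IPv6. Anything less is a split
# tunnel and the uncovered address family bypasses the VPN.
is_full_tunnel() {
    local allowed
    allowed=$(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p')
    case "$allowed" in *0.0.0.0/0*) ;; *) return 1 ;; esac
    case "$allowed" in *::/0*) return 0 ;; *) return 1 ;; esac
}

# Dry run with placeholder keys (not real keys) and an assumed endpoint.
# On a real server you would instead run: gen_keypair server; gen_keypair client;
#   render_server_conf "$(cat server_private.key)" "$(cat client_public.key)" \
#       "$(default_iface)" > /etc/wireguard/wg0.conf && chmod 600 /etc/wireguard/wg0.conf
if [ "${1:-}" = "demo" ]; then
    render_client_conf CLIENT_PRIV_PLACEHOLDER SERVER_PUB_PLACEHOLDER 203.0.113.10:51820 \
        | is_full_tunnel && echo "client config is a full tunnel"
fi
```

Run it as "bash script.sh demo" for the dry run, or source it and call the functions with real keys; the client config is rendered on the client machine with the client's private key and only the server's public key crossing between the two hosts.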

8. Extra security tips
  • Changing the default port (51820 → a random high UDP port) cuts down on scanner noise, but it is not a security control: WireGuard stays silent to packets from unknown keys regardless of the port
  • Use a firewall to allow inbound UDP on the WireGuard port only from your client's IP (practical only when the client has a fixed address), and keep everything else on the server closed except what you explicitly need
  • Keep private keys and wg0.conf readable only by root or the owning user (mode 600), and never reuse a key pair between clients
  • Keep WireGuard and your OS updated