# WireGuard VPN

> Your own fast WireGuard VPN

WireGuard is a modern VPN protocol: fast, lightweight, and it holds the connection when your network changes. It has far less code than older solutions — less room for bugs and higher speed. On a Lumi VPS (Ubuntu 22.04 by default, root over SSH) you can set it up in a couple of minutes.

<Note>
  Commands are current as of writing. Script names and flags change from time to time — check [angristan/wireguard-install](https://github.com/angristan/wireguard-install) and [wireguard.com](https://www.wireguard.com).
</Note>

## Why WireGuard is good

<CardGroup cols={2}>
  <Card title="Speed" icon="bolt">
    Runs in the Linux kernel and barely loses any throughput.
  </Card>

  <Card title="Simplicity" icon="feather">
    The config is a few lines, not pages of settings.
  </Card>

  <Card title="Stability" icon="wifi">
    Switch from Wi-Fi to mobile — the tunnel doesn't drop.
  </Card>

  <Card title="Privacy" icon="user-shield">
    A personal VPN and access to your own services from any device.
  </Card>
</CardGroup>

## Installation

Two paths: a ready-made script (quick) or manual (full control). The script is enough for most people.

<Tabs>
  <Tab title="Script — quick and easy">
    The ready-made script will install WireGuard, configure the server, create a system service, and issue your first client — with a config file and a QR code.

    <Steps>
      <Step title="Connect to the server over SSH">
        Take the IP and root password from the server card in the bot.

        ```bash theme={"system"}
        ssh root@YOUR_SERVER_IP
        ```
      </Step>

      <Step title="Download and run the script">
        ```bash theme={"system"}
        curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
        chmod +x wireguard-install.sh
        ./wireguard-install.sh
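        ```

        The script runs as root and makes changes to the server, so read through the downloaded file before you execute it.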
      </Step>

      <Step title="Answer the questions">
        The script will ask for your public IP, the port (default `51820`), DNS servers for clients, and the name of the first client. Not sure — press Enter; the defaults work for almost everyone.
      </Step>

      <Step title="Grab the client config">
        At the end, the script prints a **QR code** right in the terminal and creates a `.conf` file. The QR is handy for scanning from your phone; the file is for moving to a computer.
      </Step>
    </Steps>

    **Add more clients.** Each device gets its own config. Run the script again (`./wireguard-install.sh`) — a menu appears: add a client, remove one, or uninstall WireGuard entirely. The script sets up the NAT rules itself.
  </Tab>

  <Tab title="Manual — full control">
    For those who want to understand every step.

    <Steps>
      <Step title="Install the package">
        ```bash theme={"system"}
        apt update && apt install -y wireguard
        ```
      </Step>

      <Step title="Generate the keys">
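        ```bash theme={"system"}
        umask 077
        wg genkey | tee privatekey | wg pubkey > publickey
        ```

        `privatekey` is the server's secret key, `publickey` is the public one. `umask 077` creates both files readable only by the current user, so other accounts on the server cannot read the private key.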
      </Step>

      <Step title="Create the server config">
        File `/etc/wireguard/wg0.conf`. Minimal example:

        ```ini theme={"system"}
        [Interface]
        Address = 10.0.0.1/24
        ListenPort = 51820
        PrivateKey = PASTE_privatekey_CONTENTS

        [Peer]
        PublicKey = CLIENT_PUBLIC_KEY
        AllowedIPs = 10.0.0.2/32
        ```
      </Step>

      <Step title="Enable traffic routing">
        ```bash theme={"system"}
        echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
        sysctl -p
        ```

        Without this, the server won't pass client traffic through itself.
      </Step>

      <Step title="Bring up the interface">
        ```bash theme={"system"}
        wg-quick up wg0
        ```

        To stop it — `wg-quick down wg0`. To enable on boot — `systemctl enable wg-quick@wg0`.
      </Step>
    </Steps>

    <Warning>
      The manual method also needs NAT rules (`iptables` / `MASQUERADE`) so client traffic can reach the internet. The script in the other tab does this for you — if you'd rather not fuss with it, pick the script.
    </Warning>
  </Tab>
</Tabs>
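
For the manual method, the NAT rules the warning mentions can live in `wg0.conf` itself as `PostUp`/`PostDown` hooks, which `wg-quick` runs when the interface goes up and down. The script below is an added example, not part of the original page or of wireguard-install: the function names are illustrative, the subnet and port are taken from the sample config above, and the keys and outbound interface are supplied by the caller.

```bash
#!/bin/sh
# Added example: render a server wg0.conf for the manual method with NAT hooks.
# Assumed: subnet 10.0.0.0/24 and port 51820 as in the page's sample config;
# function names are illustrative; keys and interface come from the caller.

# Outbound interface: the "dev" field of the default route (eth0, ens3, ...).
default_iface() {
  ip -4 route show default |
    awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i + 1); exit}}'
}

# write_server_conf OUT_FILE SERVER_PRIVATE_KEY CLIENT_PUBLIC_KEY WAN_IFACE
write_server_conf() {
  # WAN_IFACE ends up in a command line that wg-quick runs as root,
  # so accept only plain interface-name characters.
  case $4 in
    '' | *[!A-Za-z0-9_.-]*) echo "bad interface name: $4" >&2; return 1 ;;
  esac
  ( umask 077 # the file holds the private key: create it as 0600
    cat > "$1" <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = $2
# %i is replaced by wg-quick with the interface name (wg0).
PostUp = iptables -I FORWARD -i %i -j ACCEPT
PostUp = iptables -I FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o $4 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o $4 -j MASQUERADE

[Peer]
PublicKey = $3
AllowedIPs = 10.0.0.2/32
EOF
  )
}

# On the server (needs root, wg and iproute2):
#   write_server_conf /etc/wireguard/wg0.conf "$(cat privatekey)" CLIENT_PUBLIC_KEY "$(default_iface)"
```

`umask` only affects files that are newly created: if `wg0.conf` already exists with wider permissions, tighten it with `chmod 600` as well.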

<Warning>
  Open WireGuard's UDP port in the firewall, otherwise the connection won't go through (default `51820`):

  ```bash theme={"system"}
  ufw allow 51820/udp
  ```

  If you chose a different port, substitute it. More details — [Firewall (ufw)](/en/vps/firewall).
</Warning>

## Connecting devices

Install the official WireGuard app and import the config:

| Platform    | Where from                                                                 |
| ----------- | -------------------------------------------------------------------------- |
| Windows     | Installer from [wireguard.com/install](https://www.wireguard.com/install/) |
| macOS · iOS | App Store                                                                  |
| Android     | Google Play or the APK from the site                                       |
| Linux       | Your distribution's package manager                                        |

In the app: **Add Tunnel** → import the `.conf` file or scan the QR code. Turn on the tunnel — all traffic goes through your server.

## What Lumi handles, and what you do

Lumi handles the server and network: the VPS is up, you have root access, a 10 Gbit/s port, and unlimited traffic. Setting up the VPN software is on you — it's your personal service. If a port won't open or the network won't come up on the server side, message [@lumisup\_robot](https://t.me/lumisup_robot).

## Where to next

<CardGroup cols={3}>
  <Card title="Firewall" icon="shield-halved" href="/en/vps/firewall">
    Open the WireGuard port the right way.
  </Card>

  <Card title="Harden the server" icon="lock" href="/en/vps/hardening">
    A VPS security checklist.
  </Card>

  <Card title="Another VPN" icon="layer-group" href="/en/vps/amnezia">
    Amnezia, if WireGuard is blocked.
  </Card>
</CardGroup>
