WireGuard VPN Setup

Holtzweb//easy-wg-quick

Hub + peer config in minutes // burghardt/easy-wg-quick

STEP 0 / 7 COMPLETE
1

Install WireGuard Tools

Kernel module + wg CLI on your hub server

WireGuard must be installed on the hub. Choose your OS below. Peers (clients) also need WireGuard installed — Android & iOS apps are available on their respective stores.

bash
sudo apt update && sudo apt install -y wireguard wireguard-tools qrencode
bash
sudo dnf install -y wireguard-tools qrencode
# Kernel module included since Linux 5.6+
bash
pkg install wireguard py38-qrencode
kldload if_wg
# Add if_wg_load="YES" to /boot/loader.conf for persistence
bash
sudo pacman -S wireguard-tools qrencode
✦ tip Full WireGuard install docs: wireguard.com/install
2

Download easy-wg-quick

Grab the script, make it executable

bash
wget https://raw.githubusercontent.com/burghardt/easy-wg-quick/master/easy-wg-quick
chmod +x easy-wg-quick
ℹ note The script requires only standard tools (wg, ip/route, awk). No other dependencies needed.
3

Overview of Configuration Files

Set your requirements before generating the Hub

The easy-wg-quick script uses multiple .txt files to configure settings. Edit them beforehand to customize your VPN setup.

!! REVERSE PROXY ALERT !!

If you are behind a reverse proxy/NAT, you MUST set extnetip.txt to the LOCAL ADDRESS of your WireGuard server (e.g. 192.168.1.50), not the public IP.

NETWORK CONFIGURATION

FilePurposeDefault
extnetif.txtExternal interface nameAuto-detected
extnetip.txtExternal IP of hubAuto-detected
intnetaddress.txtInternal IPv4 network prefixRandom 10.x.x.
intnetmask.txtInternal IPv4 subnet mask/24
intnetdns.txtIPv4 DNS for clients1.1.1.1
intnetmtu.txtInterface MTU size (1280-1420)1280
intnetallowedips.txtClient traffic routing0.0.0.0/0, ::/0
portno.txtWireGuard listening portRandom 1025-65535

IPV6 CONFIGURATION

FilePurposeDefault
forceipv6.txtForce IPv6 enablementNot created
ipv6mode.txtIPv6 routing mode (NAT vs NDP)masquerade
intnet6address.txtInternal IPv6 prefixRandom fd**::
intnet6mask.txtInternal IPv6 subnet mask/64
intnet6dns.txtIPv6 DNS for clients2606:4700:4700::1111

SYSTEM CONFIGURATION

FilePurposeDefault
fwtype.txtFirewall backendOS-dependent
sysctltype.txtIP forwarding controlOS-dependent
seqno.txtClient sequence number10
✦ setup tip Example: echo "51820" > portno.txt to set Wireguard on a static port number.
4

Generate Hub + First Peer

Run the script — zero arguments needed

Just run the script. On first run it creates wghub.conf (your server config) and wgclient_1.conf (first peer). Each subsequent run adds a new peer.

bash
./easy-wg-quick

# Files created:
#   wghub.conf        ← hub/server config
#   wgclient_1.conf   ← peer 1 config
#   wgclient_1.png    ← QR code image
#
# Run again to add more peers:
./easy-wg-quick    # → wgclient_2.conf
./easy-wg-quick    # → wgclient_3.conf
✦ named peers Pass a name argument to label peers: ./easy-wg-quick laptop → creates wgclient_laptop.conf
5

Activate Hub with wg-quick

Bring up the VPN interface on the server

Copy the generated hub config to WireGuard's config directory, then enable and start it with systemd.

bash
# Copy config
sudo cp wghub.conf /etc/wireguard/wghub.conf

# Enable & start on boot
sudo systemctl enable wg-quick@wghub
sudo systemctl start  wg-quick@wghub

# Check status
systemctl status wg-quick@wghub
ℹ no systemd? Use sudo wg-quick up wghub to bring up manually. Down: sudo wg-quick down wghub
6

Connect Your Peer(s)

QR code for mobile / copy conf for desktop

Each peer gets its own .conf file and a scannable QR code. Use whichever method fits the device.

Display the QR code directly in terminal and scan with the WireGuard app (Android/iOS):

bash
# Display QR in terminal
qrencode -t ansiutf8 < wgclient_1.conf

# Or display a saved QR image
cat wgclient_1.png | display
✦ re-display qr You can regenerate the QR any time with: qrencode -t ansiutf8 < wgclient_N.conf

Copy the peer config to WireGuard on the client machine and bring it up:

bash
# On the peer machine — copy config
sudo cp wgclient_1.conf /etc/wireguard/wgclient_1.conf
sudo systemctl enable wg-quick@wgclient_1
sudo systemctl start  wg-quick@wgclient_1

A UCI fragment is generated alongside each peer config. Append it to your router's network config:

bash
# On the OpenWRT router
cat wgclient_1_uci.conf >> /etc/config/network
/etc/init.d/network reload
7

Verify & Manage

Confirm tunnels are up, add future peers

Check that the hub sees connected peers and monitor traffic with wg show.

bash — hub
sudo wg show

# Expected output:
# interface: wghub
#   public key: kbaG3Hx...
#   listening port: 51820
#
# peer: th8qYu0...
#   endpoint: 10.x.x.x:PORT
#   allowed ips: 10.127.0.10/32
#   latest handshake: X seconds ago
#   transfer: 12 MiB received, 40 MiB sent

# Add more peers anytime:
./easy-wg-quick phone    # → wgclient_phone.conf
./easy-wg-quick tablet   # → wgclient_tablet.conf

# Self-upgrade the script:
./easy-wg-quick --upgrade
ℹ firewall / ports Open UDP 51820 inbound on your hub server (or whatever port is in portno.txt).

VPN is Live.

Hub configured · Peers connected · Traffic tunneled

Run ./easy-wg-quick <name> any time to add more peers.