VPS for WireGuard VPN Setup
WireGuard is the fastest and most modern VPN protocol available today. Its 4,000-line codebase (compared to OpenVPN's 70,000+) means a dramatically smaller attack surface and kernel-level performance. Hosting WireGuard on an AnubizHost offshore VPS gives you a private, high-speed tunnel with a static exit IP in a privacy-friendly jurisdiction.
WireGuard vs OpenVPN - Why WireGuard Wins on VPS
WireGuard operates inside the Linux kernel as a module (available since kernel 5.6). This means your VPN traffic bypasses the user-space overhead that OpenVPN and IPsec must deal with. In practice, WireGuard typically achieves 2-4x higher throughput than OpenVPN on the same hardware, with CPU usage that is 30-50% lower. On a 1 vCPU VPS, this matters significantly - OpenVPN at 500 Mbps can saturate a core, while WireGuard at the same throughput uses less than 20% CPU.
WireGuard also has a much simpler configuration surface. There are no cipher suite negotiation failures, no TLS version mismatches, and no certificate authority chain to maintain. The entire configuration for a peer is a public key, an allowed IP range, and an optional endpoint address. This simplicity makes it easier to audit your own configuration and harder to introduce security mistakes.
The protocol uses ChaCha20 for encryption, Poly1305 for authentication, Curve25519 for key exchange, BLAKE2 for hashing, and SipHash24 for hashtable keys. All are modern, well-analyzed primitives with no known practical attacks. For threat models involving nation-state adversaries, WireGuard's cryptographic choices are significantly better than OpenVPN's legacy cipher support.
Hardware Requirements and Performance Benchmarks
WireGuard is extremely efficient. The minimum practical configuration for a personal WireGuard server is 512 MB RAM and 1 vCPU - the Romania VPS Start at $17.90/mo handles this easily. For a team of 10-20 simultaneous users, 1 vCPU and 1 GB RAM is comfortable. For 50+ users routing all traffic through the VPN, 2 vCPU and 2 GB RAM with a 10 Gbps port (available on higher-tier plans) is recommended.
Realistic throughput on AnubizHost's 1 Gbps nodes: a single WireGuard tunnel will saturate the full gigabit uplink before the CPU becomes a bottleneck. Latency between client and server dominates - choose the node geographically closest to your users. Iceland is excellent for Scandinavian users, Romania for Eastern Europe, and Netherlands for Western Europe.
Disk usage is negligible - the WireGuard daemon and its keys occupy under 5 MB. The OS itself will use roughly 200-300 MB of RAM at idle on a minimal Debian install. Everything else is available for your VPN traffic and any co-hosted services.
Step-by-Step WireGuard Installation on Debian/Ubuntu
Connect to your AnubizHost VPS via SSH as root. Install WireGuard: apt update && apt install -y wireguard. Generate server keys under a restrictive umask so the private key file is never created world-readable: umask 077 && wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key && chmod 600 /etc/wireguard/private.key.
Create the interface configuration at /etc/wireguard/wg0.conf: set [Interface] with Address (e.g., 10.8.0.1/24), ListenPort (51820 or 443 for firewall bypass; WireGuard listens on UDP only), PrivateKey, and PostUp/PreDown iptables rules for NAT masquerading. For each client, add a [Peer] block with the client's PublicKey and AllowedIPs. Because wg0.conf contains the private key, keep it readable by root only.
Enable IP forwarding: echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf && sysctl -p. Start and enable the service: systemctl enable --now wg-quick@wg0. Verify: wg show. The interface should appear with your server public key and the configured listen port.
For client configuration, generate a keypair on the client device and add the client's public key as a [Peer] on the server. The client config needs the server's public key, endpoint (your VPS IP:port), AllowedIPs (0.0.0.0/0 for full tunnel), and the client private key. Use qrencode on the server to generate a QR code for mobile clients: apt install qrencode && qrencode -t ansiutf8 < client.conf.
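The wg0.conf and client.conf that the steps above describe in prose, as an added example rather than AnubizHost's own tooling. It also assigns each new peer the next free address in the page's 10.8.0.0/24 subnet; the WAN interface name eth0 and every key string passed in are assumptions or constructed placeholders.

```shell
# Added example: key arguments are constructed placeholders, not real keys.
WG_NET="10.8.0"             # tunnel subnet 10.8.0.0/24 from the page
WAN_IF="${WAN_IF:-eth0}"    # assumption: public interface name

# render_server_conf SERVER_PRIVKEY PORT -> [Interface] section with NAT rules
render_server_conf() {
    cat <<EOF
[Interface]
Address = ${WG_NET}.1/24
ListenPort = $2
PrivateKey = $1
PostUp = iptables -t nat -A POSTROUTING -s ${WG_NET}.0/24 -o ${WAN_IF} -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -s ${WG_NET}.0/24 -o ${WAN_IF} -j MASQUERADE
EOF
}

# next_free_octet CONF -> lowest host octet (2..254) not yet used in AllowedIPs
next_free_octet() {
    n=2
    while [ "$n" -le 254 ]; do
        grep -Eq "^AllowedIPs *= *${WG_NET}\.${n}/32" "$1" || { echo "$n"; return 0; }
        n=$((n + 1))
    done
    return 1   # subnet exhausted
}

# add_peer CONF CLIENT_PUBKEY PSK -> appends a [Peer] block, prints its address
add_peer() {
    octet=$(next_free_octet "$1") || return 1
    printf '\n[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s.%s/32\n' \
        "$2" "$3" "$WG_NET" "$octet" >> "$1"
    echo "${WG_NET}.${octet}"
}

# render_client_conf CLIENT_PRIVKEY ADDRESS SERVER_PUBKEY PSK ENDPOINT
render_client_conf() {
    cat <<EOF
[Interface]
Address = $2/32
PrivateKey = $1

[Peer]
PublicKey = $3
PresharedKey = $4
Endpoint = $5
AllowedIPs = 0.0.0.0/0
EOF
}
```

On a real server the key arguments come from wg genkey, wg pubkey and wg genpsk, and the output is written under umask 077. The server-side AllowedIPs is a single /32 per client, so each peer can only send from its own tunnel address.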
Multi-Peer Management and Security Hardening
Managing many peers manually in wg0.conf becomes tedious. WireGuard-UI (a web-based management panel) runs as a Docker container and provides a browser interface for adding and revoking peers, generating client QR codes, and viewing connection status. Install Docker on your VPS and run WireGuard-UI on localhost:5000, then proxy it through Nginx with basic authentication and an SSL certificate from Let's Encrypt.
Security hardening steps: disable IPv6 if you are not routing it through the tunnel (net.ipv6.conf.all.disable_ipv6 = 1 in sysctl; this setting applies to every interface on the host, not only the WireGuard one) to prevent IPv6 leaks. Set a pre-shared key (PSK) on each peer for an additional layer of symmetric encryption on top of the Curve25519 handshake; wg genpsk generates one. Add it as PresharedKey under both the server's [Peer] block for that client and the client's [Peer] block for the server.
Use ufw or nftables to restrict SSH access to your management IP only, with WireGuard open on its configured port. This prevents brute-force SSH attempts from the public internet. AnubizHost's nodes come with no pre-installed firewall rules, so you have a clean slate to implement exactly the policy you need.
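A check for two of the hardening points above (key material readable by root only, and a PresharedKey on every peer), as an added example that is not part of the original page. The sample config and all key strings in it are constructed placeholders.

```shell
# Added example: constructed sample config; peer A has a PSK, peer B does not.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = CONSTRUCTED_SERVER_PRIVKEY=

[Peer]
PublicKey = CONSTRUCTED_PUBKEY_A=
PresharedKey = CONSTRUCTED_PSK_A=
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = CONSTRUCTED_PUBKEY_B=
AllowedIPs = 10.8.0.3/32
EOF
}

# peers_missing_psk CONF -> prints the PublicKey of each [Peer] with no PresharedKey
peers_missing_psk() {
    awk '
        function report() { if (inpeer && !psk) print pub }
        /^\[/              { report(); inpeer = ($0 == "[Peer]"); psk = 0; pub = "unknown" }
        /^PublicKey *=/    { pub = $0; sub(/^PublicKey *= */, "", pub) }
        /^PresharedKey *=/ { psk = 1 }
        END                { report() }
    ' "$1"
}

# is_private_file FILE -> true when group and other have no permission bits
is_private_file() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_wg CONF KEYFILE -> prints one line per finding, returns 1 if any
audit_wg() {
    rc=0
    for f in "$1" "$2"; do
        is_private_file "$f" || { echo "FAIL perms: $f is accessible to group/other"; rc=1; }
    done
    for p in $(peers_missing_psk "$1"); do
        echo "FAIL psk: peer $p has no PresharedKey"; rc=1
    done
    return $rc
}
```

On the server this would be run as audit_wg /etc/wireguard/wg0.conf /etc/wireguard/private.key, for example from a cron job after peers are added or revoked.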