Multi-Peer WireGuard Hardening on Anubiz VPS
Moving from a single road warrior to 20-50 team peers introduces problems wg-quick blog posts never cover: peer isolation, per-peer firewall, audit logs, key rotation when someone leaves. This guide is the multi-peer hardened build on an Anubiz Romania or Iceland VPS for a small team.
Topology
Hub-and-spoke. The Anubiz VPS is the hub at 10.66.66.1. Each team member gets a unique /32 inside 10.66.66.0/24. Peers reach the internet through the hub and (optionally) reach each other; default is they cannot.
Step 1: Peer Isolation
By default WireGuard lets peers route to each other through the hub. To isolate, in nftables filter table FORWARD chain: drop traffic from wg0 to wg0 unless src+dst are in an explicit allow list. This way peer A cannot scan peer B's laptop.
Step 2: Per-Peer Firewall
Mark traffic from each /32 with a different fwmark in nftables. Then apply different policies. Example: contractor peers can only reach the team's internal app at 10.30.0.5:443; full-time staff get full egress.
Step 3: Audit Logs
WireGuard does not log by design. Use wg show on a 60-second cron and log the latest-handshake timestamp per peer to /var/log/wg-audit.log. This gives you a session log without breaking the no-traffic-logging promise.
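The audit cron job from this step, as an added example that is not from the original post or from Anubiz. It parses the machine-readable `wg show wg0 dump` output rather than the human-readable `wg show`, keeps a small state file so that a line is written only when a peer's handshake actually advances (a session start or rekey) instead of every minute, and never prints the private or preshared keys that the dump contains. The state file path, the cron line and the peer keys used in the test are assumptions.

```shell
#!/bin/sh
# Added example: turn `wg show wg0 dump` into a per-peer session log.
# Assumptions (not from the original post): installed as /usr/local/sbin/wg-audit.sh
# and run once a minute from cron as
#   * * * * * root wg show wg0 dump | /usr/local/sbin/wg-audit.sh >> /var/log/wg-audit.log
# Keep the log and state file root-only (0600): public keys identify people.
WG_AUDIT_STATE="${WG_AUDIT_STATE:-/var/lib/wg-audit/last-handshake}"

# audit_from_dump STATE_FILE [NOW]     (dump text on stdin)
# Prints "<now> <pubkey> <allowed-ips> <handshake-epoch> <rx-bytes> <tx-bytes>"
# for every peer whose latest-handshake differs from the value in STATE_FILE,
# then rewrites STATE_FILE with the current handshake of every peer.
audit_from_dump() {
  state="$1"; now="${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
  tmp="$state.tmp"
  [ -f "$state" ] || : > "$state"
  awk -v now="$now" -v statefile="$state" -v tmp="$tmp" '
    BEGIN {
      while ((getline line < statefile) > 0) { split(line, f, " "); last[f[1]] = f[2] }
      printf "" > tmp        # always produce a state file, even when no peers are listed
    }
    # dump layout: line 1 is the interface (private key, public key, port, fwmark);
    # each peer line is: pubkey psk endpoint allowed-ips latest-handshake rx tx keepalive
    NR > 1 && NF >= 8 {
      pub = $1; allowed = $4; hs = $5; rx = $6; tx = $7
      if (hs > 0 && hs != last[pub]) print now, pub, allowed, hs, rx, tx
      print pub, hs > tmp
    }'
  mv "$tmp" "$state"
}

# Entry point when invoked from cron as wg-audit.sh; inert when the file is sourced.
case "$0" in
  */wg-audit.sh|wg-audit.sh)
    mkdir -p "$(dirname "$WG_AUDIT_STATE")"
    audit_from_dump "$WG_AUDIT_STATE" ;;
esac
```

Because WireGuard renegotiates roughly every two minutes while a peer is active, an active peer produces a line every couple of runs and an idle one produces nothing; the log therefore reads as sessions, and a key whose handshakes continue after its owner has left stands out immediately. The byte counters are cumulative since interface start, which is enough to see that a session moved data without recording what it was.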
Step 4: Key Rotation Runbook
When somebody leaves: remove their [Peer] block from wg0.conf, run wg syncconf wg0 <(wg-quick strip wg0) for hot reload. Their last handshake stays in audit. Have a quarterly rotation calendar so even active peers rotate keys.
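The offboarding runbook as a script, added here as an example that is not from the original post or from Anubiz. `remove_peer` drops exactly the `[Peer]` block whose `PublicKey` matches, leaving every other block byte-for-byte intact, and `offboard_peer` wraps it with an atomic config rewrite, the hot reload from the text (written as a pipe so it works in plain sh, not only bash), and an entry in the Step 3 audit log so the removal date sits next to the peer's last handshake. The config path, audit log path and the placeholder keys in the test are assumptions.

```shell
#!/bin/sh
# Added example: offboarding runbook. Not from the original post.
# Assumptions: hub config at /etc/wireguard/wg0.conf, audit log as in Step 3,
# wg and wg-quick on PATH. Keys used in tests are constructed placeholders.
WG_IF="${WG_IF:-wg0}"
WG_CONF="${WG_CONF:-/etc/wireguard/$WG_IF.conf}"
WG_AUDIT_LOG="${WG_AUDIT_LOG:-/var/log/wg-audit.log}"

# remove_peer CONF PUBKEY
# Prints CONF with the [Peer] block whose PublicKey equals PUBKEY removed.
# Blocks are buffered per section header so comments and blank lines inside
# the removed block go with it and every other block is untouched.
remove_peer() {
  awk -v key="$2" '
    function flush() { if (!drop && buf != "") printf "%s", buf; buf = ""; drop = 0 }
    /^\[/ { flush(); section = $0 }                 # new section: emit the previous block
    { buf = buf $0 "\n" }
    section == "[Peer]" && /^[ \t]*PublicKey[ \t]*=/ {
      v = $0
      sub(/^[ \t]*PublicKey[ \t]*=[ \t]*/, "", v)   # strip "PublicKey ="
      sub(/[ \t]+$/, "", v)                         # and trailing whitespace
      if (v == key) drop = 1                        # this block will not be emitted
    }
    END { flush() }
  ' "$1"
}

# offboard_peer PUBKEY: rewrite the config atomically, hot-reload, record the removal
offboard_peer() {
  key="$1"
  grep -qF -- "$key" "$WG_CONF" || { echo "no peer with key $key in $WG_CONF" >&2; return 1; }
  remove_peer "$WG_CONF" "$key" > "$WG_CONF.new"
  chmod 600 "$WG_CONF.new"
  mv "$WG_CONF.new" "$WG_CONF"
  # same hot reload as in the text, without bash process substitution
  wg-quick strip "$WG_IF" | wg syncconf "$WG_IF" /dev/stdin
  echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) REMOVED $key" >> "$WG_AUDIT_LOG"
}

# Entry point when invoked as wg-offboard.sh <pubkey>; inert when sourced.
case "$0" in
  */wg-offboard.sh|wg-offboard.sh) offboard_peer "$1" ;;
esac
```

`wg syncconf` only adds, removes and updates peers that differ from the running state, so existing sessions of the remaining peers are not interrupted; the removed peer's next handshake attempt is simply ignored by the hub. For the quarterly rotation of active peers the same `remove_peer` can be followed by appending a fresh `[Peer]` block with the new public key, then the same reload.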
Step 5: Backup the Hub Config
wg0.conf with all public keys is the single point of failure. Encrypt with age or sops and push to a private git repo. Recovery from a rebuilt VPS takes 2 minutes if you have the file.