Introduction to WireGuard

WireGuard is a modern, fast, simple, and secure Virtual Private Network (VPN) protocol designed to replace traditional VPN technologies such as IPsec and OpenVPN. It is faster, simpler, leaner, and more practical than IPsec while avoiding much of IPsec's operational trouble, and it offers higher performance than OpenVPN. Originally released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. Although still under active development, it is likely already regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

Main Use Cases:

  • Secure remote access to the enterprise intranet for employees working from home or traveling who need secure access to internal systems (e.g., file servers, ERP, databases).
  • Cross-branch interconnection (Site-to-Site), e.g., stable communication between a European office and the China headquarters.
  • Secure interconnection between cloud servers and local data centers, connecting business systems on Alibaba Cloud/AWS/Azure with local IDCs.
  • Secure interconnection between home networks and cloud servers, accessing home NAS files while traveling.
  • Secure communication for IoT devices, where smart cameras, industrial sensors, POS machines, etc., need to securely transmit data back to the data center.
  • Container and microservice network isolation, cross-host communication in container scenarios, e.g., using tools like wg-easy or Netmaker to quickly build overlay networks.

WireGuard Deployment

Installing WireGuard

WireGuard has been merged into the mainline kernel since Linux 5.6. Most modern distributions can install the userspace tools directly:

sudo apt update
sudo apt install wireguard wireguard-tools

Note: If using CentOS/RHEL, you need to enable EPEL or use the elrepo kernel module first; Windows/macOS clients can download the official GUI app from wireguard.com.

Generating Key Pairs

cd /etc/wireguard/
umask 077  # Ensure key files are created readable by their owner only
wg genkey | tee server_private.key | wg pubkey > server_public.key    # Server key pair
wg genkey | tee client1_private.key | wg pubkey > client1_public.key  # Client A key pair
wg genkey | tee client2_private.key | wg pubkey > client2_public.key  # Client B key pair

WireGuard Configuration Management

WireGuard does not have a strict server/client distinction, but usually a node with a public IP is required to act as a relay server (Hub).

Edit the server-side (relay) configuration file /etc/wireguard/wg0.conf:

[Interface]
Address = 10.100.0.1/24
ListenPort = 51820
# Paste the key string itself (the contents of server_private.key), never the command that generated it
PrivateKey = <contents of server_private.key>

# %i expands to the interface name (wg0); replace eth0 with the server's actual uplink interface
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Client A
[Peer]
PublicKey = <contents of client1_public.key>
AllowedIPs = 10.100.0.2/32

# Client B
[Peer]
PublicKey = <contents of client2_public.key>
AllowedIPs = 10.100.0.3/32
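The two steps above (generating key files, then writing wg0.conf) are where most first deployments go wrong: a file name or the generating command ends up in the PrivateKey/PublicKey field, or two peers are given the same AllowedIPs. The following script is an added example, not part of the original post or of the WireGuard project: it renders the hub's wg0.conf and a client config by reading the key strings out of the key files, validates that each looks like a WireGuard key, and refuses duplicate AllowedIPs. The function names, the key-file layout from the key-generation step, the 10.100.0.0/24 addressing and the endpoint vpn.example.com are this example's own assumptions; it uses only POSIX tools, so it runs even where wg is not installed.

```shell
#!/bin/sh
# Added example (not from the original post): render wg0.conf and a client config
# from key files created with "wg genkey | tee NAME_private.key | wg pubkey > NAME_public.key".
# Assumptions: one key per file; addressing, names and endpoint are illustrative.

# A WireGuard key is 32 random bytes in base64: 43 base64 characters followed by one '='.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# read_key FILE: print the key stored in FILE, or fail if it is missing or malformed.
read_key() {
    key=$(head -n 1 "$1" 2>/dev/null | tr -d '\r\n ')
    is_wg_key "$key" || { echo "read_key: no valid WireGuard key in $1" >&2; return 1; }
    printf '%s' "$key"
}

# render_server_conf SERVER_PRIV_FILE ADDRESS LISTEN_PORT PEER...
# Each PEER is "name:public_key_file:ip/32". Two peers claiming the same AllowedIPs are
# rejected: WireGuard's cryptokey routing would deliver that address to only one of them.
render_server_conf() {
    priv=$(read_key "$1") || return 1
    addr=$2; port=$3; shift 3
    seen=""
    printf '[Interface]\nAddress = %s\nListenPort = %s\nPrivateKey = %s\n' "$addr" "$port" "$priv"
    for peer in "$@"; do
        name=${peer%%:*}
        rest=${peer#*:}
        keyfile=${rest%%:*}
        ip=${rest#*:}
        case " $seen " in
            *" $ip "*) echo "render_server_conf: duplicate AllowedIPs $ip ($name)" >&2; return 1 ;;
        esac
        seen="$seen $ip"
        pub=$(read_key "$keyfile") || return 1
        printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$name" "$pub" "$ip"
    done
}

# render_client_conf CLIENT_PRIV_FILE CLIENT_ADDRESS SERVER_PUB_FILE ENDPOINT [ALLOWED_IPS]
# ALLOWED_IPS defaults to the VPN subnet only (split tunnel); pass 0.0.0.0/0 to send all
# client traffic through the hub. PersistentKeepalive keeps NAT mappings open for clients behind NAT.
render_client_conf() {
    priv=$(read_key "$1") || return 1
    spub=$(read_key "$3") || return 1
    allowed=${5:-10.100.0.0/24}
    printf '[Interface]\nAddress = %s\nPrivateKey = %s\n\n[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
        "$2" "$priv" "$spub" "$4" "$allowed"
}

# Typical use on the hub, with the key files from the key-generation step:
#   umask 077
#   render_server_conf server_private.key 10.100.0.1/24 51820 \
#       "clientA:client1_public.key:10.100.0.2/32" "clientB:client2_public.key:10.100.0.3/32" > /etc/wireguard/wg0.conf
#   render_client_conf client1_private.key 10.100.0.2/24 server_public.key vpn.example.com:51820 > client1.conf
```

Run it with umask 077 so the rendered files inherit the same owner-only permissions as the key files; the client config contains the client's private key and should be handed over through a secure channel and then deleted from the hub.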

Enable Auto-start on Boot

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
# Check status
sudo wg show
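wg show tells you which peers are configured; what an operator usually wants to know is which of them are actually alive. The script below is an added example, not part of the original post: it reads the machine-readable form of that status (wg show wg0 dump, one tab-separated line per peer with public key, preshared key, endpoint, allowed IPs, latest handshake as Unix time where 0 means never, bytes received, bytes sent, and keepalive interval; the first line describes the interface and has only four fields) and lists peers that have not handshaked within a threshold. The function names, the 180-second threshold and the embedded sample dump with placeholder keys are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): report peers with stale or missing handshakes
# from "wg show <iface> dump" output. Threshold and sample data are this example's choices.

# check_handshakes NOW MAX_AGE_SECONDS   (reads dump output on stdin)
# Prints "public-key<TAB>age<TAB>allowed-ips" for every peer whose latest handshake is
# older than MAX_AGE_SECONDS, or "never" for peers that have not completed one at all.
check_handshakes() {
    awk -F '\t' -v now="$1" -v max="$2" '
        NF == 8 {                                 # peer lines have 8 fields; the interface line has 4
            if ($5 == 0) { printf "%s\tnever\t%s\n", $1, $4; next }
            age = now - $5
            if (age > max) printf "%s\t%ds\t%s\n", $1, age, $4
        }'
}

# Constructed sample of "wg show wg0 dump" with placeholder keys, as seen at Unix time
# 1700000000: peer A handshaked 30 s ago, peer B 10000 s ago, peer C never connected.
sample_dump() {
    printf 'SERVER_PRIVATE_KEY_PLACEHOLDER\tSERVER_PUBLIC_KEY_PLACEHOLDER\t51820\toff\n'
    printf 'PEER_A_PUBKEY\t(none)\t203.0.113.10:41821\t10.100.0.2/32\t1699999970\t1200\t3400\toff\n'
    printf 'PEER_B_PUBKEY\t(none)\t198.51.100.7:51820\t10.100.0.3/32\t1699990000\t900\t2100\t25\n'
    printf 'PEER_C_PUBKEY\t(none)\t(none)\t10.100.0.4/32\t0\t0\t0\toff\n'
}

# Dry run against the constructed sample. On a live hub use:
#   sudo wg show wg0 dump | check_handshakes "$(date +%s)" 180
sample_dump | check_handshakes 1700000000 180
```

Read the result with one caveat in mind: WireGuard only renegotiates a handshake when there is traffic to send, so a peer that has been idle looks stale even though its key material is fine. A stale entry therefore means "not currently in use", which is still the right starting point when reviewing which issued keys can be revoked; a "never" entry with an endpoint of (none) is a peer that was provisioned but has never connected.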

Configure Kernel Forwarding and Firewall (CentOS/Ubuntu):

# Enable IPv4 forwarding
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

# Open firewall port (optional, adjust based on actual situation)
sudo firewall-cmd --permanent --add-port=51820/udp
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.100.0.0/24 masquerade'
sudo firewall-cmd --reload
# If using iptables, refer to the PostUp/PostDown scripts above

WireGuard Dashboard

wg-easy (Lightweight Web UI)

  • Features: Single-page application, one-click Docker deployment, supports QR code scanning for connection, traffic monitoring, and online client toggling.
  • Use Cases: Small to medium teams (<50 users), quickly setting up a remote office VPN.
  • One-click deployment command:
docker run -d \
  --name=wg-easy \
  -e WG_HOST=your.domain.com \
  -e WG_PORT=51820 \
  -e WG_DEFAULT_ADDRESS=10.100.0.x \
  -e PASSWORD=your_admin_password \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51821:51821 \
  -p 51820:51820/udp \
  weejewel/wg-easy

Note: wg-easy has no user permission isolation by default and is not suitable for multi-tenant or high-security scenarios.

Netmaker (Enterprise-grade SD-WAN Architecture)

  • Features:

    • Supports Mesh networking (arbitrary node interconnection), Site-to-Site, and Kubernetes integration;
    • Provides REST API, RBAC permission control, ACL policies, and metrics monitoring (Prometheus);
    • Separation of control plane (netmaker) and data plane (netclient), supporting dynamic topology.
  • Architecture Components:

    • Netmaker Server: Manages nodes, policies, and certificates;
    • Netclient: Deployed on endpoints (servers/PCs/IoT), automatically registers and fetches configurations;
    • MQTT Broker (Optional): Used for large-scale node status synchronization.
  • Deployment Methods: Supports Helm Chart (K8s), Docker Compose, and systemd.

Recommended for: Complex topologies such as cross-branch interconnection, hybrid cloud networking, and IoT device cluster management.

Tailscale / Headscale (Zero Trust Architecture)

  • Not a plain WireGuard deployment, but built on the WireGuard protocol at its core;
  • Provides SSO (Google/Azure/OIDC), device authentication, and fine-grained ACLs;
  • Headscale is the open-source self-hosted version, suitable for enterprises with high data compliance requirements.

Tailscale is a commercial SaaS service (free version supports 3 users), while Headscale is its open-source, self-hosted alternative; the protocols are fully compatible.

A strongly recommended combination: run the open-source Headscale as the control server and use the Tailscale client on the endpoints.