Free WireGuard Config Generator

Generate WireGuard VPN configuration files for servers and clients. Configure peers, AllowedIPs, and download ready-to-use .conf files.

Configuration Type:

Server Configuration

Interface

Private Key

Address

Listen Port

DNS Servers

PostUp Command

PostDown Command

Peers (1)

Public Key

Allowed IPs

Generated Config

[Interface]
# Server Configuration
PrivateKey = <YOUR_SERVER_PRIVATE_KEY>
Address = 10.0.0.1/24
ListenPort = 51820
DNS = 1.1.1.1, 8.8.8.8
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Client 1
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32

Generate WireGuard Keys

WireGuard keys must be generated using the wg command:

# Generate private key
wg genkey > privatekey

# Generate public key from private key
wg pubkey < privatekey > publickey

Common AllowedIPs Configurations

Route All Traffic (Full Tunnel)

0.0.0.0/0, ::/0

VPN Network Only (Split Tunnel)

10.0.0.0/24

Single Client IP

10.0.0.2/32

Private Networks

10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

How to Use the WireGuard Config Generator

Choose Server or Client Mode

Select whether you are creating a server configuration (with ListenPort and NAT rules) or a client configuration (connects to a server endpoint). Servers need public IPs, clients can be behind NAT.

Enter Interface Settings

Provide your private key (from wg genkey), VPN IP address (e.g., 10.0.0.1/24 for server), and listen port for servers (default 51820). The tool validates all fields for correct format.

Add Peer Configuration

Enter peer public keys, allowed IPs (traffic to route through VPN), and for clients, the server endpoint (IP:port). Enable PersistentKeepalive for peers behind NAT.

Download Configuration File

Click Generate to create your wg0.conf file. Download it and place in /etc/wireguard/ on Linux, or import into WireGuard apps on Windows, macOS, iOS, or Android.

Pro tip: Your data is processed entirely in your browser. Nothing is sent to any server, ensuring complete privacy.

About WireGuard Configuration

WireGuard is a next-generation VPN protocol known for its simplicity and performance. Configuration is done through simple .conf files with [Interface] and [Peer] sections. Our generator helps you create properly formatted configs without memorizing the syntax.

Configuration Sections

[Interface]: Your local WireGuard settings including private key, IP address, and listen port
[Peer]: Remote peer configuration with public key, allowed IPs, and optional endpoint
PostUp/PostDown: Commands to run when the interface comes up or goes down (typically NAT rules on servers)
AllowedIPs: IP ranges that should be routed through the VPN tunnel for this peer
PersistentKeepalive: Send keepalive packets to maintain connection through NAT/firewalls

Frequently Asked Questions

What is WireGuard?

WireGuard is a modern, fast, and secure VPN protocol. It aims to be simpler and more performant than IPsec and OpenVPN while maintaining strong cryptography. WireGuard uses state-of-the-art cryptography and has a smaller codebase, making it easier to audit and more secure.

How do I generate WireGuard keys?

WireGuard keys are generated using the `wg` command-line tool. Run `wg genkey` to generate a private key, then pipe it to `wg pubkey` to derive the public key: `wg genkey | tee privatekey | wg pubkey > publickey`. Each peer needs their own unique key pair.

What is the difference between server and client configs?

A WireGuard server config includes ListenPort and typically has PostUp/PostDown rules for NAT. It lists all clients as [Peer] sections. Client configs have no ListenPort and list the server as a single [Peer] with an Endpoint. Both use the same config format.

What should I set for AllowedIPs?

AllowedIPs determines what traffic goes through the VPN. Use `0.0.0.0/0, ::/0` to route all traffic (full tunnel). Use specific subnets like `10.0.0.0/24` for split tunneling. On the server, set AllowedIPs to each client's IP (e.g., `10.0.0.2/32`).

What port does WireGuard use?

WireGuard uses UDP port 51820 by default, but you can configure any port. Make sure your firewall allows incoming UDP traffic on the chosen port. Some networks block non-standard ports, so 443 or 53 might work better in restricted environments.

Related Tools

JSON Formatter

Format, validate, and beautify JSON data online. Syntax highlighting, error detection, tree view, and minification. Fix malformed JSON instantly.

JSON Validator & Formatter

Validate JSON syntax, format and beautify, minify, and get detailed statistics about your JSON data.

CSV to JSON Converter

Convert CSV to JSON array instantly. Custom delimiters, header row detection, nested object support. Paste CSV or upload file. Perfect for data transformation.

YouTube URL Parser

Parse YouTube URLs to extract video IDs, playlist IDs, timestamps, and channel information.

View all Developer Tools