Copy · paste · wg-quick up
WireGuard configs you can actually paste.
Complete wg0.conf recipes — server and client side by side — for the
setups people actually build: road-warrior, full-tunnel, split-tunnel, site-to-site and home-LAN
access. Placeholders are marked, NAT and keepalive are sorted, and every recipe says how to verify it.
15 recipes
- [Basics] Add a WireGuard Peer Without Restarting the Tunnel. Add a new client to a running WireGuard server with wg set or wg syncconf — no downtime for existing peers. Copy-paste.
- [Basics] Install WireGuard & Generate Keys (Copy-Paste). Install wireguard-tools on Linux and generate a private/public key pair the right way (umask 077). Copy-paste.
- [Basics] Bring WireGuard Up/Down & Check Status (wg-quick, wg show). Start and stop a WireGuard tunnel with wg-quick, enable it on boot, and read wg show to confirm the handshake. Copy-paste.
- [Basics] The wg0.conf File Explained ([Interface] & [Peer]). What every line in a WireGuard wg0.conf means — Address, ListenPort, PrivateKey, PublicKey, Endpoint, AllowedIPs — with an annotated example. Copy-paste.
- [Scenarios] Access Your Home LAN Remotely with WireGuard. Reach every device on your home network from your laptop or phone — copy-paste server + client wg0.conf with the LAN subnet routed and NAT.
- [Scenarios] Full-Tunnel VPN: Route ALL Traffic Through WireGuard. Turn a WireGuard server into an internet gateway / exit node — copy-paste server + client wg0.conf with IP forwarding and NAT masquerade.
- [Scenarios] Add a Phone to WireGuard with a QR Code. Generate a WireGuard client config and turn it into a QR code with qrencode, then scan it in the mobile app. Copy-paste.
- [Scenarios] Minimal WireGuard Server + Client (Road Warrior). A complete, copy-paste WireGuard server and client wg0.conf pair for a single remote user — the foundation every other setup builds on.
- [Scenarios] WireGuard Site-to-Site (Connect Two LANs). Link two networks over WireGuard so hosts on each LAN reach the other — copy-paste wg0.conf for both gateways, with forwarding and routes.
- [Scenarios] Split Tunnel: Route Only Specific IPs Through WireGuard. Send just your server/LAN subnets through the tunnel while normal internet stays direct — copy-paste client AllowedIPs config.
- [Networking] WireGuard AllowedIPs Explained (the #1 Confusion). AllowedIPs is both a routing table and an access filter. What to put on the server vs the client, with copy-paste examples for each setup.
- [Networking] WireGuard DNS, PersistentKeepalive & MTU (Fix Drops & Leaks). Three settings that fix the most common WireGuard annoyances: DNS leaks, connections dropping when idle, and broken throughput. Copy-paste.
- [Networking] Enable IP Forwarding for WireGuard (net.ipv4.ip_forward). Turn on kernel IP forwarding so a WireGuard server can route client traffic — persistent sysctl config for IPv4 and IPv6. Copy-paste.
- [Networking] WireGuard NAT / MASQUERADE (PostUp & PostDown Rules). The exact PostUp/PostDown firewall rules to let WireGuard clients reach the internet or a LAN — iptables and nftables variants. Copy-paste.
- [Platforms] Run WireGuard in Docker (linuxserver/wireguard). A copy-paste docker-compose for WireGuard that auto-generates client configs and QR codes — plus the wg-easy web-UI alternative.
Why this exists
WireGuard is simple — until AllowedIPs and NAT aren't.
The protocol is tiny, but the answers are scattered across Reddit threads, gists and half-complete
blog posts — and one wrong AllowedIPs or a missing MASQUERADE rule means
"connected, no traffic". wgcookbook.pages.dev gives you the whole thing: matching
server and client wg0.conf files for each real scenario, every placeholder labelled, the
PostUp firewall lines included, and the wg show check to confirm it works.
How it works
Pick the setup, copy both ends, bring it up
- Pick a recipe. Browse by scenario in the full recipe list.
- Copy server & client. Each recipe shows both wg0.conf files with clearly marked placeholders.
- Bring it up and verify. Every recipe ends with wg-quick up and the wg show handshake check.
FAQ
Frequently asked questions
Are these WireGuard configs free?
Yes. Every recipe on wgcookbook.pages.dev is free to read and copy, with no account, paywall, or sign-up. Some outbound links (for example to VPS providers) may be affiliate links, which never change the price you pay.
Where do these configs go?
On the server and on each client, in /etc/wireguard/wg0.conf. Lock it down with "sudo chmod 600 /etc/wireguard/wg0.conf", then bring it up with "sudo wg-quick up wg0" (and "systemctl enable wg-quick@wg0" to start on boot). The Basics recipes walk through this.
The tunnel connects but I have no internet — why?
For a full-tunnel/gateway setup the server must forward and NAT your traffic: enable IP forwarding (net.ipv4.ip_forward=1) and add a PostUp MASQUERADE rule, and the client must use AllowedIPs = 0.0.0.0/0, ::/0. The full-tunnel and NAT recipes give the exact lines.
My connection drops when idle / I am behind NAT.
Add PersistentKeepalive = 25 to the [Peer] on the side that sits behind NAT (usually the client). It sends a tiny packet every 25s so the NAT mapping stays open. See the DNS/keepalive/MTU recipe.
What exactly is AllowedIPs?
It is two things at once: which source IPs WireGuard accepts from a peer, and which destination IPs it routes into the tunnel. On the server, each client gets its own /32; on the client, it is the subnets (or 0.0.0.0/0) you want to reach. It is the single biggest source of confusion — there is a dedicated recipe.
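The two roles described above can be modelled in a few lines. This is an added example, not one of the site's recipes: the peer names, addresses and function names are constructed placeholders, and the lookup is a simplified model of WireGuard's longest-prefix match over AllowedIPs.

```python
import ipaddress

# Constructed peer tables: public-key names and addresses are placeholders.
SERVER_PEERS = {
    "laptop-pubkey": ["10.0.0.2/32"],   # server side: one /32 per client
    "phone-pubkey": ["10.0.0.3/32"],
}
CLIENT_PEERS_FULL = {"server-pubkey": ["0.0.0.0/0", "::/0"]}   # full tunnel
CLIENT_PEERS_SPLIT = {"server-pubkey": ["10.0.0.0/24", "192.168.1.0/24"]}


def _lookup(peers, ip):
    """Longest-prefix match of ip against every peer's AllowedIPs."""
    addr = ipaddress.ip_address(ip)
    best = None  # (prefix length, peer name)
    for peer, cidrs in peers.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, peer)
    return best[1] if best else None


def route_outbound(peers, dst_ip):
    """Routing role: the peer that receives a packet addressed to dst_ip.
    None means no peer matches, so nothing is sent through the tunnel."""
    return _lookup(peers, dst_ip)


def accept_inbound(peers, from_peer, src_ip):
    """Filter role: a decrypted packet is kept only if its inner source IP
    maps back to the same peer whose key decrypted it."""
    return _lookup(peers, src_ip) == from_peer


if __name__ == "__main__":
    print(route_outbound(CLIENT_PEERS_FULL, "203.0.113.7"))    # tunnelled
    print(route_outbound(CLIENT_PEERS_SPLIT, "203.0.113.7"))   # stays direct
    print(accept_inbound(SERVER_PEERS, "laptop-pubkey", "10.0.0.3"))  # dropped
```

The last call shows why each client gets its own /32 on the server: a packet from the laptop's key that claims the phone's address fails the source check and is dropped.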
How do I add my phone?
Write a client config, render it as a QR code with "qrencode -t ansiutf8 < phone.conf", and scan it in the WireGuard mobile app. The phone-QR recipe shows the full config and command.