The WireGuard mobile app can import a config by scanning a QR code — much easier than typing keys.
1. Generate the phone’s keys (on the server is fine)
wg genkey | (umask 077; tee phone_private) | wg pubkey > phone_public
2. Write the phone’s config — phone.conf
[Interface]
Address = 10.0.0.7/24
PrivateKey = PHONE_PRIVATE_KEY
DNS = 1.1.1.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
(Use AllowedIPs = 0.0.0.0/0, ::/0 for a full tunnel, or specific subnets for split tunnel.)
3. Add the phone as a peer on the server
sudo wg set wg0 peer PHONE_PUBLIC_KEY allowed-ips 10.0.0.7/32
sudo wg-quick save wg0
4. Render the QR code
sudo apt install -y qrencode # if needed
qrencode -t ansiutf8 < phone.conf
A QR prints right in your terminal. In the WireGuard app: + → Create from QR code, scan it, name the tunnel, and toggle it on.
Verify
sudo wg show # the phone's peer shows a recent handshake once connected
Security: phone.conf contains a private key — delete it after scanning (shred -u phone.conf)
and don’t email it to yourself. Each device should get its own key pair and its own /32.