The base case: one VPS (server) and one laptop (client). Get this working first — every other recipe is a variation of it.
Server — /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
[Peer]
# the laptop
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
Client — /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.2/24
PrivateKey = CLIENT_PRIVATE_KEY
[Peer]
# the server
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:51820
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25
This minimal version only lets the two nodes reach each other over the VPN (AllowedIPs is just the other VPN IP). To route internet traffic, see the full-tunnel recipe; to reach a LAN, see the home-LAN recipe.
Open the port (server)
WireGuard uses UDP 51820. Open it in the firewall / cloud security group:
sudo ufw allow 51820/udp
Bring both up and verify
sudo wg-quick up wg0 # on each node
sudo wg show # check for a recent handshake
ping 10.0.0.1 # from the client
If there’s no handshake: confirm UDP 51820 is open on the server, the client’s Endpoint is the server’s real public IP, and the keys aren’t swapped (server’s public key in the client [Peer], client’s public key in the server [Peer]).
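As an added example (not part of the original recipe), here is a small Python linter for the server/client pair above. It parses both wg0.conf files and checks the parts of the troubleshooting list that can be verified offline: the keys are not swapped (each side's [Peer] PublicKey is derived from the other side's PrivateKey with a pure-Python X25519 per RFC 7748, which is what `wg pubkey` computes, so no wg binary is needed), the client's Endpoint port equals the server's ListenPort, and each AllowedIPs actually covers the other side's tunnel address. The demo private keys, the 203.0.113.10 endpoint and all function names are constructed for this example; whether UDP 51820 is open on the server is something only the firewall can tell you.

```python
import base64
import ipaddress

P = 2**255 - 19      # field prime of Curve25519
A24 = 121665         # (A - 2) / 4 for the Montgomery curve


def x25519_pubkey(private_b64: str) -> str:
    """Base64 public key from a base64 WireGuard private key (RFC 7748 X25519).

    Same computation as `wg pubkey`. Not constant-time: fine for linting a
    config file, not for handling keys in a production service.
    """
    k = bytearray(base64.b64decode(private_b64))
    if len(k) != 32:
        raise ValueError("WireGuard private key must decode to 32 bytes")
    k[0] &= 248                      # clamp the scalar
    k[31] &= 127
    k[31] |= 64
    scalar = int.from_bytes(k, "little")
    x1 = 9                           # u-coordinate of the base point
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):     # Montgomery ladder, one step per bit
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    u = x2 * pow(z2, P - 2, P) % P   # affine u = X / Z
    return base64.b64encode(u.to_bytes(32, "little")).decode()


def pubkey_hex(private_hex: str) -> str:
    """Hex-in/hex-out wrapper, handy for checking against RFC 7748 vectors."""
    pub_b64 = x25519_pubkey(base64.b64encode(bytes.fromhex(private_hex)).decode())
    return base64.b64decode(pub_b64).hex()


def parse_conf(text: str) -> dict:
    """Parse wg-quick INI text into {'Interface': {...}, 'Peers': [{...}]}."""
    conf = {"Interface": {}, "Peers": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            section = conf["Interface"]
        elif line == "[Peer]":
            section = {}
            conf["Peers"].append(section)
        elif "=" in line and section is not None:
            key, val = (part.strip() for part in line.split("=", 1))
            section[key] = val
    return conf


def covers(allowed_ips: str, addr) -> bool:
    """True if any prefix in an AllowedIPs list contains addr."""
    return any(addr in ipaddress.ip_network(p.strip(), strict=False)
               for p in allowed_ips.split(",") if p.strip())


def lint_pair(server_text: str, client_text: str) -> list:
    """Cross-check a server/client pair; an empty list means it is consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    s_if, c_if = s["Interface"], c["Interface"]
    s_peer, c_peer = s["Peers"][0], c["Peers"][0]
    problems = []
    # keys: each [Peer] PublicKey must be the OTHER side's public key
    if c_peer.get("PublicKey") != x25519_pubkey(s_if["PrivateKey"]):
        problems.append("client [Peer] PublicKey is not the server's public key")
    if s_peer.get("PublicKey") != x25519_pubkey(c_if["PrivateKey"]):
        problems.append("server [Peer] PublicKey is not the client's public key")
    # the client's Endpoint port must be the server's ListenPort
    port = c_peer.get("Endpoint", "").rsplit(":", 1)[-1]
    if port != s_if.get("ListenPort"):
        problems.append(f"client Endpoint port {port!r} != server ListenPort")
    # AllowedIPs on each side must cover the other side's tunnel address
    s_addr = ipaddress.ip_interface(s_if["Address"]).ip
    c_addr = ipaddress.ip_interface(c_if["Address"]).ip
    if not covers(c_peer.get("AllowedIPs", ""), s_addr):
        problems.append(f"client AllowedIPs does not cover {s_addr}")
    if not covers(s_peer.get("AllowedIPs", ""), c_addr):
        problems.append(f"server AllowedIPs does not cover {c_addr}")
    if "PersistentKeepalive" not in c_peer:
        problems.append("client has no PersistentKeepalive (needed behind NAT)")
    return problems


# Constructed demo keys (deterministic bytes, not real keys) standing in for
# SERVER_PRIVATE_KEY / CLIENT_PRIVATE_KEY; 203.0.113.10 is a documentation IP.
SERVER_PRIV = base64.b64encode(bytes(range(32))).decode()
CLIENT_PRIV = base64.b64encode(bytes(range(32, 64))).decode()
SERVER_TEMPLATE = ("[Interface]\nAddress = 10.0.0.1/24\nListenPort = 51820\n"
                   "PrivateKey = {priv}\n[Peer]\n# the laptop\n"
                   "PublicKey = {peer_pub}\nAllowedIPs = 10.0.0.2/32\n")
CLIENT_TEMPLATE = ("[Interface]\nAddress = 10.0.0.2/24\nPrivateKey = {priv}\n"
                   "[Peer]\n# the server\nPublicKey = {peer_pub}\n"
                   "Endpoint = 203.0.113.10:51820\nAllowedIPs = 10.0.0.1/32\n"
                   "PersistentKeepalive = 25\n")


def demo_configs(swap_keys: bool = False):
    """Build the recipe's two configs; swap_keys reproduces the classic mistake."""
    s_pub, c_pub = x25519_pubkey(SERVER_PRIV), x25519_pubkey(CLIENT_PRIV)
    if swap_keys:
        s_pub, c_pub = c_pub, s_pub
    return (SERVER_TEMPLATE.format(priv=SERVER_PRIV, peer_pub=c_pub),
            CLIENT_TEMPLATE.format(priv=CLIENT_PRIV, peer_pub=s_pub))


if __name__ == "__main__":
    print("correct pair:", lint_pair(*demo_configs()) or "OK")
    print("swapped keys:", lint_pair(*demo_configs(swap_keys=True)))
```

To run it against real files, read each wg0.conf into a string and call `lint_pair(server_text, client_text)`; the first two checks are exactly the "keys aren't swapped" rule from the note above, and the derivation can be cross-checked on the server with `wg pubkey` if you want a second opinion.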