WireGuard needs a key pair on every node (server and each client). The private key stays on that node; its public key is shared with the other end.
1. Install
# Debian / Ubuntu
sudo apt update && sudo apt install -y wireguard
# Fedora / RHEL
sudo dnf install -y wireguard-tools
# Arch
sudo pacman -S wireguard-tools
2. Generate keys
Generate a private key with a tight umask, then derive the public key from it:
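# These commands write under /etc/wireguard, so run them as root (for example from a sudo -i shell)
cd /etc/wireguard
wg genkey | (umask 077; tee privatekey) | wg pubkey | tee publickey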
privatekey — goes in this node’s [Interface] PrivateKey.
publickey — goes in the other node’s [Peer] PublicKey.
3. (Optional) a pre-shared key for extra hardening
A symmetric PSK adds a layer of post-quantum resistance; put the same value in the [Peer]
section on both peers as PresharedKey. Create it under the same tight umask as the private key:
(umask 077; wg genpsk > presharedkey)
Verify
cat /etc/wireguard/publickey
Key hygiene: never share or commit the private key, and keep /etc/wireguard at mode 700 and
the conf at 600. Each node has exactly one private key; you’ll exchange only the public keys
between nodes.
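
The checks from the key-hygiene note as a script. This is an added example, not part of the original page; the function names wg_audit, mode_of and is_wg_key are hypothetical, and it assumes GNU stat and base64 plus the file names used in the steps above.

```shell
#!/bin/sh
# Added example: audit a WireGuard directory against the modes stated above.
# Usage (as root):  wg_audit /etc/wireguard && echo "all checks passed"
# Returns 0 when every check passes, 1 otherwise; findings go to stdout.

# Print the octal permission bits of a path (GNU stat syntax).
mode_of() { stat -c '%a' "$1"; }

# WireGuard private, public and pre-shared keys are all 32 raw bytes,
# stored as one line of base64.
is_wg_key() {
    n=$(tr -d '\n' < "$1" | base64 -d 2>/dev/null | wc -c)
    [ "$((n))" -eq 32 ]
}

wg_audit() {
    dir=${1:-/etc/wireguard}
    rc=0
    # The directory itself must be owner-only.
    if [ "$(mode_of "$dir")" != 700 ]; then
        echo "FAIL $dir: mode $(mode_of "$dir"), expected 700"; rc=1
    fi
    # Secrets and configs: no group or other permission bits at all.
    for f in "$dir"/privatekey "$dir"/presharedkey "$dir"/*.conf; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        case $m in
            ?00) ;;
            *) echo "FAIL $f: mode $m, expected 600"; rc=1 ;;
        esac
    done
    # A truncated or hand-edited key file will not decode to 32 bytes.
    for k in "$dir"/privatekey "$dir"/publickey "$dir"/presharedkey; do
        [ -f "$k" ] || continue
        is_wg_key "$k" || { echo "FAIL $k: not a 32-byte base64 key"; rc=1; }
    done
    return $rc
}
```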