A WireGuard config has one [Interface] (this node) and one [Peer] block per other node. Here’s
every field you’ll actually use.
Annotated example (a server)
[Interface]
# This node's own settings
Address = 10.0.0.1/24 # this node's VPN IP (and subnet)
ListenPort = 51820 # UDP port to listen on (servers only)
PrivateKey = THIS_NODE_PRIVATE_KEY
[Peer]
# One block per other node you connect to
PublicKey = OTHER_NODE_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32 # which IPs this peer may use / route to it
# Endpoint = 203.0.113.5:51820 # the other node's address (clients set this for the server)
# PersistentKeepalive = 25 # set on the side behind NAT
[Interface] fields
- Address — this node's IP inside the VPN, with the subnet mask (e.g. 10.0.0.1/24).
- PrivateKey — this node's private key (from the keys recipe).
- ListenPort — UDP port to listen on. 51820 is the conventional choice, not a built-in default: set it explicitly on the server so clients have a fixed Endpoint to point at. Clients can omit it, in which case WireGuard picks a random free port.
- DNS — (clients) DNS server to use while the tunnel is up, e.g. DNS = 1.1.1.1.
- PostUp / PostDown — shell commands wg-quick runs after the interface has come up / after it has been torn down (used for NAT and firewall rules; see the NAT recipe).
[Peer] fields
- PublicKey — the other node's public key.
- AllowedIPs — does two jobs at once: a packet arriving from this peer is accepted only if its source IP is in this list, and an outgoing packet whose destination is in this list is sent to this peer. This is the field people get wrong; see the AllowedIPs recipe.
- Endpoint — the other node's reachable host:port. The client sets this to the server; a server usually omits it, because WireGuard updates a peer's endpoint from the latest authenticated packet it receives, which is what lets clients roam.
- PersistentKeepalive — seconds between keepalive packets; set it to 25 on the peer behind NAT (or a stateful firewall) so the mapping stays open and the other side can still reach it.
Rule: a private key only ever appears in its own node's [Interface]; a public key only ever
appears in the other node's [Peer]. Save the file as /etc/wireguard/wg0.conf (the wg0
becomes the interface name). Because the file holds the private key, keep it readable by
root only (chmod 600; wg-quick warns if it is world-readable). wg-quick up wg0 brings the
interface up and wg-quick down wg0 tears it down.
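The key-placement rule and the per-field semantics above are easy to check mechanically. The following is an added example (not part of the original page and not WireGuard's own tooling): a small Python parser for the wg-quick file format, which unlike a stock INI parser keeps every repeated [Peer] block, plus a linter for the mistakes this page warns about (private key in a [Peer], public key in the [Interface], missing AllowedIPs, the same AllowedIPs entry claimed by two peers, keepalive configured on the side that has no Endpoint), and a builder that emits a matching server/client pair. All key strings and the 203.0.113.5 endpoint are constructed placeholders; real keys come from the keys recipe.

```python
import ipaddress

# Constructed sample with two deliberate mistakes (placeholder keys, not real ones):
# both peers claim 10.0.0.2/32, and peer 1 has a keepalive but no Endpoint to send it to.
SAMPLE = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25   # wrong side: keepalives belong on the NAT'd client

[Peer]
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32, 10.0.0.3/32
"""


def parse_wg(text):
    """Return (interface_dict, [peer_dict, ...]).

    Keys are lower-cased, '#' comments are stripped, and every [Peer] block is kept
    (configparser would merge or reject the repeated section names).
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line outside a section or without '=': {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return interface, peers


def lint_wg(text):
    """Return a list of problem strings; an empty list means the file passes these checks."""
    iface, peers = parse_wg(text)
    problems = []
    for key in ("privatekey", "address"):
        if key not in iface:
            problems.append(f"[Interface] is missing {key}")
    if "publickey" in iface:
        problems.append("[Interface] has a PublicKey; public keys belong in the other node's [Peer]")
    claimed = {}  # network -> index of the first peer that listed it
    for i, peer in enumerate(peers, 1):
        if "privatekey" in peer:
            problems.append(f"peer {i} has a PrivateKey; a private key belongs only in its own node's [Interface]")
        if "publickey" not in peer:
            problems.append(f"peer {i} is missing PublicKey")
        if "allowedips" not in peer:
            problems.append(f"peer {i} is missing AllowedIPs, so nothing can be sent to or accepted from it")
        else:
            for entry in peer["allowedips"].split(","):
                try:
                    net = ipaddress.ip_network(entry.strip(), strict=False)
                except ValueError:
                    problems.append(f"peer {i} has an unparsable AllowedIPs entry {entry.strip()!r}")
                    continue
                if net in claimed and claimed[net] != i:
                    problems.append(f"peer {i} repeats AllowedIPs {net} from peer {claimed[net]}; "
                                    "wg hands the entry to the last peer that claims it")
                claimed.setdefault(net, i)
        if "persistentkeepalive" in peer and "endpoint" not in peer:
            problems.append(f"peer {i} sets PersistentKeepalive without an Endpoint; put the keepalive "
                            "on the NAT'd side, which is the side that knows the other node's address")
    return problems


def build_pair(server_priv, server_pub, client_priv, client_pub, server_endpoint="203.0.113.5:51820"):
    """Emit a matching (server_conf, client_conf): each node's own private key in its
    [Interface], the OTHER node's public key in its [Peer]. Endpoint is a placeholder."""
    server = (f"[Interface]\nAddress = 10.0.0.1/24\nListenPort = 51820\nPrivateKey = {server_priv}\n\n"
              f"[Peer]\nPublicKey = {client_pub}\nAllowedIPs = 10.0.0.2/32\n")
    client = (f"[Interface]\nAddress = 10.0.0.2/24\nPrivateKey = {client_priv}\n\n"
              f"[Peer]\nPublicKey = {server_pub}\nAllowedIPs = 10.0.0.0/24\n"
              f"Endpoint = {server_endpoint}\nPersistentKeepalive = 25\n")
    return server, client


if __name__ == "__main__":
    for problem in lint_wg(SAMPLE):
        print("SAMPLE:", problem)
    srv, cli = build_pair("SPRIV", "SPUB", "CPRIV", "CPUB")
    print("server ok" if not lint_wg(srv) else lint_wg(srv))
    print("client ok" if not lint_wg(cli) else lint_wg(cli))
```

Run it against your own /etc/wireguard/wg0.conf by passing the file's contents to lint_wg. The duplicate-AllowedIPs check flags only identical entries on purpose: a /32 inside another peer's /24 is legitimate longest-prefix routing in WireGuard, whereas an identical prefix is silently moved to whichever peer was added last.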