Need a fast, private connection between your devices and your VPS? Or a way to encrypt traffic without relying on third-party VPNs? WireGuard is what you want.
It’s lightweight, secure, and stupidly fast. Unlike older VPN protocols (like OpenVPN or IPSec), WireGuard is built into the Linux kernel and uses modern cryptography that actually makes sense.
If you’ve got a VPS with root access (any LumaDock plan using KVM or LXC will do), you can have a fully working VPN in less than 10 minutes. Here’s how.
What you’ll need
- A LumaDock VPS (Ubuntu 20.04 or later works best)
- Root access (included with every plan)
- A local device (your laptop, phone, or PC) to connect from
- 10 minutes and a terminal
Step 1: Update your VPS
Before installing anything, make sure your system is up to date.
sudo apt update && sudo apt upgrade -y
Step 2: Install WireGuard
On Ubuntu/Debian-based systems:
sudo apt install wireguard -y
On CentOS or AlmaLinux:
sudo dnf install epel-release -y
sudo dnf install wireguard-tools -y
This installs the core tools you’ll need to generate keys and run the VPN.
Step 3: Generate keys
WireGuard uses public and private keys for each device.
On your VPS, run:
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key
This creates two files:
- server_private.key – keep this safe
- server_public.key – you’ll share this with clients
Do the same on your local device to create a separate keypair for the client.
Step 4: Configure the VPN interface on your VPS
Create a new config file:
sudo nano /etc/wireguard/wg0.conf
Paste this (adjust IPs as needed):
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <your_server_private_key>
SaveConfig = true
[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32
Replace <your_server_private_key> with the contents of server_private.key, and <client_public_key> with the key you generated on your local machine.
Step 5: Enable IP forwarding
Edit the system config:
sudo nano /etc/sysctl.conf
Uncomment or add this line:
net.ipv4.ip_forward=1
Apply changes:
sudo sysctl -p
Step 6: Set up firewall rules (if using ufw)
Allow the WireGuard port and enable NAT:
sudo ufw allow 51820/udp
sudo ufw enable
Then add NAT rules (replace eth0 with your VPS’s network interface):
sudo nano /etc/ufw/before.rules
At the top, below *nat, add:
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
Save and restart:
sudo ufw disable && sudo ufw enable
Step 7: Start the VPN
Now bring up the interface:
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
Check it’s running:
sudo wg show
Step 8: Configure your client
On your local device, create a WireGuard config (use the official WireGuard app on Linux, macOS, Windows, iOS, or Android):
[Interface]
Address = 10.0.0.2/24
PrivateKey = <client_private_key>
DNS = 1.1.1.1
[Peer]
PublicKey = <server_public_key>
Endpoint = <your_vps_ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
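Once connected, all your IPv4 traffic will route securely through the VPS. AllowedIPs = 0.0.0.0/0 covers IPv4 only, so this config does not send IPv6 traffic through the tunnel.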
Bonus: Limit the VPN to specific services
If you just want to tunnel traffic to certain apps or destinations, you can replace:
AllowedIPs = 0.0.0.0/0
with something like:
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
This gives you fine-grained control over what routes through the VPN.
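A quick lint for the configs from Steps 4 and 8, as an added example that is not part of the original guide or of wireguard-tools. The function name wg_conf_audit and the sample config are constructed for illustration; it flags a config file readable by other users, placeholders left unfilled, malformed keys, and a full-tunnel AllowedIPs that covers IPv4 only.

```shell
#!/bin/sh
# Added example: lint a wg-quick config like the ones in Steps 4 and 8.
# wg_conf_audit is a hypothetical helper, not part of wireguard-tools.
# Prints one line per finding; returns 1 if there are any, else 0.
wg_conf_audit() {
    _conf=$1
    _out=$(
        # The file holds a private key: group/other permission bits must be empty.
        _perms=$(ls -ld "$_conf" | cut -c5-10)
        [ "$_perms" = "------" ] || echo "PERMS: group/other can access the file ($_perms)"
        awk '
            /^[ \t]*\[/ { section = $1; next }
            /^[ \t]*(PrivateKey|PublicKey)[ \t]*=/ {
                name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]+/, "", name)
                key = $0;  sub(/^[^=]*=[ \t]*/, "", key); sub(/[ \t]+$/, "", key)
                if (key ~ /^<.*>$/)
                    print "PLACEHOLDER: " section " " name " was never filled in"
                else if (length(key) != 44 || key !~ "^[A-Za-z0-9+/]+=$")
                    print "BADKEY: " section " " name " is not a 44-character base64 key"
            }
            /^[ \t]*AllowedIPs[ \t]*=/ {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v); v = "," v ","
                # 0.0.0.0/0 is IPv4 only; without ::/0 IPv6 stays outside the tunnel.
                if (index(v, ",0.0.0.0/0,") && !index(v, ",::/0,"))
                    print "IPV4ONLY: " section " routes 0.0.0.0/0 but not ::/0"
            }
        ' "$_conf"
    )
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# Constructed sample: the Step 8 client config with the server key left unfilled.
demo=$(mktemp)
chmod 644 "$demo"
cat > "$demo" <<EOF
[Interface]
Address = 10.0.0.2/24
PrivateKey = $(printf '%043d=' 0 | tr 0 A)
[Peer]
PublicKey = <server_public_key>
AllowedIPs = 0.0.0.0/0
EOF
wg_conf_audit "$demo" || echo "fix the findings above before running wg-quick up"
rm -f "$demo"
```

On the constructed sample it reports the loose file mode, the unfilled server key, and the IPv4-only default route.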
Final thoughts
That’s it. You now have a fully working, secure WireGuard VPN – hosted on your own VPS, with no third-party logs, no traffic shaping, and no limitations.
You can use it to:
- Encrypt public Wi-Fi traffic
- Route your dev machine through your server
- Access internal apps securely
- Hide your IP and location from prying eyes
And best of all? You’re in full control.
Need help getting it set up on your LumaDock VPS? Drop us a message. We’ll guide you through it.