What you'll need
- A VPS running Ubuntu 22.04 or 24.04 with root SSH access.
- A dedicated IPv4 address (any NoctHost box has one).
- A WireGuard client on the device you want to protect (Windows, macOS, Linux, iOS, Android).
Everything below runs as root. If you are on a sudo user, prefix commands with sudo.
Step 1: Install WireGuard
- Update the package index.
- Install the WireGuard tools.
- Confirm the kernel module loads.
apt update && apt upgrade -y
apt install -y wireguard
modprobe wireguard && echo okStep 2: Generate the server keys
WireGuard authenticates peers with public/private key pairs. Generate the server pair and lock down permissions so only root can read the private key.
cd /etc/wireguard
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key
cat server_private.key server_public.keyStep 3: Write the server config
Create /etc/wireguard/wg0.conf. Paste the server private key into PrivateKey. The 10.8.0.0/24 range is the internal VPN subnet; the server is 10.8.0.1. Replace eth0 with your real public interface if it differs (check with ip route).
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_HERE
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# One [Peer] block per client. Filled in at Step 5.ip route | grep default # confirm your egress interface nameStep 4: Enable IP forwarding and the firewall
The server has to route packets between the tunnel and the internet, which the kernel disables by default. Turn it on persistently, then open the WireGuard UDP port.
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/99-wireguard.conf
sysctl -p /etc/sysctl.d/99-wireguard.confufw allow 22/tcp
ufw allow 51820/udp
ufw enableStep 5: Add a client
Generate a key pair for the client (you can do this on the server for convenience), then add a [Peer] to wg0.conf with the client public key.
wg genkey | tee client_private.key | wg pubkey > client_public.keyAppend a peer block to the server config, pasting the client public key:
[Peer]
PublicKey = CLIENT_PUBLIC_KEY_HERE
AllowedIPs = 10.8.0.2/32Now write the client config. AllowedIPs = 0.0.0.0/0 routes all traffic through the VPN. Endpoint is your VPS public IP. Use a public DNS resolver so lookups also go through the tunnel.
[Interface]
Address = 10.8.0.2/24
PrivateKey = CLIENT_PRIVATE_KEY_HERE
DNS = 1.1.1.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY_HERE
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25Step 6: Bring the tunnel up
Start the interface and enable it so it survives reboots. wg show confirms the peer is registered.
wg-quick up wg0
systemctl enable wg-quick@wg0
wg showOn the client, import the config file into the WireGuard app (or run wg-quick up on Linux) and toggle it on. Visit any what-is-my-ip page; you should see the VPS address.
Keep it running and teardown
- After editing wg0.conf, reload with: wg syncconf wg0 <(wg-quick strip wg0).
- Add more devices by repeating Step 5 with a new IP (10.8.0.3, 10.8.0.4...) and a fresh key pair.
- Phones can scan a QR code: qrencode -t ansiutf8 < client.conf prints one in the terminal (apt install qrencode).
Because billing is hourly from one balance, a VPN box like this costs only a few dollars a month, and you can spin one up in about 60 seconds to test a location, then destroy it the moment you are done and charges stop that hour. Your traffic exits a dedicated IP with clean reputation that nobody else shares.