WireGuard on VPS: 5-minute setup with a web panel

To deploy WireGuard on a VPS, a server with 1 vCPU, 512 MB RAM, and Ubuntu 22.04 or 24.04 is sufficient. Using the wg-easy Docker container allows you to set up a full-featured VPN server with a web interface and client management via QR codes in less than 5 minutes.

Advantages of WireGuard VPN over OpenVPN and IPsec

WireGuard is a modern communication protocol that operates at the Linux kernel level, providing massive performance gains compared to OpenVPN. While OpenVPN runs in userspace and constantly performs CPU context switching, WireGuard minimizes latency and places almost no load on the CPU.

Protocol Comparison

For clarity, let's look at the technical parameters of the main protocols used to create personal networks.

Parameter	WireGuard	OpenVPN (UDP)	IPsec (IKEv2)
Lines of Code	~4,000	~100,000+	Very many
Cryptography	ChaCha20, Poly1305	AES, RSA, SHA (various)	Various suites
Connection Speed	Instant (0.1 sec)	2-8 seconds	1-3 seconds
Throughput	High (up to 95% of link)	Medium (60-70%)	High
Battery Usage (Mobile)	Minimal	High	Medium

Using WireGuard VPN is particularly justified for mobile devices because the protocol does not maintain a persistent connection if there is no traffic. This saves smartphone battery life and allows for instant switching between Wi-Fi and 4G without dropping the session.

Selecting Configuration and Specs for wg-easy VPS

To run wg-easy VPS, powerful resources are not required. However, for stable operation under load (for example, if 5-10 people use the VPN simultaneously), you should pay attention to network latency and server location.

Minimum and Recommended Requirements

• Processor: 1 core (vCPU) — sufficient for encrypting traffic up to 500 Mbps.
• RAM: 512 MB — minimum, 1 GB — for comfortable operation with Docker and the web panel.
• Disk: 10 GB SSD/NVMe — logs and Docker images take up little space.
• Network: 100 Mbps to 1 Gbps port with unlimited traffic.

If you are looking for favorable terms, consider a DigitalOcean alternative, where you can get similar power for a lower cost. For professional tasks where disk and CPU performance are critical, it is useful to study the Contabo vs Valebyte comparison to choose the optimal node in Europe or the USA.

Step-by-Step WireGuard Ubuntu Installation via Docker

The fastest way to perform a WireGuard server setup is to use the wg-easy project. This is a Docker container that combines the VPN server itself and a convenient GUI for managing keys.

Step 1: System Preparation

First, update the packages on your WireGuard Ubuntu system and install Docker.

sudo apt update && sudo apt upgrade -y
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker $USER

Step 2: Creating Docker Compose Configuration

Create a directory for the project and a configuration file. Using Docker Compose allows you to easily update the server with a single command.

mkdir ~/wireguard && cd ~/wireguard
nano docker-compose.yml

Insert the following config, replacing YOUR_SERVER_IP with your VPS's public IP and YOUR_ADMIN_PASSWORD with a strong password for the panel login:

services:
  wg-easy:
    environment:
      - WG_HOST=YOUR_SERVER_IP
      - PASSWORD=YOUR_ADMIN_PASSWORD
      - WG_PORT=51820
      - WG_DEFAULT_DNS=1.1.1.1
      - WG_ALLOWED_IPS=0.0.0.0/0
      - UI_TRAFFIC_STATS=true
    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    volumes:
      - .:/etc/wireguard
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1

Step 3: Starting the Server

Start the container in the background:

docker compose up -d

Now the web panel is available at http://your_ip:51821. Here you can create clients in one click and download their configs or scan QR codes.

Security and Firewall Configuration for WireGuard on VPS

After completing the WireGuard on VPS installation, it is necessary to restrict access to ports so that attackers cannot target your management panel or attempt to brute-force SSH.

UFW (Uncomplicated Firewall) Setup

It is recommended to leave only the necessary ports open:

1. 22/TCP — for SSH (better to change to a non-standard port).
2. 51820/UDP — the main WireGuard port.
3. 51821/TCP — the web interface (it is recommended to close it after setup or use a VPN to access it).

Configuration commands:

sudo ufw allow 22/tcp
sudo ufw allow 51820/udp
sudo ufw allow 51821/tcp
sudo ufw enable

To increase security, consider migrating to more secure hosting providers if your current provider frequently blocks accounts. Check out Hetzner alternative to find platforms with a more lenient attitude toward personal VPN servers.

Integration with AdGuard Home and Pi-hole for Ad Blocking

One of the most requested features when setting up WireGuard on VPS is traffic filtering. You can force all traffic to pass through AdGuard Home, which will remove ads in apps and on websites across all connected devices.

DNS Configuration in wg-easy

To integrate AdGuard, you need to run it in a separate Docker container and specify its IP address in the WG_DEFAULT_DNS variable in the docker-compose.yml file.

• Install AdGuard Home via Docker.
• In the wg-easy settings, specify the local IP address of the AdGuard container (usually 172.x.x.x within the Docker network).
• Now all WireGuard clients will automatically receive "clean" internet without trackers.

This significantly saves mobile data and speeds up page loading on smartphones.

How to Bypass Blocks: Obfuscating WireGuard as TCP

In some regions, the WireGuard protocol is blocked via DPI (Deep Packet Inspection) because it uses specific UDP packets. If your WireGuard VPN stops connecting, there are several ways to solve the problem.

Using AmneziaWG or Obfuscation via Shadowsocks

Standard WireGuard cannot mimic regular HTTPS traffic. However, you can:

1. Use AmneziaWG — a modified version of WireGuard with altered packet headers that successfully passes through filters.
2. Set up a combination with VLESS Reality. This is a more complex but highly reliable method. Details can be found in the article Your own VPN on VPS: VLESS Reality + Xray-core in 10 minutes.
3. Apply UDP2RAW — a tool that encapsulates WireGuard UDP packets into fake TCP packets, deceiving traffic analysis systems.

MTU Optimization for Mobile Networks

A common problem when using WireGuard Ubuntu on smartphones is that websites stop opening even though the connection is established. This happens because WireGuard packets, along with their headers, exceed the standard MTU size (1500 bytes) of the carrier.

Recommended MTU Values

For stable operation, it is recommended to set the MTU in the client settings (in the mobile app or config file):

• 1280 — the most universal value, works everywhere.
• 1380 — optimal for most LTE networks.
• 1420 — standard for wired internet.

In the wg-easy panel, you can set a global MTU value for all new clients by adding the environment variable WG_MTU=1280 to the container.

Monitoring and Client Management

The wg-easy web panel provides basic statistics: how much data a specific user has downloaded and uploaded, as well as the last connection time. This is convenient if you share access with friends or family. For professional use, for example, if you plan to launch a proxy service or a VPN business, you will need more advanced billing tools and APIs, but for personal needs, the Docker + wg-easy combination is more than enough.

Conclusions

To set up WireGuard on a VPS, it is best to use the wg-easy Docker container, which provides automatic network configuration and a user-friendly web interface. If the standard protocol is blocked by your provider, it is recommended to switch to AmneziaWG or use a combination with VLESS Reality for traffic obfuscation.