How to Configure WireGuard on Windows [Step-by-Step]

Beginner-friendly WireGuard Windows config guide

Is it difficult to create a WireGuard Windows config from scratch? Not really, and we’ll show you why.

Setting up WireGuard on your PC is one of the smartest ways to increase your online anonymity. Best of all, you can bolster your cybersecurity without experiencing the kind of speed loss associated with VPN sessions.

Ready? Let’s get into it:

How to configure WireGuard on Windows?

You’ll need three ingredients for a successful WireGuard Windows server config:

Installing WireGuard on a VPS is a topic for an entirely separate guide. So, this tutorial assumes that you’ve already done so.

Here are the simple steps you need to follow:

  1. Download the WireGuard Windows Installer from the official site.

  2. Run the msi file to install the WireGuard Windows client.

  3. Open the WireGuard GUI.

  4. Click on Add Tunnel > Add empty tunnel to generate a pair of public and private keys automatically.

  5. Name the tunnel.

  6. Add the following Interface and Peer sections to the configuration. Keep the PrivateKey that the client generated in step 4, and replace the sample keys and IP addresses with your own.


    [Interface]
    PrivateKey = 6MfKZxmFlVcmwtTDH0djHSEy672449WZaXjwm/vzW08=
    Address = 192.168.2.2/32
    DNS = 192.168.2.1

    [Peer]
    PublicKey = dZek49BWgVCLJRMsG6k6QK5mzHFrfy4uhOLjPyTe5WE=
    AllowedIPs = 0.0.0.0/0
    Endpoint = 32.185.112.15:12345

    For context:

    PrivateKey: The Windows client’s private key.
    Address: The client’s IP inside the tunnel. It must be different from every other client’s and must match the AllowedIPs entry the server lists for this client in step 7.
    DNS: The DNS server’s IP.
    PublicKey: The VPS’s public key.
    AllowedIPs: The IPs you route over your VPN. The 0.0.0.0/0 address is a catch-all, so you’ll transmit everything through the VPN.
    Endpoint: The server’s external IP and listening port. The port should be identical to the ListenPort value in the server configuration.

  7. Insert this Peer section into the WireGuard configuration file on the server (VPS):


    [Peer]
    PublicKey = rbkuZ+3SyPtT/QLZhFhiTo555ekSCJRsHf3jJb5kdkI=
    AllowedIPs = 192.168.2.2/32

    For context:

    PublicKey: The Windows client’s public key.
    AllowedIPs: The tunnel IPs this client is permitted to use. It should match the Address in the client configuration.

  8. Make sure that both configurations reference the right keys and IPs.

  9. Leave the Block untunneled traffic box checked.

    Do this only when you have a single Peer section and a catch-all AllowedIPs (0.0.0.0/0); the option then restricts traffic that would otherwise bypass the tunnel.

  10. Click on Save.

  11. Click on Activate to establish your VPN connection.

That’s it!

To verify whether your VPN is leak-proof, go to ipleak.net. If your connection works, it should show your WireGuard server’s IP and not your device’s.

If you want to add more clients to your server, you can follow the same steps. Just make sure that each one uses a unique IP.
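
Step 8 asks you to confirm that both configurations reference the right keys and IPs. The Python script below is an added example, not part of the original guide or the WireGuard project; it compares a client config with the server config. The sample data is constructed: placeholder keys, a documentation-range endpoint, and an assumed server [Interface] section containing ListenPort.

```python
import ipaddress

def parse(text):
    """Split a WireGuard config into (section, {key: value}) pairs; [Peer] may repeat."""
    sections = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in "="
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def check(client_text, server_text):
    """Return a list of mismatches between a client config and the server config."""
    client, server = parse(client_text), parse(server_text)
    c_if, c_peer = (next(s for n, s in client if n == k) for k in ("interface", "peer"))
    s_if = next(s for n, s in server if n == "interface")
    s_peers = [s for n, s in server if n == "peer"]
    problems = []
    # A server [Peer] holds the client's *public* key, which never appears in the client file.
    if any(p.get("publickey") in (c_if.get("privatekey"), c_peer.get("publickey")) for p in s_peers):
        problems.append("server [Peer] PublicKey copied from the wrong field")
    if c_peer.get("endpoint", "").rsplit(":", 1)[-1] != s_if.get("listenport"):
        problems.append("Endpoint port differs from server ListenPort")
    allowed = [ipaddress.ip_network(a.strip(), strict=False)
               for p in s_peers for a in p.get("allowedips", "").split(",") if a.strip()]
    for addr in filter(None, (a.strip() for a in c_if.get("address", "").split(","))):
        if not any(ipaddress.ip_interface(addr).ip in net for net in allowed):
            problems.append(f"client Address {addr} not covered by server AllowedIPs")
    return problems

# Constructed sample data (placeholder keys, documentation-range endpoint).
CLIENT = """[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 192.168.2.2/32
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:12345
"""
SERVER = """[Interface]
ListenPort = 12345
[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.2.2/32
"""
print(check(CLIENT, SERVER))  # an empty list means the two files agree
```

The script cannot confirm that the server’s PublicKey was actually derived from the client’s PrivateKey; it only catches a key copied from the wrong field, a port mismatch, or a client Address the server does not allow.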

Summary

Setting up WireGuard on your Windows system is more intimidating in your imagination than in practice.

As long as you follow the above steps, the status of your connection should say Active at the end. If it doesn’t, it means your client and server configurations don’t match.

So, you’ll just have to double-check the Log tab and look for errors in your WireGuard Windows config!
