Creating your own VPN with WireGuard

I've used commercial VPNs before, but in the last few years I was lazy and just gave whatever ISP I was using all my data. Or I used Tor. The problem with a VPN is that the company you use keeps logs, and then they sell or share those logs with whoever they want. Even if they promise they don't do this, there's no way to prove it. The way around this is to setup your own server somewhere, install VPN software on it, and then connect to it using your mobile, laptop, or workstation. This way YOU keep the logs. You can also rent servers anonymously, if you don't mind paying a bit more. Until recently you had to use some pretty bulky software to do this (ahem, OpenVPN). And that software is closed source. And it's slow. And it's costly - they bill you if you want more than two users.

A few years ago a thing called WireGuard emerged. I had heard about it, but never really had time to explore it until recently. But I regret not taking the time to work this into my network setup earlier. Initially I spent more than four hours learning about how WireGuard works and trying to install it on different machines and in different configurations. It can really have a steep learning curve. If you try to do everything on your own, you can spend A LOT of time with this thing. Fortunately I discovered Stan's blog and script that makes life really, really easy.


  1. Rent a server that gives you root access. I used digital ocean, because I already had an account there. In about 1 minute I could SSH in as root.
  2. On your workstation go to Copy and paste the three lines for "Usage". Use all the defaults and then you'll see a big QR code.
  3. On your mobile download the WireGuard client from the App Store (iOS) or F-Droid (Android). Scan the QR code that your server shows.
  4. Done! Go to on your mobile device and make sure the IP address is the same as your server's IP address.

This entire procedure should take less than 5 minutes, and be just as fast and cheap as going with a VPN through a commercial provider. You might still want to use a commercial VPN if you frequently want different endpoints in different regions, or maybe for some other reasons. But for best privacy, security, cost, and simplicity, a private WireGuard server is now my favorite VPN option.

Note: it took me quite a bit of time to figure out how to setup my Debian workstation as a client. The problem was related to Secure Boot. I solved it using the mokutil method as suggested in the first answer. The only thing I had to do was copy the client config file that was created on the server and paste it into my workstation's wireguard config directory. Then: "$wg-quick up wg0" to test that the interface could be created and then "$curl" to see that the IP address of my workstation is now the IP address of my WireGuard server. Here are a few more helpful tutorials:

Return to main