WireGuard

From https://wireguard.com:

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

Installation

While you can install and configure WireGuard manually, you really need to know what you’re doing. But you’re reading this, so using a setup script is probably best.

I recommend using complexorganisations' wireguard-manager script. It also gives you the option to deploy your own recursive DNS resolver (unbound), but I didn’t test that.

ℹ️
wireguard-manager uses nftables. If you want/need to use iptables, you have to find another way to set up WireGuard :(

A lot of people recommend angristan's wireguard-install script for an easy WireGuard setup - personally, I didn’t have much luck with it and it seems rather abandoned.

Endpoint availability

I’m running WireGuard to connect to my home network. That means the WireGuard server needs to be reachable from the Internet. I don’t have a public IPv4 (my ISP uses DS-Lite) and even my public IPv6 changes daily, so a domain and DDNS (Dynamic DNS) are needed. See the DDNS page.
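One consequence of a daily-changing address behind a DDNS name: wg-quick resolves a hostname in the peer's Endpoint only once, when the tunnel comes up, so a client keeps sending to the stale address after the home record changes. The script below is an added example (not from this page, wireguard-manager or wireguard-tools) that re-resolves the name and updates the live endpoint only when it differs; the interface wg0, the peer public key, the host home.example.com and port 51820 are assumed placeholders.

```shell
#!/bin/sh
# Added example: keep a WireGuard peer's endpoint in sync with a DDNS record.
# Assumptions (placeholders): interface wg0, peer key in $PEER_PUBKEY,
# endpoint host home.example.com, UDP port 51820.

# endpoint_needs_update CURRENT RESOLVED PORT
# CURRENT is what `wg show <iface> endpoints` reports for the peer, e.g.
# "203.0.113.5:51820", "[2001:db8::1]:51820" or "(none)".
# Prints "yes" when the address/port in use differ from the DNS answer.
endpoint_needs_update() {
    current="$1"; resolved="$2"; port="$3"
    current_host=${current%:*}          # drop the trailing ":port"
    current_host=${current_host#\[}     # drop IPv6 bracket "["
    current_host=${current_host%\]}     # drop IPv6 bracket "]"
    current_port=${current##*:}
    if [ "$current_host" = "$resolved" ] && [ "$current_port" = "$port" ]; then
        echo no
    else
        echo yes
    fi
}

# format_endpoint ADDR PORT -> "addr:port"; IPv6 addresses must be bracketed.
format_endpoint() {
    case "$1" in
        *:*) echo "[$1]:$2" ;;
        *)   echo "$1:$2" ;;
    esac
}

# reresolve_endpoint IFACE PUBKEY HOST PORT
# Looks the host up (first address returned), compares it with the endpoint
# the kernel currently uses and updates the peer only if they differ.
reresolve_endpoint() {
    iface="$1"; pubkey="$2"; host="$3"; port="$4"
    resolved=$(getent ahosts "$host" | awk 'NR == 1 { print $1 }')
    [ -n "$resolved" ] || { echo "DNS lookup for $host failed" >&2; return 1; }
    current=$(wg show "$iface" endpoints | awk -v k="$pubkey" '$1 == k { print $2 }')
    if [ "$(endpoint_needs_update "$current" "$resolved" "$port")" = yes ]; then
        wg set "$iface" peer "$pubkey" endpoint "$(format_endpoint "$resolved" "$port")"
    fi
}

# Usage, e.g. from a cron job or systemd timer every few minutes (needs root):
#   reresolve_endpoint wg0 "$PEER_PUBKEY" home.example.com 51820
```

wireguard-tools ships a similar helper as contrib/reresolve-dns/reresolve-dns.sh, which reads the hostname from the wg-quick config instead of taking it as an argument.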