This page covers common configuration steps for WireGuard deployments and adds a practical minimal baseline for production use.
If you followed the setup guide, your main configuration file is typically:

    /etc/wireguard/wg0.conf

Server configuration (wg0.conf):

Use this baseline for a single WireGuard server on a private/public host.

    [Interface]
    Address = 10.66.66.1/24
    ListenPort = 51820
    PrivateKey = <server-private-key>
    SaveConfig = false
    # Optional NAT for routed client egress.
    # Needs IP forwarding enabled on the server; eth0 is the egress interface.
    PostUp = nft add table ip wg 2>/dev/null; nft add chain ip wg postrouting '{ type nat hook postrouting priority 100 ; }' 2>/dev/null; nft add rule ip wg postrouting ip saddr 10.66.66.0/24 oifname eth0 masquerade
    PostDown = nft delete table ip wg 2>/dev/null

    [Peer]
    PublicKey = <client1-public-key>
    AllowedIPs = 10.66.66.2/32

Client configuration:

    [Interface]
    Address = 10.66.66.2/24
    PrivateKey = <client-private-key>
    DNS = 1.1.1.1

    [Peer]
    PublicKey = <server-public-key>
    Endpoint = vpn.example.com:51820
    AllowedIPs = 0.0.0.0/0, ::/0
    PersistentKeepalive = 25

Settings used in these configurations:

- PrivateKey, PublicKey
- Address, AllowedIPs, DNS
- AllowedIPs per peer
- SaveConfig, PersistentKeepalive

Hardening notes:

- Keep AllowedIPs precise (/32 per client) to avoid route overlap.
- Set SaveConfig=false in managed environments to prevent runtime rewrite drift.
- Restrict UDP 51820 in firewall rules to expected source ranges when possible.
- Restrict permissions on the configuration files (chmod 600 /etc/wireguard/*.conf).

Bring interface up/down with wg-quick:

    sudo wg-quick down wg0
    sudo wg-quick up wg0

Or with systemd:

    sudo systemctl restart wg-quick@wg0

Confirm service health and peer handshakes:

    sudo wg show
    sudo ip addr show wg0
    sudo ip route

Test end-to-end connectivity from a client:

    ping -c 3 10.66.66.1
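
The AllowedIPs and SaveConfig guidance above can be checked mechanically before the interface is brought up. The following is an added example, not part of the original page or of WireGuard itself: the function names `parse` and `audit` are hypothetical, and the sample is a constructed copy of the server baseline with SaveConfig turned on and a second, hypothetical peer given the whole /24.

```python
import ipaddress

# Constructed sample: the page's server baseline with two deliberate mistakes.
SAMPLE = """\
[Interface]
Address = 10.66.66.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
SaveConfig = true
[Peer]
PublicKey = <client1-public-key>
AllowedIPs = 10.66.66.2/32
[Peer]
PublicKey = <client2-public-key>
AllowedIPs = 10.66.66.0/24
"""

def parse(text):
    """Return [(section, {key: value})] in file order; repeated keys are comma-joined."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = (p.strip() for p in line.split("=", 1))
            opts = sections[-1][1]
            opts[key.lower()] = ",".join(filter(None, [opts.get(key.lower()), value]))
    return sections

def audit(text):
    """Flag SaveConfig=true, AllowedIPs wider than one host, and overlap between peers."""
    findings, seen = [], []
    for name, opts in parse(text):
        if name == "interface" and opts.get("saveconfig", "false").lower() == "true":
            findings.append("SaveConfig is enabled; runtime state can overwrite the file")
        peer = opts.get("publickey", "<no PublicKey>")
        allowed = opts.get("allowedips", "") if name == "peer" else ""
        for item in filter(None, map(str.strip, allowed.split(","))):
            net = ipaddress.ip_network(item, strict=False)
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"{peer}: {net} is wider than a single host")
            for other_peer, other in seen:
                if other_peer != peer and net.version == other.version and net.overlaps(other):
                    findings.append(f"{peer}: {net} overlaps {other} ({other_peer})")
            seen.append((peer, net))
    return findings
```

Calling `audit()` on the text of the server's wg0.conf returns an empty list when none of the three checks fire; on `SAMPLE` it reports the SaveConfig setting plus the wide and overlapping /24 on the second peer.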