WireGuard Key Generation

WireGuard VPN keys should be generated locally using the wg command. This page provides guidance for secure key generation and configuration.

Never generate VPN keys online

WireGuard private keys control access to your VPN network. Always generate them locally on the machine where they will be used. A compromised private key allows attackers to intercept all your VPN traffic.

Install WireGuard

macOS (Homebrew)

$ brew install wireguard-tools

Debian/Ubuntu

$ sudo apt install wireguard

Fedora

$ sudo dnf install wireguard-tools

Generate Key Pair

Generate private and public key files

$ wg genkey | tee privatekey | wg pubkey > publickey

Generate private key only (outputs to stdout)

$ wg genkey

Derive public key from private key

$ echo 'PRIVATE_KEY' | wg pubkey

Preshared Key (Optional)

For additional security, you can add a preshared key between peers:

Generate preshared key

$ wg genpsk

Save to file

$ wg genpsk > preshared.key

Example Configuration

/etc/wireguard/wg0.conf (Server)
[Interface]
# Server's private key
PrivateKey = SERVER_PRIVATE_KEY_HERE
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT

[Peer]
# Client's public key
PublicKey = CLIENT_PUBLIC_KEY_HERE
AllowedIPs = 10.0.0.2/32

/etc/wireguard/wg0.conf (Client)
[Interface]
# Client's private key
PrivateKey = CLIENT_PRIVATE_KEY_HERE
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
# Server's public key
PublicKey = SERVER_PUBLIC_KEY_HERE
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Management Commands

Start WireGuard interface

$ sudo wg-quick up wg0

Stop WireGuard interface

$ sudo wg-quick down wg0

Show WireGuard status

$ sudo wg show

Enable on boot (systemd)

$ sudo systemctl enable wg-quick@wg0

WireGuard best practices

  • Generate unique key pairs for each device
  • Never share private keys between devices
  • Set restrictive permissions on config files and on any saved private or preshared key files (chmod 600)
  • Use preshared keys for additional security on sensitive connections
  • Regularly rotate keys, especially if a device is lost or compromised
  • Keep the AllowedIPs as restrictive as possible