
Setting up your own VPN server with WireGuard and connecting from Android is one of the easiest ways to get secure remote access to your home network or your VPS. Although at first glance the commands, keys and configuration files may look intimidating, the process is quite mechanical if you follow the steps calmly.
In this guide you will learn how to deploy a WireGuard server on Linux (for example, on a VPS with Ubuntu) and connect from your Android device so that you can reach your LAN, NAS, IP cameras and routers, or browse the web as if you were at home. It also covers the background concepts, security tips, configuration examples, and how to use local domain names to make remote access convenient.
What is WireGuard and why use it for remote access from Android
WireGuard is a modern VPN protocol that is much simpler and faster than classic alternatives like OpenVPN or IPsec, with a far smaller attack surface. Its implementation is minimal (a few thousand lines of code) and relies on a fixed set of modern primitives: Curve25519 for key exchange, ChaCha20-Poly1305 for authenticated encryption, and BLAKE2s for hashing. There is no cipher negotiation, which removes a whole class of downgrade and misconfiguration problems.
Its philosophy is that configuration should be as clear as possible: each device has a public/private key pair, you define just a few options (internal IP, port, AllowedIPs...) and that is all you need for a working encrypted tunnel. No dozens of cryptic parameters or files full of hard-to-understand directives.
In terms of performance, WireGuard runs only over UDP and has been part of the mainline Linux kernel since version 5.6, which translates into low latency, high throughput and efficient use of resources. This is especially noticeable when you connect from Android over mobile networks or Wi-Fi of variable quality.
Another strong advantage is that WireGuard is cross-platform and has official apps for Android, iOS, Windows, macOS and Linux. This means you can set up the server on a VPS or a compatible router and connect from your phone simply by importing a .conf file or scanning a QR code.
Prerequisites before setting up the WireGuard server
Before you start typing commands, make sure you have the basic pieces ready for a WireGuard VPN server reachable from Android. This will save you a lot of time and silly mistakes along the way.
The most common approach is to use a VPS or a dedicated Linux server, where you will install the service. Ubuntu 22.04 is one of the most convenient options because its kernel already includes the WireGuard module, the userspace tools are in the official repositories, and there is plenty of documentation; any modern distribution will do.
You will also need a user with administrative privileges, either root or a user with sudo, since you will be installing packages, modifying network settings and enabling IP forwarding. You also need SSH access to the server and to know how to connect to it from your computer.
Finally, you need a client to connect to that server: it can be your Android phone with the official WireGuard app, but also other systems (Windows, macOS, Linux, iOS). This article focuses on Android, although you will see that the configuration file is practically the same for all of them.
Linux server setup: WireGuard upgrade and installation
With the VPS or server already provisioned with Ubuntu 22.04 (or a similar version), the first sensible step is to update the system packages so that everything is current and you are not carrying known bugs or vulnerabilities.
Connect to the server via SSH and run:
apt update
apt upgrade -y
The first command refreshes the list of packages in the repositories, and the second updates the packages already installed to their latest versions automatically. This may take a little while, especially if the server is new or hasn't been updated in a while.
Once the system is up to date, proceed to install WireGuard from the official repositories with:
apt install -y wireguard
That command installs the main package with the wg and wg-quick utilities; on Ubuntu 22.04 the kernel module is already present and is loaded automatically the first time an interface is created. Some tutorials also explicitly show:
modprobe wireguard
This just forces the WireGuard module to be loaded into the kernel by hand, which is useful if for whatever reason it has not been loaded automatically or if you are in a more unusual environment (for example, a container or a VPS with a provider-supplied kernel, where the module may be missing altogether).
Key generation and basic server configuration structure
The heart of WireGuard is its key management, so the next step is to create the server's private and public key pair. All configuration normally lives in the standard directory /etc/wireguard/.
Enter that directory with:
cd /etc/wireguard/
To protect the keys, it's advisable to first adjust the default permission mask so that the files created have restrictive permissions and are not readable by other users of the system. That is done with:
umask 077
Next, generate the server key pair in a simple way:
wg genkey > privatekey
wg pubkey < privatekey > publickey
The privatekey file must be kept secure and never shared; the public key can be handed to any authorized client. To reinforce this, explicitly restrict the permissions of the private key:
chmod 600 privatekey
If you want to see the contents of the keys on screen, you can use a simple tail:
tail privatekey publickey
This shows the strings you will later copy into the wg0.conf configuration file and the client configurations, always keeping track of which one is public and which one is private. A WireGuard key is 32 random bytes encoded in base64, so each line is exactly 44 characters ending in =; if you see anything else, the file is wrong.
Creating and editing the wg0.conf file on the server
WireGuard is organized around virtual interfaces, conventionally named wg0, wg1, etc. Each interface has its own configuration file in /etc/wireguard/. In our case we will create wg0.conf as the main interface.
To edit the file, you can use any text editor in console mode, but many tutorials recommend nano due to its simplicity. If you don't have it installed, you can add it with:
apt install -y nano
Once you have it, create and open the server configuration file:
nano /etc/wireguard/wg0.conf
Before writing the configuration, find out the name of the physical network interface through which the server reaches the Internet, since you will need it for the NAT rule. To do this, use:
ip a
In many VPSs the interface is called ens3, eth0, enp0s3 or similar, and it will be the one assigned the public IP or the internal IP through which you connect via SSH.
A complete example of the [Interface] block on the server could be:
[Interface]
PrivateKey = <server_private_key>
Address = 10.30.0.1/24
ListenPort = 51928
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o <outgoing_interface> -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o <outgoing_interface> -j MASQUERADE
In this example you assign the server the internal IP 10.30.0.1/24 inside the VPN, listen on UDP port 51928, and add iptables rules that allow forwarding and apply NAT when the wg0 interface comes up (PostUp) and remove them when it goes down (PostDown). wg-quick replaces %i with the interface name, and <outgoing_interface> is the name you found with ip a. Note that this FORWARD rule only accepts packets coming in from the tunnel; replies from the Internet toward the clients get through because the default FORWARD policy on a fresh Ubuntu install is ACCEPT. If a firewall such as ufw has set that policy to DROP (which is a good idea), add a matching rule in the other direction for established and related connections.
Remember that in nano you save with Ctrl + O and exit with Ctrl + X. Once saved, wg0.conf will be the base on which you add the different peers (clients) later.
Enable IP forwarding and the WireGuard service on the server
For clients connected via WireGuard to reach the Internet or other networks behind the server, it is essential to enable IP packet forwarding at the system level. This is done through the sysctl configuration.
In many cases, simply launching the following is enough:
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
sysctl -p
This enables forwarding for both IPv4 and IPv6 and reloads the kernel parameters with `sysctl -p`. Do not skip this step: if forwarding is disabled you will have a tunnel, but the clients will not be able to reach the LAN or the Internet through it. If you only route IPv4 through the tunnel, the IPv6 line can be left out.
You can now start the WireGuard service associated with wg0 using the wg-quick command, which greatly simplifies interface management:
systemctl start wg-quick@wg0
If you want the WireGuard interface to start automatically on every server boot, enable the service with:
systemctl enable wg-quick@wg0
To check if it's active, you can take a look at the service status:
systemctl status wg-quick@wg0
The status should show active (running). You can also use the command:
wg
to view real-time information about the interface, keys, configured peers, and traffic being exchanged through the tunnel.
Add clients to the server: PC, Android mobile, and other devices
Once the server side is up and running, you need to add the clients that will connect as peers. For each device (PC, phone, tablet, client router, etc.) you must generate a new key pair and assign it an IP address inside the VPN network.
For simplicity, many administrators generate client keys directly on the server, but from a security point of view the right approach is to create them on the client device itself and transfer only the public key to the server, so that the private key never exists anywhere but on the device that uses it. The commands are the same either way, so we will look at the simple case of generating the keys in /etc/wireguard/.
For example, for a desktop computer you could do:
wg genkey > mypc_privatekey
wg pubkey < mypc_privatekey > mypc_publickey
And for your Android mobile:
wg genkey > myphone_privatekey
wg pubkey < myphone_privatekey > myphone_publickey
With a simple:
ls
You'll see all the key files. And with:
tail mypc_publickey myphone_publickey
You will see their values on screen. These public keys are what you paste into the server's wg0.conf inside separate [Peer] blocks, assigning each one its tunnel IP address.
Open wg0.conf again:
nano wg0.conf
and add the client definitions, for example:
[Peer]
PublicKey = <mypc_public_key>
AllowedIPs = 10.30.0.2/32

[Peer]
PublicKey = <myphone_public_key>
AllowedIPs = 10.30.0.3/32
With these lines you are saying that the peer whose public key matches mypc_publickey uses the IP address 10.30.0.2 inside the VPN, and that the Android phone uses 10.30.0.3. On the server, AllowedIPs does double duty: it is the route for traffic sent to that peer, and it is the list of source addresses the server accepts from that peer's key (WireGuard's "cryptokey routing"); packets arriving through the tunnel with any other source address are dropped. A /32 means a single address, which is the norm in road-warrior setups.
Save the changes and restart the service so that the server can read the new configuration:
systemctl restart wg-quick@wg0
Whenever you modify wg0.conf on the server (for example, to add or remove peers) you have to restart the service for the changes to take effect; a new `systemctl status wg-quick@wg0` will confirm that everything is still green. Be aware that a restart briefly drops every connected peer; if that matters, wg syncconf (fed with the output of wg-quick strip) can apply a changed peer list to the running interface without tearing it down.
Creating configuration files for clients
With the peers now registered on the server, the next step is to prepare the .conf files that clients will use to connect. These files contain the client's private key, their tunnel IP, DNS and the server details (public key, IP and port).
Following the example, for the PC you could create a mypc.conf file in /etc/wireguard/:
nano mypc.conf
and write something similar to:
[Interface]
PrivateKey = <mypc_private_key>
Address = 10.30.0.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = <server_public_key>
Endpoint = <server_public_ip_or_domain>:51928
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 20
The [Interface] section describes the client side: the device's private key, its address on the WireGuard network, and the DNS server it will use while the tunnel is up. The server is described in the [Peer] section: its public key, the IP address or domain name through which it can be reached, and the port you configured earlier (51928 in this example).
Setting AllowedIPs = 0.0.0.0/0 routes all of the client's IPv4 traffic through the VPN (typical when you want to hide your real IP or always appear with the server's address). If the client also has IPv6 connectivity, add ::/0 as well, otherwise IPv6 traffic bypasses the tunnel. If you only want to reach certain remote subnets (a split tunnel), limit it to them, for example 10.30.0.0/24 or 192.168.0.0/24, depending on your network topology. Keep in mind that this is enforced on the client only: it does not limit what a reconfigured client could send, only the server's firewall can do that.
The PersistentKeepalive parameter keeps a small periodic packet flowing so the mapping is not dropped by a NAT or firewall that expires idle connections. The wg manual page suggests 25 seconds; 20-25 works well for mobile clients on 4G/5G.
Android client-specific configuration with WireGuard
For Android the approach is exactly the same as for the PC: the phone needs its own private key, its tunnel IP address, and a reference to the server's public key. You can generate the keys on the server (as we did before) or, better, directly in the Android app, which then shows the public key you need to paste into the server's [Peer] block.
Following the previous flow, you should already have `myphone_privatekey` and `myphone_publickey` in `/etc/wireguard/`. You still need to write the client configuration, which you will then import on the phone. An example file for Android could be:
nano myphone.conf
and inside:
[Interface]
PrivateKey = <myphone_private_key>
Address = 10.30.0.3/32
DNS = 8.8.8.8

[Peer]
PublicKey = <server_public_key>
Endpoint = <server_public_ip_or_domain>:51928
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 20
That file contains everything the official WireGuard app on Android needs to create the tunnel and complete the handshake with the server. The tricky part is getting the file to the phone securely: it contains the phone's private key, so any copy left lying around is a leaked credential.
In a lab you could set up a web server (for example, Apache), copy myphone.conf to the document root and download it from the Android browser, but over plain HTTP that sends the private key in the clear and leaves it in a web-accessible directory. In a real deployment, use USB, an end-to-end encrypted sync tool, or, better still, a QR code generated on the server itself.
To do this, you can install the qrencode utility on the server:
apt install -y qrencode
and from the configuration directory execute:
qrencode -t ansiutf8 -r myphone.conf
That command prints a QR code in the terminal, which you can scan directly from the WireGuard app on Android using the option to add a new tunnel via "Scan from QR code". This way you never need to send the file by e-mail or upload it to an external service. Once the tunnel is imported, delete myphone.conf and myphone_privatekey from the server: the private key has no business staying there.
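To turn the peer registration and client-file steps above (from key handling through to the QR code) into one repeatable tool, here is an added shell script that is not part of the original guide. It follows the safer model the guide recommends: the client generates its own key pair and only its public key reaches the server. Given that public key, the script validates its shape, finds the first free address in the guide's 10.30.0.0/24 tunnel network by reading the AllowedIPs already in wg0.conf, appends the [Peer] block, and prints the matching client configuration with the PrivateKey left as a placeholder to be filled in on the device. The 51928 port and the <server_public_key> and <server_public_ip_or_domain> placeholders are assumptions taken from the guide's examples; the keys in the demo are constructed strings of the right length, not real keys.

```shell
#!/bin/sh
# add_peer.sh: register a client's public key in wg0.conf and print its client config.
# Added example, not from the original guide. Assumptions: the tunnel network is
# 10.30.0.0/24 with the server at .1 and the server listens on UDP 51928, as in the
# guide; the client generated its own key pair and sent only the public key.

# 0 if $1 has the shape of a WireGuard key: 32 bytes in base64 = 43 characters plus '='.
valid_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Print the lowest host number 2..254 not yet used in any Address/AllowedIPs line of
# config $1 for the /24 prefix $2 (e.g. 10.30.0). Returns 1 if the subnet is full.
next_free_host() {
    conf="$1"
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    n=2
    while [ "$n" -le 254 ]; do
        # "[^0-9.]" before the address stops 10.30.0.3 from matching 110.30.0.3;
        # the trailing "/" stops it from matching 10.30.0.30.
        if ! grep -Eq "^[[:space:]]*(Address|AllowedIPs)[[:space:]]*=.*[^0-9.]${esc}\.${n}/" "$conf"; then
            echo "$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Append a [Peer] block for client $2 with public key $3 to config $1 and print the
# tunnel IP assigned to it. Refuses malformed or already registered keys.
add_peer() {
    conf="$1"; name="$2"; pubkey="$3"; prefix="${4:-10.30.0}"
    if ! valid_key "$pubkey"; then
        echo "add_peer: '$pubkey' is not a WireGuard public key" >&2
        return 1
    fi
    if grep -Fq "PublicKey = $pubkey" "$conf"; then
        echo "add_peer: that key is already registered" >&2
        return 1
    fi
    host=$(next_free_host "$conf" "$prefix") || { echo "add_peer: no free address" >&2; return 1; }
    ip="${prefix}.${host}"
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$name" "$pubkey" "$ip" >> "$conf"
    echo "$ip"
}

# Print the client side for tunnel IP $1, server public key $2, endpoint $3 and DNS $4.
# The private key stays on the client, so it is left as a placeholder to fill in there.
client_conf() {
    cat <<EOF
[Interface]
PrivateKey = <fill in on the client, from wg genkey or the app>
Address = $1/32
DNS = ${4:-8.8.8.8}

[Peer]
PublicKey = $2
Endpoint = $3
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Constructed demonstration on a throwaway config: server plus one PC peer already
# present, then the phone is added. The keys are placeholder strings of the right
# shape, not real keys. Prints the IP assigned to the phone.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/wg0.conf" <<'EOF'
[Interface]
PrivateKey = <server_private_key>
Address = 10.30.0.1/24
ListenPort = 51928

[Peer]
# mypc
PublicKey = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFG=
AllowedIPs = 10.30.0.2/32
EOF
    ip=$(add_peer "$dir/wg0.conf" myphone '9876543210ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg=')
    client_conf "$ip" '<server_public_key>' '<server_public_ip_or_domain>:51928' > "$dir/myphone.conf"
    echo "$ip"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run sh add_peer.sh --demo to see it work on a throwaway copy. Against the real server you would source the file and call add_peer /etc/wireguard/wg0.conf myphone "<public key shown by the app>", restart the interface (or use wg syncconf), and then copy the printed values into the app's tunnel editor, where the phone already holds its own private key. With this flow a QR code or file transfer never has to carry a secret at all.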
Configuring remote LAN access, DNS, and local domain names
Besides creating the basic tunnel, what you often want is to reach, from your Android phone, the devices on the server's LAN, such as a NAS, an IP camera, a router or an internal server, using their local domain names instead of memorizing IP addresses.
Some routers that act as WireGuard servers (for example, certain brands that integrate a VPN server into their firmware) have a section for managing these local names. Within the web administration panel, you'll usually find options such as NETWORK → DNS → Edit Hosts, from which you can define IP/name pairs (for example, 192.168.1.50 nas-casa.local).
If your router is not resolving local domains correctly, you can manually add entries for the devices you want to reach through the VPN and apply the changes. This ensures that both the router itself and any client using its DNS can resolve those internal names correctly.
WireGuard servers embedded in routers with different firmware versions often have specific settings to allow remote access to the LAN. For example, some interfaces offer options called "Allow Remote Access the LAN Subnet" or "Remote Access LAN" that you must enable in the WireGuard server's configuration section.
Enabling this option makes the router and the devices on its local network reachable through the tunnel, so from the client side (for example, a secondary home LAN or your Android phone on a mobile network) you can reach the server router's internal services and the equipment on the main LAN.
In many cases, these routers allow you to export the WireGuard configuration profile for use on external clients. From the "WireGuard Server" tab, you can usually generate a .conf file that already includes the tunnel IP address, the correct DNS (pointing to the server's tunnel interface IP address), and all the necessary parameters to connect from another client router or the mobile app.
Verification, troubleshooting, and security in WireGuard
Once you have set up the tunnel and imported the configuration into Android, the first check is to verify that the handshake completes successfully. The WireGuard app on your phone shows the tunnel status and the time of the latest handshake.
On the server, run the following command:
wg
It shows, for each peer, the public key, the endpoint from which it is connecting, the latest handshake and the bytes transferred. If the latest handshake is empty or very old, the client is probably not reaching the server, typically because of a firewall or port-forwarding problem. Note that WireGuard only re-handshakes while there is traffic (roughly every two minutes), so an old timestamp on an idle peer without PersistentKeepalive is normal.
If there is no connection, check that the configured UDP port (for example, 51928 or the default 51820) is open in the server's firewall and on any intermediate routers. Remember that if your server sits behind a home router, you need to forward WireGuard's UDP port to the server's internal IP address. Because WireGuard does not reply to packets it cannot authenticate, the port looks closed to a scanner even when everything is working, so test with a real client rather than with a port scan.
If the tunnel is up but the client has no Internet access, check that packet forwarding (net.ipv4.ip_forward and net.ipv6.conf.all.forwarding) is enabled and that the iptables NAT rule is attached to the right outgoing interface (eth0, ens3, etc.); a MASQUERADE rule on the wrong interface is the most common cause.
DNS problems usually show up as being able to ping specific IPs but not resolve domain names. In that case, verify that the DNS field in the client configuration (Android, PC, client router) points to the right server: it can be a public resolver (8.8.8.8, 1.1.1.1) or the server's tunnel IP if you want it to act as a resolver too, which requires a DNS service on the server (for example, unbound or dnsmasq) listening on the wg0 address and, with a strict firewall, an INPUT rule allowing port 53 from the tunnel network.
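As an added example (not from the original guide) of the handshake check described above, this script parses the machine-readable form of that command, wg show wg0 dump, and separates three situations the raw output blurs together: a peer that never completed a handshake (the port-forwarding or firewall case), one whose handshake is stale even though PersistentKeepalive is set (it can no longer reach the server), and one that is merely idle. The column order is WireGuard's documented dump format; the sample dump, keys, endpoints and timestamps are constructed, and the 180-second threshold is a chosen default based on WireGuard re-handshaking about every two minutes while traffic flows.

```shell
#!/bin/sh
# wg_peer_health.sh: list peers whose handshake is missing or stale from `wg show wg0 dump`.
# Added example, not from the original guide. Assumes the tab-separated format of
# wg(8) "dump": line 1 is the interface (private-key, public-key, listen-port, fwmark);
# every further line is one peer: public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (unix seconds, 0 = never), transfer-rx, transfer-tx, persistent-keepalive.

# Read a dump on stdin and print "<pubkey> <allowed-ips> <status>" for peers worth a look.
# $1 = reference unix time (default: now), $2 = staleness threshold in seconds (default 180).
# A peer that keeps sending (PersistentKeepalive on) re-handshakes roughly every two
# minutes, so a handshake older than the threshold means it cannot reach the server.
# Without keepalive, an old handshake on a silent peer is normal and is reported as idle.
stale_peers() {
    now="${1:-$(date +%s)}"
    limit="${2:-180}"
    awk -F '\t' -v now="$now" -v limit="$limit" '
        NR == 1 { next }                                   # interface line
        $5 == 0 { print $1, $4, "never-handshaked"; next } # key known, no handshake ever
        {
            age = now - $5
            if (age <= limit) next                         # healthy
            if ($8 == "off") print $1, $4, "idle(" age "s)"
            else print $1, $4, "stale(" age "s)"
        }'
}

# Constructed sample of `wg show wg0 dump` frozen at unix time 1700000000. The keys are
# placeholder strings of the right shape, not real keys.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' '<server_private_key>' '<server_public_key>' 51928 off
    # pc: handshake 50 s ago, keepalive 25 -> healthy
    printf '%s\t(none)\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        '0123456789abcdefghijklmnopqrstuvwxyzABCDEFG=' 203.0.113.10:41820 10.30.0.2/32 1699999950 81234 654321 25
    # phone: handshake 1000 s ago despite keepalive 25 -> unreachable
    printf '%s\t(none)\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        '9876543210ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg=' 198.51.100.7:5000 10.30.0.3/32 1699999000 4096 9182 25
    # tablet: registered but has never completed a handshake (port/firewall problem)
    printf '%s\t(none)\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq=' '(none)' 10.30.0.4/32 0 0 0 off
    # nas: no keepalive, last spoke hours ago -> idle, not necessarily broken
    printf '%s\t(none)\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ=' 192.0.2.44:51820 10.30.0.5/32 1699990000 100 100 off
}

demo() {
    sample_dump | stale_peers 1700000000 180
}

case "${1:-}" in
    --demo) demo ;;
    --live) wg show "${2:-wg0}" dump | stale_peers ;;
esac
```

sh wg_peer_health.sh --demo shows the constructed case; on the server, sh wg_peer_health.sh --live wg0 runs it against the real interface (as root, like wg itself). An empty result means every registered peer has talked to the server recently.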
In terms of security, beyond the cryptographic strength of the protocol, the following are fundamental:
- Protect private keys and never share them; generate them on the device that will use them whenever you can.
- Restrict each peer's AllowedIPs on the server as much as possible, and remember that this only limits which source addresses a peer may use; to limit which destinations it can reach, add firewall rules on the server.
- Use a non-standard UDP port to reduce noise from automated scanners (WireGuard stays silent toward unauthenticated packets anyway, so this is hygiene, not a security boundary).
- Keep the system and, of course, WireGuard itself up to date.
- Apply additional firewall rules to limit who can reach the WireGuard port on your server, and consider a PresharedKey per peer for an extra symmetric layer on top of the key exchange.
Together these measures make your WireGuard VPN not only fast and functional but also robust against the common attacks that exploit misconfiguration or careless key handling.
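The second and last points in the list above say that destination restrictions have to live in the server's firewall. As an added example that is not part of the original guide, this script turns a small per-peer policy into iptables FORWARD rules for wg0. It relies on a property the guide's server configuration already gives you: WireGuard drops any tunnel packet whose source address is outside the sending peer's AllowedIPs, so matching on -s <tunnel ip> identifies the peer by its key. The policy file format, the 192.168.1.0/24 home LAN and the 192.168.1.50 NAS are assumptions; the peers and their tunnel addresses are the guide's. These rules are meant to replace the blanket iptables -A FORWARD -i %i -j ACCEPT in the guide's PostUp line (keep the MASQUERADE rule as it is).

```shell
#!/bin/sh
# peer_rules.sh: turn a per-peer policy into iptables FORWARD rules for the wg0 interface.
# Added example, not from the original guide. WireGuard's cryptokey routing guarantees
# that a packet from the tunnel carries a source address inside the sender's AllowedIPs,
# so "-s <tunnel ip>" in a rule identifies the peer by its key.
# Policy format (assumed): one line per peer, "<tunnel-ip> <dest>,<dest>,...", # comments.
# These rules replace the blanket "iptables -A FORWARD -i %i -j ACCEPT" in the guide's
# PostUp; the MASQUERADE rule stays as it is.

# Read a policy on stdin and print the iptables commands for interface $1 (default wg0).
# Printing rather than executing lets you review them first and then pipe them into sh.
peer_forward_rules() {
    wg="${1:-wg0}"
    # replies to anything a peer initiated are allowed back into the tunnel
    echo "iptables -A FORWARD -o $wg -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    awk -v wg="$wg" '
        { sub(/#.*/, "") }          # strip comments; fields are re-split afterwards
        NF < 2 { next }             # blank or comment-only line
        {
            n = split($2, dst, ",")
            for (i = 1; i <= n; i++)
                print "iptables -A FORWARD -i " wg " -s " $1 " -d " dst[i] " -j ACCEPT"
            print "iptables -A FORWARD -i " wg " -s " $1 " -j DROP"
        }'
    # a peer registered in wg0.conf but absent from the policy gets nothing
    echo "iptables -A FORWARD -i $wg -j DROP"
}

# Constructed policy for the guide's example peers (LAN and NAS addresses are assumed).
sample_policy() {
    cat <<'EOF'
# tunnel-ip   destinations this peer may reach
10.30.0.2     192.168.1.0/24,0.0.0.0/0     # mypc: home LAN and full Internet
10.30.0.3     192.168.1.50/32              # myphone: only the NAS
EOF
}

demo() {
    sample_policy | peer_forward_rules wg0
}

case "${1:-}" in
    --demo) demo ;;
    --apply) peer_forward_rules "${2:-wg0}" | sh ;;
esac
```

sh peer_rules.sh --demo prints the rules for the constructed policy; sh peer_rules.sh --apply wg0 < policy.txt applies them (as root). Put the same commands in PostUp, with their -D counterparts in PostDown, if you want them to follow the interface's life cycle.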
With all these steps you will have a properly set up WireGuard server with remote access from Android and other systems, encrypted traffic, full-tunnel browsing, and access to your home or office devices by their internal domain names; in short, a neat way to take your network with you wherever you go without much hassle.
