How do I set up WireGuard on iPhone?

Install the official WireGuard app from the App Store, tap the plus button, and add a tunnel. The easiest method is 'Create from QR code': scan the QR your server generates (PiVPN's 'pivpn -qr', NetBird, or qrencode on a manual setup) and the whole config imports at once. You can also import a .conf file from the Files app. Toggle the tunnel on and allow the VPN configuration when iOS prompts. WireGuard needs a server endpoint to connect to — a Raspberry Pi or a cheap VPS.

How do I import a WireGuard config on iOS?

In the WireGuard app's plus menu you have three options: 'Create from QR code' (scan a QR — fastest), 'Create from file or archive' (import a .conf you saved to the Files app or AirDropped to the device), and 'Create from scratch' (paste keys and the peer endpoint manually). QR is the least error-prone. After importing, check the tunnel's DNS and endpoint fields, then enable it; iOS will ask permission to add a VPN configuration the first time.

Does iOS have an always-on VPN / kill switch for WireGuard?

Yes, via the WireGuard app's On-Demand feature. Edit the tunnel, enable 'On-Demand' and choose to activate it on Wi-Fi and/or cellular — iOS then keeps the tunnel up and reconnects automatically. Combined with 'Exclude private IPs' off as needed, On-Demand is the practical iOS equivalent of an always-on VPN. Note that a true system-wide kill switch on iOS is best achieved with a configuration profile (MDM) for managed devices; for most users, On-Demand is sufficient.

Why won't my WireGuard tunnel connect on iPhone?

The usual causes: a wrong endpoint IP/port or the server's UDP port not open in its firewall; a mismatched public key between client and server; or a clock/time skew. If the latest-handshake stays at 'never', verify the server is listening on the right UDP port and reachable from outside. If it connects but pages don't load, lower the MTU (e.g. to 1280) in the interface config — this fixes many cellular-network MTU problems on iOS.

Is WireGuard on iOS battery-friendly?

Yes. WireGuard is lightweight and designed to handle roaming and sleep efficiently, so it uses noticeably less battery than older protocols like OpenVPN on iOS. With On-Demand enabled it stays connected with minimal drain, reconnecting quickly after the phone wakes. For most users the battery impact of an always-on WireGuard tunnel is small.

WireGuard on iPhone & iPad: Complete iOS Setup (2026)

WireGuard is the cleanest VPN protocol to run on an iPhone or iPad — fast, light on battery, and a single toggle once it's set up. This guide walks through WireGuard on iOS end to end in 2026: installing the app, importing your server config, enabling On-Demand (always-on), and fixing handshake and MTU issues. It works with any WireGuard server — PiVPN, NetBird, or a manual setup. (For Android, see our WireGuard on Android guide.)

Step 1 — Install the app

Install the official WireGuard app from the App Store. Avoid third-party clones.

Step 2 — Import your server config

Tap + and choose:

Create from QR code — scan the QR your server generates (pivpn -qr, NetBird, or qrencode). Fastest and least error-prone.
Create from file or archive — import a .conf from the Files app or AirDrop.
Create from scratch — paste keys and the [Peer] endpoint manually.

WireGuard is the client; it needs a server. A Contabo VPS at €4.99/month runs a personal WireGuard server comfortably.

Step 3 — Connect and verify

Toggle the tunnel on and allow the VPN configuration when iOS prompts. Check the latest handshake updates (not "never") and that your public IP changes. For the protocol background, see WireGuard vs OpenVPN.

Step 4 — On-Demand (always-on)

Edit the tunnel → enable On-Demand → activate on Wi-Fi and/or cellular. iOS keeps the tunnel up and reconnects automatically — the practical iOS equivalent of an always-on VPN. A true system-wide kill switch on iOS needs a configuration profile (MDM) for managed devices; for most users, On-Demand is enough.

Troubleshooting

No handshake ("never"): wrong endpoint IP/port, server UDP port not open, or mismatched public key. Verify the server is reachable.
Connects but no internet: lower the MTU (e.g. 1280) in the interface config — fixes many cellular MTU issues.
DNS leaks: set the tunnel's DNS to your server or a trusted resolver and test.

For reusable client/server templates, see WireGuard config templates.

The bottom line

WireGuard on iOS is a five-minute setup: install the official app, import your server config by QR, allow the VPN config, and enable On-Demand for always-on. Keep the MTU trick handy for flaky cellular networks. You just need a WireGuard server to point it at — a Contabo VPS or a home Raspberry Pi does the job.

Editorial guide based on the documented behaviour of the official WireGuard iOS client and iOS On-Demand VPN. Security depends on your server configuration and key hygiene. Commercial links carry the rel="sponsored nofollow" attribute; an affiliate commission may apply at no extra cost to you.

★ Nuremberg GDPR datacenter · ✓ Dedicated IPv4 included · 200+ Mbps guaranteed

Self-host your VPN on your own VPS → ContaboFull root access · public IPv4 · pick your region→

WireGuard on iPhone & iPad: Complete iOS Setup (2026)

Step 1 — Install the app

Step 2 — Import your server config

Step 3 — Connect and verify

Step 4 — On-Demand (always-on)

Troubleshooting

The bottom line

Read next

What Port Does WireGuard Use? Default Port, Changing It & Forwarding (2026)

WireGuard on Android: Complete Setup Guide (2026)

What Is NAT? Network Address Translation Explained (2026)