WireGuard is the fastest, simplest VPN protocol to run on a desktop, and the official WireGuard client for Windows turns a connection into a single click once it is set up. This guide walks through WireGuard on Windows end to end in 2026: installing the official client, importing or creating a tunnel, activating it, verifying the handshake, and fixing the issues people hit on Windows.
Quick answer: Install the official WireGuard client from wireguard.com/install, then either import a .conf file your server gave you (Import tunnel(s) from file) or use Add empty tunnel to generate a key pair and paste the server's [Peer] details. Click Activate, confirm the Latest handshake updates, and you're connected. WireGuard on Windows is only the client — it needs a WireGuard server to point at.
What you need before you start
- Windows 10 or 11 (the official client supports both; it runs as a system service).
- A running WireGuard server with a reachable public endpoint. This is the half WireGuard on Windows does not provide — you supply it with a self-hosted server on a Contabo VPS or a home Raspberry Pi with a forwarded UDP port.
- The client details for this device: either a complete .conf file the server generated, or — if you "Add empty tunnel" — the server's public key and endpoint so you can finish the [Peer] section. Give each device its own key pair; reusing one config across machines breaks the handshake because two peers then share a public key.
If you're new to the protocol, our what is WireGuard explainer covers the cryptography and why it's faster than OpenVPN.
Step 1 — Install the official client
Download the Windows installer from the official site, wireguard.com/install. It installs the WireGuard GUI plus the background service that actually runs tunnels. Avoid third-party "WireGuard" downloads — a VPN client sees all your traffic, so the publisher matters. After installing, launch WireGuard; you'll see an empty tunnel list with Add Tunnel at the bottom.
Step 2 — Get or create a tunnel config
You have two real paths in the client, both genuine features of the Windows app:
- Import a .conf your server made. If your server already generated a per-device config, this is the simplest route — skip to Step 3.
- Add empty tunnel. Click the arrow next to Add Tunnel → Add empty tunnel…. The client generates a fresh key pair and shows the new public key at the top. Copy that public key to your server (add it as a [Peer]), then fill in the rest of the config below.
Anatomy of a WireGuard .conf
A config has two sections. Here is the shape, with explicit placeholders — never paste real keys from a guide; your own server and client generate these:
```ini
[Interface]
PrivateKey = <this-device-private-key>
Address = 10.0.0.2/32
DNS = <dns-resolver-ip>

[Peer]
PublicKey = <server-public-key>
Endpoint = <server-host-or-ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```
What each field does:
- [Interface] PrivateKey — this Windows device's private key (kept local; never shared). With "Add empty tunnel" the client fills this in for you.
- Address — the VPN IP this device takes inside the tunnel, assigned by your server's addressing plan.
- DNS — the resolver used while connected; set it to your server or a trusted resolver so lookups don't leak.
- [Peer] PublicKey — the server's public key (not yours). A mismatch here is the top cause of a silent failure.
- Endpoint — the server's reachable host/IP and UDP port (commonly 51820). For a home server this is your public IP and the forwarded port.
- AllowedIPs — which destinations route through the tunnel. 0.0.0.0/0, ::/0 is a full tunnel (everything); a narrow range like 10.0.0.0/24 is split-tunnel (only that subnet).
- PersistentKeepalive = 25 — keeps the path alive behind NAT; useful when the Windows machine is behind a home router.
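A pre-import check for the fields described above, as an added example (not part of the official client or the original guide). It flags unfilled placeholders or malformed keys, an Endpoint without a port, and a full tunnel with no DNS line. The names `lint`, `is_key`, `DUMMY_KEY` and `SAMPLE_CONF` are hypothetical, and a single [Peer] section is assumed, as in the config shown here.

```python
import base64
import binascii
import configparser
import ipaddress

# Constructed sample: dummy key, placeholder PublicKey, portless Endpoint, no DNS.
DUMMY_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE_CONF = f"""[Interface]
PrivateKey = {DUMMY_KEY}
Address = 10.0.0.2/32
[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com
AllowedIPs = 0.0.0.0/0, ::/0
"""

def is_key(value):
    """True when value is base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def lint(conf_text):
    """Return (tunnel_mode, findings) for a single-peer client config."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    iface = cp["Interface"] if cp.has_section("Interface") else {}
    peer = cp["Peer"] if cp.has_section("Peer") else {}
    findings = []
    for name, section in (("PrivateKey", iface), ("PublicKey", peer)):
        if not is_key(section.get(name, "")):
            findings.append(f"{name} is missing or not a 32-byte base64 key")
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        findings.append("Endpoint must be host:port")
    try:
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
    except ValueError:
        nets = []
        findings.append("AllowedIPs contains an invalid network")
    mode = "full" if any(n.prefixlen == 0 for n in nets) else "split"
    if mode == "full" and not iface.get("DNS", "").strip():
        findings.append("full tunnel without DNS: lookups may leak")
    return mode, findings

if __name__ == "__main__":
    print(lint(SAMPLE_CONF))
```

A well-formed key only proves the field was filled in; it cannot show that PublicKey is the right server's key, which the handshake check in Step 4 confirms.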
Step 3 — Import the tunnel and activate
If you have a .conf file: Add Tunnel → Import tunnel(s) from file…, pick the .conf, and it appears in the list. Select the tunnel and click Activate. Windows may prompt for administrator permission the first time, because the client installs a background service. The status switches to Active and you'll see live transfer counters.
Step 4 — Verify it's working
A connected tunnel isn't proof the VPN is doing its job. Check three things:
- Latest handshake — the tunnel panel shows a recent handshake time (a few seconds/minutes ago), not blank. A handshake means the two peers actually authenticated.
- Your public IP changed — visit any "what is my IP" page; it should show the server's IP, not your ISP's.
- No leaks — run a WebRTC leak test and confirm DNS goes through the tunnel with our WireGuard DNS-leak prevention guidance.
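The handshake check can also be scripted, shown here as an added example that is not from the original guide. It classifies the output of `wg show <tunnel> latest-handshakes`, which prints one peer public key and one Unix timestamp per line (0 means no handshake yet). The 180-second staleness threshold, the function names and the sample lines are assumptions made for this example.

```python
import time

STALE_AFTER = 180  # seconds; assumed threshold chosen for this example

# Constructed sample output; the peer keys are placeholders, not real keys.
NOW = 1_767_225_600  # constructed "current time" used with the sample
SAMPLE = (
    "PEERKEYAAAA=\t1767225570\n"
    "PEERKEYBBBB=\t1767220000\n"
    "PEERKEYCCCC=\t0\n"
)

def handshake_status(output, now=None, stale_after=STALE_AFTER):
    """Map each peer key to (state, age_seconds); state is ok, stale or never."""
    now = int(time.time()) if now is None else now
    status = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        key, _, stamp = line.partition("\t")
        ts = int(stamp)
        if ts == 0:
            # Timestamp 0: the peers have never authenticated each other.
            status[key] = ("never", None)
        else:
            age = max(0, now - ts)
            status[key] = ("stale" if age > stale_after else "ok", age)
    return status

def advice(state):
    """Next check to make for a state, following the troubleshooting list."""
    return {
        "ok": "handshake is recent; confirm public IP and DNS next",
        "stale": "tunnel authenticated earlier; check reachability and keepalive",
        "never": "check Endpoint IP/port, the server's UDP port or port-forward, "
                 "and the [Peer] PublicKey",
    }[state]

if __name__ == "__main__":
    for peer, (state, age) in handshake_status(SAMPLE, now=NOW).items():
        print(peer, state, age, "->", advice(state))
```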
Troubleshooting on Windows
- No handshake (stays blank): wrong Endpoint IP/port, the server's UDP port not open (or no router port-forward for a home server), or a mismatched public key. WireGuard stays silent to unauthenticated packets, so there's no error — verify the server is listening and reachable. Deeper steps in our handshake troubleshooting guide.
- Windows Defender Firewall blocks it: allow the WireGuard outbound UDP connection if a strict firewall or third-party security suite drops it.
- DNS doesn't apply / lookups leak: make sure the [Interface] DNS line is set; without it Windows may keep using your ISP's resolver inside a full tunnel.
- Connected but no internet: with AllowedIPs = 0.0.0.0/0 the server must forward and NAT your traffic — if it doesn't, pages won't load. Check the server side, and lower the interface MTU (e.g. 1280) if some sites stall.
- Full tunnel vs split tunnel: AllowedIPs = 0.0.0.0/0, ::/0 sends everything through the server; a narrow range sends only that subnet — pick based on whether you want full privacy or just to reach a home LAN.
- The "WireGuard service": if a tunnel won't activate, check the service exists and is running in services.msc (WireGuardTunnel$<tunnel-name>).
Auto-start: the tunnel as a Windows service
There's no mobile-style "always-on" toggle on Windows — and you don't need one. Activating a tunnel installs it as a Windows service (WireGuardTunnel$<tunnel-name>) that reconnects automatically and starts with Windows, so an active tunnel comes back up after a reboot. You can inspect or stop it from services.msc. That service model is how WireGuard stays persistent on Windows.
Config fields at a glance
| Field | Section | Role |
|---|---|---|
| PrivateKey | [Interface] | This device's secret key (kept local) |
| Address | [Interface] | The VPN IP this device uses inside the tunnel |
| DNS | [Interface] | Resolver used while connected (prevents leaks) |
| PublicKey | [Peer] | The server's public key |
| Endpoint | [Peer] | Server host/IP + UDP port to reach |
| AllowedIPs | [Peer] | Destinations routed through the tunnel (full vs split) |
| PersistentKeepalive | [Peer] | Keeps the path alive behind NAT |
The bottom line
WireGuard on Windows is a few-minutes setup: install the official client from wireguard.com/install, import a .conf (or "Add empty tunnel" and finish the [Peer]), click Activate, then confirm the handshake and your new IP. The one thing the Windows client can't give you is a server to connect to. A Contabo VPS at €5.50/month runs a personal WireGuard server comfortably, or a home Raspberry Pi does the job.
Editorial guide based on the documented behaviour of the official WireGuard client for Windows. Security depends on your server configuration and key hygiene. Commercial links carry the rel="sponsored nofollow" attribute; an affiliate commission may apply at no extra cost to you.
