VPNSmith
Free tool

WireGuard Config Generator

Generate a production-ready WireGuard server + client config in seconds. Real cryptographic keys generated locally in your browser. Nothing ever leaves your device.

🔒100% client-side
🔑Curve25519 / X25519
🆓Free & open

All keys are generated in your browser (Curve25519 / X25519). Nothing is sent to our servers — your config stays 100% private.

How to use this generator

  1. 01

    Fill in the form

    Enter your server's IP or domain, listening port (default 51820), VPN subnet, DNS resolver and the number of clients.

  2. 02

    Click Generate

    Real Curve25519 key pairs are generated in your browser using WebCrypto. Nothing is sent to our servers.

  3. 03

    Deploy the server config

    Copy or download wg0.conf. On your VPS: sudo cp wg0.conf /etc/wireguard/ && sudo wg-quick up wg0. Enable on boot: sudo systemctl enable wg-quick@wg0.

  4. 04

    Deploy client configs

    Copy each client.conf to the client device, or scan the QR code with the WireGuard mobile app.

Why self-host your own VPN?

Commercial VPN providers hold your traffic logs, share jurisdictions with surveillance alliances and can disappear overnight. With a self-hosted WireGuard VPN on a €4.99/mo Contabo VPS, you own the exit IP, the keys never leave your machine, and you operate under GDPR (Germany) rather than CLOUD Act jurisdiction.

Self-hosted vs commercial VPN — full comparisonSelf-hosting guide for beginners

Host your WireGuard VPN on Contabo

A Contabo Cloud VPS S (4 vCPU, 8 GB RAM, unlimited bandwidth) is plenty for 10+ WireGuard tunnels. €4.99/mo on a 24-month plan — German datacenter, GDPR jurisdiction, dedicated IPv4.

Get Contabo VPS S →

Affiliate link — we earn a commission at no extra cost to you.

Frequently asked questions

Are the generated keys secure?
Yes. Keys are generated in your browser using tweetnacl (Curve25519 / X25519), the same elliptic curve used by WireGuard. They are never sent to our servers — generation is 100% client-side.
What is the default port 51820?
51820/UDP is the unofficial default WireGuard port. You can change it to any port — 443 or 8443 can help bypass some firewalls. Just make sure to open the port on your server firewall (ufw allow 51820/udp).
Full tunnel vs split tunnel — which should I choose?
Full tunnel (0.0.0.0/0) routes all client traffic through the VPN — best for privacy and to bypass censorship. Split tunnel (10.0.0.0/24) only routes traffic destined to the VPN subnet — best for accessing internal resources without slowing down other traffic.
How many clients can I add?
WireGuard itself supports hundreds of peers. This generator supports up to 10 clients for practical use. For more, regenerate in batches and manually append the [Peer] blocks.
What VPS do I need to run WireGuard?
Any Linux VPS works. WireGuard is lightweight — a 1 vCPU / 1 GB RAM server handles 50+ simultaneous tunnels easily. Contabo Cloud VPS S (4 vCPU, 8 GB RAM, ~€4.99/mo) is our tested recommendation.