WireGuard Config Generator

Generate a matching client and server WireGuard config in one step. The keypairs are created in your browser, so nothing is sent anywhere. Set the endpoint, tunnel addresses, DNS, and routing, then paste the two halves where they belong.

How the two halves fit together

WireGuard is symmetric: each side has a private key it keeps and a public key it shares. The client config holds the client private key and the server public key; the server peer block holds the client public key. That is why this tool makes both at once, so the keys line up.

Full tunnel sets AllowedIPs to 0.0.0.0/0, ::/0, which sends all client traffic through the server, the usual choice for remote access and privacy. Turn it off to route only your home subnet and leave normal browsing on the local connection. The preshared key adds a symmetric layer on top, cheap extra protection against future attacks on the handshake.

On the server you also need IP forwarding enabled and, for full tunnel, a NAT rule so replies find their way back. That part is host setup, not config text.

Deciding whether WireGuard is the right VPN for you? WireGuard vs OpenVPN and WireGuard vs Tailscale weigh the options, and the subnet calculator helps you pick tunnel ranges that do not clash with your LAN.