At GMhost we set up corporate WireGuard for clients almost every week. The server config is ten lines, adding a new user is a 30-line bash script and a QR code on a smartphone in ten seconds.
This guide is the full procedure from a clean Ubuntu install to first connections. About 30 minutes, and you have your own VPN with full control over the logs, holding 1 Gbps on a typical VPS.
Why WireGuard, not OpenVPN
OpenVPN is over 100,000 lines of code, a complex TLS stack in user-space, and a ~250 Mbps cap on a typical VPS. WireGuard is around 4,000 lines, runs in the Linux 5.6+ kernel, and squeezes 850-950 Mbps out of the same VPS without any special tuning.
The cryptography is modern (Curve25519, ChaCha20-Poly1305) — no legacy like 3DES. The server config is ten lines. Out-of-the-box support on iOS, Android, Windows, macOS, OpenWrt, and MikroTik.
The one notable downside — no native 2FA. If you need SSO/MFA, layer Firezone on top (more on that at the end).
VPS or dedicated — how to choose
| Team | What's enough |
|---|---|
| 5-15 users, web + email | VPS 2 vCPU / 2 GB / 50 GB NVMe |
| 15-50 users + RDP sessions | VPS 4 vCPU / 4 GB / 80 GB NVMe |
| 50-200 users, intra-office, backup traffic | Dedicated on Xeon Gold 6138/6230, 32-64 GB |
| 200+ or VPN reseller | Dedicated 2× Xeon Platinum 8163, 64+ GB |
Each WireGuard connection consumes CPU. On a dual-core VPS, 200 simultaneous peers introduce noticeable jitter. On our Xeon Gold servers with AES-NI, WG holds 10 Gbps without breaking a sweat — so for teams of 50+ a dedicated server makes sense from day one.
Step 1. Prepare the system (5 min)
A freshly installed Ubuntu 24.04 LTS or Debian 12. Working as root or via sudo.
Step 2. Server config (10 min)
Generate a key pair:
Create /etc/wireguard/wg0.conf:
Replace eth0 with the name of your own uplink interface (ip route | grep default will show it). Start it:
If wg show shows the interface — the server is alive.
Step 3. Add team members (10 min for 5 people)
One script that generates a client, adds a peer to the server, and prints a QR code for the smartphone.
/usr/local/bin/wg-add-client:
Run it:
The terminal prints a QR code — Maria scans it in her mobile WireGuard app in 10 seconds. For a laptop, send the .conf file over a secure channel — it imports with one click. After adding, save the state: wg-quick save wg0.
Split tunneling — when not all traffic goes through the VPN
By default AllowedIPs = 0.0.0.0/0 sends every byte of client traffic through the VPN. Often you want it the other way around: corporate resources through the tunnel, Zoom and Spotify natively. In the client config, replace it with a list of the subnets you actually need:
The first one is the VPN clients themselves, then the office servers, then a second branch. Anything outside those ranges takes the regular route.
Monitoring
Quick, with no extra stack:
Shows the public key and how many seconds ago the last handshake happened. In cron, trigger a Telegram alert if a handshake is older than 10 minutes. For something more serious — prometheus-wireguard-exporter + Grafana dashboard 12177.
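A cron check of the kind described above, as an added example rather than GMhost's own tooling: it parses `wg show wg0 dump` and reports peers whose last handshake is older than 10 minutes. It assumes the standard dump column layout, uses placeholder keys in a constructed sample, and takes the Telegram bot token and chat id from assumed `TG_BOT_TOKEN` / `TG_CHAT_ID` environment variables.

```shell
#!/bin/sh
# Column layout of `wg show <iface> dump` (tab-separated): the first line is the
# interface (private key, public key, listen port, fwmark); every following line
# is a peer: public key, preshared key, endpoint, allowed IPs, latest handshake
# as a unix timestamp (0 = never), rx bytes, tx bytes, persistent keepalive.

# stale_peers NOW LIMIT_SECONDS   (dump text on stdin)
# Prints "<public key> <age in seconds>" for each peer older than LIMIT and
# "<public key> never" for peers that have not completed a handshake at all
# (a freshly issued client looks the same as a dead one, so it is reported, not hidden).
stale_peers() {
  awk -F '\t' -v now="$1" -v limit="$2" '
    NR == 1 { next }                        # interface line, not a peer
    $5 == 0 { print $1 " never"; next }     # never handshaked
    { age = now - $5; if (age > limit) print $1 " " age }
  '
}

# Constructed sample dump; keys are placeholders, timestamps are relative to $1.
sample_dump() {
  printf 'SRV_PRIV_PLACEHOLDER=\tSRV_PUB_PLACEHOLDER=\t51820\toff\n'
  printf 'PEER_A_PLACEHOLDER=\t(none)\t203.0.113.10:41641\t10.8.0.2/32\t%s\t4096\t8192\t25\n' "$(($1 - 120))"
  printf 'PEER_B_PLACEHOLDER=\t(none)\t198.51.100.7:51820\t10.8.0.3/32\t%s\t1024\t2048\t25\n' "$(($1 - 1800))"
  printf 'PEER_C_PLACEHOLDER=\t(none)\t(none)\t10.8.0.4/32\t0\t0\t0\toff\n'
}

# Cron entry point, e.g. `*/5 * * * * /usr/local/bin/wg-handshake-check run`.
# TG_BOT_TOKEN and TG_CHAT_ID are assumed environment variables (Telegram Bot API).
check_and_alert() {
  stale=$(wg show wg0 dump | stale_peers "$(date +%s)" 600)
  [ -z "$stale" ] && return 0
  curl -s -X POST "https://api.telegram.org/bot${TG_BOT_TOKEN}/sendMessage" \
    --data-urlencode "chat_id=${TG_CHAT_ID}" \
    --data-urlencode "text=WireGuard peers without a handshake for >10 min:
$stale" >/dev/null
}

if [ "${1:-}" = "run" ]; then
  check_and_alert
else
  # Demo on the constructed sample: PEER_B (30 min old) and PEER_C (never) are reported.
  sample_dump 1700000000 | stale_peers 1700000000 600
fi
```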
What's next
- Backup the configs. /etc/wireguard/ is about 30 KB. Push it to our Backup Storage daily. Without backups and with a lost server, you'll have to reissue keys to every team member.
- Rotate the preshared keys. Every 6 months. The wg-add-client script needs only minor tweaks for bulk rotation.
- 2FA / SSO. If security is critical — Firezone (a frontend to WireGuard with OIDC, SAML, Google Workspace, Microsoft Entra). It sits on top of the same server, and client configs are issued via a web portal.
- Scaling. Migrating from a VPS to a dedicated server is scp -r /etc/wireguard new-server:/etc/, swapping the Endpoint in client configs, and a restart. About fifteen minutes.
Want a specific configuration?
We pick a VPS or dedicated for your scenario — number of users, whether you need a backup uplink, whether there will be intra-office routes. Drop us a line at [email protected] or in the bot @gmhost_support_bot — we'll suggest a plan and help with migration.