How to Set Up WireGuard VPN on Your Breeze

By Admin · Mar 2, 2026 · Updated Apr 23, 2026

WireGuard is a modern, high-performance VPN protocol that offers simplicity, speed, and strong cryptography. Running a WireGuard VPN on your Breeze instance creates an encrypted tunnel for secure remote access to your server and private network resources.

Installing WireGuard

On Ubuntu or Debian-based Breeze instances, install WireGuard from the default repositories:

sudo apt update
sudo apt install -y wireguard

On AlmaLinux or Rocky Linux:

sudo dnf install -y epel-release
sudo dnf install -y wireguard-tools

Generating Key Pairs

WireGuard uses public-key cryptography. Generate a key pair for the server:

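# Run as root with a restrictive umask so the private key is never world-readable
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key'
sudo chmod 600 /etc/wireguard/server_private.key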

Generate a key pair for each client:

# The subshell keeps the restrictive umask from leaking into the rest of the session
(umask 077; wg genkey | tee client_private.key | wg pubkey > client_public.key)

Configuring the Server

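Create the WireGuard configuration file at /etc/wireguard/wg0.conf. It contains the server's private key, so keep it readable by root only (mode 600). The PostUp and PostDown rules assume the public network interface is named eth0; substitute your instance's interface name if it differs: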

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

Enabling IP Forwarding

Allow traffic to flow through the VPN tunnel:

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Starting and Enabling WireGuard

sudo systemctl enable --now wg-quick@wg0
sudo wg show

Client Configuration

On the client device, create a configuration file:

[Interface]
PrivateKey = <client_private_key>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server_public_key>
Endpoint = your-breeze-ip:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Firewall Rules

Open the WireGuard UDP port (51820, matching ListenPort) in your firewall:

sudo ufw allow 51820/udp
sudo ufw reload

Best Practices

  • Rotate keys periodically — regenerate key pairs every few months for improved security
  • Limit AllowedIPs — only route necessary traffic through the tunnel rather than all traffic
  • Use PresharedKey — add an extra layer of symmetric encryption between peers
  • Monitor connections — run wg show regularly to verify active peers and data transfer
  • Keep WireGuard updated — apply patches promptly to benefit from security fixes
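
The function below checks a wg-quick configuration against three of the points above: file permissions, a missing PresharedKey, and peers whose AllowedIPs route all traffic. It is an added example, not part of the original article or of wireguard-tools; the name wg_conf_audit is hypothetical and the script assumes GNU or BusyBox stat.

```shell
# Added example, not from the original article. wg_conf_audit is a
# hypothetical helper name; it is not part of wireguard-tools.
# Assumes GNU or BusyBox stat. Returns 0 if clean, 1 on findings, 2 on error.
# Usage, as root: wg_conf_audit /etc/wireguard/wg0.conf
wg_conf_audit() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    findings=$(
        # The file holds PrivateKey, so only its owner should have access.
        mode=$(stat -c '%a' "$conf")
        case $mode in
            (600|400) ;;
            (*) echo "WARN: mode $mode on $conf, expected 600" ;;
        esac
        awk '
        function report() {       # findings for the peer just parsed
            if (!inpeer) return
            if (!psk) print "WARN: peer " key " has no PresharedKey"
            if (wide) print "WARN: peer " key " routes everything: " wide
        }
        /^[ \t]*\[/ {             # a new section closes the previous one
            report()
            inpeer = (tolower($0) ~ /\[peer\]/)
            key = "(no key)"; psk = 0; wide = ""
            next
        }
        /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
        {
            name = tolower($0); sub(/[ \t]*=.*/, "", name); gsub(/[ \t]/, "", name)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
            if (name == "publickey")    key = val
            if (name == "presharedkey") psk = 1
            if (name == "allowedips") {
                n = split(val, cidr, /[ \t]*,[ \t]*/)
                for (i = 1; i <= n; i++)
                    if (cidr[i] ~ /\/0$/) wide = wide cidr[i] " "
            }
        }
        END { report() }
        ' "$conf"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run against the client configuration shown earlier, it reports the missing PresharedKey and the 0.0.0.0/0 route, which is expected for a full-tunnel client but worth reviewing on a server-side peer.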

WireGuard provides an excellent balance of performance and security for encrypting traffic to and from your Breeze instance.