
Why Route Traffic Through a VPS with WireGuard?
Last verified for accuracy: August 16th, 2025
Running intensive security tools like Nuclei and Dalfox directly on a VPS can quickly exhaust system resources, even on multi-core instances. Memory limitations and CPU constraints can make it impractical to run comprehensive scans from your remote server.
However, you still want the benefits of your VPS’s high-speed network connection and IP address for your security testing, bug bounty hunting and penetration testing work.
The solution? Keep the resource-heavy scanning tools on your local machine (like a Kali laptop) while tunneling all network traffic through your VPS. This approach gives you the best of both worlds: your laptop’s processing power combined with your VPS’s network characteristics and IP reputation.
WireGuard VPN provides an efficient way to route all traffic seamlessly, ensuring tools like vulnerability scanners and web crawlers appear to originate from your VPS while actually running locally where you have adequate system resources.
What is WireGuard?
WireGuard is a modern, high-performance VPN protocol that has become the default choice for secure tunneling. Unlike older protocols such as OpenVPN or IPsec, it pairs modern cryptography with a very small codebase (the original Linux implementation is around 4,000 lines), which makes it faster, easier to audit and harder to misconfigure.
Many commercial VPN providers, including NordVPN and Surfshark, have adopted WireGuard for its performance and security. It has also been part of the mainline Linux kernel since version 5.6 (March 2020), so on a current distribution it runs natively without a third-party kernel module.
For security professionals, WireGuard offers several advantages: lower overhead and latency than OpenVPN, better battery life on mobile devices, and session keys that are rotated automatically every couple of minutes. One point that is often stated backwards: WireGuard deliberately has no cryptographic agility. There is no cipher negotiation; every peer uses the same fixed suite (Curve25519 for key exchange, ChaCha20-Poly1305 for transport, BLAKE2s for hashing), and if a primitive is ever broken the fix is a new protocol version rather than a negotiated fallback. This "cryptographically opinionated" design is what removes the downgrade and weak-option problems that agile protocols carry.
Setting Up WireGuard VPN
Below are the step-by-step instructions for setting up WireGuard VPN on Linux systems. This guide works for Ubuntu, Debian, Kali Linux, and most other Linux distributions.
Step 1: Install WireGuard on Both Systems
Note: You’ll need to run these commands on both your VPS (server) and your laptop (client). Connect to each system via SSH or a terminal and install the package; on Debian, Ubuntu and Kali it is called wireguard (apt install wireguard) and provides both the kernel support and the wg and wg-quick tools used below.
Permission requirements: most of the commands below need root privileges. Choose one of the following methods:
Option A: Using sudo (prefix each command with sudo)
Option B: Switch to a root shell (sudo -i) and run the commands directly
Step 2: Generate Keys (Both Systems)
Understanding the WireGuard Key Generation Command
This command creates both your private and public keys for WireGuard in one go:
wg genkey | tee server-private.key | wg pubkey > server-public.key
Breaking It Down Step by Step:
- wg genkey – Generates a random private key
- tee server-private.key – Saves the private key to a file AND passes it on to the next command
- wg pubkey > server-public.key – Reads the private key, derives the public key, and saves it to a file
The pipe symbols (|) connect these commands so they run in sequence. The tee command is the clever part: it acts like a T-junction in plumbing, sending the data in two directions at once.
What You Get:
After running this command, you’ll have two files:
- server-private.key – Keep this secret! Only your server needs this
- server-public.key – Share this with clients that want to connect
Think of it like creating a lock and key pair – the private key is your master key (keep it safe) and the public key is like giving someone your address so they can find you.
Run the same command on the laptop, using client-private.key and client-public.key as the filenames, so that each machine generates its own private key locally and only the public keys ever need to be copied between them.
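As an added example (not the article's own code), here is the same key generation wrapped so the private key file is never created world-readable, plus a format check for keys that have been copied into a config by hand. The function names are the example's own; generation needs the wg tool from the wireguard package, the format check runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original article.
set -eu

# gen_keypair NAME [DIR]: writes DIR/NAME-private.key, DIR/NAME-public.key
# and DIR/NAME.psk. The umask 077 is the point: with the usual default
# umask of 022, `tee` would create the private key readable by every
# local user. Needs `wg` from the wireguard package.
gen_keypair() {
  name=$1
  dir=${2:-.}
  (
    umask 077
    wg genkey | tee "$dir/$name-private.key" | wg pubkey > "$dir/$name-public.key"
    # Optional preshared key: an extra symmetric secret mixed into the
    # handshake. Put the same value in both peers' [Peer] sections.
    wg genpsk > "$dir/$name.psk"
  )
}

# wg_key_valid KEY: a WireGuard key is 32 bytes, base64-encoded, so it is
# exactly 44 characters, ends in a single '=', and decodes to 32 bytes.
# Catches the usual copy/paste failures (truncated key, stray newline,
# wrong file) before wg-quick rejects the config with a vaguer message.
wg_key_valid() {
  key=$1
  [ "${#key}" -eq 44 ] || return 1
  case $key in
    *[!A-Za-z0-9+/=]*) return 1 ;;   # not base64
    *=) ;;                            # expected padding
    *) return 1 ;;
  esac
  n=$(( $(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c) + 0 ))
  [ "$n" -eq 32 ]
}

# Usage on the VPS, then again on the laptop with a different NAME:
#   gen_keypair server /etc/wireguard
#   wg_key_valid "$(cat /etc/wireguard/server-public.key)" && echo "key ok"
```

Run it as root on each machine so the key files land in /etc/wireguard with mode 600; the private key never has to leave the host that generated it.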
Step 3: VPS Configuration
Create /etc/wireguard/wg0.conf on the Server:
Note that this config contains the server (VPS) private key and the client (laptop) public key and tunnel IP address; it never needs the client’s private key.
This configuration file sets up your VPS as a WireGuard server that can route traffic for connected clients:
Server Settings [Interface]
- Address – Server gets IP 10.0.0.1/24 on the VPN network
- ListenPort – Listens on UDP port 51820 for connections (open this port in any cloud firewall or security group in front of the VPS)
- PrivateKey – Your server’s secret key (the file holding it must be readable by root only)
- PostUp/PostDown – iptables rules run when the interface comes up or goes down: they allow forwarding between wg0 and the public interface and NAT (MASQUERADE) the tunnel traffic out of the VPS address. Forwarding itself must also be enabled in the kernel (net.ipv4.ip_forward = 1, via sysctl or an extra PostUp line); without it the tunnel connects but carries no internet traffic
Client Settings [Peer]
- PublicKey – Your laptop’s public key (so the server can authenticate it)
- AllowedIPs – 10.0.0.2/32, the laptop’s tunnel address. On the server this is an access-control list as much as an address: packets arriving from this peer with any other source IP are dropped, and only traffic destined for 10.0.0.2 is routed back to it
Essentially, this creates a private network in which your server (10.0.0.1) forwards your laptop’s traffic (10.0.0.2) to the internet through an authenticated, encrypted tunnel.
Step 4: Laptop Configuration
Create /etc/wireguard/wg0.conf on the client (laptop):
Note this config has the client (laptop) private key and the server (VPS) public key.
Configuration breakdown:
- Address = 10.0.0.2/24 – Your laptop’s IP address within the VPN tunnel
- PrivateKey – Paste the private key you generated on your laptop earlier
- DNS = 8.8.8.8 – Resolver to use while the tunnel is up (wg-quick applies it through resolvconf). Point this at a resolver you trust: with a public resolver your lookups leave the VPS in the clear, and if you omit the line entirely, queries to a resolver on your local network stay outside the tunnel
- PublicKey – Paste the VPS’s public key here
- Endpoint – Replace YOUR_VPS_IP with your actual VPS IP address, keeping the :51820 port suffix
- AllowedIPs = 0.0.0.0/0 – Routes ALL IPv4 traffic through the VPS (this is the key setting). It covers IPv4 only: if the laptop has IPv6 connectivity, add ::/0 as well, or IPv6 traffic bypasses the tunnel and exposes your real address
- PersistentKeepalive = 25 – Sends a keepalive every 25 seconds so the NAT or firewall in front of the laptop keeps the UDP mapping open
Step 5: Start the Tunnel
Bring the interface up on each system with wg-quick (wg-quick up wg0; wg-quick down wg0 tears it down again). On the VPS this also runs the PostUp firewall rules.
Test It Works
Important: Replace eth0 in the VPS config with your actual public interface name. Check it with ip route | grep default or ip addr show. Then, from the laptop, run wg show wg0: a recent "latest handshake" line confirms the tunnel is up, and checking your public address from any what-is-my-IP service should now return the VPS address rather than your own.
That’s it! All laptop traffic now routes through your VPS.
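As an added example, not code from the original article, here is a shell script that renders the two wg0.conf files described in Steps 3 to 5 from the key files generated in Step 2, using the article’s addresses (10.0.0.1 for the VPS, 10.0.0.2 for the laptop, UDP 51820). The function names, the default_iface helper and the 203.0.113.10 address in the usage comments are this example’s own; the PostUp line that enables net.ipv4.ip_forward and the -s 10.0.0.0/24 restriction on the MASQUERADE rule are hardening additions the article’s breakdown leaves implicit.

```shell
#!/bin/sh
# Added example, not from the original article: render the server and
# laptop wg0.conf files from Steps 3-5. Addresses and port are the
# article's; function names and the helper are this example's own.
set -eu

# default_iface: the interface that holds the default route, i.e. what
# the article calls eth0 in the PostUp/PostDown rules.
default_iface() {
  ip -4 route show default | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# render_server_conf SERVER_PRIVATE_KEY CLIENT_PUBLIC_KEY WAN_IFACE
render_server_conf() {
  server_priv=$1
  client_pub=$2
  wan=$3
  cat <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = $server_priv
# Kernel forwarding must be on; without it the tunnel connects but carries nothing.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg0 -o $wan -j ACCEPT
PostUp = iptables -A FORWARD -i $wan -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o $wan -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o $wan -j ACCEPT
PostDown = iptables -D FORWARD -i $wan -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o $wan -j MASQUERADE

[Peer]
# laptop: AllowedIPs is the only source address accepted from this key
PublicKey = $client_pub
AllowedIPs = 10.0.0.2/32
EOF
}

# render_client_conf CLIENT_PRIVATE_KEY SERVER_PUBLIC_KEY VPS_IP
render_client_conf() {
  client_priv=$1
  server_pub=$2
  vps_ip=$3
  cat <<EOF
[Interface]
Address = 10.0.0.2/24
PrivateKey = $client_priv
DNS = 8.8.8.8

[Peer]
PublicKey = $server_pub
Endpoint = $vps_ip:51820
# IPv4 only; add ", ::/0" if the laptop has IPv6 so v6 traffic cannot bypass the tunnel
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# write_conf PATH: store a rendered config readable by root only.
write_conf() {
  ( umask 077; cat > "$1" )
}

# Usage on the VPS (keys from Step 2; the laptop's public key copied over):
#   render_server_conf "$(cat server-private.key)" "$(cat client-public.key)" "$(default_iface)" \
#     | write_conf /etc/wireguard/wg0.conf
# Usage on the laptop, with 203.0.113.10 standing in for the VPS address:
#   render_client_conf "$(cat client-private.key)" "$(cat server-public.key)" 203.0.113.10 \
#     | write_conf /etc/wireguard/wg0.conf
```

Render the server file on the VPS and the client file on the laptop so each private key stays on the machine that generated it, then run wg-quick up wg0 on both; wg show wg0 should report a handshake within a few seconds of the first packet from the laptop.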
Adding Additional Client Peers
To connect multiple devices to your WireGuard server, you need to add additional peer configurations. Each new client gets its own IP address and peer entry.
Step 1: Generate Keys for New Client
Step 2: Update Server Configuration
Add another [Peer] section to /etc/wireguard/wg0.conf on your VPS:
Step 3: Create Configuration for New Client
Create /etc/wireguard/wg0.conf
on the new client:
Step 4: Restart and Connect
Note: Each additional client gets the next unused IP in sequence (10.0.0.4, 10.0.0.5, etc.) and requires its own [Peer] section on the server, with AllowedIPs set to that single /32. Never reuse a key pair or an address between clients: WireGuard identifies a peer by its public key, so two devices sharing one key simply take the session away from each other.
Common Issue: If you get a resolvconf: command not found error on the new client, install the resolvconf package (apt install resolvconf on Debian-based systems), which wg-quick uses to apply the DNS line. Alternatively, remove the DNS = 8.8.8.8 line from the client configuration to avoid this dependency.
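Added example, not from the original article: a shell helper that computes the next unused 10.0.0.N address from the [Peer] sections already in the server’s wg0.conf, emits the new stanza, and applies it with wg syncconf so existing clients are not disconnected by a full restart. The function names (next_free_ip, render_peer, add_peer) are the example’s own, and it assumes the interface is wg0 with its config at /etc/wireguard/wg0.conf.

```shell
#!/bin/sh
# Added example, not from the original article: allocate the next free
# tunnel address from the server's existing [Peer] sections and add the
# new client without restarting the interface. Names are the example's own.
set -eu

# used_hosts CONF: host numbers already assigned as AllowedIPs = 10.0.0.N/32
used_hosts() {
  sed -n 's/^AllowedIPs *= *10\.0\.0\.\([0-9][0-9]*\)\/32.*/\1/p' "$1"
}

# next_free_ip CONF: lowest unassigned 10.0.0.N with N >= 2 (.1 is the server)
next_free_ip() {
  n=2
  while [ "$n" -lt 255 ]; do
    if ! used_hosts "$1" | grep -qx "$n"; then
      echo "10.0.0.$n"
      return 0
    fi
    n=$((n + 1))
  done
  echo "no free address left in 10.0.0.0/24" >&2
  return 1
}

# render_peer NAME PUBLIC_KEY IP: the [Peer] stanza to append on the server.
# The /32 is deliberate: it is the only source address this key may use.
render_peer() {
  printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# add_peer CONF NAME PUBLIC_KEY: append the stanza, then load it with
# `wg syncconf` so existing sessions stay up (a wg-quick down/up would
# drop every connected client). Prints the address assigned to the client.
# Assumes the interface is wg0 and CONF is /etc/wireguard/wg0.conf.
add_peer() {
  conf=$1
  name=$2
  pub=$3
  ip=$(next_free_ip "$conf")
  render_peer "$name" "$pub" "$ip" >> "$conf"
  # wg-quick strip removes the wg-quick-only keys (Address, DNS, PostUp...)
  # that wg itself does not understand. The temp file holds the private
  # key, so mktemp's 0600 mode matters and it is removed right after.
  tmp=$(mktemp)
  wg-quick strip wg0 > "$tmp"
  wg syncconf wg0 "$tmp"
  rm -f "$tmp"
  echo "$ip"
}

# Usage on the VPS, after the new client has sent you its public key:
#   add_peer /etc/wireguard/wg0.conf tablet "$(cat tablet-public.key)"
# The printed address goes into the new client's Address = line (as /24).
```

The printed address is what the new client puts in its own Address line; everything else in the client config is the same as in Step 4 apart from its own private key.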
Making WireGuard Start Automatically
To ensure WireGuard starts automatically after reboots on both systems, enable the systemd unit that wg-quick provides for the interface, wg-quick@wg0 (systemctl enable wg-quick@wg0; adding --now also starts it immediately).
Troubleshooting Common Issues
If you can ping between server and client but have no internet access or DNS resolution on the client, first confirm on the VPS that forwarding is enabled (sysctl net.ipv4.ip_forward must report 1; if it reports 0, nothing below will help until that is fixed), then diagnose as follows:
1. Check if return traffic is allowed
Capture on the VPS’s public interface (for example with tcpdump) while the client generates traffic. You should see both outbound requests AND return responses. If you only see outbound traffic, the issue is with return traffic routing or NAT.
2. Verify iptables rules include return traffic
List the FORWARD chain (for example iptables -S FORWARD) and the nat table (iptables -t nat -S POSTROUTING). You should see both directions:
- wg0 to eth0 (outbound traffic)
- eth0 to wg0 with state RELATED,ESTABLISHED (return traffic)
plus a MASQUERADE rule on the public interface.
3. Test basic connectivity
⚠️ Docker Compatibility Issue
Important Note for Docker Users:
If you have Docker installed on your WireGuard server, you may encounter an issue where the VPN tunnel connects successfully (client can ping server) but internet access doesn’t work through the VPN.
The Problem
Docker sets the FORWARD chain’s default policy to DROP and inserts its own chains (DOCKER-USER, DOCKER-ISOLATION-STAGE-1, DOCKER) at the top of FORWARD. Rules that WireGuard appends with -A are evaluated after Docker’s, so whether tunnel traffic is forwarded depends on what Docker’s chains do with it first; in practice it is often dropped even though the WireGuard rules themselves are correct.
The Solution
If you experience connectivity issues with Docker installed, modify the PostUp lines in your WireGuard server configuration to use -I FORWARD 1 (insert at position 1) instead of -A FORWARD (append) so the WireGuard rules are evaluated first. Edit /etc/wireguard/wg0.conf and change the two FORWARD rules accordingly; the matching PostDown lines keep -D, which deletes by rule content regardless of position. (Replace eth0 with your server’s main network interface if different.)
What this does
The -I FORWARD 1 option inserts each WireGuard rule at the top of the FORWARD chain, ahead of Docker’s chains, so VPN traffic is accepted before Docker’s rules can act on it. Two caveats: if the Docker daemon restarts after WireGuard is up, it puts its chains back at the top, and Docker’s own documentation reserves the DOCKER-USER chain (evaluated before any other Docker rule and left alone by Docker) for exactly this kind of administrator rule, so placing the ACCEPT rules there is the more durable option.
After making these changes, restart WireGuard (wg-quick down wg0 followed by wg-quick up wg0, so the old PostDown rules are removed and the new PostUp rules applied).
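Added example (not from the original article) that covers both the "verify iptables rules include return traffic" check in the troubleshooting section and the Docker ordering problem above: a shell function that reads iptables -S FORWARD output and reports whether the two WireGuard ACCEPT rules exist and, on a Docker host, whether they sit above Docker’s chains. The two rule listings embedded in it are constructed samples, and forward_audit is the example’s own name.

```shell
#!/bin/sh
# Added example, not from the original article: audit the FORWARD chain
# for the two WireGuard rules and for Docker ordering. Reads the output of
# `iptables -S FORWARD` on stdin; the samples below are constructed.
set -eu

# forward_audit WAN_IFACE < rules
# Returns 0 only when both WireGuard ACCEPT rules are present and, if a
# Docker jump exists, both come before it. Findings go to stdout.
forward_audit() {
  wan=$1
  rules=$(cat)
  status=0
  out_rule="-A FORWARD -i wg0 -o $wan -j ACCEPT"
  back_rule="-A FORWARD -i $wan -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT"

  # iptables -S lists every rule as -A in chain order, even those added
  # with -I, so line position is evaluation order.
  out_ln=$(printf '%s\n' "$rules" | grep -nxF -- "$out_rule" | cut -d: -f1 | head -n 1)
  back_ln=$(printf '%s\n' "$rules" | grep -nxF -- "$back_rule" | cut -d: -f1 | head -n 1)
  docker_ln=$(printf '%s\n' "$rules" | grep -n -- '-j DOCKER' | cut -d: -f1 | head -n 1)

  if printf '%s\n' "$rules" | grep -qx -- '-P FORWARD DROP'; then
    echo "note: FORWARD policy is DROP (Docker sets this); forwarded packets need an explicit ACCEPT"
  fi
  [ -n "$out_ln" ] || { echo "missing: wg0 -> $wan ACCEPT (outbound)"; status=1; }
  [ -n "$back_ln" ] || { echo "missing: $wan -> wg0 RELATED,ESTABLISHED ACCEPT (return traffic)"; status=1; }
  if [ -n "$docker_ln" ]; then
    for ln in $out_ln $back_ln; do
      if [ "$ln" -gt "$docker_ln" ]; then
        echo "order: rule at position $ln is evaluated after the Docker jump at $docker_ln; use -I FORWARD 1 or DOCKER-USER"
        status=1
      fi
    done
  fi
  return "$status"
}

# Constructed sample 1: Docker host, WireGuard rules appended with -A.
SAMPLE_APPENDED='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample 2: same host after PostUp was changed to -I FORWARD 1
# (the second inserted rule ends up above the first).
SAMPLE_INSERTED='-P FORWARD DROP
-A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -o eth0 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1'

# Live use on the VPS:
#   iptables -S FORWARD | forward_audit "$(ip -4 route show default | awk '{print $5}')"
```

Run it on the VPS after wg-quick up wg0; a clean exit means the chain matches what the troubleshooting section expects, and any "order:" line means Docker got in first and the -I FORWARD 1 change (or a rule in DOCKER-USER) is needed.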