November 16, 2021

How to Set Up WireGuard VPN Server on Windows

Introduction

WireGuard aims for improved performance over earlier VPN protocols. After several years in development, it became stable enough for its first production release in March 2020.

The WireGuard project provides a graphical user interface (GUI) client for WireGuard on Windows. However, it does not officially support WireGuard as a server on Windows. It is assumed that your server will run Linux.

Henry Chang has documented a hack that allows you to run WireGuard as a server on a Windows PC. This post fleshes out the details of the method. The WireGuard server can be an ordinary home PC running Windows. It does not need to run the Windows Server edition of Windows.

Bear in mind the disclaimer on Henry Chang’s post: “Using WireGuard on Windows as server is not officially supported. Use at your own risk.”

WireGuard Server

This section covers the steps you need to perform on the computer that will act as your WireGuard server. It is assumed that this computer is on a local area network (LAN) behind a home router.

Step 1: Determine LAN IPv4 Address

Open a Windows Command Prompt by holding down the Win key and pressing r, then typing cmd and pressing Enter.

Issue the command:

ipconfig

Identify your LAN address in the response. It will fall into one of the ranges 10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, or 192.168.0.0 through 192.168.255.255.

Make a note of your PC’s IPv4 address on the LAN. You’ll need to know it for the next step.

Close the Command Prompt window.

Step 2: Configure Router

While you can change the port WireGuard uses, in this post we’ll assume you’re using the default, UDP port 51820.

You need to do two things on your router:

  1. Open your router firewall for input on UDP port 51820
  2. Configure your router to forward UDP port 51820 from the outside world (the wide-area network or WAN) to your PC on the LAN

The procedures for opening a router firewall and configuring port forwarding vary from router to router, so detailed instructions cannot be given here. Consult the documentation for your particular make and model of router.

Step 3: Prevent PC from Sleeping

You do not want your computer to be asleep when you try to connect from the outside world. Therefore, configure its power plan so that the PC never goes to sleep.

  1. Right-click on the Windows Start button, and select the Settings app
  2. Under the System section, select Power & sleep
  3. Set the options so the screen turns off after a few minutes, but the computer never goes to sleep.
  4. Close the Settings app

Step 4: Configure Dynamic DNS

You probably don’t have a static IP address at home. In this step, you’ll subscribe to a Dynamic DNS service. This will give your Windows machine a fixed DNS host name, even if its IP address changes from time to time.

  1. Open a browser and visit https://www.noip.com
  2. Sign up for an account
  3. Enter your email, a password for NoIP, and your choice of DNS host name (an example of a DNS host name would be bob7878.hopto.org)
  4. Select the Free Sign Up
  5. Check your email, and click the link in the account confirmation email
  6. If you are not logged in, log back in to NoIP again
  7. Click My Account
  8. Add a username and security question to complete your account configuration
  9. Go to Dynamic DNS then Dynamic Update Client
  10. Download NoIP’s Dynamic Update Client (DUC)
  11. Install it on your PC, leaving the boxes checked to launch DUC and run DUC as a system service in the background
  12. After launching the DUC, sign in with the username and password you chose for the NoIP site
  13. Select your host name, and click Save
  14. Close the DUC window. The DUC continues to run in the system tray, which is the area at the bottom right of your Windows desktop

[Screenshot: Windows NoIP DDNS DUC Dynamic Update Client]

Step 5: Open PC Firewall

We are using UDP port 51820 in this example. You have already opened that port in your router and port forwarded it to your PC. Now open that port on your PC:

  1. In the Windows search box, type firewall
  2. Select Windows Defender Firewall with Advanced Security
  3. In the left pane, click Inbound Rules
  4. In the right pane, click New Rule
  5. Select the type Port, and click Next
  6. Select the option for the type UDP and specific local port 51820, and click Next
  7. Select the action Allow the connection, and click Next
  8. Leave all three network locations checked, and click Next
  9. Type the name WireGuard Inbound, and click Finish
  10. Close Windows Defender Firewall with Advanced Security

[Screenshot: Windows firewall open UDP port 51820 for WireGuard inbound]

Step 6: Install WireGuard

In this step, you’ll install WireGuard on your PC then close the GUI window that opened automatically at the end of the install.

  1. Open a browser and visit https://www.wireguard.com
  2. Click Installation
  3. Click Download Windows Installer
  4. Run the application wireguard-installer.exe
  5. Close the WireGuard GUI that opened automatically
  6. Find the WireGuard icon in your system tray (the area at the bottom right of the Windows desktop), right-click on the WireGuard icon, and select Exit

Not tested: https://lists.zx2c4.com/pipermail/wireguard/2021-August/006887.html announced a new “kernel” version of WireGuard for Windows named WireGuardNT. To enable it, insert a new registry DWORD HKLM > Software > WireGuard > ExperimentalKernelDriver with value 1.

[Screenshot: WireGuard context menu in Windows system tray]

Step 7: Generate WireGuard Configuration

  1. Open a browser and visit https://www.wireguardconfig.com
  2. Change the Number of Clients to match your intended number of clients
  3. Change the Endpoint (Optional) to match your Dynamic DNS hostname (bob7878.hopto.org:51820 in our example)
  4. Delete the Post-Up rule
  5. Delete the Post-Down rule
  6. Click Generate Config

Scroll down the page. You will see configuration files for your server and client. For example, for the server:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = CPEwyMFrjozEtq94SeoIoZv+eg7bntlOSGSfZRSb+WY=

[Peer]
PublicKey = rfIHzbGTVisJm0NIISuKl62TGgBEpyj4AF4bzeu5bAs=
AllowedIPs = 10.0.0.2/32

And for the client:

[Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKey = KKxM64CbXyciGHIOUF03a+QAraZZDPU+EYcztN7i1Fc=

[Peer]
PublicKey = 5+ZEsuLX+XwPHw3xSzGh8hn4zdBt0zED+dAXRq8pjiU=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = bob7878.hopto.org:51820

Save the generated WireGuard configurations:

  1. Open Windows File Explorer
  2. Navigate to your C: drive
  3. Create a new folder named C:\wireguard
  4. Open Notepad
  5. Copy the server configuration from the website, and paste it into Notepad
  6. Save the server configuration as C:\wireguard\wg_server.conf (with no .txt on the end)
  7. Copy the client configuration from the website, and paste it into Notepad
  8. Save the client configuration as C:\wireguard\wg_client.conf (with no .txt on the end)

[Screenshot: WireGuard configuration generator for Windows]

Step 8: Install Tunnel Service

Open a Windows Command Prompt as administrator by typing cmd in the Windows search box and selecting Run as administrator.

Issue this command (it is one long command, even though it may appear to span multiple lines on narrow screens):

"C:\Program Files\WireGuard\wireguard.exe" /installtunnelservice "C:\wireguard\wg_server.conf"

This creates a service called WireGuardTunnel: wg_server, which can be controlled using the standard Windows service management utilities.

Close the Command Prompt window.

[Screenshot: WireGuard install tunnel service from command line on Windows]

Step 9: Optionally Set Network Category to Private

Windows assigns a category to each network you connect to.

Optionally set the WireGuard’s network category to Private in order to give clients easy access to networked resources:

  1. Right-click on the Windows Start button
  2. Open Windows PowerShell (Admin) (sometimes called running Windows Terminal as administrator)
  3. Issue the command Get-NetConnectionProfile
  4. Note the InterfaceIndex of your new WireGuard server connection
  5. Set the interface’s category to private, for example:
Set-NetConnectionProfile -InterfaceIndex 10 -NetworkCategory Private

[Screenshot: Setting network connection profile to Private]

Step 10: Enable Physical Interface Sharing

The WireGuard interface does not yet have access to your physical interface. This will severely limit what clients can do. Enable sharing of the main physical interface as described in this step.

Save the following PowerShell script module as C:\Windows\System32\WindowsPowerShell\v1.0\Modules\wireguard\wireguard.psm1:

wireguard.psm1
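The module itself is not reproduced on this page. The following is an added example implementing the same Set-NetConnectionSharing command on top of the HNetCfg.HNetShare COM interface (the interface the Sharing tab drives); it is not Henry Chang’s script. It assumes the physical interface to share is the one holding the IPv4 default route and that the tunnel adapter is named after the tunnel (wg_server).

```powershell
# Added example module (not Henry Chang's original wireguard.psm1).
# Makes the physical interface the ICS "public" side and the WireGuard tunnel
# interface the ICS "private" side, which is what the Sharing tab does by hand.
function Set-NetConnectionSharing {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $LocalConnection,   # e.g. "wg_server"
        [Parameter(Mandatory = $true)] [bool]   $Enabled
    )
    # COM object behind Internet Connection Sharing (INetSharingManager)
    $netShare = New-Object -ComObject HNetCfg.HNetShare

    # Look up an ICS connection object by adapter name
    function Get-IcsConnection([string] $Name) {
        $netShare.EnumEveryConnection |
            Where-Object { $netShare.NetConnectionProps.Invoke($_).Name -eq $Name }
    }

    # Assumption: the adapter carrying the IPv4 default route is the LAN/Wi-Fi
    # interface to share (lowest metric wins if there are several).
    $publicName = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
        Sort-Object RouteMetric | Select-Object -First 1).InterfaceAlias
    if (-not $publicName) { throw 'No IPv4 default route; is the PC online?' }

    $public  = Get-IcsConnection $publicName
    $private = Get-IcsConnection $LocalConnection
    if (-not $public)  { throw "ICS cannot see '$publicName'" }
    if (-not $private) { throw "ICS cannot see '$LocalConnection'; is the tunnel service running?" }
    $publicCfg  = $netShare.INetSharingConfigurationForINetConnection.Invoke($public)
    $privateCfg = $netShare.INetSharingConfigurationForINetConnection.Invoke($private)

    # ICS supports a single public/private pair, so clear any existing sharing first
    foreach ($conn in $netShare.EnumEveryConnection) {
        $cfg = $netShare.INetSharingConfigurationForINetConnection.Invoke($conn)
        if ($cfg.SharingEnabled) { $cfg.DisableSharing() }
    }

    if ($Enabled) {
        $publicCfg.EnableSharing(0)    # ICSSHARINGTYPE_PUBLIC
        $privateCfg.EnableSharing(1)   # ICSSHARINGTYPE_PRIVATE
    }

    # Return the resulting state so the caller can confirm the change took effect
    [pscustomobject]@{
        Public         = $publicName
        Private        = $LocalConnection
        SharingEnabled = [bool]$publicCfg.SharingEnabled
    }
}
Export-ModuleMember -Function Set-NetConnectionSharing
```

Because the function tears down any existing ICS pairing before creating the new one, run it only on a machine where WireGuard is the sole intended use of Internet Connection Sharing.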

Now open PowerShell running as administrator, and run the following commands to enable NAT for your WireGuard interface:

Set-ExecutionPolicy Unrestricted

Import-Module wireguard

Set-NetConnectionSharing "wg_server" $true

Check the settings in the GUI:

  1. Right-click on the Windows start button, and select Settings
  2. Go to Network & Internet > Status
  3. Click the link Change adapter options
  4. Right-click on your main Ethernet or Wifi interface, and select Properties
  5. Go to the Sharing tab
  6. The box Allow other network users to connect through this computer’s Internet connection should be checked
  7. The box Allow other network users to control or disable the shared Internet connection should be checked
  8. Click OK
  9. Close the Network Connections window
  10. Close the Settings window

[Screenshot: Allow other network users to connect through this computer's Internet connection]

Step 11: Change Default Internet Connection Sharing IP

  1. Type regedit in the Windows search box
  2. Select the Registry Editor app
  3. Navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > SharedAccess > Parameters
  4. Set the value of ScopeAddress to 10.0.0.1
  5. Set the value of ScopeAddressBackup to 10.0.0.1
  6. Close the Registry Editor

[Screenshot: Windows registry editor for shared access parameters]

Step 12: Persist Internet Sharing

  1. Type service in the Windows search box
  2. Select Services app and Run as administrator
  3. Select Internet Connection Sharing
  4. Right-click, and select Properties
  5. Change Start-up type to Automatic (Delayed Start)
  6. Click OK

[Screenshot: Windows service automatic delayed start]

Step 13: Enable Reboot Persist Connection

  1. Type regedit in the Windows search box
  2. Select the Registry Editor app
  3. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > SharedAccess
  4. Do Edit > New and insert a new DWORD (32-bit) value named EnableRebootPersistConnection
  5. Set its value to 1
  6. Close the Registry Editor

[Screenshot: Windows registry editor for EnableRebootPersistConnection]

Step 14: Reboot

Restart the Windows computer that will be your WireGuard server.

Wait for the delayed start service (Internet Connection Sharing) to start running.
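After the reboot, one check of the pieces configured in Steps 5 and 8 through 13 saves guessing which of them did not come back. This is an added example and not part of the original post; it assumes the tunnel service is named WireGuardTunnel$wg_server (the pattern the Windows WireGuard build uses for a tunnel named wg_server) and that the tunnel adapter alias matches the tunnel name.

```powershell
# Added example: post-reboot health check for the server configured above.
# Assumes the service name pattern WireGuardTunnel$<tunnel name> used by the
# Windows WireGuard build, and the rule/registry names this post creates.
function Test-WireGuardServerSetup {
    param(
        [string] $TunnelName   = 'wg_server',
        [string] $RuleName     = 'WireGuard Inbound',
        [string] $ScopeAddress = '10.0.0.1'
    )
    $r = [ordered]@{}

    # Tunnel service created by /installtunnelservice
    $svc = Get-Service -Name "WireGuardTunnel`$$TunnelName" -ErrorAction SilentlyContinue
    $r['TunnelServiceRunning'] = [bool]($svc -and $svc.Status -eq 'Running')

    # Internet Connection Sharing is delayed-start, so it can lag the tunnel after a reboot
    $ics = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    $r['IcsServiceRunning'] = [bool]($ics -and $ics.Status -eq 'Running')

    # Inbound firewall rule must be enabled, UDP, local port 51820
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $port = if ($rule) { $rule | Get-NetFirewallPortFilter }
    $r['FirewallRuleOk'] = [bool]($rule -and $rule.Enabled -eq 'True' -and
        $port.Protocol -eq 'UDP' -and "$($port.LocalPort)" -eq '51820')

    # ICS scope moved from its 192.168.137.1 default to the tunnel address (Step 11)
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters'
    $r['ScopeAddressOk'] = [bool]($p.ScopeAddress -eq $ScopeAddress -and
        $p.ScopeAddressBackup -eq $ScopeAddress)

    # Sharing set to survive reboots (Step 13)
    $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedAccess' -ErrorAction SilentlyContinue
    $r['RebootPersistOk'] = [bool]($k -and $k.EnableRebootPersistConnection -eq 1)

    # Tunnel adapter is up with the address from the generated config
    $ip = Get-NetIPAddress -InterfaceAlias $TunnelName -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $r['TunnelAddressOk'] = [bool]($ip -and $ip.IPAddress -eq $ScopeAddress)

    # Optional Step 9: a Private profile is what gives clients easy access to LAN resources
    $prof = Get-NetConnectionProfile -InterfaceAlias $TunnelName -ErrorAction SilentlyContinue
    $r['NetworkCategory'] = if ($prof) { "$($prof.NetworkCategory)" } else { 'n/a' }

    [pscustomobject]$r
}

Test-WireGuardServerSetup
```

Run it from an elevated PowerShell; any False in the output points at the step to revisit before testing from outside the LAN.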

WireGuard Client

This section shows you the steps to perform on the computer that will travel with you — for example, your Windows laptop.

Step 1: Install WireGuard GUI

  1. Open a browser and visit https://www.wireguard.com
  2. Click Installation
  3. Click Download Windows Installer
  4. Run the application wireguard-installer.exe

[Screenshot: Windows WireGuard client fresh install]

Step 2: Configure Client

  1. Securely copy the file C:\wireguard\wg_client.conf from your server to your client
  2. Once you have the wg_client.conf file on the client, click Add Tunnel > Import tunnel(s) from file
  3. Select your wg_client.conf file, and import it into the WireGuard client GUI

[Screenshot: Windows WireGuard client after importing tunnel configuration]

Step 3: Test

  1. Visit a hotel or coffee shop that offers wifi
  2. Click Activate to connect your WireGuard VPN client to your server at home
  3. Open a browser, and visit https://whatismyipaddress.com
  4. Check that you see your home computer IP address and location, not those of your client in the hotel or coffee shop

[Screenshot: Windows WireGuard client after activating connection]

Support Channels

A reminder that using WireGuard on Windows as server is not officially supported. Keep in mind that requests for support are likely to be rejected: