WireGuard Config Generator

Interface name:

Use the interface name that will map to /etc/wireguard/<name>.conf.

Server tunnel addresses:

Comma or newline separated CIDRs; dual-stack addresses are allowed.

Listen port:

Use the UDP port opened on the server firewall.

UDP

Public endpoint:

Use a DNS name or public address plus port.

Client AllowedIPs default:

Comma separated route CIDRs for client configs.

Client DNS:

Optional comma separated DNS values inherited by every peer unless a row overrides them.

Peer rows:

Use pipes so route lists can contain commas; blank columns inherit sensible defaults.

Samples overwrite peer rows only; key placeholders stay visible in the generated configs.

Fix WireGuard inputs

{{ error }}

Server private key token:

The server Interface PrivateKey value.

Server public key token:

Use the real server public key when you are ready to hand configs to clients.

MTU:

Optional interface MTU in bytes.

bytes

Persistent keepalive:

Applied to every generated client Peer block.

seconds

Route table mode:

Most wg-quick deployments should keep automatic route handling.

Custom route table:

Integer route table ID to emit as Table.

Preshared key placeholders:

Adds PresharedKey fields to both server and client configs unless a peer row supplies its own value.

{{ result.serverConfig }}

{{ result.peerBlocks }}

{{ result.clientBundle }}

Peer	Client address	Server AllowedIPs	Client AllowedIPs	DNS	Client file	Copy
{{ row.peer }}	`{{ row.address }}`	`{{ row.serverAllowedIps }}`	`{{ row.clientAllowedIps }}`	{{ row.dns }}	`{{ row.clientFile }}`
No valid peers yet.

Severity	Check	Detail	Recommendation	Copy
{{ row.severity }}	{{ row.check }}	{{ row.detail }}	{{ row.recommendation }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

WireGuard setup is mostly a question of identity and routes. A private key belongs to one local interface, a public key identifies one remote peer, and AllowedIPs names the IP prefixes that peer is allowed to use inside the tunnel. Once those three pieces are wrong, the configuration may still look tidy while traffic goes to the wrong device, disappears into the wrong route, or never reaches the endpoint that should answer the first packet.

Small remote-access VPNs often start with a hub-and-spoke shape: one server listens on a UDP port, and each laptop or phone receives a single tunnel address such as 10.80.0.10/32. Site-to-site designs add another choice because a peer can represent a router rather than a single device. In that case, the peer's allowed prefixes may include a whole office network such as 10.55.0.0/16, and the server must know that the branch router owns that route.

Common WireGuard planning choices and risks
Planning choice	What it means	Common risk
Host peer	One peer owns one tunnel address, usually a `/32` for IPv4 or `/128` for IPv6.	Reusing the same address for two peers makes route ownership ambiguous.
Site peer	One peer advertises additional prefixes behind a gateway, such as a branch LAN.	A broad prefix can capture traffic that should stay local or go to another peer.
Split tunnel	Only selected private networks are routed through WireGuard.	Missing a needed subnet makes the tunnel appear connected while some services stay unreachable.
Full tunnel	`0.0.0.0/0` and optionally `::/0` route default traffic through the peer.	DNS, firewall, and network address translation must also support the new default path.

Diagram linking a WireGuard server, client peer, site peer, AllowedIPs route ownership, and endpoint contact.

The endpoint is only the first place a peer tries to send encrypted UDP traffic. After a valid packet arrives, WireGuard can remember the latest authenticated source address for roaming. That is helpful for mobile clients, but it does not remove the need for a reachable public host and port when off-network clients start a connection.

wg-quick adds practical interface settings around the core WireGuard peer model. Address assigns tunnel IPs, DNS can set resolvers or search domains, MTU can override automatic sizing, and Table controls route installation. Those conveniences make short files useful, but they also make intent easy to overread. A configuration draft cannot prove that keys were exchanged safely, a firewall is open, network address translation is ready, or the selected route table matches the rest of the host.

The safest review habit is to treat every peer as a route owner. Confirm who owns each tunnel address, whether the advertised prefixes are host routes or networks, whether default routes are intentional, and whether secret key material is still a placeholder. That review matters before the file reaches a server, a laptop, a phone, or a branch gateway.

How to Use This Tool:

Start with the server listener, add one peer row per client or site, then use the generated review and ledger to catch route or key problems before copying configs.

Set Interface name, Server tunnel addresses, Listen port, and Public endpoint. The summary should show the interface, UDP port, and endpoint in one line when those values are usable.
Choose Client AllowedIPs default for the routes ordinary client profiles should send through the server. Use private network CIDRs for split tunnel, or use 0.0.0.0/0, ::/0 only when client default traffic should enter WireGuard.
Add Client DNS when client profiles should receive resolver addresses or search domains. Internal DNS values only help when clients can reach the resolver through the tunnel.
Enter Peer rows with one line per peer. Pipe-separated rows can include name, tunnel CIDR, server-side AllowedIPs, client-side AllowedIPs, DNS override, public key, private key, and preshared key.
Use Hub sample for individual remote-access peers or Site sample for a branch-style peer that advertises an extra LAN. The sample buttons replace peer rows only, so server fields and advanced settings remain under your control.
Open Advanced when you need real server key tokens, an explicit MTU, a non-default Persistent keepalive, a Route table mode, or preshared-key placeholders in generated profiles.
Fix every Error in Config Review before using Server Config, Peer Blocks, or Client Configs. Then read the warnings and compare Peer Ledger against your intended address plan.

Interpreting Results:

The strongest signal is the Config Review severity, not the fact that text was generated. Error rows mean a value breaks the page's structural checks, such as bad CIDR notation, a missing peer address, an invalid endpoint, a port outside range, duplicate normalized peer names, or duplicate peer tunnel addresses. Generated config text is still shown so the broken area is easier to inspect, but it should not be applied.

Warning rows call out choices that might be intentional but need human review. Placeholder keys are warnings because planning with placeholders is useful, but real configs need keys generated and distributed through a controlled path. Private IPv4 endpoints may work for peers already on the same network, but off-network clients usually need a public DNS name or public address. A peer address outside the server's IPv4 tunnel network may be valid in an advanced routing plan, but it deserves a second look.

Peer Ledger is the route-ownership view. Check each peer's Client address, Server AllowedIPs, Client AllowedIPs, DNS value, and generated client filename before distributing profiles.
Server Config gives a complete server-side file with an [Interface] section and all generated peer blocks. Use it when building a new server file or replacing a reviewed draft.
Peer Blocks omits the server interface and gives append-only peer sections for adding clients to an existing server file.
Client Configs gives one client profile per valid peer address. A peer with an invalid tunnel CIDR appears in review but does not produce a usable client config.
JSON, CSV, and DOCX exports are review artifacts. They help hand off the route plan, but they should be treated as sensitive if real private keys or preshared keys were entered.

Technical Details:

WireGuard configuration has two main levels. The local [Interface] section gives the interface private key and, on a listening server, the UDP port. Each [Peer] section names a remote public key and the prefixes associated with that peer. The public key authenticates the peer; AllowedIPs tells WireGuard which decrypted source addresses are accepted from that peer and which outgoing destination addresses should be encrypted to that peer.

wg-quick extends the core peer format with convenience fields that affect the host operating system. Address assigns tunnel addresses, DNS can configure resolvers or search domains, MTU can override automatic sizing, and Table decides whether routes are installed automatically, disabled, or placed into a numeric routing table. Full-tunnel routes plus Table = off require a separate routing plan because wg-quick will not create the default route for that file.

Rule Core:

WireGuard config generation rules and review boundaries
Rule	Boundary	Review result
Interface name	1 to 15 characters using letters, numbers, underscore, equals, plus, dot, and dash	Values outside the pattern create an Error.
CIDR values	IPv4 prefixes must be 0 to 32; IPv6 prefixes must be 0 to 128	Missing or invalid prefixes create Error rows.
Endpoint	Host plus port is required; IPv6 endpoints use bracket notation; port range is 1 to 65535	Bad syntax creates an Error; private IPv4 endpoints create a Warning.
Peer names	Names are normalized for exported client filenames	Duplicate normalized names create an Error.
Peer tunnel addresses	One peer tunnel CIDR should belong to one peer	Duplicate peer addresses create an Error.
Default routing	`0.0.0.0/0` or `::/0` in client `AllowedIPs`	The review adds an Info row because DNS, firewall, and NAT choices matter.

Formula Core:

IPv4 subnet review uses a masked network comparison. A peer IPv4 address fits a server IPv4 tunnel network when both addresses match after applying the server network mask.

(A & M) = (N & M)

A is the peer IPv4 address, N is the server network address, and M is the mask produced by the server prefix length. IPv6 CIDRs are checked for notation and prefix range, but the subnet-fit warning is limited to comparable IPv4 values.

Field Map:

WireGuard fields and review cues
Field	Where it appears	Meaning	Review cue
`Address`	Interface	Assigns IPv4 or IPv6 CIDR addresses to the tunnel interface.	Client host addresses are commonly `/32` for IPv4 or `/128` for IPv6.
`ListenPort`	Server interface	Sets the UDP port used by the server interface.	The public endpoint and firewall should agree with this port.
`PrivateKey`	Interface	Stores the local interface secret.	Placeholder values must be replaced before deployment.
`PublicKey`	Peer	Identifies the remote peer.	Each side needs the other side's public key, not its own private key.
`AllowedIPs`	Peer	Maps prefixes to a peer for outgoing routing and accepted decrypted source addresses.	Broad values such as `0.0.0.0/0` should be deliberate.
`Endpoint`	Client peer block	Gives the host and port used for the first contact with a peer.	IPv6 endpoints need brackets, for example `[2001:db8::10]:51820`.
`PersistentKeepalive`	Client peer block	Sends periodic authenticated empty packets to keep stateful firewall or NAT mappings open.	`25` seconds is a common NAT-friendly value; `0` omits the field.
`Table`	Interface	Controls route-table handling for routes inferred from peer prefixes.	`auto` is the normal path; `off` leaves route creation to another system.

Peer Row Translation:

A peer row can supply up to eight values in order: peer name, peer tunnel CIDR, server-side AllowedIPs, client-side AllowedIPs, DNS override, peer public key, peer private key, and preshared key. Blank route fields inherit defaults where available. Blank key fields become visible placeholders so missing secrets remain obvious during review.

Privacy Notes:

WireGuard private keys and preshared keys are secrets. If you enter real key material, generated configs, copied rows, downloads, JSON, CSV, DOCX exports, and screenshots can all contain sensitive VPN credentials.

Use placeholders while discussing topology or collecting review feedback.
Replace placeholders only in a controlled handoff path for the intended server or peer.
Do not send one peer's client profile to another peer because the profile can contain that peer's private key.
Keep the final peer ledger with the deployed configs so route ownership can be checked later.

Worked Examples:

Remote-access laptop. A server uses wg0, 10.80.0.1/24, UDP 51820, and vpn.example.com:51820. The peer row laptop-01 | 10.80.0.10/32 | 10.80.0.10/32 | 10.80.0.0/24, 10.44.0.0/16 should produce one Client Configs profile and one Peer Ledger row. The ledger should show the laptop address, the server-side host route, and the private networks the laptop will route through WireGuard.

Full-tunnel phone. A phone row with client AllowedIPs set to 0.0.0.0/0, ::/0 creates a client profile that routes default IPv4 and IPv6 traffic through the server. Config Review adds an Info row for default routing. Before sharing that profile, confirm DNS, firewall forwarding, and NAT behavior on the server because the generated text cannot verify those host settings.

Branch route. A site peer such as branch-gw | 10.80.0.20/32 | 10.80.0.20/32, 10.55.0.0/16 | 10.80.0.0/24, 10.44.0.0/16 tells the server that the branch gateway owns both its tunnel address and the 10.55.0.0/16 LAN. Peer Ledger should make that route visible under the branch peer, not under a laptop or phone peer.

Duplicate peer names. Rows named Ops Laptop and ops-laptop normalize to the same client filename. Config Review reports Duplicate peer names. Rename one row, such as ops-laptop-backup, then confirm the filenames in Peer Ledger are distinct.

FAQ:

What does AllowedIPs do?

AllowedIPs maps IP prefixes to a peer. It affects which outgoing packets are sent to that peer and which decrypted source addresses are accepted from that peer.

Can I use placeholder keys while planning?

Yes. Placeholder keys let you review routes before real secrets are available, but Config Review keeps warning until server, peer, and preshared placeholders are replaced where needed.

Why does a private endpoint get a warning?

A private IPv4 endpoint can work inside one network, but clients outside that network usually need a public DNS name or public address plus the UDP listen port.

When should I use Persistent keepalive?

Use it for peers behind NAT or stateful firewalls that need to receive traffic after idle periods. The default value is 25 seconds; 0 omits the field.

Why did a peer not produce a client config?

A peer needs a valid tunnel address CIDR before it can produce a usable client profile. Check Config Review for the peer row error, then correct the address and prefix length.

Glossary:

AllowedIPs: The peer prefix list used for cryptokey routing and accepted decrypted source addresses.
CIDR: Address notation that combines an IP address with a prefix length, such as 10.80.0.10/32.
Endpoint: The host and UDP port a peer uses for first contact before roaming updates occur.
Persistent keepalive: A periodic authenticated empty packet used to keep a NAT or stateful firewall mapping open.
Preshared key: An optional symmetric secret mixed into WireGuard's public-key cryptography.
Peer ledger: The generated table that records peer address, route, DNS, and client filename choices.

References:

WireGuard conceptual overview, WireGuard project.
WireGuard quick start, WireGuard project.
Protocol & Cryptography, WireGuard project.
wg(8) manual page, Linux man-pages project.
wg-quick(8) manual page, Linux man-pages project.
How to configure WireGuard VPN in openSUSE and SLES, simplified.guide.