Wireguard Windows Setup [2021]: Powerful VPN for Windows

Want to use your Windows system as a VPN server for your devices to connect as clients? This guide shows Wireguard Windows setup in detail.

After Wireguard's inception in Linux, it has been ported to nearly every other operating system. We published an introduction to Wireguard for beginners in a previous article and followed it up with a WireGuard Linux setup and WireGuard Docker setup.

In this guide, I will show you how to set up a Wireguard Server on Windows 10. We will cover Wireguard client configurations in a future post, so stay tuned.

Wireguard Server on Windows

In our Wireguard server for Linux article, we relied heavily on command line tools and used the "server" and "client" model.

The reality is that Wireguard works more as a peer-to-peer system, and each peer can be given different properties. Some of these will allow a peer to act as a server. In this guide, I will show how to set up a Wireguard VPN tunnel to act as a "server".

This guide assumes you have a reasonable understanding of the principles involved in setting up a Wireguard server. Although we are using the Windows Wireguard program, the guiding principles and many of the steps mirror those of our comprehensive Wireguard Server on Linux guide.

I recommend having it open alongside this guide to follow along with the why and how of Wireguard.


1. Install Wireguard on Windows

We begin by heading to the Wireguard website to download the Wireguard Windows program:

[Image: Windows Installer]

Once installed, we will be greeted by an empty Wireguard window.

[Image: Wireguard Startup Screen]

2. Create our Server "Adapter"

To create the server (new tunnel), we can do everything from the GUI.

Begin by clicking the arrow next to Add Tunnel and click on Add empty tunnel... or simply use Ctrl + N.

[Image: Create A New Tunnel]

We will be greeted with a new window. You can see that two of the components are already available for us: the program has generated a private key and, derived from it, the public key.

If you have read our Wireguard basics and Wireguard Linux guides, this is the equivalent to the server's "lock" and "key".

[Image: Newly Created Wireguard Tunnel]

Customize the Wireguard Windows Tunnel

Name your Wireguard Windows adapter anything you like, but to stay consistent, I will call it wg0. The other components we need to complete include giving the interface an Address range (in CIDR notation) and a Listening Port as shown below:

If you do not understand IP ranges, Netmask, CIDR notation, etc., here is a tool you can use to find out relevant network information for your situation.

[Image: Fill In The Other Details]

Remember to choose a port greater than 1024. Those below 1024 are generally restricted. The best choice is something in the ephemeral port range (49152–65535).

With this information, we can save and start our Wireguard VPN server. But just like in the Linux tutorial, let's generate a client configuration file and add it to our server. If you already have a client config, skip ahead to "Add Client (Peer) to Server".

3. Add a Client To Windows Wireguard Server

Each client needs to have a unique set of keys to access the server. These are held in configuration (sometimes referred to as "config") files which can easily be imported by most clients. Once completed, you should copy them securely to the client, i.e. avoid email, Facebook Messenger and the like.

Create a Client Config File

Begin by creating a new text document with Notepad (or your favorite text editor). The basic format is below, feel free to copy and paste:

[Interface]
PrivateKey = 
Address = 

[Peer]
Endpoint = 
AllowedIPs =
PublicKey = 
PresharedKey = 

[Image: Blank Client Config File]

Fill in Existing Information

We can already fill in a few sections. Let's start by assigning our client an available Address in CIDR notation (10.254.0.2/32).

Note that the client IP 10.254.0.2 is in the 10.254.0.1/24 (10.254.0.0 to 10.254.0.255) range we defined above in the server configuration's Address field.

Next, we fill in the Endpoint with the public IP of your network (or domain name/dynamic DNS), along with the port listed in our server config (ListenPort field).

Under AllowedIPs, we will only add our local network for now (10.254.0.0/24). Remember from our Linux server setup, this is where you can add additional IPs for the client to connect to. Set it to 0.0.0.0/0 to pass all data through the Wireguard server.

Finally, we can copy and paste the server's Public Key, and add it under the [Peer] section.

We should have something like below so far:

[Image: Partially Filled Client Config]

Generate Client Keys

The client key generation is most easily done through a command prompt. To open your command prompt, simply go to your start menu, type cmd and hit enter. When we installed Wireguard, it also installed a set of simple tools for generating keys, identical to those in the Linux tutorial.

These keys also need to be kept secure, and it's important to ensure the files are not world accessible. I recommend creating a special folder to hold credentials and ensuring it has limited permissions (right-click the folder, go to the Security tab, and make sure to remove access for anyone but your user, and Administrator if you wish). Even after doing so, I got a warning (as can be seen below).

We can generate the same keys from the Linux tutorial with the following 3 commands:

wg genkey > peer1.key
type peer1.key | wg pubkey > peer1.pub
wg genpsk > peer1.psk

The main difference here is that we have to do the key generation in a couple of steps, using the Windows-specific command type to read the contents of the file before passing it to our wg pubkey command.

[Image: Generating Client Keys In A Windows Command Shell]

Add Keys to Client Config

We can now read the contents either in the command prompt, using the type command followed by the file name, or by opening the files in Windows Explorer. Either way, let's make sure we copy and paste the correct ones into the correct spots! My final client config file is shown below:

[Image: Complete Client Config]

Now I'll save the file and rename it to peer1.conf - make sure to put it in the same location for security and change the "Save as type" to All Files which will allow you to set the custom file type.

[Image: Make sure to select "All Files" so you don't end up with peer1.conf.txt as a filename!]

4. Add Client (Peer) to the Wireguard Windows Server

Lastly, we need to add the peer to our server. The full server config should have the following format:

[Interface]
PrivateKey = 
Address = 
ListenPort = 

[Peer]
AllowedIPs = 
PublicKey = 
PresharedKey = 

Note: You can append as many peers as you like to the end of the file. In this scenario, I am using /24 to allocate addresses available to my Wireguard VPN server. You may adjust according to your needs.

Adding our peer's keys, we have the following completed server config in the end:

[Image: Peer (Client) Details Added To The Windows Wireguard Server]

Click "Save".
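
Steps 3 and 4 can also be scripted from PowerShell instead of cmd and Notepad. The following is an added example, not part of the original guide: the folder name wg-creds, the output file name peer1-server-peer.txt and the two angle-bracket placeholders are assumptions to replace with your own values, and the server-side AllowedIPs of one /32 per peer is the usual WireGuard setting rather than something the guide's text states.

```powershell
# Added example. Edit the placeholders; the folder name is hypothetical.
$Dir             = Join-Path $env:USERPROFILE 'wg-creds'
$ServerPublicKey = '<server public key shown in the tunnel editor>'
$Endpoint        = '<public IP or DDNS name>:<ListenPort>'
$ClientAddress   = '10.254.0.2/32'   # client address used in this guide
$TunnelSubnet    = '10.254.0.0/24'   # tunnel range used in this guide

# Credentials folder: grant the current user full control, then drop inherited ACEs.
New-Item -ItemType Directory -Path $Dir -Force | Out-Null
icacls $Dir /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(OI)(CI)F" | Out-Null
icacls $Dir /inheritance:r | Out-Null

# Redirecting with ">" in Windows PowerShell 5.1 writes UTF-16, which wg does not
# accept as a key, so capture the output and write it as ASCII instead.
$priv = (wg genkey).Trim()
$pub  = ($priv | wg pubkey).Trim()
$psk  = (wg genpsk).Trim()
Set-Content -Path (Join-Path $Dir 'peer1.key') -Value $priv -Encoding ascii
Set-Content -Path (Join-Path $Dir 'peer1.pub') -Value $pub  -Encoding ascii
Set-Content -Path (Join-Path $Dir 'peer1.psk') -Value $psk  -Encoding ascii

# Client file, same layout as the blank template in step 3.
$clientConf = @"
[Interface]
PrivateKey = $priv
Address = $ClientAddress

[Peer]
Endpoint = $Endpoint
AllowedIPs = $TunnelSubnet
PublicKey = $ServerPublicKey
PresharedKey = $psk
"@
Set-Content -Path (Join-Path $Dir 'peer1.conf') -Value $clientConf -Encoding ascii

# Stanza to paste below the server's [Interface] section in the WireGuard GUI.
# Assumption: one /32 per peer, so the server accepts only this address from it.
$serverPeer = @"
[Peer]
AllowedIPs = $ClientAddress
PublicKey = $pub
PresharedKey = $psk
"@
Set-Content -Path (Join-Path $Dir 'peer1-server-peer.txt') -Value $serverPeer -Encoding ascii
```

Once the stanza has been pasted into the server tunnel and peer1.conf has been copied to the client, the key files and the stanza file can be deleted from the server, since the server only needs the peer's public key and preshared key in its own configuration.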

5. Start your Wireguard Server

You'll see the Wireguard device listed but inactive. Clicking Activate will start your Wireguard server!

[Image: Successfully Started Our Wireguard VPN Server On Windows!]

Once started, you should be able to connect to the Windows wireguard server remotely via VPN. This opens up a whole new world of possibilities. You can:

  • Securely open your Windows desktop from a remote system using Remote Desktop Protocol (RDP).
  • Or, if you have a Traefik Docker stack running elsewhere, you can connect the stack to your Windows system via Wireguard and use apps such as Guacamole to RDP into Windows from anywhere in the world with just a modern browser.

Wireguard Windows Server Quirks

After starting, I noticed I had limited capabilities when connecting a client to the Wireguard server. For example, I wasn't able to connect to a basic FTP server I had set up on the same machine as the Wireguard server. After digging a bit, I came across a detailed discussion on the quirks of Windows Networking written by Jason A. Donenfeld, the creator of Wireguard.

Setting Wireguard Interface to "Private"

With regards to connecting to a local FTP or webserver on my Wireguard host machine, I found the issue occurs with the Wireguard interface in the "Public" space, as opposed to the "Private" space.

[Image: Even Though The Wireguard Virtual Adapter Is Definitely Private, Windows Automatically Places It In The "Public" Network.]

This isn't the place to discuss the intricacies of Public and Private network spaces in Windows. But the general idea is that Public is used for less secure networks (think of connecting to the coffee shop's open Wifi), while Private is used for trusted networks (like your home network). Since the newly created Wireguard interface doesn't show up in my Windows settings menu, we will have to use a Powershell command to switch our Wireguard interface to the "Private" network space.

Using Powershell

Open your start-menu, type in "powershell" and be sure to select "Run as Administrator". We can see the status of our Wireguard interface with the following command:

Get-NetConnectionProfile

[Image: Details Of Our Internet Connections In Powershell]

To change our interface to "Private" we simply use the command:

Set-NetConnectionProfile -InterfaceAlias 'wg0' -NetworkCategory 'Private'

Be sure to replace wg0 with the name you gave your Wireguard server, as shown in the output of the prior command.

I was given no output, but running the Get-NetConnectionProfile command again shows the change occurred:

[Image: Wireguard Adapter Is Now Set To Private!]

With this setting, I was able to easily access my FTP server and interact directly with the Windows computer. We can now see in the Wireguard window that the client has had a recent "handshake" and is able to send and receive data.

[Image: Active Peer Connection To Our Windows Wireguard Server]

Adding Additional Clients to Your Wireguard Server

Adding clients to your Windows machine is both a simple and yet mildly frustrating process. This is due to how Windows creates internet adapters. The short version is: when we modify our Wireguard configuration, a "new" adapter is created, thus undoing our previous work to put the virtual adapter in the "Private" space. According to the above document by Jason A. Donenfeld, work is being done to remedy this, but it isn't finished yet.

Begin with another blank client configuration file. Generate your client keys and fill in the same as stated above. To the server configuration file, we just add an additional peer below with an incremented IP address.

[Image: We've Added A Second Peer To Our Wireguard Server's Configuration]

After saving the file, you should get a notification again that the adapter has restarted. Unfortunately, this new adapter is "unknown" to our Windows machine, and is thus placed in the "Public" space. Repeat the above Powershell command to set the newly created adapter back into the "Private" space.
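
Because this step has to be repeated after every configuration change, it can be wrapped in a small function. The following is an added example, not the author's script mentioned in the FAQ; the function name Set-WgTunnelPrivate and its parameters are hypothetical. It waits for the recreated adapter, sets it to Private only if needed, and reports how many enabled inbound allow rules cover the Private profile, since those rules then apply to traffic arriving from VPN peers.

```powershell
# Added example; run from an elevated PowerShell. 'wg0' is this guide's tunnel name.
function Set-WgTunnelPrivate {
    param(
        [string]$Alias = 'wg0',
        [int]$TimeoutSeconds = 30
    )
    # The tunnel adapter is recreated after a config change; wait for its profile.
    $deadline   = (Get-Date).AddSeconds($TimeoutSeconds)
    $netProfile = $null
    while ((-not $netProfile) -and ((Get-Date) -lt $deadline)) {
        $netProfile = Get-NetConnectionProfile -InterfaceAlias $Alias -ErrorAction SilentlyContinue
        if (-not $netProfile) { Start-Sleep -Seconds 1 }
    }
    if (-not $netProfile) {
        throw "No connection profile for '$Alias' after $TimeoutSeconds seconds."
    }

    # Only touch the profile when it is not already Private.
    if ($netProfile.NetworkCategory -ne 'Private') {
        Set-NetConnectionProfile -InterfaceAlias $Alias -NetworkCategory Private
    }

    # Enabled inbound allow rules covering the Private profile now apply to
    # traffic arriving over the tunnel, so count them for review.
    $exposed = @(Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { "$($_.Profile)" -match 'Private|Any' })

    [pscustomobject]@{
        InterfaceAlias      = $Alias
        NetworkCategory     = (Get-NetConnectionProfile -InterfaceAlias $Alias).NetworkCategory
        PrivateInboundAllow = $exposed.Count
    }
}

Set-WgTunnelPrivate -Alias 'wg0'
```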

Access other Wireguard clients on your Network

If you would like to access other clients connected to your Wireguard server, we have to enable NAT. This is a fairly dense topic thoroughly covered in the Ubuntu Wireguard article. In Windows networking, this is called Internet Connection Sharing (ICS).

Enable Internet Connection Sharing (ICS) a.k.a. NAT

To enable, we will begin by clicking your Windows icon, and typing "Network Connections". Hit Enter.

Now we should see a list of our devices, including the Wireguard "adapter". We want to open the properties for the device that connects to the Internet. In my example, it is the adapter called "Ethernet 2". Right-click and select "Properties".

[Image: Choose The Adapter With Internet Access]

A new window will pop up. We want to select the "Sharing" tab. Check the first box that says "Allow other network users to connect through this computer's internet connection". This enables NAT or ICS in Windows terms.

[Image: NAT (ICS) Is Now Enabled]

Clicking "OK" gives a short warning about your internet adapter being set to a new IP to avoid conflicts. This is quite annoying but we must click "Yes".

[Image: Windows Being "Helpful"...]

Reset Static IP of Wireguard Interface

This killed my Wireguard server. Going back to the previous message, it appears Windows has decided to change the IP address of our Wireguard server *cue eyeroll*. Let's open up the properties of our Wireguard adapter by right clicking on it and selecting "Properties". A familiar window should pop up. This time, we want to select the "Internet Protocol Version 4" option, and click "Properties".

[Image: Open The "Properties" Window Of Our Wireguard Adapter]

Windows has changed our IP address to 192.168.137.1. This is not helpful when we set it to use 10.254.0.1. Let's reset it. Afterwards it should look like below.

[Image: Static IP Fixed]

Click "OK" and "Close" the Properties window. Now everything is back to normal. This should be all you need to connect to other devices on your Wireguard network.

Passing All Traffic Through Your Wireguard Server

As discussed in our Ubuntu write-up, you might want to do more than just connect to a few local resources on your home network. If you'd like to pass all of your internet traffic through your home network, we must enable NAT (see above) and change our client's AllowedIPs setting. This should be set to 0.0.0.0/0 in the client configuration, as shown previously in this Wireguard Windows guide.

Surviving a restart

Once again, we have to look at the quirks of working with Windows to make sure our server easily survives restarts. Upon restarting, the Wireguard server starts automatically, and the adapter should appear in your "Network Connections" window. It didn't happen every time, but if I was having trouble connecting to the Internet with a client, I had to disable and re-enable the "Sharing" of the Ethernet connection as shown above.


FAQs

Can setting up Wireguard Server on Windows be automated?

The short answer is yes, but it will involve a bit more depth into Powershell. Here's a link to a script to automate the ICS. Here's a link to my script for finding and putting the active Wireguard adapter in the "Private" networking space.

Is Wireguard better than OpenVPN?

In short, yes. Wireguard is the latest VPN protocol, which is much simpler to set up while offering better performance compared to traditional VPN protocols such as OpenVPN and IPSec.

Please refer to our Wireguard introduction guide for beginners for more details.

Does Wireguard work on Windows?

Yes. Both the Wireguard server and client work on Windows. As discussed above, setting up Wireguard server on Windows can be a little bit tricky due to a few quirks in Windows environment, compared to Linux.

Concluding Remarks

Setting up Wireguard servers does take a bit of time to invest in learning how your system works. But that shouldn't stop you from setting up a Wireguard VPN server on your Windows machine as the benefits of using Wireguard are plenty.

Whether you are using Linux or Windows, Wireguard can be a great addition to a smart home setup or homelab.

If you are willing to dive a little deeper into the topic, you can automate much of the repetitive clicking tasks involved when doing everything through the GUI.

Fortunately, setting up a Windows machine as a client is even easier and doesn't come with a set of quirks related to internal networking. The good news is, the client for Windows is being actively developed and appears to improve quite significantly with each release. I wouldn't be surprised if a number of these workarounds get ironed out in the next few releases.


Kristopher

Kristopher is a tech enthusiast interested in teaching and simplifying technology for others. Online privacy and responsibility have become of utmost importance and he aims to help others reduce their reliance on tech giants.