After Wireguard's inception in Linux, it has been ported to nearly every other operating system. We published an introduction to Wireguard for beginners in a previous article, and followed it up with a WireGuard Linux setup and a WireGuard Docker setup.
In this guide, I will show you how to set up a Wireguard server on Windows 10. We will cover Wireguard client configurations in a future post, so stay tuned.
Wireguard Server on Windows
In our Wireguard server for Linux article, we relied heavily on command line tools and used the "server" and "client" model.
The reality is that Wireguard is peer-to-peer: every endpoint is a "peer", and what makes one of them a "server" is simply its properties, namely a fixed, reachable Endpoint and a ListenPort that the other peers connect to. In this guide, I will show how to set up a Wireguard VPN tunnel to act as a "server".
This guide assumes you have a reasonable understanding of the principles involved in setting up a Wireguard server. Although we are using the Windows Wireguard program, the guiding principles and many of the steps mirror that of our comprehensive Wireguard Server on Linux guide.
I recommend having it open alongside this guide to follow along with the why and how of Wireguard.
1. Install Wireguard on Windows
We begin by heading to the Wireguard website to download the Wireguard Windows program:
Once installed, we will be greeted by an empty Wireguard window.
2. Create our Server "Adapter"
To create the server (new tunnel), we can do everything from the GUI.
Begin by clicking the arrow next to Add Tunnel and click on Add empty tunnel... or simply use Ctrl + N.
We will be greeted with a new window. Two of the components are already filled in: the program has generated a private key for the tunnel and derived its public key from it.
If you have read our Wireguard basics and Wireguard Linux guides, this is the equivalent to the server's "lock" and "key".
Customize the Wireguard Windows Tunnel
Name your Wireguard Windows adapter anything you like, but to stay consistent, I will call it wg0. The other components we need to complete include giving the interface an Address range (in CIDR notation) and a Listening Port as shown below:
Choose a port above 1024. Ports below 1024 are reserved for well-known services (and on Linux need root to bind), so a high port avoids clashes. Wireguard's conventional default is 51820, and anything in the ephemeral range (49152-65535) works just as well. Whatever you pick, remember it: this UDP port is what you will forward on your router and put in every client's Endpoint.
With this information, we can save and start our Wireguard VPN server. But just like in the Linux tutorial, let's generate a client configuration file and add it to our server. If you already have a client config, skip ahead to "Add Client (Peer) to Server".
3. Add a Client To Windows Wireguard Server
Each client needs to have a unique set of keys to access the server. These are held in configuration (sometimes referred to as "config") files which can easily be imported by most clients. Once completed, you should copy them securely to the client - i.e. Avoid email, or Facebook Messenger and the like.
Create a Client Config File
Begin by creating a new text document with Notepad (or your favorite text editor). The basic format is below, feel free to copy and paste:
```ini
[Interface]
PrivateKey =
Address =

[Peer]
Endpoint =
AllowedIPs =
PublicKey =
PresharedKey =
```
Fill in Existing Information
We can already fill in a few sections. Let's start by assigning our client an available Address in CIDR notation. (10.254.0.2/32).
Next, we fill in the Endpoint with the public IP of your network (or domain name/dynamic DNS), along with the port listed in our server config (ListenPort field).
Under AllowedIPs, we will only add the Wireguard tunnel subnet for now (10.254.0.0/24). On a client, AllowedIPs does two jobs: it is the list of destinations routed into the tunnel, and it is the set of source addresses the client will accept from this peer. As in our Linux server setup, this is where you add further networks the client should reach through the server, for example your home LAN. Set it to 0.0.0.0/0 to send all traffic through the Wireguard server.
Finally, we can copy and paste the server's Public Key, and add it under the [Peer] section.
We should have something like below so far:
Generate Client Keys
The client key generation is most easily done through a command prompt. To open your command prompt, simply go to your start menu, type cmd and hit enter. When we installed Wireguard, it also installed a set of simple tools for generating keys, identical to those in the Linux tutorial.
These keys also need to be kept secure, and it's important to ensure the files are not readable by other accounts on the machine. I recommend creating a special folder to hold credentials and ensuring it has limited permissions (right-click the folder, go to the Security tab, and remove access for everyone but your user, and Administrators if you wish). Even after doing so, I got a warning (as can be seen below).
We can generate the same keys as in the Linux tutorial with the following three commands, run from the folder you just created:

```cmd
wg genkey > peer1.key
type peer1.key | wg pubkey > peer1.pub
wg genpsk > peer1.psk
```

The only difference is that the public key is derived in two steps, using the Windows-specific "type" command to read the private key file and pipe its contents into "wg pubkey". Run these in the classic command prompt rather than in Windows PowerShell 5.1: PowerShell's ">" redirection writes the file as UTF-16 with a byte-order mark, and "wg pubkey" will reject such a file as not a valid key.
Add Keys to Client Config
We can now read the contents in the command prompt using the "type" command followed by the file name, or open the files in Windows Explorer. Either way, let's make sure we copy and paste the correct ones into the correct spots! My final client config file is shown below:
Now I'll save the file and rename it to peer1.conf - make sure to put it in the same location for security and change the "Save as type" to All Files which will allow you to set the custom file type.
4. Add Client (Peer) to the Wireguard Windows Server
Lastly, we need to add the peer to our server. The full server config should have the following format:
```ini
[Interface]
PrivateKey =
Address =
ListenPort =

[Peer]
AllowedIPs =
PublicKey =
PresharedKey =
```
Note: You can append as many peers as you like to the end of the file. In this scenario, I am using /24 to allocate addresses available to my Wireguard VPN server. You may adjust according to your needs.
Adding our peer's keys, we have the following completed server config in the end:
Click "Save".
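Steps 3 and 4 above are repeated for every peer, so here is the same procedure as one PowerShell script. This is an added example, not code from the original post or from the WireGuard project: it generates a peer's keys with the bundled wg.exe, writes the client config with ASCII encoding (so PowerShell's UTF-16 redirection pitfall cannot bite), locks the output folder down to the current user, and prints the [Peer] block to paste into the server's wg0 tunnel. The endpoint vpn.example.com:51820, the tunnel subnet 10.254.0.0/24, the output folder and the PersistentKeepalive setting are my assumptions, not values from the page; the server public key is the one shown in the wg0 tunnel window.

```powershell
# Added example (not the page's own code): provision one WireGuard peer on Windows.
# Assumes wg.exe in the default install location and a server tunnel on 10.254.0.0/24.
param(
    [Parameter(Mandatory)] [string] $PeerName,         # e.g. peer1
    [Parameter(Mandatory)] [string] $PeerAddress,      # e.g. 10.254.0.2/32
    [Parameter(Mandatory)] [string] $ServerPublicKey,  # from the wg0 tunnel window
    [string] $Endpoint   = 'vpn.example.com:51820',    # assumed placeholder: your public IP/DNS + ListenPort
    [string] $AllowedIPs = '10.254.0.0/24',            # tunnel subnet only; use 0.0.0.0/0 for a full tunnel
    [string] $OutDir     = "$env:USERPROFILE\wireguard-peers"
)

$ErrorActionPreference = 'Stop'
$wg = Join-Path $env:ProgramFiles 'WireGuard\wg.exe'
if (-not (Test-Path $wg)) { throw "wg.exe not found at $wg; is WireGuard installed?" }

# Credentials folder readable only by the current user (drop inherited ACEs, grant just us).
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
icacls $OutDir /inheritance:r /grant:r "${env:USERNAME}:(OI)(CI)F" | Out-Null

# Keys never touch disk until they are inside the finished config file.
$priv = (& $wg genkey).Trim()
$pub  = ($priv | & $wg pubkey).Trim()   # stdin, the equivalent of "type peer1.key | wg pubkey"
$psk  = (& $wg genpsk).Trim()

$clientConf = @"
[Interface]
PrivateKey = $priv
Address = $PeerAddress

[Peer]
PublicKey = $ServerPublicKey
PresharedKey = $psk
Endpoint = $Endpoint
AllowedIPs = $AllowedIPs
PersistentKeepalive = 25
"@

# wg expects plain ASCII; Windows PowerShell's ">" would write UTF-16 with a BOM.
$confPath = Join-Path $OutDir "$PeerName.conf"
Set-Content -Path $confPath -Value $clientConf -Encoding Ascii

# The server only ever needs the peer's public key and the shared PSK, never its private key.
$serverPeer = @"
[Peer]
# $PeerName
PublicKey = $pub
PresharedKey = $psk
AllowedIPs = $PeerAddress
"@

Write-Output "Client config written to $confPath; append this to the wg0 tunnel:"
Write-Output $serverPeer
```

Run it as, for example, .\New-WgPeer.ps1 -PeerName peer1 -PeerAddress 10.254.0.2/32 -ServerPublicKey '<key from the wg0 window>', paste the printed [Peer] block into the server tunnel, and move peer1.conf to the client over a secure channel; delete the local copy afterwards, since the file contains the peer's private key.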
5. Start your Wireguard Server
You'll see the Wireguard device listed but inactive. Clicking Activate will start your Wireguard server!
Once started, you should be able to connect to the Windows wireguard server remotely via VPN. This opens up a whole new world of possibilities. You can:
- Securely reach your Windows machine over Remote Desktop Protocol (RDP) from a remote system, without exposing RDP itself to the internet.
- Or, if you have a Traefik Docker stack running elsewhere, you can connect the stack to your Windows system via Wireguard and use apps such as Guacamole to RDP into Windows from anywhere in the world with just a modern browser.
Wireguard Windows Server Quirks
After starting, I noticed I had limited capabilities when connecting a client to the Wireguard server. For example, I wasn't able to connect to a basic FTP server I had setup on the same machine as the Wireguard server. After digging a bit, I came across a detailed discussion on the quirks of Windows Networking written by Jason A. Donenfeld, the creator of Wireguard.
Setting Wireguard Interface to "Private"
With regards to connecting to a local FTP or webserver on my Wireguard host machine, I found the issue occurs with the Wireguard interface in the "Public" space, as opposed to the "Private" space.
This isn't the place to discuss the intricacies between Public and Private network spaces in Windows. But the general idea is that Public is used for untrusted networks (think of the coffee shop's open Wi-Fi) and applies the stricter firewall profile, while Private is used for trusted networks (like your home network). Since the newly created Wireguard interface doesn't show up in my Windows settings menu, we will have to use a PowerShell command to switch our Wireguard interface to the "Private" network space.
Using PowerShell
Open your start menu, type "powershell" and be sure to select "Run as Administrator". We can see the status of our Wireguard interface with the following command:

```powershell
Get-NetConnectionProfile
```

To change our interface to "Private" we simply use the command:

```powershell
Set-NetConnectionProfile -InterfaceAlias 'wg0' -NetworkCategory 'Private'
```

Be sure to replace wg0 with the name you gave your Wireguard tunnel, as shown in the InterfaceAlias column of the previous command's output.
I was given no output, but running the Get-NetConnectionProfile command again shows the change occurred:
With this setting, I was able to easily access my FTP server and interact directly with the Windows computer. We can now see in the Wireguard window that the client has had a recent "handshake" and is able to send and receive data.
Adding Additional Clients to Your Wireguard Server
Adding clients to your Windows machine is both a simple and yet mildly frustrating process. This is due to how Windows creates network adapters. The short version is: when we modify our Wireguard configuration, a "new" adapter is created, thus undoing our previous work to put the virtual adapter in the "Private" space. According to the above document by Jason A. Donenfeld, work is being done to remedy this, but it isn't finished yet.
Begin with another blank client configuration file. Generate your client keys and fill in the same as stated above. To the server configuration file, we just add an additional peer below with an incremented IP address.
After saving the file, you should get a notification again that the adapter has restarted. Unfortunately, this new adapter is "unknown" to our Windows machine, and is thus placed in the "Public" space. Repeat the above Powershell command to set the newly created adapter back into the "Private" space.
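Because the Set-NetConnectionProfile step above has to be repeated after every config change, here is a reusable version. It is an added example, not the script the author links in the FAQ: it finds the tunnel adapter either by the name you gave it or, failing that, by the adapter description, and only changes the category when it is not already Private. The assumption that a WireGuard adapter's InterfaceDescription starts with "WireGuard" (or "Wintun" on older releases) is mine; pass -TunnelName if yours differs.

```powershell
# Added example (not the page's own script): put WireGuard tunnel adapters in the Private
# network category. Run from an elevated PowerShell after activating or editing a tunnel.
[CmdletBinding()]
param(
    [string] $TunnelName    # e.g. 'wg0'; when omitted, match on the adapter description (assumed prefixes)
)

$ErrorActionPreference = 'Stop'

if ($TunnelName) {
    $adapters = @(Get-NetAdapter -Name $TunnelName)
} else {
    $adapters = @(Get-NetAdapter | Where-Object {
        $_.InterfaceDescription -like 'WireGuard*' -or $_.InterfaceDescription -like 'Wintun*'
    })
}
if ($adapters.Count -eq 0) { throw 'No WireGuard adapter found; is the tunnel activated?' }

foreach ($adapter in $adapters) {
    # Only adapters that are up and have been classified by Windows show a connection profile.
    $prof = Get-NetConnectionProfile -InterfaceIndex $adapter.ifIndex -ErrorAction SilentlyContinue
    if (-not $prof) {
        Write-Warning "$($adapter.Name): no connection profile yet (adapter down?)"
        continue
    }
    if ($prof.NetworkCategory -eq 'Private') {
        Write-Output "$($adapter.Name): already Private"
        continue
    }
    # Same call as the manual step, keyed on ifIndex so a renamed alias cannot mislead us.
    Set-NetConnectionProfile -InterfaceIndex $adapter.ifIndex -NetworkCategory Private
    $after = Get-NetConnectionProfile -InterfaceIndex $adapter.ifIndex
    Write-Output "$($adapter.Name): $($prof.NetworkCategory) -> $($after.NetworkCategory)"
}
```

Keep it somewhere handy and run it (elevated) each time WireGuard reports that the adapter has restarted; it is idempotent, so running it when nothing has changed does no harm.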
Access other Wireguard clients on your Network
If you would like clients to reach each other, or anything beyond the server itself, through the Wireguard server, the server has to forward packets between interfaces, which Windows does not do by default. The practical way to turn on forwarding and NAT on Windows is Internet Connection Sharing (ICS), the equivalent of the IP forwarding and masquerading rules covered in depth in the Ubuntu Wireguard article.
Enable Internet Connection Sharing (ICS) a.k.a. NAT
To enable, we will begin by clicking your Windows icon, and typing "Network Connections". Hit Enter.
Now we should see a list of our devices, including the Wireguard "adapter". We want to open the properties for the device that connects to the Internet. In my example, it is the adapter called "Ethernet 2". Right-click and select "Properties"
A new window will pop up. We want to select the "Sharing" tab. Check the first box that says "Allow other network users to connect through this computer's internet connection". This enables NAT or ICS in Windows terms.
Clicking "OK" gives a short warning about your internet adapter being set to a new IP to avoid conflicts. This is quite annoying but we must click "Yes".
Reset Static IP of Wireguard Interface
This killed my Wireguard server. Going back to the previous message, it appears Windows has decided to change the IP address of our Wireguard server *cue eyeroll*. Let's open up the properties of our Wireguard adapter by right clicking on it and selecting "Properties". A familiar window should pop up. This time, we want to select the "Internet Protocol Version 4" option, and click "Properties".
Windows has changed our IP address to 192.168.137.1, the address ICS always assigns to the shared-to ("private") side. This is not helpful when we set it to use 10.254.0.1, the address our peers expect. Let's reset it. Afterwards it should look like below.
Click "OK" and "Close" the Properties window. Now everything is back to normal. This should be all you need to connect to other devices on your Wireguard network.
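The Sharing tab and the IPv4 properties dialog above are both scriptable. The following is an added example, not the ICS automation script the author links in the FAQ: it drives the same COM interface the Sharing tab uses (HNetCfg.HNetShare), marks the internet-facing adapter as the public side and the tunnel as the private side, and then puts the tunnel address back, since enabling ICS re-addresses the private side to 192.168.137.1. The adapter names "Ethernet 2" and "wg0" and the address 10.254.0.1/24 are taken from this guide's example; adjust them to yours. Run it from an elevated PowerShell.

```powershell
# Added example (not the page's own automation): enable ICS (NAT) for the WireGuard tunnel
# and restore the tunnel's static address afterwards.
param(
    [string] $PublicAdapter = 'Ethernet 2',   # the adapter with the internet connection
    [string] $TunnelAdapter = 'wg0',          # the WireGuard tunnel name
    [string] $TunnelAddress = '10.254.0.1',   # the server's Address from the wg0 config
    [int]    $PrefixLength  = 24
)

$ErrorActionPreference = 'Stop'

# HNetCfg.HNetShare is the COM object behind the "Sharing" tab in Network Connections.
$mgr = New-Object -ComObject HNetCfg.HNetShare
$byName = @{}
$mgr.EnumEveryConnection | ForEach-Object {
    $byName[$mgr.NetConnectionProps.Invoke($_).Name] = $_
}
foreach ($name in @($PublicAdapter, $TunnelAdapter)) {
    if (-not $byName.ContainsKey($name)) { throw "No network connection named '$name'" }
}

$pubCfg  = $mgr.INetSharingConfigurationForINetConnection.Invoke($byName[$PublicAdapter])
$privCfg = $mgr.INetSharingConfigurationForINetConnection.Invoke($byName[$TunnelAdapter])

# ICS allows exactly one public and one private connection, so start from a clean state.
if ($pubCfg.SharingEnabled)  { $pubCfg.DisableSharing() }
if ($privCfg.SharingEnabled) { $privCfg.DisableSharing() }

$pubCfg.EnableSharing(0)    # 0 = ICSSHARINGTYPE_PUBLIC:  the internet side (the checkbox on the Sharing tab)
$privCfg.EnableSharing(1)   # 1 = ICSSHARINGTYPE_PRIVATE: the tunnel side (the "Home networking connection")

# Enabling ICS just moved the tunnel adapter to 192.168.137.1; restore the address the peers expect.
Get-NetIPAddress -InterfaceAlias $TunnelAdapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $TunnelAdapter -IPAddress $TunnelAddress -PrefixLength $PrefixLength | Out-Null

# Show the result, which should match the Address line of the wg0 config.
Get-NetIPAddress -InterfaceAlias $TunnelAdapter -AddressFamily IPv4 |
    Select-Object InterfaceAlias, IPAddress, PrefixLength
```

The same script is what you re-run after a reboot if, as noted below, clients lose internet access until sharing is toggled off and on again.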
Passing All Traffic Through Your Wireguard Server
As discussed in our Ubuntu write-up, you might want to do more than just connect to a few local resources on your home network. If you'd like to pass all of your internet traffic through your home network, we must enable NAT (see above) and change our client's AllowedIPs setting. This should be set to 0.0.0.0/0 in the client configuration, as shown previously in this Wireguard Windows guide.
Surviving a restart
Once again, we have to look at the quirks of working with Windows to make sure our server easily survives restarts. Upon restarting, the Wireguard server starts automatically, and the adapter should appear in your "Network Connections" window. It didn't happen every time, but if I was having trouble connecting to the Internet with a client, I had to disable and re-enable the "Sharing" of the Ethernet connection as shown above.
FAQs
Can setting up Wireguard Server on Windows be automated?
The short answer is yes, but it involves a bit more depth in PowerShell. Here's a link to a script to automate the ICS. Here's a link to my script for finding and putting the active Wireguard adapter in the "Private" networking space.
Is Wireguard better than OpenVPN?
In most respects, yes. Wireguard is a much newer protocol with a far smaller codebase, a fixed set of modern cryptographic primitives and a configuration that fits in a few lines, and it generally offers better throughput and lower latency than traditional VPN protocols such as OpenVPN and IPsec. What it lacks is OpenVPN's flexibility (TCP transport, certificate-based enrolment, username/password authentication), so it is not a drop-in replacement for every deployment.
Please refer to our Wireguard introduction guide for beginners for more details.
Does Wireguard work on Windows?
Yes. Both the Wireguard server and client work on Windows. As discussed above, setting up Wireguard server on Windows can be a little bit tricky due to a few quirks in Windows environment, compared to Linux.
Concluding Remarks
Setting up Wireguard servers does take a bit of time to invest in learning how your system works. But that shouldn't stop you from setting up a Wireguard VPN server on your Windows machine as the benefits of using Wireguard are plenty.
Whether you are using Linux or Windows, Wireguard can be a great addition to a smart home setup or homelab.
If you are willing to dive a little deeper into the topic, you can automate much of the repetitive clicking tasks involved when doing everything through the GUI.
Fortunately, setting up a Windows machine as a client is even easier and doesn't come with a set of quirks related to internal networking. The good news is, the client for Windows is being actively developed and appears to improve quite significantly with each release. I wouldn't be surprised if a number of these workarounds get ironed out in the next few releases.