Setup your Linux Server

Your Linux server should be accessible via a public IP by UDP. If the IP address changes, use DynDNS.

First install WireGuard on your Linux server. On the official website you will find the right way for your Linux distro:

Then configure the Gateway. We will use the range (RFC 6598) because it doesn’t colide with private IPv4 adresses (RFC 1918).

echo '[Interface]'                   > /etc/wireguard/wg0.conf
echo "PrivateKey = $(wg genkey)"    >> /etc/wireguard/wg0.conf
echo 'ListenPort = 50002'           >> /etc/wireguard/wg0.conf
echo "Address ="      >> /etc/wireguard/wg0.conf

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
systemctl enable --now wg-quick@wg0

Don’t forget to save the iptables rules for the next start. The easiest way is to use cron, but I don’t recommend it.

To get the public key (you need it later on):

wg pubkey <<<$(grep PrivateKey /etc/wireguard/wg0.conf  | cut -d ' ' -f3)

Now the gateway is configured and running. To get some information, type in wg and use systemd:

systemctl status wg-quick@wg0
wg show

Setup your Android

Download the App from F-Droid or Google Play.

In WireGuard, you must manually set an IP address for each client. The area has hosts from to, the first one is already occupied by the gateway, so we use

Open the app and “Create from scratch” Generate a key pair. Make a note of the public key, you will need it later. Name the configuration and add the client IP address with 32 mask. Add a peer. Now enter the gateway information. Allowed IPs is

Add Android Client to Server

Now add the client information to the gateway and restart the interface.

[Peer]                            >> /etc/wireguard/wg0.conf
PublicKey = <Client-Pub-Key>      >> /etc/wireguard/wg0.conf
AllowedIPs =      >> /etc/wireguard/wg0.conf

systemctl restart wg-quick@wg0 && systemctl status wg-quick@wg0


Wireguard Quickstart

Heise Besser tunneln

Witepaper WireGuard: Next Generation Kernel Network Tunnel

Demo Video Test WireGuard VPN net roaming