Port 51820 — WireGuard VPN

WireGuard is a modern, high-performance VPN protocol built into the Linux kernel since 5.6. It uses UDP port 51820 by default. WireGuard is significantly simpler than OpenVPN or IPsec: the entire codebase is ~4,000 lines vs 600,000 for OpenVPN, which means less attack surface, faster auditing, and easier debugging. Speeds are typically 2–3x faster than OpenVPN.

WireGuard Server Setup (Ubuntu/Debian)

# Install
sudo apt install wireguard

# Generate server keys
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

# Server config: /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = [server private key]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Client 1
PublicKey = [client 1 public key]
AllowedIPs = 10.0.0.2/32

# Enable IP forwarding
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Start WireGuard
sudo systemctl enable --now wg-quick@wg0

Client Configuration

# Generate client keys (on client machine, or generate separately)
umask 077  # create the key files readable only by their owner
wg genkey | tee client-private.key
wg pubkey < client-private.key > client-public.key

# Client config: /etc/wireguard/wg0.conf (Linux) or import into WireGuard app
[Interface]
PrivateKey = [client private key]
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = [server public key]
Endpoint = your-server-ip:51820
AllowedIPs = 0.0.0.0/0  # Route all traffic through VPN
# AllowedIPs = 10.0.0.0/24  # Only route VPN subnet (split tunneling)
PersistentKeepalive = 25

AllowedIPs — Full Tunnel vs Split Tunnel

| AllowedIPs | Mode | Effect |
|---|---|---|
| 0.0.0.0/0, ::/0 | Full tunnel | All internet traffic through VPN — hides real IP |
| 10.0.0.0/24 | Split tunnel | Only VPN subnet goes through — home network access only |
| 192.168.1.0/24, 10.0.0.0/24 | Split + home LAN | Access both VPN subnet and home LAN, rest goes direct |
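
In the server's [Peer] sections the same AllowedIPs key does a different job: it lists the source addresses WireGuard accepts from that peer, so a client-style 0.0.0.0/0 there lets the peer use any source address, and an address listed under two peers is routed to only one of them. The following is an added example, not part of the original page: a Python check that flags both cases, assuming each client is meant to hold a single address as in the server config above. The function names and the sample config with placeholder keys are constructed for illustration.

```python
import ipaddress

# Constructed sample server config; the keys are placeholders, not real keys.
SAMPLE_CONF = """\
[Interface]
Address = 10.0.0.1/24
[Peer]
PublicKey = CLIENT1_PUBKEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = CLIENT2_PUBKEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0  # client-side value pasted into the server config
[Peer]
PublicKey = CLIENT3_PUBKEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24  # reuses client 1's address
"""

def parse_sections(text):
    """Return [(section, {key: [values]})], keeping every repeated [Peer]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 keys may end in '='
            sections[-1][1].setdefault(key.strip().lower(), []).append(value.strip())
    return sections

def audit_server_peers(text):
    """Flag peer AllowedIPs that cover more than one host or overlap another peer."""
    findings, seen = [], []
    for fields in (f for s, f in parse_sections(text) if s == "peer"):
        peer = fields.get("publickey", ["?"])[0]
        for item in ",".join(fields.get("allowedips", [])).replace(",", " ").split():
            net = ipaddress.ip_network(item, strict=False)
            if net.num_addresses > 1:
                findings.append((peer, str(net), "wider than a single host"))
            for other_peer, other_net in seen:
                if other_peer != peer and net.version == other_net.version \
                        and net.overlaps(other_net):
                    findings.append((peer, str(net), "overlaps " + other_peer))
            seen.append((peer, net))
    return findings

if __name__ == "__main__":
    for finding in audit_server_peers(SAMPLE_CONF):
        print(*finding, sep=" | ")
```

A site-to-site peer that legitimately routes a whole subnet will also be reported as "wider than a single host"; treat that finding as a prompt to confirm the range is intended.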

Easy Setup with wg-easy (Docker)

# wg-easy provides a web UI for managing WireGuard clients
docker run -d \
  --name=wg-easy \
  -e LANG=en \
  -e WG_HOST=your-server-public-ip \
  -e PASSWORD=yourpassword \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  ghcr.io/wg-easy/wg-easy

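Then manage clients at http://your-server:51821: generate QR codes for phones, download .conf files for computers. The web UI is served over plain HTTP and protected only by the PASSWORD value, so keep TCP 51821 off the internet (do not forward it on your router or open it in a public firewall) and reach it from the LAN or over the VPN.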

Router/Firewall Port Forwarding

To reach your WireGuard server from outside: forward UDP port 51820 on your router to the server's local IP. WireGuard uses UDP — do not forward TCP. See the port forwarding guide for per-brand instructions.

WireGuard Clients

| Platform | Client | Import Method |
|---|---|---|
| Windows | WireGuard for Windows (wireguard.com) | Import .conf file or tunnel from clipboard |
| Mac | WireGuard from App Store | Import .conf file or scan QR code |
| iPhone/iPad | WireGuard from App Store | Scan QR code or import .conf from Files |
| Android | WireGuard from Play Store | Scan QR code or import .conf file |
| Linux | wireguard-tools (apt/dnf/pacman) | wg-quick up wg0 |

Troubleshooting

No handshake / no connectivity: Check that UDP 51820 is open on the server's firewall (sudo ufw allow 51820/udp) and forwarded by your router. Verify the server is listening: sudo wg show. The server IP in the client config must be the public IP or domain, not the local LAN IP.

Handshake established but no internet: IP forwarding is not enabled, or the PostUp NAT rules are wrong. Verify: cat /proc/sys/net/ipv4/ip_forward (should be 1). Check the interface name in PostUp (replace eth0 with your actual WAN interface: ip route | grep default).