Configure Windows Server 2022 as a Secure WireGuard VPN Gateway (with NAT and Firewall Rules)

Why WireGuard on Windows Server?

WireGuard is a modern VPN protocol known for strong cryptography, fast performance, and a simple configuration model. While it is often associated with Linux, it also works well on Windows Server 2022—especially for small and mid-sized organizations that need secure remote access to internal resources without deploying a complex VPN appliance.

In this tutorial, you will set up Windows Server 2022 as a WireGuard VPN gateway, enable NAT so VPN clients can reach your internal LAN, and lock down access with Windows Firewall. The end result is a clean, maintainable remote access VPN you can scale as needed.

Prerequisites

Server requirements: Windows Server 2022 (Desktop Experience is easier for first-time setup), local admin privileges, and a static internal IP address. If you want clients to connect from the internet, you also need a public IP or port-forwarding on your edge router.

Network plan: Choose a dedicated VPN subnet that does not overlap your LAN. Example used below: VPN subnet 10.30.0.0/24, WireGuard server VPN IP 10.30.0.1, LAN subnet 192.168.10.0/24.

Step 1: Install WireGuard for Windows

Download and install WireGuard for Windows from the official site (wireguard.com). After installation, open the WireGuard application. On Windows Server it is easiest to bring the tunnel up interactively first and confirm it works. A tunnel activated in the application runs as a Windows service and comes back after a reboot; for a headless server the same service can be installed directly from a configuration file with the documented wireguard.exe /installtunnelservice switch, so decide later which of the two you want to keep.

In WireGuard, click Add Tunnel and choose Add empty tunnel. WireGuard generates a key pair and fills in the PrivateKey line; the matching PublicKey is displayed above the editor and is the value you will later paste into every client's [Peer] section. Keep the server PrivateKey confidential: anyone who can read the tunnel configuration can impersonate the server to all of its clients.

Step 2: Create the Server Tunnel Configuration

Paste a server configuration similar to the following. Replace placeholders with your own values. If you don’t know your public endpoint yet, you can still configure it now and update later.

Example server config (wg0):

[Interface]
Address = 10.30.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

At this stage, do not add peers yet. Save the tunnel as something recognizable like WG-RemoteAccess.

Step 3: Enable IP Forwarding on Windows Server

To route traffic between the VPN interface and the LAN, Windows must forward IP packets. Forwarding is off by default on a server that is not running Routing and Remote Access. The system-wide switch is the IPEnableRouter registry value; forwarding can also be enabled per interface from the NetTCPIP PowerShell module.

Open PowerShell as Administrator and run:

reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v IPEnableRouter /t REG_DWORD /d 1 /f

Reboot the server: IPEnableRouter is read at startup, and on a server without RRAS installed there is no routing service to restart instead. Per-interface forwarding set through the NetTCPIP module takes effect immediately and avoids the reboot if you cannot schedule one.

Step 4: Configure NAT (So VPN Clients Can Reach the LAN)

If your LAN routers do not have a route back to the VPN subnet, NAT is the quickest reliable approach: internal systems see the VPN traffic as coming from the server’s LAN IP, and replies return without adding static routes everywhere.

Open PowerShell as Administrator and confirm that the tunnel is active. The WireGuard adapter is named after the tunnel and exists only while the tunnel is up, so bring the tunnel up before creating the NAT:

Get-NetAdapter

Then create the NAT. WinNAT is keyed on the internal prefix rather than on an adapter name; this example translates any VPN client traffic sourced from 10.30.0.0/24 to the address of the interface the packets leave on:

New-NetNat -Name "WG-NAT" -InternalIPInterfaceAddressPrefix 10.30.0.0/24

This is simple and effective for remote access, with two caveats. First, WinNAT supports a single NAT object per host: if Hyper-V, WSL or Docker already created one (Get-NetNat shows it), New-NetNat fails with a conflict and you must either remove that NAT or route instead of translating. Second, every VPN client appears to LAN hosts as the server's LAN IP, so per-user attribution in those hosts' logs is lost; keep the mapping of VPN address to user on the server. In larger environments, or wherever attribution matters, add a static route for 10.30.0.0/24 pointing at the server's LAN IP on the LAN router and skip NAT altogether.

Step 5: Open the WireGuard UDP Port in Windows Firewall

WireGuard uses UDP. If the server is internet-facing (or receiving port-forwarded traffic), allow inbound UDP on your chosen port (default 51820).

Run in an elevated PowerShell:

New-NetFirewallRule -DisplayName "WireGuard UDP 51820" -Direction Inbound -Protocol UDP -LocalPort 51820 -Action Allow

Scope the rule as tightly as you can: add -RemoteAddress with the ranges your clients connect from when those are known, and restrict -Profile to the profile of the internet-facing interface rather than all three. Note that the WireGuard adapter itself also receives a firewall profile (normally Public, because the network is unidentified), so services on the server that VPN clients should reach need their own inbound rules for that profile; the rule above only admits the encrypted WireGuard UDP traffic.
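Steps 3 to 5 as a single idempotent script. This is an added example, not code from the original article. It assumes the server tunnel is named WG-RemoteAccess and is currently active (the adapter exists only while the tunnel is up), the VPN prefix is 10.30.0.0/24, the listen port is UDP 51820, and that $ClientSources lists where clients connect from ('Any' if you cannot predict it). Forwarding is set both through the registry value the article uses and per interface with Set-NetIPInterface, which takes effect without a reboot.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Assumed values are the variables below.
$TunnelName    = 'WG-RemoteAccess'
$VpnPrefix     = '10.30.0.0/24'
$ListenPort    = 51820
$NatName       = 'WG-NAT'
$ClientSources = 'Any'      # e.g. @('203.0.113.0/24','198.51.100.7') to restrict the rule

# Step 3: system-wide forwarding. IPEnableRouter is only read at boot, so also enable forwarding
# on the two interfaces that carry VPN traffic; Set-NetIPInterface takes effect immediately.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
    -Name IPEnableRouter -Value 1 -Type DWord

$wg  = Get-NetAdapter -Name $TunnelName -ErrorAction Stop        # exists only while the tunnel is up
$lan = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
       Sort-Object RouteMetric | Select-Object -First 1           # interface holding the default route
foreach ($ifIndex in @($wg.ifIndex, $lan.ifIndex)) {
    Set-NetIPInterface -InterfaceIndex $ifIndex -AddressFamily IPv4 -Forwarding Enabled
}

# Step 4: WinNAT allows one NAT object per host (Hyper-V, WSL or Docker may already own it).
# Reuse a matching one, fail loudly on a conflicting one, create one otherwise.
$nat = Get-NetNat -ErrorAction SilentlyContinue
if ($nat -and $nat.InternalIPInterfaceAddressPrefix -ne $VpnPrefix) {
    throw "NAT '$($nat.Name)' already covers $($nat.InternalIPInterfaceAddressPrefix); WinNAT allows only one NAT."
}
if (-not $nat) {
    $nat = New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $VpnPrefix
}

# Step 5: inbound UDP rule, limited to the listen port, to known client sources where possible,
# and to the profile of the internet-facing interface instead of all profiles.
$ruleName   = "WireGuard UDP $ListenPort"
$lanProfile = (Get-NetConnectionProfile -InterfaceIndex $lan.ifIndex).NetworkCategory  # Public / Private / DomainAuthenticated
$profile    = if ($lanProfile -eq 'DomainAuthenticated') { 'Domain' } else { "$lanProfile" }
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort $ListenPort -RemoteAddress $ClientSources -Profile $profile -Action Allow
}

# Summary of what the gateway looks like now.
[pscustomobject]@{
    Nat          = $nat.InternalIPInterfaceAddressPrefix
    FirewallRule = "$($rule.DisplayName) ($($rule.Profile))"
    Forwarding   = (Get-NetIPInterface -InterfaceIndex $wg.ifIndex -AddressFamily IPv4).Forwarding
}
```

Run it once after the tunnel is up; running it again is harmless because each step checks for what already exists. The conflict check on Get-NetNat is what most often saves time on a server that already runs Hyper-V.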

Step 6: Add a Client Peer (Laptop Example)

On the client device, install WireGuard and create a new tunnel. WireGuard will generate a public/private key pair for the client. You will copy the client's PublicKey into the server config as a peer, and the server's PublicKey into the client config; private keys never leave the device that generated them.

Server-side peer entry:

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.30.0.2/32

Now configure the client tunnel like this (replace values accordingly):

Client config:

[Interface]
Address = 10.30.0.2/24
PrivateKey = CLIENT_PRIVATE_KEY
DNS = 192.168.10.10

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = vpn.yourdomain.com:51820
AllowedIPs = 192.168.10.0/24, 10.30.0.0/24
PersistentKeepalive = 25

On the client, the AllowedIPs line determines which destinations are routed through the tunnel. The example routes only your internal LAN and the VPN subnet, not all internet traffic. If you want a full-tunnel VPN, you would use 0.0.0.0/0 (and optionally ::/0 for IPv6), but that changes your security and bandwidth planning, since the server and its NAT then carry the clients' internet traffic too. Whatever the client uses, the server's entry for that peer stays at the client's /32: on the server, AllowedIPs is also the ingress filter for what that peer is allowed to send, and a wider value would let the client spoof other addresses.
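A server-side provisioning script for Step 6, added here as an example; it is not code from the original article. It assumes WireGuard for Windows is installed in its default path (wg.exe ships with it), that the server tunnel WG-RemoteAccess was installed from the plaintext file in $ServerConf with wireguard.exe /installtunnelservice and is running, and that the VPN subnet, LAN, DNS and endpoint values match Steps 2 and 6. $PeerName, the file paths and the client name are made up. It goes slightly beyond the text by adding a PresharedKey to both sides and by applying the new peer to the live tunnel with wg set so existing clients are not disconnected.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). All paths and the peer name are assumptions.
$Wg         = 'C:\Program Files\WireGuard\wg.exe'
$TunnelName = 'WG-RemoteAccess'
$ServerConf = 'C:\WireGuard\WG-RemoteAccess.conf'   # plaintext file the tunnel service was installed from
$OutDir     = 'C:\WireGuard\clients'
$Endpoint   = 'vpn.yourdomain.com:51820'
$LanPrefix  = '192.168.10.0/24'
$ClientDns  = '192.168.10.10'
$VpnNet     = '10.30.0'              # first three octets of the /24 VPN subnet
$PeerName   = 'alice-laptop'         # owner/device, recorded as a comment next to the peer

# Keys: the client private key goes only into the client's file. The pre-shared key goes into
# both sides and adds a symmetric secret to the handshake on top of the Curve25519 exchange.
$clientPriv = & $Wg genkey
$clientPub  = $clientPriv | & $Wg pubkey
$psk        = & $Wg genpsk
$serverPub  = & $Wg show $TunnelName public-key    # from the running tunnel; no need to read the private key

# Next free host address: scan the /32 AllowedIPs already handed out and never reuse one.
$escaped = [regex]::Escape($VpnNet)
$used = Select-String -Path $ServerConf -Pattern "^\s*AllowedIPs\s*=\s*$escaped\.(\d+)/32" |
        ForEach-Object { [int]$_.Matches[0].Groups[1].Value }
$hostNum = 2                                       # .1 is the server
while ($used -contains $hostNum) { $hostNum++ }
if ($hostNum -gt 254) { throw "VPN subnet $VpnNet.0/24 has no free addresses" }
$clientIp = "$VpnNet.$hostNum"

# Persist the peer in the server config (one /32 per client) ...
@"

# $PeerName  (added $(Get-Date -Format 'yyyy-MM-dd'))
[Peer]
PublicKey = $clientPub
PresharedKey = $psk
AllowedIPs = $clientIp/32
"@ | Add-Content -Path $ServerConf -Encoding ascii

# ... and apply it to the running tunnel. wg set reads the pre-shared key from a file,
# so write it to a temporary file and delete that file immediately afterwards.
$pskFile = Join-Path $env:TEMP ([guid]::NewGuid().ToString() + '.psk')
try {
    Set-Content -Path $pskFile -Value $psk -Encoding ascii -NoNewline
    & $Wg set $TunnelName peer $clientPub preshared-key $pskFile allowed-ips "$clientIp/32"
} finally {
    Remove-Item -Path $pskFile -Force -ErrorAction SilentlyContinue
}

# Client config: split tunnel, so only the LAN and the VPN subnet are routed through WireGuard.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
@"
[Interface]
Address = $clientIp/24
PrivateKey = $clientPriv
DNS = $ClientDns

[Peer]
PublicKey = $serverPub
PresharedKey = $psk
Endpoint = $Endpoint
AllowedIPs = $LanPrefix, $VpnNet.0/24
PersistentKeepalive = 25
"@ | Set-Content -Path (Join-Path $OutDir "$PeerName.conf") -Encoding ascii

"Peer $PeerName -> $clientIp written to $OutDir\$PeerName.conf; deliver it out of band, then delete it here."
```

The generated client file contains the client's private key, so treat it like a password: hand it over through a channel you trust and remove the server-side copy once the client has imported it. Because the script records the owner next to each [Peer] block and allocates addresses from what is already in the file, it also gives you the per-user mapping that the NAT hides from LAN hosts.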

Step 7: Test Connectivity and Troubleshoot

Bring up the tunnel on the server and the client. On the client, confirm you have a 10.30.0.2 address and then test:

Ping 10.30.0.1 (the server's VPN IP) and then ping 192.168.10.10 (an internal host). If the VPN connects but LAN access fails, verify that the NAT exists (Get-NetNat), that IP forwarding is enabled on the server, and that the firewall on the target LAN host allows the traffic. Windows hosts drop ICMP echo requests by default on most profiles, so also test a TCP service such as RDP or HTTPS before concluding that routing is broken.

If the client can't handshake at all, confirm UDP/51820 is reachable from the internet (router port-forwarding, upstream firewall rules, and correct endpoint DNS), and that the server's WireGuard tunnel is active and bound to the expected port. On the server, wg show (wg.exe ships with WireGuard for Windows) lists each peer's latest handshake: a peer that never handshakes usually means a key mismatch or packets that never arrive, while a recent handshake with no traffic points at forwarding, NAT or firewall instead.
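The server-side checks for the two failure modes above, as an added example rather than code from the original article. It assumes the tunnel name WG-RemoteAccess, UDP 51820, the VPN prefix 10.30.0.0/24, a firewall rule named "WireGuard UDP 51820" and the default wg.exe path; the three-minute handshake window is a chosen threshold, since WireGuard rekeys every couple of minutes while a peer is active.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Assumed values are the variables below.
$TunnelName = 'WG-RemoteAccess'
$ListenPort = 51820
$VpnPrefix  = '10.30.0.0/24'
$Wg         = 'C:\Program Files\WireGuard\wg.exe'

# Each check returns $true/$false or throws; an exception is reported as a failure with its message.
$checks = [ordered]@{
    'Tunnel adapter is up'           = { (Get-NetAdapter -Name $TunnelName -ErrorAction Stop).Status -eq 'Up' }
    'UDP listener bound'             = { [bool](Get-NetUDPEndpoint -LocalPort $ListenPort -ErrorAction Stop) }
    'Inbound firewall rule enabled'  = { (Get-NetFirewallRule -DisplayName "WireGuard UDP $ListenPort" -ErrorAction Stop).Enabled -eq 'True' }
    'IPv4 forwarding on tunnel'      = { (Get-NetIPInterface -InterfaceAlias $TunnelName -AddressFamily IPv4 -ErrorAction Stop).Forwarding -eq 'Enabled' }
    'NAT covers VPN prefix'          = { @(Get-NetNat -ErrorAction Stop).InternalIPInterfaceAddressPrefix -contains $VpnPrefix }
    'A peer handshook in last 3 min' = {
        # "wg show <tunnel> latest-handshakes" prints "<pubkey><TAB><unix seconds>" per peer; 0 means never.
        $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
        $recent = & $Wg show $TunnelName latest-handshakes | ForEach-Object {
            $t = [int64]($_ -split "`t")[1]
            ($t -gt 0) -and (($now - $t) -lt 180)
        }
        [bool]($recent -contains $true)
    }
}

foreach ($name in $checks.Keys) {
    try   { $ok = [bool](& $checks[$name]); $detail = '' }
    catch { $ok = $false; $detail = $_.Exception.Message }
    [pscustomobject]@{ Check = $name; Pass = $ok; Detail = $detail }
}
```

Read the table top to bottom: the first three checks failing explains a client that never handshakes, the next two explain a client that handshakes but cannot reach the LAN, and the last one tells you which of the two situations you are actually in.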

Hardening Tips (Recommended)

For better security, limit the inbound firewall rule to known remote IP ranges if possible, and keep peer definitions tight: use /32 for individual client addresses and never widen a peer's AllowedIPs on the server, because that value is also what the server accepts from the peer. Add a PresharedKey to each peer; it is cheap and adds a symmetric secret to the handshake. Avoid reusing client IPs, document which user/device owns each peer, and remove a peer's [Peer] block as soon as its device is lost or its owner leaves, since a WireGuard key never expires on its own. Protect the server configuration file, which contains the private key, with NTFS permissions that allow only Administrators to read it. Finally, keep Windows Server patched and consider running WireGuard on a dedicated VM if the server also hosts critical roles.

With these steps, you now have a lean WireGuard VPN gateway on Windows Server 2022 that supports secure remote access and can be expanded by adding more peers as your team grows.