How to Create a New WireGuard Client on a Linux Server (Debian/Ubuntu)

WireGuard is a modern, fast, and secure VPN solution.
This guide explains how to create a new WireGuard client on a Linux server
(Debian or Ubuntu) and connect it from a mobile device or desktop.


Prerequisites

  • A Linux server with WireGuard already installed
  • Root or sudo access
  • An existing WireGuard interface (e.g. wg0)

Example network used in this guide:

  • VPN subnet: 10.0.0.0/24
  • Server IP: 10.0.0.1
  • New client IP: 10.0.0.2

Step 1: Generate Client Keys

Navigate to the WireGuard configuration directory and set a secure file creation mask:

cd /etc/wireguard
umask 077

Generate the client private and public keys:

wg genkey | tee client1.key | wg pubkey > client1.pub

This creates:

  • client1.key — private key (keep secret)
  • client1.pub — public key

Step 2: Add the Client to the Server Configuration

Edit the server configuration file:

nano /etc/wireguard/wg0.conf

Add a new [Peer] section, replacing CLIENT1_PUBLIC_KEY with the contents of client1.pub:

[Peer]
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

Important: Each client must have a unique IP address.


Step 3: Apply the Configuration

Reload WireGuard without disconnecting active clients:

wg syncconf wg0 <(wg-quick strip wg0)

Or restart the interface (this briefly drops active connections):

systemctl restart wg-quick@wg0

Step 4: Create the Client Configuration File

Create a client configuration file:

nano client1.conf

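Insert the following configuration, replacing CLIENT1_PRIVATE_KEY with the contents of client1.key, SERVER_PUBLIC_KEY with the server's public key, and SERVER_IP with the server's public address: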

[Interface]
PrivateKey = CLIENT1_PRIVATE_KEY
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Step 5: Generate a QR Code (Optional)

For mobile devices, you can generate a QR code:

apt install qrencode
qrencode -t ansiutf8 < client1.conf

Scan the QR code using the WireGuard mobile app to import the tunnel instantly.
The QR code encodes the whole file, private key included, so treat it as you would client1.key.


Step 6: Verify the Connection

On the server, check the tunnel status:

wg show

If the client is connected, you will see:

  • Latest handshake timestamp
  • Data transfer statistics

Common Configuration Variants

Split Tunnel (VPN only for internal network)

AllowedIPs = 10.0.0.0/24

Full Tunnel (all traffic via VPN)

AllowedIPs = 0.0.0.0/0, ::/0

Security Notes

  • Never reuse client IP addresses
  • Protect private keys with file permissions (600)
  • Use PersistentKeepalive = 25 for mobile clients behind NAT
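
The unique-address rule from Step 2 and the first note above can be checked before editing wg0.conf. The script below is an added example, not part of the original guide; the function names and the sample configuration are constructed, and it assumes each client is listed as a single IPv4 /32 as in this guide.

```sh
#!/bin/sh
# Added example: find reused client addresses and the next free one (names are hypothetical).

# used_ips CONF: print each IPv4 /32 found on an AllowedIPs line, one per line.
used_ips() {
    awk -F'=' '
        tolower($1) ~ /^[ \t]*allowedips[ \t]*$/ {
            n = split($2, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t\r]/, "", parts[i])
                if (parts[i] ~ /^[0-9.]+\/32$/) { sub(/\/32$/, "", parts[i]); print parts[i] }
            }
        }' "$1"
}

# duplicate_ips CONF: print addresses that appear under more than one peer.
duplicate_ips() { used_ips "$1" | sort | uniq -d; }

# next_free_ip CONF PREFIX: first unused host in PREFIX.2 .. PREFIX.254 (.1 is the server here).
next_free_ip() {
    taken=$(used_ips "$1")
    host=2
    while [ "$host" -le 254 ]; do
        if ! printf '%s\n' "$taken" | grep -qxF "$2.$host"; then
            echo "$2.$host"; return 0
        fi
        host=$((host + 1))
    done
    return 1   # subnet exhausted
}

# Constructed sample standing in for /etc/wireguard/wg0.conf (keys are fake placeholders).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[Interface]
Address = 10.0.0.1/24
[Peer]
PublicKey = CONSTRUCTED_KEY_A
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = CONSTRUCTED_KEY_B
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = CONSTRUCTED_KEY_C
AllowedIPs = 10.0.0.2/32
EOF
echo "reused addresses: $(duplicate_ips "$SAMPLE")"
echo "next free address: $(next_free_ip "$SAMPLE" 10.0.0)"
```

To audit the real file, call the same functions on /etc/wireguard/wg0.conf as root.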

Conclusion

WireGuard makes VPN client management simple and secure.
By following this guide, you can safely add new clients,
generate configuration files, and connect from any modern device.

This setup works equally well for Android, iOS, Linux, Windows, and macOS clients.

Source: AIBlockLab.com