WireGuard: setup and connection in 2026 — guide

If you have been given a config or QR code from a VPN service and you don't understand what to do with it — you are in the right place. WireGuard: setup and connection in practice takes 5 minutes if you know the order of actions. But there is a nuance: in Russia, pure WireGuard is increasingly being cut by DPI, and simply importing the config may not be enough. We will talk about this too.

What is WireGuard and what is needed for connection

WireGuard is a VPN protocol, not an application. It operates at the OS kernel level, is very fast and compact: the entire code fits in about 4,000 lines compared to 400,000 for OpenVPN. To use it, you need two things: the official WireGuard client (downloaded for free) and a config — a .conf file or QR code provided by your VPN provider or your own server.

There are no accounts, logins, or passwords within the protocol itself. Authentication is only through a pair of keys: public and private. This is the main reason why WireGuard is so fast and reliable.

Config file (.conf) and QR code — where to get them

The config is obtained from the VPN provider in the personal account. Most normal services — including NvoVPN — provide it in two formats: text .conf for computers and QR code for phones. If you are setting up your own server, the config is generated by the commandwg genkey and configured manually.

The .conf file is a few kilobytes in size and can be opened with any text editor. If you lose it — request a new one in your personal account. Some providers have configs with a limited validity period, so if the connection suddenly stops working — check if it has expired.

What is inside the config: PrivateKey, Endpoint, AllowedIPs, DNS

Open the .conf — and you will see something like this:

[Interface]

PrivateKey — your personal key, do not show it to anyone.Endpoint — the IP address and port of the VPN server.AllowedIPs = 0.0.0.0/0 means "route all traffic through VPN."DNS — the name server that will be used inside the tunnel.PersistentKeepalive = 25 — sending packets every 25 seconds to prevent NAT from dropping the connection.

How WireGuard differs from OpenVPN and IKEv2 for bypassing blocks

WireGuard works exclusively over UDP, which makes it fast but noticeable for DPI. OpenVPN can work over TCP on port 443 and disguise itself as HTTPS — this is slower but better for bypassing. IKEv2 is fast and works well on mobile when switching networks, but is also recognizable.

If you have a normal provider without aggressive filtering — WireGuard will be the fastest. If the provider cuts UDP or there are Roskomnadzor filters — you will have to either use AmneziaWG or switch to VLESS/XRay or Shadowsocks. More on this in the section about bypassing blocks.

Setting up WireGuard on different devices: step by step

WireGuard: setup and connection on each platform looks slightly different, but the logic is the same: install the client → import the config → activate the tunnel → check handshake. Let's go in order.

Android: import via QR code and from file

Install the WireGuard app from Google Play (developer — WireGuard LLC, version relevant for 2026). Click the blue "+" button in the bottom right corner.

• QR code: select "Scan QR code," point the camera — the tunnel will be added automatically. This is the fastest way.
• File .conf: select "Import from file or archive," find the downloaded .conf in storage.

After importing, click the toggle next to the tunnel name. After a couple of seconds, the "Last handshake" field should show a time — this means the handshake has passed and the tunnel is working. On older versions of Android (before 8.0), the official client sometimes behaves unstably — try the alternative client TunSafe or update Android.

iPhone and iPad (iOS): installation from App Store and adding a tunnel

App Store → search for "WireGuard" → install the app from WireGuard Development Team. Click "Add tunnel" in the top right corner.

The methods of adding are the same: "Create from QR code" (the most convenient) or "Create from file or archive" if you downloaded .conf. After adding, the system will ask for permission to create a VPN configuration — agree. Activate the toggle and watch the connection status.

Windows: client installation and .conf import

Download the installer from the official website wireguard.com — the file wireguard-installer.exe is about 10 MB. Install it, open the application. In the bottom left, click "Add tunnel" → "Import tunnels from file" → select your .conf.

The tunnel will appear in the list on the left. Click "Connect". On the right side of the screen, you will see the status: Transfer, Endpoint, Last handshake. If the handshake appears — everything is working. WireGuard on Windows also adds a virtual network adapter — if something goes wrong, check that the Windows firewall is not blocking it.

macOS: setup via App Store

On Mac, there are two options: the app from the Mac App Store (WireGuard by WireGuard Development Team) or installation via Homebrew with the commandbrew install wireguard-tools for the command line. The first option is easier. After installing from the App Store, the logic is the same: open the application, click "+" → "Import tunnels from file", select .conf, activate.

Routers (OpenWrt, Keenetic) and Smart TV / Apple TV

For Smart TVs, Apple TVs, and gaming consoles, there are no native WireGuard clients or they are limited. The most reasonable solution is to set up WireGuard on the router, and then all devices on the network will automatically go through the VPN.

OpenWrt: WireGuard is supported starting from version 21.02. You install the packageluci-app-wireguard via LuCI or opkg, manually enter the parameters from the config. It's more complicated than on a phone, but it works reliably.

Keenetic: starting from firmware 3.3, WireGuard is built-in. Go to "Other connections" → "WireGuard" → "Add connection" and enter the data from the config. Much friendlier than OpenWrt for the average user.

Important point: if another VPN tunnel (for example, OpenVPN) is already set up on the router, WireGuard may conflict with routing. Disable the previous tunnel before setting up.

Connection check and speed test

The tunnel is activated. Now you need to make sure that the traffic is really going through the VPN, not bypassing it.

How to ensure that traffic is going through the VPN (checking IP and DNS leaks)

Open 2ip.ru or ipleak.net in your browser. They will show your external IP address. It should match the Endpoint from the config (IP of the VPN server), not your real provider address.

Also check the DNS server there. If the config specifies DNS = 1.1.1.1, then Cloudflare should show up in the test results, not your provider's DNS. If your provider's DNS is still visible — you have a DNS leak. The reason is usually an incorrect DNS parameter in the config or that the system is using DNS over HTTPS in the browser, bypassing the tunnel.

Where to check the last handshake and traffic volume

In the WireGuard application (on any platform), in the tunnel details, there is a field "Last handshake". If the time updates every 2-3 minutes — the tunnel is alive. If the handshake shows "Never" or the time is more than 5 minutes ago — something is wrong.

Also, look at the Transfer counters: "Received" and "Sent" should increase as you use the internet. If "Sent" is increasing but "Received" is not — data is going to the server, but responses are not coming back. This is a classic picture when UDP is blocked.

How to correctly measure speed before and after connection

The methodology is simple: make 3 measurements on speedtest.net or fast.com without VPN at different times of the day, record the average. Then do the same with WireGuard turned on through the nearest geographically located server.

WireGuard usually loses 10–20% of the base speed under load due to encryption, which is much better than OpenVPN (where losses are often 30–50%). But the actual speed depends on the server load and the route to it through your provider's network. One measurement is not indicative. Three measurements at different times — you can start drawing conclusions.

Bypassing blocks and DPI: when pure WireGuard is not enough

This is where most guides end, and the problems only begin.

Why providers and Roskomnadzor slow down and cut WireGuard

WireGuard uses UDP and has a characteristic signature in the first handshake packets. DPI (Deep Packet Inspection) systems, which are present at most large Russian providers and are implemented at the request of TSPU (technical means of counteracting threats), can recognize this signature.

The result: the provider does not block WireGuard directly (this is noticeable), but simply slows down UDP traffic on known ports or introduces throttling for specific IP addresses. The connection exists, the handshake passes, but the speed drops to 1–5 Mbps instead of the normal 50–100. This is especially noticeable in the evening during peak hours.

AmneziaWG: obfuscation of WireGuard against DPI

AmneziaWG is a fork of WireGuard with an additional layer of obfuscation. It masks the handshake so that DPI cannot unambiguously identify the traffic as WireGuard. Developed by the Russian team Amnezia, the code is open.

AmneziaWG clients are available for Android, iOS, Windows, macOS, and Linux. The config is similar to regular WireGuard but with additional parameters Jc, Jmin, Jmax, S1, S2, H1–H4 — the values are set by the provider. The downside: the regular WireGuard client will not understand such a config, you need the AmneziaWG client specifically.

In practice, AmneziaWG works well against soft DPI. Against hard blocks — as with some mobile operators — it may not help.

Alternatives for hard blocks: VLESS/XRay, Shadowsocks

If the provider completely blocks UDP or AmneziaWG does not help — protocols that disguise themselves as regular HTTPS traffic are needed.

VLESS/XRay with XTLS-Reality — as of today, the most stable option for Russia. The traffic looks like a TLS connection to a real site. DPI cannot distinguish it from a regular browser. Requires its own server or a provider that supports this protocol.

Shadowsocks — easier to set up, has been tested for a long time, and has clients on all platforms. It disguises itself worse as legitimate traffic than XTLS-Reality, but better than plain WireGuard.

Corporate or hotel Wi-Fi that cuts non-standard ports — changing the WireGuard port to 443 or 80 helps there. But if UDP is completely blocked — only TCP protocols above.

Access to YouTube, Instagram, Facebook, X (Twitter), as well as protection for Telegram and WhatsApp

A legal use case for VPN — to access platforms blocked in Russia: Instagram (Meta), Facebook (Meta), Twitter/X, partially TikTok, as well as to use YouTube without slowdowns. Telegram has been officially unblocked in Russia since 2020, but traffic to some servers is periodically slowed down.

For these tasks, WireGuard performs excellently under normal conditions. If this is your goal and the provider does not block UDP — configure AllowedIPs = 0.0.0.0/0 (all traffic through VPN) and specify a server in a neutral jurisdiction. If DPI interferes — AmneziaWG or VLESS.

NvoVPN supports several protocols to choose from — including WireGuard and alternatives — which is convenient if you need to switch for a specific provider. But the main thing: keep a backup protocol handy in case the primary one starts to be blocked.

Frequent connection errors and how to fix them

Let's analyze by symptoms — without fluff.

The tunnel is active, but there is no internet (no handshake)

If the "Last connection" field shows "Never" — the tunnel is not established. Reasons:

• Invalid Endpoint. Check the IP address and port. Try pinging the IP from the command line.
• The provider blocks UDP on this port. Try another port (if the service provides alternatives) or another server.
• Double NAT / CGNAT. Some mobile operators use CGNAT, causing WireGuard packets to be lost. The solution is PersistentKeepalive = 25 in the config or changing the operator/network.
• The config has expired. Go to the provider's personal account and reissue the config.

Connects, but websites do not open (DNS problem)

Handshake exists, Transfer is increasing, but the browser shows "Cannot find server." This is a DNS problem.

Check the DNS parameter in the config — there should be a working server: 1.1.1.1 (Cloudflare), 8.8.8.8 (Google), or your VPN provider's DNS. An empty DNS field or an incorrect address means the browser cannot resolve domains.

Another reason: AllowedIPs does not include traffic to the DNS server. If you are using split-tunneling (AllowedIPs not 0.0.0.0/0), make sure the DNS server falls within the allowed subnets. The easiest way is to set 0.0.0.0/0 and route all traffic through the VPN.

Connection keeps dropping or is unstable

On mobile networks, this happens when switching between Wi-Fi and mobile data or between towers. WireGuard does not send keepalive packets by default, and the NAT tables on the operator's side expire.

Add the line to the [Peer] sectionPersistentKeepalive = 25 — this will force the client to send packets every 25 seconds, keeping the connection alive. It has minimal impact on the battery. If the config came from the provider without this line — add it manually in any text editor before importing.

Also check the stability of the server itself — if the provider has hardware or channel issues, no keepalive will help.

Config import error and invalid keys

When importing .conf, the application complains about the format — this means the file is corrupted. Common reasons: copied the config via clipboard and lost a character, the file was saved in UTF-16 encoding instead of UTF-8, or there are spaces in the keys.

PrivateKey and PublicKey in WireGuard are base64 strings exactly 44 characters long, ending with “=”. If the key is shorter or contains spaces — it is invalid. Request a new config from the provider. Do not attempt to edit the keys manually — one incorrect character, and the tunnel will not come up.