WireGuard Windows setup

Before proceeding with the commands described, please ensure you're using the latest version of WireGuard and have administrator rights on your device

Setup

1) Download the current version for Windows: https://www.wireguard.com/install/ and install
2) Run C:\Program Files\WireGuard\wireguard.exe and add an empty tunnel (we will configure the server side):
Add tunnel → Add empty tunnel ...

We register the settings:
Name - the name of the network connection
Public key - public key of the WireGuard server (needed to configure the client side)

[Interface]
PrivateKey = # private key of WireGuard server 
ListenPort = # port that WireGuard will listen to 
Address = # desired IP address of WireGuard server

Enable settings to allow the WG server to use the main network interface

3) Add another empty tunnel (we will configure the client side): Add tunnel → Add empty tunnel
We register the settings:
Name - the name of the network connection
Public key - the public key of the WireGuard client (needed to configure the server side)

[Interface]
PrivateKey = # WireGuard client private key
Address = # desired IP address of WireGuard client
[Peer]
PublicKey = # public key of the WireGuard server (from step 2)
AllowedIPs = # specify the IP addresses for which you want to use the created WG tunnel (specifying the subnet 0.0.0.0/0 will allow you to route all traffic to the WG tunnel)
Endpoint = # Server IP address (real, not WireGuard) and port that WireGuard server listens on (configured in step 2)

4) Now we need to add our client to the WireGuard server part, to do this go back to step 2 and add its config:

...
[Peer]
PublicKey = #WireGuard client public key (from step 3)
AllowedIPs = #IP user address

5) Let’s configure the Windows Firewall for WireGuard. To do this:

Create a new inbound rule:
- Open "Windows Defender Firewall with Advanced Security."
- In the left panel, select "Inbound Rules."
- Click "New Rule...".
Specify the protocol (UDP) and ports (e.g., 51820):
- In the "New Inbound Rule Wizard" window, select "Port" and click "Next."
- In the "Protocol and Ports" section, select the protocol type:
  - Choose "UDP."
- Specify the specific local ports:
  - For example, the default WireGuard port is 51820.
  - If multiple ports are used, list them separated by commas (e.g., 51820, 51821).
- Click "Next."
Allow the connection:
- In the "Action" section, select "Allow the connection."
- Click "Next."
Save the rule:
- Specify the profiles to which the rule will apply:
  - Domain;
  - Private;
  - Public.
- Click "Next."
- Provide a meaningful name for the new rule, such as "WireGuard UDP 51820."
- Click "Finish."

Now, your firewall is configured to allow traffic through the specified WireGuard ports.

6) Now it is sufficient to export the configuration files Export all tunnels to zip→ Specify location for export→Save

Next, open the saved archive, there will be configurations of all our tunnels.
Give the client its configuration file.
7) On the server, select the server config and run the program

8) On the client add configuration file to WireGuard. Add Tunnel→Select client configuration file->Open

Select client config and run

This completes the configuration of the first client, similarly configuring the other clients by adding their data to the server config (step 4)

Auto-start WireGuard after a server restart.

1) Add the startup file to the Windows scheduler autorun: Start→taskschd.msc

Click on "Create simple task" → Enter a Name for the task (e.g. wireguard) → Next

Select "On computer startup"→ Next

Select "Start programme"→ Next

In the "Program or Script" field, select our file to run WireGuard (default is "C:\Program Files\WireGuard\wireguard.exe")
Add arguments:

/installtunnelservice "C:\Program Files\WireGuard\wg_server.conf"

where:

C:\Program Files\WireGuard\wg_server.conf - location of the configuration file .conf

Check "Open the Properties window for this task after you have clicked 'Done'"→ Done

In the window that opens, tick the "Run with the highest rights"→OK

Done. Do a reboot, check