Understanding Your WireGuard Configuration File

Last updated 15 Mar 2026

When you create a WireGuard user and download the .conf file, it contains all the settings your WireGuard client needs to establish a secure tunnel to your dedicated server. This article explains each part of the configuration.

Example Configuration

A typical configuration file looks like this:

[Interface]
PrivateKey = cGF0aC90by9wcml2YXRla2V5...
Address = 10.66.66.2/32
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = c2VydmVyLXB1YmxpYy1rZXk...
PresharedKey = cHJlc2hhcmVkLWtleS1oZXJl...
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

[Interface] Section

This section defines your device's identity on the VPN.

PrivateKey — Your device's unique private key. It is generated on the server when you create the user and is stored in only two places: your configuration file and, in encrypted form, the PremierVPN database. Never share this key with anyone.

Address — Your device's internal IP address within the WireGuard network. Each user gets a unique address (for example, 10.66.66.2, 10.66.66.3, etc.). The /32 means this is a single host address.

DNS — The DNS servers your device will use while connected to the VPN. By default these are set to Cloudflare (1.1.1.1) and Google (8.8.8.8) for fast, reliable resolution.

[Peer] Section

This section defines the server you are connecting to.

PublicKey — The server's public key. Your client uses this to verify it is connecting to the correct server.

PresharedKey — An additional symmetric key shared between your device and the server. This adds a layer of symmetric-key protection on top of the standard key exchange, intended to provide post-quantum resistance.

Endpoint — The server's public IP address and WireGuard port. This is where your client sends encrypted packets.

AllowedIPs — Defines which traffic goes through the VPN tunnel. 0.0.0.0/0, ::/0 means all IPv4 and IPv6 traffic is routed through the VPN (full tunnel mode).

PersistentKeepalive — Sends a keepalive packet every 25 seconds. This keeps the connection alive through firewalls and NAT devices, which is important for maintaining port forwards and receiving incoming connections.

Security Notes

  • Your PrivateKey is the most sensitive part of the configuration. Anyone with access to it can impersonate your device on the VPN.
  • The configuration file should be stored securely and not shared publicly.
  • If you suspect a configuration has been compromised, remove the user from your WireGuard management page and create a new one. This generates entirely new keys.
  • PremierVPN stores your private key in an encrypted form. Our staff cannot see your raw private key.

Modifying the Configuration

You can manually edit the configuration file if needed:

  • Change DNS: Replace the DNS values with your preferred servers.
  • Split tunnelling: Change AllowedIPs to only route specific subnets through the VPN. For example, 10.66.66.0/24 would only route traffic destined for the WireGuard network, while all other traffic uses your normal internet connection.
  • Change MTU: Add MTU = 1420 under the [Interface] section if you experience connectivity issues on certain networks.
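
After editing a configuration by hand, it is worth checking the points raised in the Security Notes and in the list above. The script below is an added example, not PremierVPN's or the WireGuard project's code. The names audit_wg_conf, fake_key and SAMPLE are hypothetical, the keys are constructed placeholders, and it assumes a single [Peer] section with routing that follows AllowedIPs, as it does under wg-quick.

```python
import base64, configparser, ipaddress

def fake_key(b):  # constructed placeholder key material, never a real key
    return base64.b64encode(bytes([b]) * 32).decode()
# Constructed sample: the article's values with the split-tunnel AllowedIPs.
SAMPLE = f"""[Interface]
PrivateKey = {fake_key(1)}
Address = 10.66.66.2/32
DNS = 1.1.1.1, 8.8.8.8
[Peer]
PublicKey = {fake_key(2)}
PresharedKey = {fake_key(3)}
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.66.66.0/24
"""

def audit_wg_conf(text, file_mode=None):
    """Audit a single-peer client config; return (tunnel_mode, findings)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    findings = []
    # The file holds the PrivateKey, so only its owner should be able to read it.
    if file_mode is not None and file_mode & 0o077:
        findings.append("file is accessible to group/others; chmod 600")
    # WireGuard keys are 32 bytes, base64-encoded; PresharedKey is optional.
    for section, name in (("Interface", "PrivateKey"), ("Peer", "PublicKey"),
                          ("Peer", "PresharedKey")):
        value = cp.get(section, name, fallback=None)
        if value is None and name == "PresharedKey":
            continue
        try:
            valid = len(base64.b64decode(value or "", validate=True)) == 32
        except ValueError:
            valid = False
        if not valid:
            findings.append(f"{name} is missing or not a 32-byte base64 key")
    # AllowedIPs decides which destinations are routed into the tunnel.
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in cp.get("Peer", "AllowedIPs", fallback="").split(",") if n.strip()]
    mode = "full" if any(n.prefixlen == 0 for n in nets) else "split"
    # A DNS server outside AllowedIPs is reached over the normal connection.
    for d in cp.get("Interface", "DNS", fallback="").split(","):
        try:
            addr = ipaddress.ip_address(d.strip())
        except ValueError:
            continue  # empty entry or a search domain, not an address
        if not any(addr.version == n.version and addr in n for n in nets):
            findings.append(f"DNS {addr} is outside AllowedIPs")
    return mode, findings
```

For a file on disk, pass its text together with os.stat(path).st_mode. With the split-tunnel sample, both default DNS servers are reported as outside AllowedIPs, meaning name lookups would not travel through the VPN.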

FAQs

Can I use the same configuration file on two devices at the same time?

Technically yes, but it is not recommended. WireGuard allows only one active session per key pair, so the second device may cause the first to disconnect intermittently. Create a separate user for each device instead.

Do I need to update the configuration if the server IP changes?

Yes. If your server's IP address changes (which is rare), you will need to download a new configuration file or manually update the Endpoint value.