How to best set up & use a VPN with WireGuard on desktop Linux

Community Wiki
1

If you for whatever reason do not trust your VPN apps’ GUI to enable the kill-switch and have it work or stick to ensure of no VPN leaks, then the following is the best way for one to set up and use a VPN on your Linux desktop.

The solution is to set up & use your VPN with WireGuard set up via the CLI (terminal) with the kill-switch enabled.

The following should be easy to understand steps for anyone to follow:

  1. Intall WireGuard for your desktop Linux from the official website here: Installation - WireGuard
  2. Download your VPN config file from your VPN service provider.
  3. Open your VPN config file.
  4. Add the following lines of code under Interface:
PostUp  =  iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
  1. Save file.
  2. Add this saved file in your wireguard folder usually found here: admin:///etc/wireguard
  3. Open a new terminal window, enter the following and press enter: systemctl enable wg-quick@config-file-name

Note: config-file-name is the name of the VPN config file you downloaded and moved to the wireguard folder earlier.

  1. Enter your user admin password to authenticate when prompted.
  2. Start your VPN connection by typing the following and pressing enter in your terminal: sudo wg-quick up config-file-name
  3. Your VPN is now connected to the country and location of your choice. Reboot your computer for good measure.

And that’s it. Now upon reboot, your VPN tunnel is established as soon as possible (likely even before your DE GUI loads up for you to see). And the best part is that this method will absolutely prevent any VPN leaks because it is tied to your OS directly with WireGuard.

If at all you need to disable your VPN connection, type the following and press enter in your terminal: sudo wg-quick down config-file-name

Nothing I have shared here is new information on the internet. This write up is meant to serve as an easy to follow guide for the titular statement for those who want a direct answer wanting to potentially avoid spending hours of research to only learn the same information shared here.

Additional resources include the following:

  1. Mullvad: WireGuard on Linux terminal (easy)
  2. Mullvad: WireGuard on Linux terminal (advanced)
  3. Proton VPN: How to use WireGuard on Linux | Proton VPN

Final Note: the aforementioned instructions only work for and on systemd-enabled Linux distributions. And if you are a beginner using desktop Linux, you are most likely already using such a distro so you do not need to worry about why I mention this.

Last edited by @JG 2025-12-15T20:01:10Z

8 Likes
ProtonVPN Additional note: Killswitch failure and IP Leakage on Linux
Critique my VPN set up
How should I install apps that do not have verified flatpak version on fedora atomic distro?
ProtonVPN Additional note: Killswitch failure and IP Leakage on Linux
Best way to establish a VPN connection under Linux