WireGuard config generator
Generate matching server and client WireGuard configurations, including fresh X25519 keypairs and an optional preshared key. All keys are generated inside your browser and never leave it: nothing is uploaded, logged or stored. Download the .conf or scan the QR code with the WireGuard mobile app.
Server config
Save as /etc/wireguard/wg0.conf on the server, then: systemctl enable --now wg-quick@wg0
Client config
QR code for the mobile app
In the WireGuard app: add tunnel, "Create from QR code". The QR is drawn locally on a canvas; it encodes the client config above, including its private key, so only scan it on a device you trust.
Notes on the security model
WireGuard keys are Curve25519 (X25519) keypairs. This page asks your browser's Web Crypto API to generate them, which means no third-party cryptography library is downloaded or trusted: the same code that protects your TLS sessions generates the keys. The QR code is drawn by a small, version-pinned library served from this site with an integrity hash, and it never sees the network.
The preshared key is an optional extra: WireGuard mixes it into the handshake as a symmetric secret, so even if Curve25519 were broken some day (for example by a large quantum computer), recorded traffic would still not decrypt without the preshared key. The tradeoff is operational: it is one more secret to distribute to both ends, which is why many setups skip it.
Generating keys in a browser is convenient but not the gold standard: on a hardened server you would run wg genkey so the private key never exists outside that machine. For a homelab, a VPS or a road-warrior phone setup, browser generation with keys that never leave the page is a reasonable middle ground, and strictly better than the sites that upload your keys to render the config server-side.