WireGuard Has No Clients or Servers

Most VPNs teach you to think in terms of clients and servers. WireGuard breaks that pattern: every device is a peer. The configs are symmetrical, and the difference between a “server” and a “client” comes only from who listens and who initiates — not from different software or roles baked into the protocol.

This model is simpler, but also more powerful. A Raspberry Pi at home can be the hub. A laptop can be both client and relay. Even a phone can route traffic for another peer. Once you see that peers are interchangeable, you realize you can design your network topologies however you want — from simple point-to-point tunnels to relays that link whole networks together.

And remember: it’s baked into the Linux kernel (and into Windows too).

WireGuard Config Basics

Peer
Any WireGuard participant. There’s no functional distinction between client and server — configs are the same on both sides.

Interface
The [Interface] block defines the peer itself: private key, address, and optional port or DNS.

Peer Block
The [Peer] block lists who you connect to: their public key, endpoint, and routing rules via AllowedIPs.

Endpoint
The reachable IP:port of a peer. A “server” is just a peer that listens for incoming connections.

Relay
A peer that connects to multiple others and forwards traffic between them, bridging otherwise separate networks. For example: Peer → Relay → Peer. And it’s all the same software.