When hosting a Minecraft server on your own computer, the most annoying part isn't starting the server—it's getting your friends to connect.
Without a public IP, not knowing how to configure port forwarding, and ISPs potentially blocking ports... you spend ages messing around, and your friends still can't join. It's pretty frustrating.
I solve this using WireGuard + a VPS. The core idea is: put your home computer and the VPS into the same virtual local area network (VLAN) first, and then let players connect through the VPS or a virtual IP.
Use Case
This guide is for when you are running a Minecraft server at home or in a dorm, but your friends can't connect from the outside network.
- You don't have a public IP, or your public IP is unstable.
- You don't want to deal with complex manual port forwarding on your router.
- You have a VPS with internet access.
- You are okay with Minecraft traffic being relayed through the VPS.
If you already have a public IP and port forwarding works reliably, you don't need WireGuard.
Two Solutions
Look at your needs first. Don't just force everyone to install WireGuard right away.
| Solution | Who installs WireGuard? | Best for | Trade-offs |
|---|---|---|---|
| Solution A: Public Forwarding | Only the server host | When you want friends to connect directly to the VPS IP | All traffic goes through the VPS; latency might be slightly higher |
| Solution B: Full Mesh Network | Host and all players | A small, long-term group of friends wanting a LAN-like experience | Everyone has to configure a client |
For beginners, I recommend starting with Solution A. Get it running first; don't overcomplicate things from the start.
Prerequisites
You will need:
- A VPS with a public IP. Debian/Ubuntu is the easiest to use.
- The WireGuard client installed on the host computer.
- VPS firewall and cloud provider security groups configured to allow:
- UDP
51820 - TCP
25565
- UDP
- A Minecraft server that runs normally on the host computer.
If you can't even connect to Minecraft locally, fix Minecraft first. Don't suspect WireGuard yet.
Final Result
Once finished, friends can connect to your Minecraft server via the VPS entry point. The host computer and the VPS will form a virtual local network using WireGuard, and the VPS will forward external player connections to your home server.
If you use Solution B, players will also join the same WireGuard network, creating an experience closer to a LAN multiplayer game.
Installing WireGuard on the VPS
Run this on your VPS:
sudo apt update
sudo apt install wireguard -yGenerate the server keys:
sudo mkdir -p /etc/wireguard
cd /etc/wireguard
wg genkey | sudo tee privatekey | wg pubkey | sudo tee publickeyView the public key:
sudo cat /etc/wireguard/publickeyDo not share the private key. You can share the public key.
Enable IP forwarding:
sudo sysctl -w net.ipv4.ip_forward=1
sudo sed -i '/net.ipv4.ip_forward=1/s/^#//' /etc/sysctl.conf
sudo sysctl -pSolution A: Public Forwarding
In this solution, your friends do not need to install WireGuard. They just connect directly to VPS公网IP:25565.
1. Generate Keys on the Host Computer
Open the WireGuard client and add an empty tunnel. The client will automatically generate a private key and a public key.
You only need to copy the host computer's public key to paste into the VPS configuration later.
2. Configure the VPS
Edit the configuration file:
sudo nano /etc/wireguard/wg0.confExample:
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <VPS私钥>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A PREROUTING -p tcp --dport 25565 -j DNAT --to-destination 10.0.0.2
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D PREROUTING -p tcp --dport 25565 -j DNAT --to-destination 10.0.0.2
[Peer]
PublicKey = <服主电脑公钥>
AllowedIPs = 10.0.0.2/3210.0.0.2 is the host computer's virtual IP inside WireGuard.
3. Configure the Host Computer
Fill this into the WireGuard client:
[Interface]
PrivateKey = <服主电脑私钥>
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = <VPS公钥>
Endpoint = <VPS公网IP>:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25The PrivateKey here is usually already filled in by the client. Don't accidentally overwrite it with the wrong one.
4. Start and Test
Start it on the VPS:
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0Start WireGuard on the host computer.
Then test it on the host computer:
ping 10.0.0.1If the ping goes through, the tunnel is connected.
Next, start the Minecraft server. Have your friends connect to:
<VPS公网IP>:25565If they can't connect, check if 25565 is allowed on the VPS first, and then check if the local firewall is blocking Java.
Solution B: Full Mesh Network
This solution acts more like a true virtual local network. Everyone gets a 10.0.0.x address.
This is best for a steady group of friends playing long-term. The downside is obvious: everyone has to install the client, and if even one config is wrong, they won't be able to connect.
1. Collect Everyone's Public Keys
Have every player install WireGuard, add an empty tunnel, and send their public key to you.
Assign an IP to everyone:
| Person | Virtual IP |
|---|---|
| VPS | 10.0.0.1 |
| Server Host | 10.0.0.2 |
| Player A | 10.0.0.3 |
| Player B | 10.0.0.4 |
Do not overlap IPs. If they overlap, it's game over.
2. VPS Configuration
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <VPS私钥>
[Peer]
PublicKey = <服主公钥>
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <玩家A公钥>
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = <玩家B公钥>
AllowedIPs = 10.0.0.4/32For every new person, add another [Peer].
3. Player Client Configuration
Everyone's configuration looks similar, just with different private keys and addresses.
Server Host:
[Interface]
PrivateKey = <服主自己的私钥>
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = <VPS公钥>
Endpoint = <VPS公网IP>:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25Player A:
[Interface]
PrivateKey = <玩家A自己的私钥>
Address = 10.0.0.3/24
DNS = 1.1.1.1
[Peer]
PublicKey = <VPS公钥>
Endpoint = <VPS公网IP>:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25The private key must belong to that specific person. Do not just mass-send the exact same config file; it won't work.
4. Connecting to the Game
Start on VPS:
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0After everyone starts WireGuard, ping each other:
ping 10.0.0.1
ping 10.0.0.2If the ping goes through, players can just connect to the host's virtual IP:
10.0.0.2:25565Troubleshooting
A few common issues:
| Issue | Where to look first |
|---|---|
| WireGuard isn't handshaking | Public Key, Endpoint, UDP 51820, Security Group |
| Handshake successful but can't ping | AllowedIPs, IP forwarding, Firewalls |
| Can ping but can't enter the server | Is Minecraft running? TCP 25565, Local firewall |
| Solution A players can't connect | VPS port forwarding rules, Cloud provider security group |
Check WireGuard status:
sudo wgYou are only truly connected if you see a latest handshake. If there's no handshake, don't even look at Minecraft; the problem is still at the network layer.
Final Thoughts
My personal recommendations:
- Temporary server: Solution A.
- Fixed group of friends playing long-term: Solution B.
- Don't want to explain configs to everyone: Solution A.
- Want lower latency and better privacy: Solution B.
Get it running first, then optimize. If you try to make everything perfect from the start when dealing with networks, you'll likely get stuck on a really stupid config error.