When hosting a Minecraft server on your own computer, the most annoying part isn't starting the server—it's getting your friends to connect.

Without a public IP, not knowing how to configure port forwarding, and ISPs potentially blocking ports... you spend ages messing around, and your friends still can't join. It's pretty frustrating.

I solve this using WireGuard + a VPS. The core idea is: put your home computer and the VPS into the same virtual local area network (VLAN) first, and then let players connect through the VPS or a virtual IP.

Use Case

This guide is for when you are running a Minecraft server at home or in a dorm, but your friends can't connect from the outside network.

  • You don't have a public IP, or your public IP is unstable.
  • You don't want to deal with complex manual port forwarding on your router.
  • You have a VPS with internet access.
  • You are okay with Minecraft traffic being relayed through the VPS.

If you already have a public IP and port forwarding works reliably, you don't need WireGuard.

Two Solutions

Look at your needs first. Don't just force everyone to install WireGuard right away.

Solution Who installs WireGuard? Best for Trade-offs
Solution A: Public Forwarding Only the server host When you want friends to connect directly to the VPS IP All traffic goes through the VPS; latency might be slightly higher
Solution B: Full Mesh Network Host and all players A small, long-term group of friends wanting a LAN-like experience Everyone has to configure a client

For beginners, I recommend starting with Solution A. Get it running first; don't overcomplicate things from the start.

Prerequisites

You will need:

  1. A VPS with a public IP. Debian/Ubuntu is the easiest to use.
  2. The WireGuard client installed on the host computer.
  3. VPS firewall and cloud provider security groups configured to allow:
    • UDP 51820
    • TCP 25565
  4. A Minecraft server that runs normally on the host computer.

If you can't even connect to Minecraft locally, fix Minecraft first. Don't suspect WireGuard yet.

Final Result

Once finished, friends can connect to your Minecraft server via the VPS entry point. The host computer and the VPS will form a virtual local network using WireGuard, and the VPS will forward external player connections to your home server.

If you use Solution B, players will also join the same WireGuard network, creating an experience closer to a LAN multiplayer game.

Installing WireGuard on the VPS

Run this on your VPS:

sudo apt update
sudo apt install wireguard -y

Generate the server keys:

sudo mkdir -p /etc/wireguard
cd /etc/wireguard
wg genkey | sudo tee privatekey | wg pubkey | sudo tee publickey

View the public key:

sudo cat /etc/wireguard/publickey

Do not share the private key. You can share the public key.

Enable IP forwarding:

sudo sysctl -w net.ipv4.ip_forward=1
sudo sed -i '/net.ipv4.ip_forward=1/s/^#//' /etc/sysctl.conf
sudo sysctl -p

Solution A: Public Forwarding

In this solution, your friends do not need to install WireGuard. They just connect directly to VPS公网IP:25565.

1. Generate Keys on the Host Computer

Open the WireGuard client and add an empty tunnel. The client will automatically generate a private key and a public key.

You only need to copy the host computer's public key to paste into the VPS configuration later.

2. Configure the VPS

Edit the configuration file:

sudo nano /etc/wireguard/wg0.conf

Example:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <VPS私钥>

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A PREROUTING -p tcp --dport 25565 -j DNAT --to-destination 10.0.0.2
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D PREROUTING -p tcp --dport 25565 -j DNAT --to-destination 10.0.0.2

[Peer]
PublicKey = <服主电脑公钥>
AllowedIPs = 10.0.0.2/32

10.0.0.2 is the host computer's virtual IP inside WireGuard.

3. Configure the Host Computer

Fill this into the WireGuard client:

[Interface]
PrivateKey = <服主电脑私钥>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <VPS公钥>
Endpoint = <VPS公网IP>:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25

The PrivateKey here is usually already filled in by the client. Don't accidentally overwrite it with the wrong one.

4. Start and Test

Start it on the VPS:

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Start WireGuard on the host computer.

Then test it on the host computer:

ping 10.0.0.1

If the ping goes through, the tunnel is connected.

Next, start the Minecraft server. Have your friends connect to:

<VPS公网IP>:25565

If they can't connect, check if 25565 is allowed on the VPS first, and then check if the local firewall is blocking Java.

Solution B: Full Mesh Network

This solution acts more like a true virtual local network. Everyone gets a 10.0.0.x address.

This is best for a steady group of friends playing long-term. The downside is obvious: everyone has to install the client, and if even one config is wrong, they won't be able to connect.

1. Collect Everyone's Public Keys

Have every player install WireGuard, add an empty tunnel, and send their public key to you.

Assign an IP to everyone:

Person Virtual IP
VPS 10.0.0.1
Server Host 10.0.0.2
Player A 10.0.0.3
Player B 10.0.0.4

Do not overlap IPs. If they overlap, it's game over.

2. VPS Configuration

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <VPS私钥>

[Peer]
PublicKey = <服主公钥>
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <玩家A公钥>
AllowedIPs = 10.0.0.3/32

[Peer]
PublicKey = <玩家B公钥>
AllowedIPs = 10.0.0.4/32

For every new person, add another [Peer].

3. Player Client Configuration

Everyone's configuration looks similar, just with different private keys and addresses.

Server Host:

[Interface]
PrivateKey = <服主自己的私钥>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <VPS公钥>
Endpoint = <VPS公网IP>:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25

Player A:

[Interface]
PrivateKey = <玩家A自己的私钥>
Address = 10.0.0.3/24
DNS = 1.1.1.1

[Peer]
PublicKey = <VPS公钥>
Endpoint = <VPS公网IP>:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25

The private key must belong to that specific person. Do not just mass-send the exact same config file; it won't work.

4. Connecting to the Game

Start on VPS:

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

After everyone starts WireGuard, ping each other:

ping 10.0.0.1
ping 10.0.0.2

If the ping goes through, players can just connect to the host's virtual IP:

10.0.0.2:25565

Troubleshooting

A few common issues:

Issue Where to look first
WireGuard isn't handshaking Public Key, Endpoint, UDP 51820, Security Group
Handshake successful but can't ping AllowedIPs, IP forwarding, Firewalls
Can ping but can't enter the server Is Minecraft running? TCP 25565, Local firewall
Solution A players can't connect VPS port forwarding rules, Cloud provider security group

Check WireGuard status:

sudo wg

You are only truly connected if you see a latest handshake. If there's no handshake, don't even look at Minecraft; the problem is still at the network layer.

Final Thoughts

My personal recommendations:

  • Temporary server: Solution A.
  • Fixed group of friends playing long-term: Solution B.
  • Don't want to explain configs to everyone: Solution A.
  • Want lower latency and better privacy: Solution B.

Get it running first, then optimize. If you try to make everything perfect from the start when dealing with networks, you'll likely get stuck on a really stupid config error.