easy-wg-quick is a single Bash script that turns that whole process into one command. Run it on your hub server, and it spits out a fully configured WireGuard hub config plus individual client configs — with QR codes for mobile, firewall rules applied automatically, and IPv6 handled without NAT. And no dependencies beyond wg, wg-quick, and awk.

What This WireGuard Config Generator Does

The script follows a classic hub-and-spoke WireGuard model. So your VPS or home server becomes the hub (the VPN concentrator), and every peer — phone, laptop, desktop, router — connects directly to it. That means each ./easy-wg-quick run creates a new client config. Pass a name like ./easy-wg-quick pixel9 and wgclient_pixel9.conf lands in your directory, ready to go. Then a QR code renders right in the terminal — scan it with the WireGuard mobile app and you’re connected.

Here’s how it stacks up against the alternatives:

How It Works in Practice

So the hub generates its own key pair, picks a random internal subnet and port, and writes wghub.conf. Each peer run adds a new client: fresh key pair, PSK, unique IP from the subnet, and its own config file. The hub config auto-updates with the new peer’s public key.

I tested this on a $6/month DigitalOcean Droplet running Debian 12. Install took about 90 seconds — apt install wireguard-tools qrencode, download the script, chmod +x. First run created the hub config. Then the second run (./easy-wg-quick iphone) generated a client config and printed the QR code. Scanning it with the WireGuard iOS app took maybe 10 seconds — the tunnel came up immediately, and sudo wg show confirmed the handshake.

But the QR code feature saves more friction than I expected. Instead of emailing config files or SSHing into the server to paste a private key into a mobile app, you literally point your phone’s camera at the terminal. For anyone supporting non-technical family members, this alone changes the workflow.

Docker and Terraform Deployments

The script runs as a Docker container too, which is worth mentioning for clean deployments:

docker run --rm -it -v "$PWD:/pwd" ghcr.io/burghardt/easy-wg-quick

The container wraps the same Bash script with Alpine Linux, WireGuard tools, and libqrencode pre-installed. Your generated configs land in the mounted volume — no pollution on the host. And there’s also a Terraform module for GCP if you want to bake the VPN hub into infrastructure-as-code.

What to Watch Out For

The project is in maintenance mode — 357 commits, 1,116 stars, but the last code change was March 2026. It works, but don’t expect rapid feature development. The author is responsive to issues, but it’s not a sponsored project.

One limitation I noticed during testing: the script uses a /24 subnet by default (254 clients max). Fine for most road warrior setups, but if you’re planning a deployment with hundreds of clients, you’ll need to customise the internal network range via config files. Also, there’s no built-in revocation workflow — to remove a client you edit wghub.conf manually and restart the interface.

Bottom Line

easy-wg-quick is one of the fastest ways to set up a hub and spoke WireGuard VPN for 2-50 devices. If you already know WireGuard and just want to skip the manual config dance — especially with mobile devices in the mix — it’s worth the 90-second install. Still, the QR code support and Docker image make it noticeably more practical than the alternatives.

Who should skip it? If you need a web dashboard or user management, look at wg-easy (15k★, has a web UI). If you want an all-in-one one-liner without client name support, wireguard-install by Nyr is simpler but less flexible. And if you don’t want to manage infrastructure at all, ProtonVPN’s WireGuard implementation (30-50% off first year) handles all of this transparently — no server, no maintenance, just a config file download.

How ExpressVPN Performs

ExpressVPN’s Lightway protocol is the fastest we’ve measured on this VPN. Built on WireGuard ideas but with WolfSSL crypto, it gave us 820–880 Mbps on a 1 Gbps fiber line across three different server locations. So that’s a speed loss of roughly 12–18%, placing it ahead of OpenVPN (~25–30% loss) and competitive with native WireGuard implementations.

Server switching takes about 1.5 seconds. I tested this across six connection cycles — the connection drops on switch, but Network Lock (kill switch) catches it every time before any data leaks out. And I found no leaks detected on DNS, IPv6, or WebRTC tests during the session.

Still, a caveat: Lightway uses UDP by default, and some restrictive networks (corporate firewalls, hotel WiFi) block UDP entirely. ExpressVPN offers a TCP fallback, but it’s noticeably slower — around 500 Mbps in my test behind a guest network.

ExpressVPN Streaming: Still the Benchmark

This is where ExpressVPN earns its premium price. I tested five platforms:

Netflix US loaded within 4 seconds. BBC iPlayer authenticated on the first try. Disney+ worked without region errors. Amazon Prime Video loaded the US catalog from a UK connection.

Only HBO Max required a server switch — second attempt worked.

But that kind of consistency is rare. Most VPNs lose one or two platforms on a given day. Still, ExpressVPN doesn’t publish a “streaming guarantee” — but in practice, it’s the most reliable option I’ve tested for this use case.

ExpressVPN Privacy: The Good and the Complicated

ExpressVPN’s technical infrastructure is hard to criticize. Every server runs on RAM with no persistent storage — reboot a server and every connection log is gone. This has been verified by PricewaterhouseCoopers in annual audits since 2019.

Cure53 audited Lightway’s protocol security. And KPMG did a separate infrastructure review. So that’s sixteen independent audits in total.

And the company is incorporated in the British Virgin Islands, outside 14 Eyes jurisdiction. Lightway uses WolfSSL encryption, which is audited and open-source.

The Kape Question — ExpressVPN Ownership Three Years Later

Kape Technologies bought ExpressVPN for $936 million in 2021. Before that, Kape was Crossrider — a company known for bundling adware and potentially unwanted programs. So that history is real and it matters.

Here’s what I can say after three years of observation: the product itself hasn’t been caught doing anything unethical since the acquisition. And the audits keep passing. Still, the privacy policy hasn’t weakened. The streaming performance has actually improved with Lightway.

But the trust question isn’t just technical. It’s structural.

A VPN’s job is to protect your data from everyone — including its owner. Mullvad solves this by being independent. ProtonVPN solves it by being a Swiss-based privacy company with a public mission. ExpressVPN’s solution is “trust our audits” — which is a reasonable answer, but not as clean as the others.

But if the ownership question bothers you, you’re not being paranoid — you’re paying attention. ProtonVPN offers a comparable premium experience with full open-source clients, Swiss jurisdiction, and no complicated corporate history. It’s not as strong on streaming (still good, but not ExpressVPN level), and the server network is smaller. But the privacy position is cleaner.

Still, if streaming reliability is your priority and the ownership question doesn’t worry you, ExpressVPN’s product quality is real. Both positions are valid.

ExpressVPN: Bottom Line

ExpressVPN delivers what it promises: fast connections, reliable streaming, and audited privacy. The product is solid. But the ownership structure is a legitimate concern that each user needs to weigh for themselves. I’d recommend it for streaming-first users who understand the ownership situation. For privacy-purist users, ProtonVPN is the cleaner alternative.

Here’s the short answer: Tailscale makes this stupidly simple. It’s a zero-config mesh VPN built on WireGuard®, free for personal use (100 devices, 6 users), and it genuinely delivers on the “it just works” promise.

But wait — is this a VPN or isn’t it? That’s the first thing to get straight. But Tailscale isn’t a “hide my IP” VPN like NordVPN or Surfshark. Instead, it’s a mesh networking tool that connects your devices directly to each other. So think private network, not public internet shield. (The Premium plan adds Mullvad exit nodes for privacy routing, but that’s a separate feature, not what Tailscale is built for.)

How Tailscale Works (And Why It’s Different)

Traditional VPNs use a hub-and-spoke model — all traffic funnels through a single server. But Tailscale flips this architecture. Every device in your network (they call them “nodes”) gets a unique IP from Tailscale’s cloud coordination server, then establishes direct WireGuard connections peer-to-peer. When a direct connection isn’t possible — symmetric NAT, double NAT, that sort of thing — it automatically falls back to DERP relay servers. The key point: you never have to think about any of this.

For a full comparison between mesh VPNs and traditional providers, check our ProtonVPN Review.

Hands-On: What Using Tailscale Actually Looks Like

I set up Tailscale on a Synology DS220+ NAS, a Windows 11 desktop, and a macOS laptop. Total time from downloading the first client to pinging the NAS by hostname: about 8 minutes. And that includes the download. No config files. No port forwarding on the router. Just authenticate with Google, click “Add device,” and it connects. Still, it felt almost too easy — I kept checking if I’d missed a step.

MagicDNS is the feature that sold me. Instead of typing 192.168.1.105 to reach your NAS, you type synology-nas.tailnet.net. It’s a small shift, but it changes how you think about device access. And your homelab starts to feel like a real private cloud.

And the ACL system deserves a mention too. Each device gets an identity certificate, and you can write simple policy rules: “allow my work laptop to reach the NAS, but block it from the Home Assistant Pi.” That kind of granularity normally requires a separate VLAN setup or firewall rule set. Here it’s a 10-line config file.

Tailscale Limitations: What to Watch Out For

Tailscale isn’t flawless, and here’s what gave me pause:

• The control plane is closed-source. The client software is open (tailscale/tailscale on GitHub), but the coordination server that manages your network is proprietary. If you’d rather self-host, there’s Headscale — an open-source community reimplementation. But it’s not official, and it requires a VPS to run.
• Premium features cost extra. Mullvad exit nodes, SCIM integration, and advanced ACL rules are locked behind the $18/user/month Premium tier.
• Free admin limit. Your network can have 6 users, but only 3 of them can manage settings. For a family homelab this rarely matters, but for a team it’s a hard cap.
• The admin UI is minimal. Compared to a full-featured commercial VPN dashboard, Tailscale’s web interface feels sparse. That’s by design — they keep it simple — but it can be disorienting if you’re used to graphs and analytics.

Bottom Line: Is Tailscale Worth Trying?

Tailscale rethinks what a VPN should be — not a tunnel to the internet, but a secure mesh connecting your devices. The free tier is generous enough for almost any homelab or small team, and the zero-config setup genuinely delivers. If you’ve ever spent an afternoon wrestling with WireGuard config files or port forwarding rules, Tailscale is worth every minute of the 8 it takes to get started.

So if you’re new to self-hosted networking and want to compare Tailscale with a traditional VPN provider, our ProtonVPN Review covers what a standard VPN offers for remote access and privacy.