
WireGuard VPN on Pulsed Media Seedboxes

From Pulsed Media Wiki


Your Pulsed Media seedbox sits in a datacenter Pulsed Media owns outright — not rented racks, not cloud instances — and it has been there, continuously, since the company opened in 2009. That same server can run WireGuard as a personal VPN endpoint, routing all of your home internet traffic through Finland under Finnish law, using cryptographic keys that never leave your own device. This guide walks through the five-step setup and the reasons behind the design choices.

What WireGuard is

WireGuard is a VPN protocol that sets up an encrypted tunnel between your device and a server. What sets it apart from older protocols like OpenVPN or IPsec is its simplicity and fixed security design. OpenVPN, which ran most consumer VPNs through the 2010s, relies on OpenSSL and negotiates encryption settings on the fly — cipher suites, key exchanges, all decided during the handshake. That flexibility opened doors to downgrade attacks or weak configurations. Its codebase clocks in at about 70,000 lines of C, which means more code to audit, more bugs to find, more complexity overall.

IPsec piles on even more: modes like transport versus tunnel, IKEv1 or IKEv2, vendor-specific quirks that have tripped up deployments for years. WireGuard flips the script. Its entire codebase is around 4,000 lines. No negotiation — the crypto is locked in place across every implementation worldwide. Curve25519 handles the Diffie-Hellman key exchange at a 128-bit security level. ChaCha20 encrypts the data stream. Poly1305 authenticates messages to block tampering. BLAKE2s does the hashing, SipHash24 maps keys internally. You can't tweak any of it. No AES option, no RSA fallback. It either works or it doesn't, eliminating the handshake vulnerabilities that plagued the others.

The key exchange follows the Noise Protocol Framework's IKpsk2 pattern, the same framework powering Signal and WhatsApp. Noise handshakes are lean, verifiable, and forward-secure — each session mixes ephemeral keys that get discarded after use. WireGuard lives at layer 3, creating a virtual interface like wg0. Packets hit that interface, get encrypted into UDP datagrams, and ship off to the peer. Incoming packets decrypt straight into the kernel's routing stack. No session state to track, no timeouts to babysit. That's why it shrugs off network changes — Wi-Fi to mobile data, IP swaps — better than protocols glued to TCP sessions.

Since Linux kernel 5.6 in March 2020, WireGuard runs natively in the kernel on Pulsed Media's Debian 12 servers. No userspace process burning CPU, no OpenSSL baggage — encryption happens where it's fastest, in kernel space. The wg-quick tool from wireguard-tools sets up the interface and routes, but the heavy lifting is kernel-side. Clients are straightforward: official apps for Windows, macOS, iOS, Android, all using the same INI-style config with [Interface] and [Peer] sections.

On the server end, PMSS handles the Pulsed Media specifics. It spins up wg0 listening on UDP port 51820 and pulls peer public keys from your ~/.wireguard-public-key file to build the config.

Why use a VPN with a seedbox

Pairing a VPN with your seedbox tackles problems that HTTPS alone doesn't touch. Start with torrenting: your seedbox's IP shows up in peer lists and tracker logs, keeping your home IP out of swarms entirely. You pull files over HTTPS from the panel or SFTP, but your ISP still spots those connections — destination IP, ports, timing patterns, even SNI in TLS 1.2 handshakes revealing hostnames. WireGuard encrypts that management traffic into UDP blobs to port 51820. No more visible seedbox panel hits.

Your ISP normally logs everything: destinations, ports (443 for web, 22 for SSH), data volumes, DNS queries if you're using their resolvers. Full-tunnel WireGuard with AllowedIPs = 0.0.0.0/0 blinds them — just UDP to your seedbox. Split-tunnel options let you route only seedbox traffic (AllowedIPs = 10.90.90.0/24) or add PM's range (185.148.0.0/22), leaving general browsing direct.

Beyond ISP eyes, untrusted networks like hotel Wi-Fi or airports expose you to ARP spoofing or packet sniffing. VPN traffic punches out encrypted, dodging local threats. If UDP 51820 gets blocked — real issue in some spots — PMSS offers OpenVPN over TCP 443 as fallback, mimicking HTTPS.

Full tunnel puts your home traffic out via Finland: geo-unblock for EU content, but datacenter IPs like PM's AS203003 range can get flagged by strict services. No shared exits here — your seedbox IP is yours alone, unlike commercial VPNs mixing thousands of users. Cost-wise, commercial VPN providers charge EUR 3–10/month. PM includes it free, even on the permanent free tier (125 MB RAM, 20 GiB disk, 200 GiB/month traffic).

Tunnel-local services shine too. Bind Sonarr or Jackett to your 10.90.90.X address — reachable only by your authenticated peers, with no public exposure and no extra auth layers. IPv6 needs care: without ::/0 in AllowedIPs, IPv6 traffic leaks around the tunnel. Disable IPv6 locally or let the client blackhole it.

Setting up WireGuard on PM

This is the meat of it — five steps to get your tunnel live. It takes about 10 minutes if your prerequisites line up.

Prerequisites

You need a Pulsed Media seedbox — any plan, including the free tier at https://pulsedmedia.com/free-seedbox.php. WireGuard comes standard, no upsell. SSH access is key; grab your FQDN from the welcome email or PMSS panel. See the SSH guide if you're new to it.

Install WireGuard client on your device: apt install wireguard on Debian/Ubuntu Linux, the official app on Windows (from wireguard.com/install), Mac App Store for macOS, app stores for iOS/Android. Command-line works everywhere too — brew install wireguard-tools on macOS, for example.

Step 1: Read wireguard.txt on the seedbox

SSH in: ssh username@yourserver.pulsedmedia.com. Then cat ~/wireguard.txt. PMSS preps this with your server's public key, endpoint (FQDN:51820), your unique 10.90.90.X/32 tunnel IP, DNS suggestion (often 1.1.1.1), AllowedIPs, PersistentKeepalive=25, and a PrivateKey placeholder.

Copy the whole block to your local text editor. Don't touch the placeholder yet. If the file's missing, your server predates WireGuard in PMSS — ping support to deploy it.

Step 2: Generate a client key pair on your local machine

Keys stay local — never ship the private one to the server. On Linux/macOS terminal:

umask 077
wg genkey | tee private.key | wg pubkey > public.key

umask 077 makes the new files mode 600 (owner read/write only). wg genkey outputs a random 32-byte Curve25519 private key in base64 (44 characters). tee saves it to private.key while piping it on to wg pubkey, which derives the public counterpart. Guard private.key like a password — anyone who obtains it can authenticate as your device and use your tunnel.

Windows GUI: Fire up the WireGuard app, Add Tunnel > Add empty. It generates keys, shows the public one. Copy the [Interface] block. Command-line mirrors Linux. Mobile apps generate on new tunnel creation.

Step 3: Register your public key on the seedbox

Back on the seedbox: echo "$(cat public.key)" >> ~/.wireguard-public-key (if you copied public.key up), or paste the string directly: echo "abc123...xyz==" >> ~/.wireguard-public-key. >> appends — don't use > or you'll nuke existing keys. Verify with cat ~/.wireguard-public-key — your 44-character key should be there on its own line.

PMSS's wireguardPeersRefresh.php scans this every few minutes, rebuilds /etc/wireguard/wg0.conf with a [Peer] for your key, and syncs the running config. Wait 2-3 minutes.

Step 4: Build your client configuration file

Paste your private.key contents over the placeholder in the copied wireguard.txt. Final config looks like:

<syntaxhighlight lang="ini">
[Interface]
Address = 10.90.90.123/32
PrivateKey = dGhpc2lzYXNhbXBsZXByaXZhdGVrZXl3aXRoYmFzZTY0ZW5jb2Rpbmc=
DNS = 1.1.1.1

[Peer]
PublicKey = c3ViamVjdHByaXZhdGVrZXl3aXRoYmFzZTY0ZW5jb2Rpbmc=
Endpoint = yourserver.pulsedmedia.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
</syntaxhighlight>

Breakdown: Address is your /32 tunnel IP — private RFC-1918 space. PrivateKey is secret. DNS routes queries through the tunnel, killing leaks (1.1.1.1 works everywhere).

Peer side: PublicKey authenticates the server. Endpoint uses the FQDN for IP stability; swap in the IP if DNS flakes. AllowedIPs decides what gets routed into the tunnel — 0.0.0.0/0 full-tunnels all IPv4; 10.90.90.0/24 split-tunnels just the seedbox subnet. On the server side the same setting doubles as an ACL: the seedbox accepts packets from your key only when their source address matches your assigned /32. PersistentKeepalive=25 sends a packet every 25 s to keep NAT mappings alive — essential behind home routers.

Import it: on Linux save it as /etc/wireguard/pm-wg0.conf and run sudo wg-quick up pm-wg0; make it persistent with sudo systemctl enable wg-quick@pm-wg0. In the desktop apps, import the .conf or paste it. On mobile, qrencode -t ansiutf8 < config.conf prints a scannable QR code — do that somewhere private, since the code embeds your private key.
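As an added example (not the wiki's or PMSS's code), a small Python linter that parses a client config in the format above and applies the checks this page describes: key length, a /32 address inside 10.90.90.0/24, DNS set, full versus split tunnel, the IPv6 ::/0 leak, and keepalive. The keys and configs at the bottom are constructed samples.

```python
import base64
import configparser
import ipaddress

TUNNEL_NET = ipaddress.ip_network("10.90.90.0/24")  # PMSS tunnel subnet from wireguard.txt

def _is_wg_key(value: str) -> bool:
    # A WireGuard key is 32 raw bytes, i.e. exactly 44 base64 chars; placeholders fail here
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def lint_client_config(text: str) -> list:
    """Findings for a PM-style client config; an empty list means every check passed."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    iface, peer, out = cfg["Interface"], cfg["Peer"], []
    if not _is_wg_key(iface.get("PrivateKey", "")):
        out.append("PrivateKey is not a 32-byte key: placeholder from wireguard.txt still in place?")
    addr = ipaddress.ip_interface(iface.get("Address", "0.0.0.0/0"))
    if addr.network.prefixlen != 32 or addr.ip not in TUNNEL_NET:
        out.append(f"Address {addr} is not a /32 inside {TUNNEL_NET}")
    if not iface.get("DNS"):
        out.append("DNS missing: name lookups leak to the home ISP resolver")
    if not _is_wg_key(peer.get("PublicKey", "")):
        out.append("PublicKey malformed: the handshake can never authenticate the server")
    allowed = [ipaddress.ip_network(n.strip()) for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
    if ipaddress.ip_network("0.0.0.0/0") in allowed:
        if ipaddress.ip_network("::/0") not in allowed:  # page: without ::/0, IPv6 leaks
            out.append("full tunnel without ::/0: IPv6 traffic bypasses the tunnel")
    else:
        out.append(f"split tunnel: only {', '.join(map(str, allowed)) or 'nothing'} goes via the seedbox")
    if peer.get("PersistentKeepalive") != "25":
        out.append("PersistentKeepalive=25 missing: NAT mappings expire behind home routers")
    return out

# Constructed sample keys and configs for the checks above; not real keys
SAMPLE_PRIV, SAMPLE_PUB = (base64.b64encode(bytes([b]) * 32).decode() for b in (1, 2))
FULL_TUNNEL = f"""[Interface]
Address = 10.90.90.123/32
PrivateKey = {SAMPLE_PRIV}
DNS = 1.1.1.1
[Peer]
PublicKey = {SAMPLE_PUB}
Endpoint = yourserver.pulsedmedia.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""
SPLIT_NO_DNS = FULL_TUNNEL.replace("DNS = 1.1.1.1\n", "").replace("0.0.0.0/0, ::/0", "10.90.90.0/24")
```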

Step 5: Connect and verify

Activate: wg-quick up on Linux, toggle the tunnel in the apps. Check your public IP at ifconfig.me — it should show the seedbox's address, not your home one. On Linux, sudo wg show should list a recent "latest handshake" (seconds ago) and growing rx/tx byte counters. A traceroute to a public IP should pass through the seedbox subnet first. dnsleaktest.com should list the DNS servers from your config, or Finnish ones — never your home ISP's.

Multiple devices? Repeat steps 2-4 per device with fresh keys each time; PMSS assigns each a unique /32. Revoke a device by deleting its line from ~/.wireguard-public-key — WireGuard keeps no session to tear down, so once PMSS rebuilds the config that peer's next packet is simply dropped.

Finnish jurisdiction and privacy

Jurisdiction shapes what a VPN server can log and whom it hands data to. Finland, as an EU state, runs under GDPR: data minimization means collecting only what's needed, purpose limitation stops repurposing, you get access and erasure rights, and breaches trigger notifications. No blanket VPN data retention law applies: the EU's old data retention directive was struck down by a court ruling in 2014, and Finland's telecom-focused rules don't cover hosting providers like Pulsed Media.

PMSS logs only operational events in /var/log/pmss/checkWireguard.log — module loads, restarts — no traffic or connection details. WireGuard's kernel module writes no logs at all: it knows your public key from wg0.conf, keeps handshake state in RAM (gone on reboot), and hands packets to the routing stack without touching any file.

Finland's grid hits 99.99995% uptime — 0.82 minutes average annual outage — thanks to Fingrid's distributed hydro, nuclear, and wind mix. 95% of Finnish electricity is fossil-free. Servers sit in PM's owned datacenters: Lauttasaari (Helsinki, Kiviaidankatu 2, sea fiber hub to Stockholm; the C-Lion1 cable connects onward to Germany) and Kerava (PM-built, near Helsinki). No colocation means no third-party hands on the hardware.

Trust PM? The files have been there since 2009. PMSS is open source at https://github.com/MagnaCapax/PMSS, so you can inspect what runs on the server. Versus commercial VPNs based in Sweden, Panama or the BVI, you get Finnish law — GDPR, no Five Eyes — on infrastructure you picked yourself. A stable democracy beats offshore gambles. No absolutes — a serious investigation can pierce any VPN — but this stacks the privacy odds your way.

Troubleshooting

Problems hit everyone; here's how to diagnose the common ones with full steps.

Tunnel says "connected" but no internet traffic passes

The app shows active and wg show lists a peer, but browsing fails and the IP check shows your home address. First inspect AllowedIPs — if it's 10.90.90.0/24 rather than 0.0.0.0/0, you're split-tunneled and general traffic skips the tunnel. Edit and restart.

DNS next: a missing or bad DNS setting means no name resolution despite working routing. Curl an IP directly, e.g. http://1.1.1.1 — that works while hostnames fail? Add DNS = 1.1.1.1 to [Interface]. Server-side: SSH in and run sudo wg show — is your peer's handshake recent? Old or missing means your packets aren't arriving.

Is a local firewall blocking outbound UDP 51820? Disable it temporarily to test. Server-side forwarding: cat /proc/sys/net/ipv4/ip_forward should print 1. NAT: sudo iptables -t nat -L POSTROUTING -n should show a MASQUERADE rule for 10.90.90.0/24.

Handshake fails — cannot connect at all

No "latest handshake" ever and no traffic. Endpoint mismatch: cat ~/wireguard.txt and match the client config exactly. Does nslookup yourserver.pulsedmedia.com resolve from home? Use the IP if not.

PublicKey exact? Compare sudo wg show wg0 public-key on the server with the client's [Peer] entry; one character off kills it. Key registered? Check that cat ~/.wireguard-public-key contains it, and wait 3-5 minutes after adding it for the PMSS rebuild. UDP blocked? Test from a mobile hotspot; if that works, fall back to OpenVPN on TCP 443.

Server status: is sudo systemctl status wg-quick@wg0 active? Start it if not. Does lsmod | grep wireguard show the module loaded? Does iptables -L INPUT -n allow 51820/UDP?
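For the server-side handshake checks in Step 5 and in the two sections above, here is an added triage script (not part of PMSS) that reads the tab-separated output of sudo wg show wg0 dump and gives one verdict for the key you registered. The dump at the bottom is constructed sample output, and the 180 s staleness threshold is an assumption based on the 25 s keepalive.

```python
import base64

LISTEN_PORT = "51820"
STALE_AFTER = 180  # assumption: with keepalive 25s a live tunnel re-handshakes well within 3 min

def parse_dump(dump: str) -> tuple:
    """Parse `wg show wg0 dump`: line 1 is the interface, each later line one peer."""
    rows = [line.split("\t") for line in dump.strip().splitlines()]
    iface = dict(zip(("private_key", "public_key", "listen_port", "fwmark"), rows[0]))
    peers = [
        {"public_key": r[0], "endpoint": r[2], "allowed_ips": r[3],
         "latest_handshake": int(r[4]), "rx": int(r[5]), "tx": int(r[6]), "keepalive": r[7]}
        for r in rows[1:]
    ]
    return iface, peers

def triage(dump: str, my_pubkey: str, now: int) -> str:
    """One-line verdict for the peer whose public key you registered on the seedbox."""
    iface, peers = parse_dump(dump)
    if iface["listen_port"] != LISTEN_PORT:
        return f"wg0 listens on {iface['listen_port']}, but clients point at {LISTEN_PORT}"
    mine = next((p for p in peers if p["public_key"] == my_pubkey), None)
    if mine is None:
        return "not in running config: check ~/.wireguard-public-key and wait for the PMSS refresh"
    if mine["latest_handshake"] == 0:
        return "no handshake ever: packets never arrived (endpoint, key mismatch or UDP blocked)"
    age = now - mine["latest_handshake"]
    if age > STALE_AFTER:
        return f"last handshake {age}s ago: client stopped reaching the server (NAT expiry, roaming)"
    if mine["rx"] == 0 or mine["tx"] == 0:
        return f"handshake {age}s ago but rx={mine['rx']} tx={mine['tx']}: routing/AllowedIPs problem"
    return f"healthy: handshake {age}s ago, rx={mine['rx']} tx={mine['tx']} via {mine['allowed_ips']}"

# Constructed sample output; keys are base64 of repeated bytes, not real keys
def sample_key(b: int) -> str:
    return base64.b64encode(bytes([b]) * 32).decode()

NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join("\t".join(row) for row in [
    ("(none)", sample_key(1), "51820", "off"),
    (sample_key(2), "(none)", "203.0.113.7:41000", "10.90.90.123/32", str(NOW - 20), "81234", "440321", "25"),
    (sample_key(3), "(none)", "(none)", "10.90.90.124/32", "0", "0", "0", "25"),
    (sample_key(4), "(none)", "198.51.100.9:51001", "10.90.90.125/32", str(NOW - 3600), "5100", "9000", "25"),
])
```

Run it on the seedbox with the real dump and the contents of your public.key; the verdict points at the section above that applies.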

Tunnel connects but drops frequently

Up for minutes, then it flakes. NAT expiry: confirm PersistentKeepalive = 25. Roaming IP change? WireGuard adapts, but restart the tunnel if it's stuck. Packet loss: ping the seedbox IP — more than 1% loss points to a path issue.

MTU: WireGuard's encapsulation overhead pushes full-size packets past 1500 bytes, and the resulting fragmentation kills speed. Add MTU = 1420 to [Interface].

DNS leaks

Your IP goes via the seedbox, but dnsleaktest.com shows your home ISP's DNS. No DNS line in [Interface]? Add it. Windows queries the resolvers of every interface (multi-homed DNS); the official app's DNS isolation fixes that. IPv6: disable it or blackhole it. In-app DoH (Firefox/Chrome) bypasses the tunnel's DNS — configure the browser to use the system resolver.

Speed is slower than expected

Your home upload/download limits it first. CPU is fine on modern gear — ChaCha20 is fast even without AES-NI. On 1 Gbps plans the seedbox port is shared, so the tunnel competes with torrents. Try MTU = 1420. Ping RTT to the server under 50 ms is ideal from Europe; higher adds latency, and the extra hop through Finland lengthens paths to distant destinations.

No wireguard.txt file

Your server was provisioned before WireGuard support; contact support to deploy it.

Security considerations

The private key lives only on your device — generate it locally and register only the public half. PM never sees it, so there is no impersonation risk and nothing to expose in a server breach. The Noise handshake gives forward secrecy per session.

Rotate yearly or on device loss: generate a new pair, swap the public key in ~/.wireguard-public-key, update the client. Use per-device keys so you can revoke one device without touching the others.

Never send a private key to the seedbox. PMSS isolates tenants within 10.90.90.0/24 — no cross-user reach. Bind services deliberately: tunnel-only, on your 10.90.90.X address.

WireGuard encrypts transit, not endpoints. Browser fingerprinting, cookies and in-app DoH still leak identity. This is not Tor-grade anonymity — the seedbox is tied to your account. Traffic leaving the seedbox is only as encrypted as the application makes it (HTTPS or not).

A pre-shared key is optional as a hedge against quantum attacks on the key exchange, but PMSS doesn't use one currently.

At Pulsed Media — PM-specific operational detail

PMSS owns the server side: it generates the server key pair on provisioning (the private key stays under /etc/wireguard/ on the server, the public key goes into wireguard.txt). wireguardPeersRefresh.php reads ~/.wireguard-public-key from cron, assigns /32s, and syncs wg0.conf live. checkWireguard.php watches the module and service, auto-restarts them, and logs operational events only.

wg0: 51820/UDP, 10.90.90.0/24. The FQDN endpoint is set automatically. Both WireGuard and OpenVPN are included — where UDP is blocked, use OpenVPN on TCP 443.

The free tier gets full PMSS and WireGuard. A Docker option, ~/bin/docker-install-wireguard.sh, exists for custom setups.

Server migrations regenerate keys — update the client's PublicKey and Endpoint from the new wireguard.txt. AS203003, 185.148.0.0/22, no IPv6.

Pulsed Media has operated its own datacenter infrastructure in Finland since 2009 — over 16 years of continuous operation under the same ownership, running its own autonomous system (AS203003) with its own IPv4 allocation. V/M-series plans on 1G/10G ports — tunnel throughput maxes at your home link or seedbox port speed, whichever is lower.

Running WireGuard through your own Finnish server means the VPN you use every day is the same server you already paid for — no separate subscription, no exit node shared with anyone, no company's privacy policy to evaluate independently. PM's seedbox plans include WireGuard and OpenVPN on every tier, starting with a permanent free tier at 20 GiB of storage and 200 GiB/month of traffic. No payment information required to start.

See also