Who is client and who is server in WireGuard?
WireGuard doesn’t really use the concept of client and server the same way OpenVPN does. A WireGuard interface does not have a fixed role as client or server - think about it like this:
- A WireGuard connection is a link between two peers
- One WireGuard interface can host one or many connections
For a single connection:
- A connection can be considered a client if it knows a fixed endpoint (IP address or hostname) to connect to, i.e. if you have Endpoint set in your WireGuard config like this:
    Endpoint = vpn.mydomain.com:31265
  A client will take the initiative and send packets to the server without having received any packet from the server beforehand - just like in classical VPNs.
- A connection can be considered a server if it doesn’t have an Endpoint set to connect to. A server will learn which IP address to send packets to once a client has completed the handshake. If a client IP address changes, the server will learn the new IP address as soon as it receives a validated packet from the client.
Most real-world WireGuard connections have one client and one server. There are exceptions to this, namely if both endpoints have a static IP address or fixed host name, so both WireGuard instances always know which IP address or hostname to send packets to.
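The two roles described above, written out as a pair of wg-quick style configuration files. This is an added example, not part of the original post: the keys are placeholders, the tunnel addresses and the file name wg0.conf are constructed, and the port is the one from the Endpoint line above.

```ini
# ---- "Server" side: wg0.conf on vpn.mydomain.com (file name assumed) ----
[Interface]
PrivateKey = <server-private-key>
# Constructed tunnel address
Address = 10.0.0.1/24
# Fixed UDP port, so that peers have something stable to dial
ListenPort = 31265

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32
# No Endpoint here. The address of this peer is learned from its
# handshake and updated whenever a validated packet arrives from
# a new source address.

# ---- "Client" side: wg0.conf on the roaming machine (file name assumed) ----
[Interface]
PrivateKey = <client-private-key>
# Constructed tunnel address
Address = 10.0.0.2/24
# No ListenPort: a source port is picked automatically, since
# nobody needs to know it in advance.

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 10.0.0.1/32
# The Endpoint is what makes this side the "client": it can send
# the first packet without having heard from the other peer.
Endpoint = vpn.mydomain.com:31265
```

For the exception mentioned above, where both machines have a static address or host name, each [Peer] section would carry its own Endpoint line and each [Interface] section its own ListenPort.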