Setting up WireGuard for secure remote access
If you self-host services at home, you eventually want to access them from outside your network. Port forwarding works but exposes services directly to the internet. A VPN is the safer approach, and WireGuard is the simplest one to set up.
Why WireGuard over OpenVPN
WireGuard is fast, minimal, and built into the Linux kernel. The kernel implementation is around 4,000 lines, against the hundreds of thousands in OpenVPN plus the TLS library it depends on. A codebase that small can realistically be audited, and it presents a correspondingly smaller attack surface.
The configuration is a single file per peer. There are no certificate authorities and no PKI: each peer has a static Curve25519 keypair, so you generate keys, exchange public keys, and you are connected. The flip side is that there is no revocation beyond deleting a peer's public key from every config that lists it, so keep track of which key belongs to which device.
Performance is better too. WireGuard runs in the kernel and has no TLS handshake or cipher negotiation to get through, and it has shown lower latency and higher throughput than OpenVPN in every benchmark I have seen. You notice the difference when accessing services over the VPN.
Server setup
Install WireGuard on your server (most Linux distributions include it):
# Ubuntu/Debian
sudo apt install wireguard
# Generate server keys (umask 077 keeps the private key readable only by you)
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key

Create the server config at /etc/wireguard/wg0.conf. The PostUp/PostDown rules let VPN clients reach the rest of your home network through the server; that also needs IP forwarding turned on (sysctl -w net.ipv4.ip_forward=1, made persistent in /etc/sysctl.conf) and assumes the LAN-facing interface is eth0, so adjust the interface name if yours differs:
[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

On the server side, AllowedIPs is the set of source addresses accepted from this peer (and routed to it), so keep it to the client's single /32. Start the interface:
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Client setup
Generate keys on the client the same way, then create the config:
[Interface]
PrivateKey = <client_private_key>
Address = 10.0.0.2/24
DNS = 10.0.0.1
[Peer]
PublicKey = <server_public_key>
Endpoint = your-server-ip:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25

On the client, AllowedIPs controls which destinations are routed through the tunnel. With 10.0.0.0/24 only the VPN subnet itself, in practice just the server, goes through it; to reach services on your home LAN you must add that subnet as well, for example AllowedIPs = 10.0.0.0/24, 192.168.1.0/24 if your LAN is 192.168.1.0/24. Set it to 0.0.0.0/0, ::/0 to route all traffic, IPv6 included, through the VPN; leaving ::/0 out lets IPv6 traffic bypass the tunnel. The DNS line assumes a resolver is listening on 10.0.0.1 on the server; drop it or point it elsewhere if there is none.
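The whole provisioning flow above (generate keys, write the client config, add the matching [Peer] block on the server, and pick the peer up without restarting the interface) as one script. This is an added example, not code from the original post: it keeps the 10.0.0.0/24 VPN subnet from the configs above and assumes a placeholder public endpoint vpn.example.com:51820, a placeholder home LAN of 192.168.1.0/24, a resolver on 10.0.0.1 for the DNS line, and the server config at /etc/wireguard/wg0.conf. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: provision one new WireGuard peer.
# Assumptions (placeholders, adjust to your setup):
#   VPN subnet 10.0.0.0/24, server at 10.0.0.1 (also the DNS line's resolver),
#   home LAN 192.168.1.0/24, public endpoint vpn.example.com:51820,
#   server config at /etc/wireguard/wg0.conf.
set -eu

SERVER_CONF=${SERVER_CONF:-/etc/wireguard/wg0.conf}
ENDPOINT=${ENDPOINT:-vpn.example.com:51820}
LAN_SUBNET=${LAN_SUBNET:-192.168.1.0/24}

# Render a client config as text. Arguments:
#   $1 client private key   $2 host part of the 10.0.0.x address
#   $3 server public key    $4 AllowedIPs list
# Pure string work, so it can be exercised without wg(8) installed.
client_conf() {
  printf '[Interface]\nPrivateKey = %s\nAddress = 10.0.0.%s/32\nDNS = 10.0.0.1\n\n' "$1" "$2"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
    "$3" "$ENDPOINT" "$4"
}

# Render the [Peer] block that goes into the server config. Arguments:
#   $1 peer name (comment only)   $2 client public key   $3 host part of the address
# Server-side AllowedIPs is the single /32 this peer may send from.
server_peer_block() {
  printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = 10.0.0.%s/32\n' "$1" "$2" "$3"
}

# Generate keys, write NAME.conf for the client, append the peer to the server
# config and hot-add it to the running interface. Arguments: $1 name, $2 host part.
add_peer() {
  name=$1 host=$2
  umask 077                                   # private keys must not be world-readable
  priv=$(wg genkey)
  pub=$(printf '%s\n' "$priv" | wg pubkey)
  server_pub=$(wg show wg0 public-key)
  client_conf "$priv" "$host" "$server_pub" "10.0.0.0/24, $LAN_SUBNET" > "$name.conf"
  server_peer_block "$name" "$pub" "$host" >> "$SERVER_CONF"
  wg set wg0 peer "$pub" allowed-ips "10.0.0.$host/32"   # no restart; existing peers stay up
  echo "wrote $name.conf; import it on the client, then delete it here"
}

# Usage: sh add-peer.sh phone 2   (with no arguments only the functions are defined)
if [ $# -eq 2 ]; then
  add_peer "$1" "$2"
fi
```

The live `wg set` keeps existing peers connected while the new one is added; the appended [Peer] block is what makes the change survive the next `wg-quick up`. Because the client's private key is born on the server here, the generated NAME.conf should be removed as soon as the client has it.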
Mobile access
WireGuard has official apps for iOS and Android. You can either type the config manually or generate a QR code from the server:
sudo apt install qrencode
qrencode -t ansiutf8 < client.conf

Scan the QR code with the WireGuard app and you are connected. The config, and therefore the client's private key, was generated on the server, so delete client.conf once the phone has imported it rather than leaving a copy of the key lying around.
What this enables
With WireGuard running, I can access my home lab from anywhere. Proxmox management, Nextcloud, monitoring dashboards, internal tools. Everything stays behind the VPN and is not exposed to the public internet.
The connection is fast enough that I forget I am on a VPN. SSH sessions feel local, web UIs load instantly, and file transfers are only slightly slower than being on the home network directly.
Port forwarding
You only need to forward one UDP port (51820) on your router to the WireGuard server. Everything else stays internal. WireGuard also does not reply to packets that fail authentication, so the port looks closed to a scanner. Together that is a much smaller attack surface than forwarding ports for every service individually.
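With only 51820/udp forwarded, the remaining check is on the server itself: is wg0 really listening on that port, and are peers actually completing handshakes (a peer that never handshakes usually means a wrong key, endpoint or router rule)? The following is an added example, not from the original post, that answers both from the output of `wg show wg0 dump`. The dump format (one tab-separated interface line, then one line per peer with the latest handshake as a Unix timestamp or 0) is wg(8)'s; the 180-second threshold, the function names and the sample dump are mine.

```shell
#!/bin/sh
# Added example, not from the original post: health-check a running tunnel
# from `wg show wg0 dump`. Thresholds and sample data are assumptions.
set -eu

# List peers whose last handshake is older than $2 seconds as of Unix time $1.
# Reads dump text on stdin; prints "<public key> <age>" or "<public key> never".
stale_peers() {
  awk -F'\t' -v now="$1" -v max="$2" '
    NR == 1 { next }                          # first line describes the interface
    $5 == 0 { print $1, "never"; next }       # no handshake since the peer was added
    now - $5 > max { print $1, now - $5 }     # field 5 is latest-handshake
  '
}

# Succeed only if the interface line shows the port you forwarded at the router.
listen_port_is() {
  awk -F'\t' -v want="$1" 'NR == 1 { ok = ($3 == want) } END { if (ok) exit 0; exit 1 }'
}

# Constructed sample dump (keys and addresses are placeholders): one healthy
# peer, one that never connected, one whose last handshake is 1000 s old.
SAMPLE_NOW=1700000000
SAMPLE_DUMP=$(
  printf 'SERVER_PRIV\tSERVER_PUB\t51820\toff\n'
  printf 'PEER_A\t(none)\t203.0.113.5:40000\t10.0.0.2/32\t1699999990\t1000\t2000\t25\n'
  printf 'PEER_B\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\t25\n'
  printf 'PEER_C\t(none)\t198.51.100.9:51000\t10.0.0.4/32\t1699999000\t10\t20\t25\n'
)

# Real run: sh wg-health.sh check
# 180 s is several missed rounds of PersistentKeepalive = 25, so it is a
# genuine outage rather than a quiet client.
if [ "${1:-}" = check ]; then
  wg show wg0 dump | stale_peers "$(date +%s)" 180
  wg show wg0 dump | listen_port_is 51820 || echo "wg0 is not listening on 51820" >&2
fi
```

Run from cron or a monitoring agent, a non-empty `stale_peers` report on a peer that should be online is the first thing to look at before touching the router; a wrong or drifted listen port shows up in the second check.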