In this short post I will show you how to make your home network accessible from the outside using WireGuard as VPN. WireGuard is a very versatile tool and I have not much experience with setting up networks, but in the end the whole process was pretty simple.

In the end, you will be able to open your browser on the phone wherever you are and open some web service you have running at home at e.g. 192.168.1.23, and it will just work as if you are currently in your home WiFi network.

Preparations

Choose a Suitable Gateway Device

If you happen to have a fancy internet router, you might be able to also set it up as the WireGuard gateway. But most routers will not allow to do that without flashing some custom firmware or using other tricks.

So the common case is to have a distinct gateway device which is accessible from the outside and will route the traffic between the home network and the devices connected via VPN. Obviously, it should be low-power, running all the time and be physically connected to the router for reliability and speed. I have a Raspberry Pi 3B that I already use for various purposes in my home network, so it was a natural choice.

Make Sure the Gateway is Accessible

Persistent IP or Domain

If like most private ISP customers you do not have a persistent public IP address, you should use a DynDNS service to point to your currently assigned IP. I have a domain registrar that directly supports setting up a DynDNS subdomain which is updated automatically by my home internet router.

Port Forwarding

In any case, make sure to set up port forwarding for the Wireguard port (by default, 51820) via UDP from your public IP or domain to your Wireguard gateway device. Make sure that no firewall (of the router and/or the gateway) is blocking this port. How this is done is out of scope of this post. Of course you can also choose and configure any other free port, I just decided to stick with the default.

Install WireGuard Utilities

Wireguard is running mainly in the Linux kernel, but for configuration you might need to install the tools wg and wg-quick. On Arch Linux they are part of the wireguard-tools package and technically this is all you need. To connect from an Android device, you can use the WireGuard app.

Generate key pairs

You need to generate the VPN encryption keys for the gateway as well as for each mobile device (smartphone, laptop, etc.) you want to connect to your home network from the outside.

You can generate a pair of keys for some device XYZ with:

wg genkey | tee XYZ_wg_private | wg pubkey > XYZ_wg_public

The two generated text files will contain the respective Base64-encoded keys which you have to copy into WireGuard config files. After everything is done, you can delete them or store them in some safe (possibly encrypted) location.

Configuring the Gateway

Prepare the WireGuard VPN

On the gateway, create a WireGuard configuration file in /etc/wireguard/, e.g. /etc/wireguard/wg-home.conf. The file name will determine the name of the virtual network interface, so in my case, it will be called wg-home.

[Interface]
Address = 10.0.0.1/24
PrivateKey = <gateway private key>
ListenPort = 51820

[Peer]
PublicKey = <XYZ public key>
AllowedIPs = 10.0.0.2/32

# add one section per client you want to be able to connect,
# with their respective public keys and a unique assigned
# static IP in the chosen subnet (10.0.0.1/24).

To make sure that the WireGuard VPN starts up automatically when your gateway reboots, you have to enable it as a service. On Arch Linux:

systemctl enable wg-quick@wg-home

As usual, to bring it up or down manually (e.g. after updating the configuration), you can run:

systemctl [start|stop|restart] wg-quick@wg-home

Enable NAT for the Gateway

We have to make sure that the kernel allows packet forwarding and configure the firewall to support NAT and forward the traffic correctly.

Add the following lines to the Wireguard config in the [Interface] section, replacing eth0 with your actual network interface which is connecting your gateway to the local home network

PreUp    = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -w -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -i wg-home -o eth0 -j ACCEPT; iptables -A FORWARD -o wg-home -i eth0 -j ACCEPT -m state --state RELATED,ESTABLISHED
PostDown = iptables -w -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -i wg-home -o eth0 -j ACCEPT; iptables -D FORWARD -o wg-home -i eth0 -j ACCEPT -m state --state RELATED,ESTABLISHED

The first line enables packet forwarding in the kernel, the next lines set up required firewall rules when the WireGuard interfaces is brought up and removes them when it is brought down.

After (re)starting the WireGuard interface, you can verify that the firewall configuration works by checking that iptables -L contains the lines

ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

in the Chain FORWARD section, and that iptables -t nat -L contains the line

MASQUERADE  all  --  anywhere             anywhere

in the Chain POSTROUTING section. If you don’t see such entries, maybe you have to check permissions. For example, if you run wg-quick as a normal user, usually you cannot modify iptables rules. But if you run it as described using systemctl, it should just work.

Configuring the Clients

Configuring the gateway correctly was already the most difficult part. Now for the clients, you just have to create a matching configuration looking like this:

[Interface]
Address = 10.0.0.2/24
PrivateKey = <XYZ private Key>

[Peer]
PublicKey = <gateway public Key>
Endpoint = <gateway domain or IP>:51820
PersistentKeepalive = 25

# to forward ALL traffic through the VPN:
# AllowedIPs = 0.0.0.0/0
# to forward only the VPN+home network:
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24

Adapt the subnet for your home network accordingly, if you happen to use something different than the common 192.168.1.0/24 range.

Conclusion

Now you should be able to connect to the VPN from a client and access other devices in the VPN and/or home network. Note that in this setup, VPN peers can talk to any home network devices, but home network devices that are not part of the VPN cannot talk to externally connected clients.

Note that the most tricky part was in fact not WireGuard itself, but setting up the firewall to forward the traffic between the networks correctly. With that out of the way, you can now easily run dozens of self-host services at home and access them from anywhere without worrying too much about security, with just a single open port for establishing the VPN connection!