WireGuard: a Fast, Modern, and Secure Way to Connect to Your Home Network
Last updated: Jul 4, 2020
There are many guides out there on how to use WireGuard to create your own personal VPN to route all your traffic through a VPS (Virtual Private Server) for privacy or other reasons.
This guide will focus on creating a VPN so you can connect to your home network on the go.
This guide is based on How to setup your own VPN server using WireGuard on Ubuntu.
Motivation / Why?
To securely connect to a home network that is behind a typical NAT/router in order to:
- Access file shares
- Access movies through Plex
- Grab the code you were working on that you forgot to push
You can ping your phone (or access any running services) wherever it is, as long as it is connected to the VPN.
Requirements
You will need a public server on the internet with a static IP address, as most of our devices (phones, iPad, home server, etc.) will be behind a NAT/firewall. The public server will give our VPN a central spoke to route traffic to the devices behind a NAT. Fortunately, these are about $5/month these days.
Install WireGuard on Ubuntu or see: WireGuard Installation
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update # you can skip this on Ubuntu >= 18.04
sudo apt-get install wireguard
Activate the wireguard kernel module without having to reboot.
sudo modprobe wireguard
cd /etc/wireguard
umask 077
wg genkey | sudo tee privatekey | wg pubkey | sudo tee publickey
sudo apt install openresolv
When setting the peer on the server, you have to get the client's public key from the output of sudo wg; the publickey file is not correct.
Add a peer:
sudo wg set wg0 peer THEIRPUBLICKEY allowed-ips 10.10.0.4/32,fd86:ea04:1111::4/128
Remove a peer:
sudo wg set wg0 peer THEIRPUBLICKEY remove
If you already have a config in /etc/wireguard/wg0.conf you can use wg-quick up wg0 to connect to the VPN.
You may need to run sudo modprobe wireguard again after a kernel upgrade.
Enable on reboot:
sudo systemctl enable wg-quick@wg0
Add an iOS device:
- Install the WireGuard app
- Add a tunnel from scratch
- Set name to whatever makes sense
- Generate keypair
- Set address to the IP address you want this device to take, i.e. 10.10.0.5/32
- Add spoke/VPS as peer
- Add endpoint as the public static IP of your VPS/spoke
- Add allowed IPs, i.e. 10.10.0.0/24
- Persistent keepalive 1
- Copy phone’s public key to server
sudo wg set wg0 peer THEIRPUBLICKEY allowed-ips 10.10.0.5/32,fd86:ea04:1111::5/128
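WireGuard maps each allowed IP to exactly one peer, so a wg set line copied from an earlier peer without changing every address silently takes that address away from the earlier peer. The script below is an added example (not part of the original guide) that checks a planned peer list for this before it is applied; the input file format, the function names and the placeholder key names are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-flight check for a list of planned peers, to run before
# `sudo wg set wg0 peer <key> allowed-ips <list>` is issued for each one.
# Input format (an assumption of this example): one peer per line,
#   <public-key> <comma-separated allowed-ips>
# Only exact duplicate prefixes are detected; containment (a /24 that covers
# another peer's /32) is not checked.

find_duplicate_allowed_ips() {
    # Reads the peer list on stdin.
    # Prints "<prefix> <first-peer> <second-peer>" for every reused prefix.
    # Returns 1 if any prefix is claimed by more than one peer, else 0.
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            n = split($2, ips, ",")
            for (i = 1; i <= n; i++) {
                ip = ips[i]
                if ((ip in owner) && owner[ip] != $1) {
                    print ip, owner[ip], $1
                    dup = 1
                } else {
                    owner[ip] = $1
                }
            }
        }
        END { exit (dup ? 1 : 0) }
    '
}

# Constructed sample: placeholder key names, with the second line copied from
# the first and only the IPv4 address changed.
sample_peers() {
    cat <<'EOF'
# public key               allowed-ips
PEER_A_PUBKEY_PLACEHOLDER  10.10.0.4/32,fd86:ea04:1111::4/128
PHONE_PUBKEY_PLACEHOLDER   10.10.0.5/32,fd86:ea04:1111::4/128
EOF
}

if sample_peers | find_duplicate_allowed_ips; then
    echo "no duplicate allowed-ips"
else
    echo "duplicate allowed-ips found; give each peer its own address" >&2
fi
```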