WireGuard a Fast, Modern, and Secure way to Connect to Your Home Network

Last updated: Jul 4, 2020

There are many guides out there on how to use WireGuard to create your own personal VPN to route all your traffic through a VPS (Virtual Private Server) for privacy or other reasons.

This guide will focus on creating a VPN so you can connect to your home network on the go.

This is guide is based on How to setup your own VPN server using WireGuard on Ubuntu.

Motivation / Why?

To connect to home network which is behind a typical NAT/Router securely in order to:

  • Access file shares
  • Access movies through Plex
  • Grab the code you were working on that you forgot to push

You can ping your phone (or access any running services) wherever it is as long as it is connected to the VPN.


You will need a public server on the internet with a static IP address as most of our devices like phones, ipad, home server, etc will be behind a NAT/firewall. The public server will give our VPN a central spoke to route traffic to the devices behind a NAT. Fortunately, these are about $5/month these days.

Install WireGuard on Ubuntu or see: WireGuard Installation

add-apt-repository ppa:wireguard/wireguard
apt-get update # you can skip this on Ubuntu >= 18.04
apt-get install wireguard

Activate the wireguard kernel module without having to reboot.

sudo modprobe wireguard

cd /etc/wireguard
umask 077
wg genkey | sudo tee privatekey | wg pubkey | sudo tee publickey

sudo apt install openresolv

You have to get client pub key from the output of sudo wg the publickey file is not correct when setting the peer on the server.

Add a peer:

sudo wg set wg0 peer THEIRPUBLICKEY allowed-ips,fd86:ea04:1111::4/128

Remove a peer:

sudo wg set wg0 peer THEIRPUBLICKEY remove

If you already have a config in /etc/wireguard/wg0.conf you can use wg-quick up wg0 to connect to the VPN.

You may need to sudo modprobe wireguard after a kernel upgrade.

Enable on reboot:

sudo systemctl enable wg-quick@wg0

Add an iOS device:

  • Install the WireGuard app
  • Add a tunnel from scratch
  • Set name to whatever makes sense
  • Generate keypair
  • Set address to the IP address you want this device to take i.e.
  • Add spoke/VPS as peer
    • Add endpoint as the public static IP of your VPS/spoke
    • Added allowed IPs i.e.
    • Persistent keepalive 1
  • Copy phone’s public key to server
  • sudo wg set wg0 peer THEIRPUBLICKEY allowed-ips,fd86:ea04:1111::4/128

Need to print shipping labels on your site?

Checkout my product RocketShipIt for simple easy-to-use developer tools for UPS™ FedEx™ USPS™ and more.

Get notified on new posts or other things I'm working on