Setting up a home VPN server with WireGuard (2019)
50 comments
·September 8, 2025cyphax
I've had wireguard in a container for a few years, and it's never failed me. I will say it took me a long time to get the firewall part of the configuration right but the configuration is otherwise simple. When I'm on the road I can access all the things I self host, which I don't have to expose anything of to the outside world.
I also really like using qr codes to transfer a configuration to a phone (mostly used by me once when I replaced my phone): https://www.cyberciti.biz/faq/how-to-generate-wireguard-qr-c...
SyrupThinker
The amount of people here just exposing their network to Tailscale, and recommending others to do the same, is surprising, to say the least.
I've set up Wireguard on a VPS once six years ago, and nothing needed adjustment since. It is as easy as you make it out to be, and depending on the use case the firewall rules can also be simple.
If I need to add a new device, which is probably a rarity for the average user, and once a year for me, it takes two minutes to edit two files and restart a service.
I can see reasons why one would want to use Tailscale, especially in an organization. But just uncritically recommending it for home-lab like setups seems as harmful as pushing people to Cloudflare for everything.
FrankPetrilli
Inter-node mesh with raw Wireguard is an exercise in patience to say the least; I have a few different colo sites, my house, my phone, LTE/5G hotspots, raspberry pi projects in the field, etc that I want to fully connect together.
Raw Wireguard is fine for a road warrior or site-to-site VPN setup as is common, but when you want multipoint peer-to-peer connections without routing through what might be a geographically distant point, magic DNS, etc, Tailscale really shines through.
If you're paranoid, enable https://tailscale.com/kb/1226/tailnet-lock or run https://headscale.net/ on your own as a control server.
SyrupThinker
For P2P I can totally see the advantage.
Although at that point I'm sure you, and any similar user, would not actually rely on ad-hoc advice like in this thread, and instead just evaluate what is needed.
As an aside, personally speaking, headscale solves basically none of my concerns associated with introducing more software, complexity and third parties (the maintainers) into my network setup. Less so because of paranoia towards the software/product itself, and more so because of the increased surface area to attack.
But I also think that anyone actually bothering to set headscale up probably falls into the aforementioned group of people that actually thinks about their requirements.
robertlagrant
Speaking of Cloudflare - they do have a similar product[0] :)
[0] https://developers.cloudflare.com/cloudflare-one/connections...
SyrupThinker
Ironic, I wasn't aware.
jazzyjackson
whoa that's super useful. I've been trying to figure out what I'm going to do to let my family access my server. What client do you recommend on the phone end? Or does the phone support connecting to wireguard out of the box?
zuhsetaqi
The best client is from WireGuard. It’s super efficient in my experience. It even supports on demand VPN where you can define network it should activate or deactivate the VPN.
cyphax
I use the Android app from Wireguard: https://play.google.com/store/apps/details?id=com.wireguard.... It's pretty basic, but it lets me scan the generated qr codes, and it has an icon in the drawer which makes it easy to access.
paulgerhardt
[2019]
(In 2025, using Tailscale simplifies a lot of the configuration and reachability parts. This guide omits a lot of the hurdles one will run into with NAT traversal and the macOS section is a little dated.)
dpoloncsak
I am a huge proponent of Tailscale, and I've moved my entire stack into my tailnet. Even my steam deck.
With that said, as another user (th0ma5) pointed out, "The only downside is that the Tailscale organization will be privy to your actions online as well."
While Tailscale and Wireguard serve the same purpose for most, it is not a direct replacements. To most users, this doesn't matter. To a few, it may be a breach of OpSec
With all this said, Tailscale reportedly cannot see anything. Per https://tailscale.com/blog/opensource
"By making the Tailscale clients open, you can see that we don’t collect your private keys. And by making Tailscale’s DERP servers open, you can see that we can’t capture your encrypted traffic. We don’t see your data and we don’t want to. We hope that keeping this code open increases trust and transparency in Tailscale because anyone can review the code and see that Tailscale really works the way we claim."
Lammy
That's a total red herring. They see the metadata (data about data) of every connection you make. They don't need to capture any encrypted data to tell a whole heck of a lot about you: https://kieranhealy.org/blog/archives/2013/06/09/using-metad...
SvenL
Exactly, also, as long as there is no way of verifying that the source they opened up is the one they are running, it’s still a trust thing.
spott
I have a wireguard server at home, and it is great.
The iPhone and Mac official wireguard clients allow you to set “excluded” wireless SSIDs, so if you are out and about, and not on a SSID that matches one of your excluded SSIDs, you are automatically connected to wireguard.
I have it setup to dump me onto my home network (it doesn’t NAT me behind the wireguard server) so I’m just always on my home network. By default, I only route home network traffic through wireguard, but I’ve also routed everything when I need to.
The whole configuration is in a Nixos configuration file as well, which is nice.
One of these days I should write up something about my homelab…
torium
I am also one of those people who "don’t usually do a lot of networking stuff", so here's a question.
The article contains this:
#replace eth0 with the interface open to the internet (e.g might be wlan0 if wifi)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
So, which one is right and why?
Ingon
I have to double check, but I believe this is server-side/exit node configuration. In case of mulvad, something similar might be on their servers.
thedanbob
Those lines are only needed on the VPN server, not the client(s).
dang
Discussed at the time:
Setting up a home VPN server with WireGuard - https://news.ycombinator.com/item?id=21421365 - Nov 2019 (198 comments)
billy99k
I love WireGuard and use it when I'm traveling. I bought a cheap Lenovo mini-pc, installed Debian, and use it as a dedicated VPN server.
null
Apreche
> If you don’t have a static IP, you’ll probably want to set up dynamic DNS, too.
Setting up Wireguard is easy. THIS is the hard problem that needs solving. I’ve never had a good experience with dynamic DNS. I don’t see any way around this without relying on some sort of hosted/cloud service of some kind.
thedanbob
I wrote a script that runs periodically on my home server to update DNS (Cloudflare) if my IP changes. In practice, it almost never changes and my ISP's general flakiness is far more of a problem.
calgoo
I used to use a chronjob + script that queried my external IP and then if it is different from the dns record make an API call to my dns hoster (name.com at the time). For a homelab, run it every 5 or 10 minutes and you'll always have an up to date record that you manage.
BikiniPrince
I just run a dynamic dns client on OpenWRT. I’ve never had an issue reaching the joke server.
lucideer
I got an Asus router & installed Merlin. Comes with a Wireguard server & Dyndns support built in, all via a very simple user friendly UI.
distantsounds
if you own a domain you can likely update a dynamic DNS record through the registrar's API
mcoliver
Good writeup. Love wireguard. PiVPN is also worth checking out and supports wireguard. Bundle with PiHole and you never have to see ads again. Even when out and about.
baq
+1 to ’just use tailscale’ crowd. I used to run my own WireGuard server and it’s painful compared to tailscale. Note it isn’t bulletproof, but it’s work in most cases, whereas I’ve had trouble with WireGuard being blocked in places I needed it the most.
pkulak
+2. I did exactly what's in this article since before Tailscale existed. Then there was this Tailscale thing, but I never moved over because why bother? I've already got my setup. I was creating keys and schlepping them to all the devices in my family. I was fixing broken tunnels on vacation, trying to copy keys from my phone because that was the only device that could connect at the moment. I was manually setting packet MTU sizes because my home network uses PPPOE (yes, those are all things I know now that I wish I didn't). I was disabling the Wifi in my local supermarket because they block UDP and that broke my access.
Then I signed up for Tailscale on a whim, installed it on my phone and my Home Assistant box and... that was it. After like 15 minutes of sign up and installation I could access my home network. MTU didn't matter. In the supermarket it uses TCP over a DERP server that's 5ms away. Keys are automatically setup. After years of people blabbing on about how great Tailscale is, I finally get it.
lucideer
If you're looking for a low pain way to run a Wireguard server, an Asus router with Merlin installed is as simple as it gets. UI generates QR codes for clients, & there's even an app.
th0ma5
The only downside is that the Tailscale organization will be privy to your actions online as well.
Lammy
Context: https://tailscale.com/kb/1011/log-mesh-traffic
“Each Tailscale agent in your distributed network streams its logs to a central log server (at `log.tailscale.com`). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”
sgc
Use headscale, and problem solved.
null
You can create prefixed keys (aka vanity key) for each peer using https://github.com/AlexanderYastrebov/wireguard-vanity-key