I love Wireguard, but if you want to do this, I think there are only two ways that make sense for most users.
The best option is just to use tailscale, either on your router or on a device on the network that is always on, and set it as an exit node. It uses Wireguard under-the-hood, and it way easier to setup.
If you really must use Wireguard directly, get a router like a GL.iNet with OpenWRT that has a Wireguard server built-in. It'll handle creating certs for users, etc.
I've had wireguard in a container for a few years, and it's never failed me. I will say it took me a long time to get the firewall part of the configuration right but the configuration is otherwise simple. When I'm on the road I can access all the things I self host, which I don't have to expose anything of to the outside world.
(In 2025, using Tailscale simplifies a lot of the configuration and reachability parts. This guide omits a lot of the hurdles one will run into with NAT traversal and the macOS section is a little dated.)
+1 to ’just use tailscale’ crowd. I used to run my own WireGuard server and it’s painful compared to tailscale. Note it isn’t bulletproof, but it’s work in most cases, whereas I’ve had trouble with WireGuard being blocked in places I needed it the most.
> If you don’t have a static IP, you’ll probably want to set up dynamic DNS, too.
Setting up Wireguard is easy. THIS is the hard problem that needs solving. I’ve never had a good experience with dynamic DNS. I don’t see any way around this without relying on some sort of hosted/cloud service of some kind.
I am also one of those people who "don’t usually do a lot of networking stuff", so here's a question.
The article contains this:
#replace eth0 with the interface open to the internet (e.g might be wlan0 if wifi)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
However, I use mullvad and the .conf files that they provide contains none of this, and works just fine. It contains just: interface, private key, address, dns and peer public key, allowed ips, entrypoint.
I have a wireguard server at home, and it is great.
The iPhone and Mac official wireguard clients allow you to set “excluded” wireless SSIDs, so if you are out and about, and not on a SSID that matches one of your excluded SSIDs, you are automatically connected to wireguard.
I have it setup to dump me onto my home network (it doesn’t NAT me behind the wireguard server) so I’m just always on my home network. By default, I only route home network traffic through wireguard, but I’ve also routed everything when I need to.
The whole configuration is in a Nixos configuration file as well, which is nice.
One of these days I should write up something about my homelab…
Good writeup. Love wireguard. PiVPN is also worth checking out and supports wireguard. Bundle with PiHole and you never have to see ads again. Even when out and about.
16 comments
[ 3.2 ms ] story [ 39.8 ms ] threadThe best option is just to use tailscale, either on your router or on a device on the network that is always on, and set it as an exit node. It uses Wireguard under-the-hood, and it way easier to setup.
If you really must use Wireguard directly, get a router like a GL.iNet with OpenWRT that has a Wireguard server built-in. It'll handle creating certs for users, etc.
I also really like using qr codes to transfer a configuration to a phone (mostly used by me once when I replaced my phone): https://www.cyberciti.biz/faq/how-to-generate-wireguard-qr-c...
(In 2025, using Tailscale simplifies a lot of the configuration and reachability parts. This guide omits a lot of the hurdles one will run into with NAT traversal and the macOS section is a little dated.)
Setting up Wireguard is easy. THIS is the hard problem that needs solving. I’ve never had a good experience with dynamic DNS. I don’t see any way around this without relying on some sort of hosted/cloud service of some kind.
The article contains this:
However, I use mullvad and the .conf files that they provide contains none of this, and works just fine. It contains just: interface, private key, address, dns and peer public key, allowed ips, entrypoint.So, which one is right and why?
Setting up a home VPN server with WireGuard - https://news.ycombinator.com/item?id=21421365 - Nov 2019 (198 comments)
The iPhone and Mac official wireguard clients allow you to set “excluded” wireless SSIDs, so if you are out and about, and not on a SSID that matches one of your excluded SSIDs, you are automatically connected to wireguard.
I have it setup to dump me onto my home network (it doesn’t NAT me behind the wireguard server) so I’m just always on my home network. By default, I only route home network traffic through wireguard, but I’ve also routed everything when I need to.
The whole configuration is in a Nixos configuration file as well, which is nice.
One of these days I should write up something about my homelab…