Setting Up WireGuard VPN on Your VPS for Remote Homelab Access

Setting Up WireGuard VPN on Your VPS for Remote Homelab Access

We earn commissions when you shop through the links on this page, at no additional cost to you.

CompactHost ·

I've been running homelabs for years, and the moment you need to access your Jellyfin server, Nextcloud, or lab infrastructure from outside your house, you hit a real problem: port forwarding is a security nightmare, and public reverse proxies can leak metadata. WireGuard solves this elegantly. It's fast, modern, and runs on any $40/year VPS from providers like RackNerd. Here's exactly how I set it up and why you should too.

Why WireGuard Over Other VPN Options?

I've tried OpenVPN, and it works, but the configuration files are fragile—100+ lines per client. Tailscale is excellent but costs money for teams, and you're routing through Tailscale's infrastructure. WireGuard is different: it's a kernel-level module with ~400 lines of code, runs at near-native speeds, and you own the infrastructure entirely. The cipher suite is modern (Curve25519, ChaCha20-Poly1305), and there's no legacy cruft.

The trade-off is that WireGuard gives you less granular control than OpenVPN, but for homelab remote access, that's a perfect fit. You configure it once, clients connect, and traffic flows securely with minimal overhead.

Prerequisites and VPS Setup

You'll need:

I prefer a minimal VPS—2 vCPU, 2GB RAM is plenty. WireGuard uses almost no resources. If you're setting up for the first time, RackNerd's annual deals typically include configurations at or below this spec for around $40/year, which is genuinely incredible value for a static IP that you own completely.

Tip: Before deploying WireGuard, verify your VPS provider allows custom UDP ports and hasn't blocked 51820. SSH in and test: telnet 0.0.0.0 51820 should show nothing (that's good). If you can't reach it from outside after setup, your provider likely filters it—switch to port 443 (commonly open for HTTPS) or email support.

Installing WireGuard on Your VPS

SSH into your VPS and update the system first:

sudo apt update && sudo apt upgrade -y
sudo apt install -y wireguard wireguard-tools

Enable IP forwarding so your VPS can route traffic between clients and your homelab:

sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Generate the server's private and public keys:

cd /etc/wireguard
sudo umask 077
sudo wg genkey | tee privatekey | wg pubkey > publickey
cat publickey
cat privatekey

Save both—you'll need the private key in seconds and the public key for your clients.

Configuring the WireGuard Server

Create the server configuration file. I'm using the subnet 10.0.0.0/24 for the VPN tunnel; adjust if you have conflicts:

sudo tee /etc/wireguard/wg0.conf > /dev/null <

Don't fill in CLIENT1_PUBLIC_KEY_HERE yet—we'll generate client keys next. The PostUp and PostDown rules are critical: they enable NAT so clients can reach your homelab devices. Replace eth0 with your VPS's primary network interface (check with ip route | grep default).

Enable and start the WireGuard interface:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo wg show

You should see output listing wg0 with your private key (redacted) and listen port 51820. If there are errors, check dmesg: dmesg | tail -20.

Generating Client Configurations

For each client (laptop, phone, etc.), generate a keypair:

cd ~/wg-clients
umask 077
mkdir -p ~/wg-clients
wg genkey | tee client1_privatekey | wg pubkey > client1_publickey
cat client1_publickey

Now add the client to the server config. SSH back into your VPS:

sudo tee -a /etc/wireguard/wg0.conf > /dev/null <

Replace CLIENT1_PUBLIC_KEY_HERE with the output of cat client1_publickey from your local machine.

Reload the server to pick up the new peer:

sudo systemctl restart wg-quick@wg0
sudo wg show

Now create the client configuration on your local machine (let's say your VPS's public IP is 203.0.113.45):

cat > ~/wg-clients/client1.conf <

Replace VPS_PUBLIC_KEY_HERE with the server's public key from earlier and 203.0.113.45 with your actual VPS IP. The PersistentKeepalive line keeps the connection alive through NAT—critical for stable tunnels.

Watch out: If you want to route all traffic through the VPN (not just to your homelab), change AllowedIPs to 0.0.0.0/0. This is slower but more private. For homelab access only, stick with 10.0.0.0/24.

Connecting Your Homelab Devices

The beauty of WireGuard is you're now inside the VPN network. Your homelab devices don't need to know about WireGuard; they just need to route 10.0.0.0/24 traffic back to your VPS. On your homelab's gateway (usually your router or a Linux box), add a static route:

# On your homelab gateway/router
ip route add 10.0.0.0/24 via YOUR_VPS_IP

If you're using a standard home router (ASUS, Ubiquiti, etc.), add this via the web UI under Static Routes or Advanced Routing. If your homelab is entirely containerized on one Docker host, you can skip this—just connect that machine to WireGuard and use docker bridge networks.

Once clients connect, they'll get an IP in 10.0.0.0/24 and can ping homelab devices (assuming your homelab's firewall allows it). Test from your client:

sudo wg-quick up ~/wg-clients/client1.conf
ping 10.0.0.1  # Should get a response from the VPS
ping 192.168.1.100  # Replace with actual homelab device IP

Using WireGuard with Docker (Optional but Recommended)

If you prefer not to touch your VPS's host system directly, run WireGuard in a container. Here's a Docker Compose setup using linuxserver/wireguard:

cat > docker-compose.yml <

The container auto-generates configs for your peers in ./wireguard/peers. This is cleaner if you're already running Docker on your VPS.

Security Hardening

A few final touches:

  • Firewall rules: Only expose 51820/UDP. Block everything else. On your VPS, install UFW: sudo ufw allow 22/tcp && sudo ufw allow 51820/udp && sudo ufw enable
  • Rotate keys regularly: Once a year, regenerate server and client keys and redistribute configs.
  • Monitor connections: Run sudo wg show weekly to see active peers and last handshake times. If a peer hasn't handshaken in days, it's likely offline.
  • Use strong DNS: I set clients to use Quad9 (9.9.9.9) or Cloudflare (1.1.1.1) instead of ISP DNS. This prevents DNS leaks if the VPN drops.

Connecting on Mobile and Desktop

For Android and iOS, download the official WireGuard app from the Play Store or App Store. Generate a QR code for your client config:

qrencode -t ansiutf8 < ~/wg-clients/client1.conf

Open the WireGuard app, tap the + icon, and scan. Done. For desktop (macOS, Linux, Windows), download the official WireGuard client, import the config file, and toggle the connection.

What's Next?

You now have a private tunnel to your homelab that's faster and more secure than any port-forwarding hack. From here, I'd recommend:

  • Set up a reverse proxy (Caddy or Traefik) behind the VPN to access multiple services with a single domain.
  • Add Tailscale on top for even easier peer-to-peer access between personal devices (it doesn't replace WireGuard; it complements it).
  • Use this VPN connection as your "trusted network" for stricter authentication rules on sensitive services like Vaultwarden or Nextcloud.

WireGuard is one of the few infrastructure decisions I've made that I've never regretted. It's simple, it works, and it gets out of your way.

Discussion