FRESH

Hacker News

Setting up a home VPN server with WireGuard (2019)

82 points by kayaroberts

by age123456gpg

0 subcomment

You can create prefixed keys (aka vanity key) for each peer using https://github.com/AlexanderYastrebov/wireguard-vanity-key

    $ wireguard-vanity-key --prefix=mac/
    private                                      public                                       attempts   duration   attempts/s
    Mtvsq5urRK/HRE1EfqTkZ9dtBNNBjSVPbqYBZ/BL4Qw= mac/t3wcAUhyZUti7OM4KsGQ7/V00HPRmzI3agaSplM= 37258118   1s         70119328

    $ wireguard-vanity-key --prefix=ipad/
    private                                      public                                       attempts   duration   attempts/s
    hJXdv5FKyem2WqWzduSaEhEw1H4b+6BGTIqJeYu9H1c= ipad/s6w2nBEDhmuEl/xyLeohEbfc5MWUy5D8dJHgAs= 158299886  2s         69564916

by cyphax

2 subcomments

I've had wireguard in a container for a few years, and it's never failed me. I will say it took me a long time to get the firewall part of the configuration right but the configuration is otherwise simple. When I'm on the road I can access all the things I self host, which I don't have to expose anything of to the outside world.
I also really like using qr codes to transfer a configuration to a phone (mostly used by me once when I replaced my phone): https://www.cyberciti.biz/faq/how-to-generate-wireguard-qr-c...

by dang

0 subcomment

Discussed at the time:
Setting up a home VPN server with WireGuard - https://news.ycombinator.com/item?id=21421365 - Nov 2019 (198 comments)

by paulgerhardt

1 subcomments

[2019]
(In 2025, using Tailscale simplifies a lot of the configuration and reachability parts. This guide omits a lot of the hurdles one will run into with NAT traversal and the macOS section is a little dated.)

by torium

2 subcomments

I am also one of those people who "don’t usually do a lot of networking stuff", so here's a question.

The article contains this:

    #replace eth0 with the interface open to the internet (e.g might be wlan0 if wifi)
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

However, I use mullvad and the .conf files that they provide contains none of this, and works just fine. It contains just: interface, private key, address, dns and peer public key, allowed ips, entrypoint.

So, which one is right and why?

by spott

1 subcomments

I have a wireguard server at home, and it is great.
The iPhone and Mac official wireguard clients allow you to set “excluded” wireless SSIDs, so if you are out and about, and not on a SSID that matches one of your excluded SSIDs, you are automatically connected to wireguard.
I have it setup to dump me onto my home network (it doesn’t NAT me behind the wireguard server) so I’m just always on my home network. By default, I only route home network traffic through wireguard, but I’ve also routed everything when I need to.
The whole configuration is in a Nixos configuration file as well, which is nice.
One of these days I should write up something about my homelab…

by pseudosavant

3 subcomments

I love Wireguard, but if you want to do this, I think there are only two ways that make sense for most users.
The best option is just to use tailscale, either on your router or on a device on the network that is always on, and set it as an exit node. It uses Wireguard under-the-hood, and it way easier to setup.
If you really must use Wireguard directly, get a router like a GL.iNet with OpenWRT that has a Wireguard server built-in. It'll handle creating certs for users, etc.

by billy99k

1 subcomments

I love WireGuard and use it when I'm traveling. I bought a cheap Lenovo mini-pc, installed Debian, and use it as a dedicated VPN server.

by Apreche

5 subcomments

> If you don’t have a static IP, you’ll probably want to set up dynamic DNS, too.
Setting up Wireguard is easy. THIS is the hard problem that needs solving. I’ve never had a good experience with dynamic DNS. I don’t see any way around this without relying on some sort of hosted/cloud service of some kind.

by baq

3 subcomments

+1 to ’just use tailscale’ crowd. I used to run my own WireGuard server and it’s painful compared to tailscale. Note it isn’t bulletproof, but it’s work in most cases, whereas I’ve had trouble with WireGuard being blocked in places I needed it the most.

0 subcomment

by mcoliver

0 subcomment

Good writeup. Love wireguard. PiVPN is also worth checking out and supports wireguard. Bundle with PiHole and you never have to see ads again. Even when out and about.

by guluarte

1 subcomments

https://github.com/wg-easy/wg-easy

by webstrand

2 subcomments

This works wonderfully so long as both clients are not behind a NAT. Then you need something like Tailscale, Netmaker, Innernet, etc.

by westondeboer

0 subcomment

Using mine on an oracle free tier.

by throwaway29812

0 subcomment

[dead]