DIY VPN Setup: How I Secured My Home Network with WireGuard

Created at 2024-10-29 Updated at 2025-02-07 - 4 min. read Tag vpn, wireguard, networking

Setting Up a Personal VPN with WireGuard

Introduction

Managing multiple devices on a home network can be challenging, especially when ensuring they remain inaccessible from public networks. Instead of opting for a paid VPN, I decided to set up my own. After researching, I narrowed my options down to three VPN solutions:

  • OpenVPN: Feature-rich but complex and more suited for corporate environments.
  • Tinc: Decentralized but has poor documentation and lacks online support.
  • WireGuard: Lightweight, easy to configure, and widely recommended.

I chose WireGuard due to its simplicity and strong security.


VPN Architecture

I opted for a star topology, where a single server handles multiple clients connecting to it.


Setting Up WireGuard on Ubuntu (Server)

Step 1: Install WireGuard

sudo apt update
sudo apt install wireguard

This installs two key binaries:

  • wg - Manages WireGuard interfaces.
  • wg-quick - A helper script to start/stop WireGuard interfaces.

Step 2: Generate Keys

sudo -s
umask 077
cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey

Step 3: Configure the Server

Create the configuration file /etc/wireguard/wg0.conf:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <replace_with_privatekey>

# Re-apply the private key from the file generated in Step 2
PostUp = wg set %i private-key /etc/wireguard/privatekey
# Allow forwarding from the tunnel to eth0 and NAT the traffic (adjust eth0 to your outbound interface)
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
# Remove the same rules when the interface goes down
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Step 4: Start the VPN

wg-quick up wg0
wg # Check WireGuard status
systemctl enable wg-quick@wg0 # Enable at boot

Step 5: Enable IP Forwarding

Edit /etc/sysctl.conf:

net.ipv4.ip_forward=1

Then apply the changes:

sysctl -p


Setting Up WireGuard on Ubuntu (Client)

Step 1: Install and Generate Keys

Follow steps 1-3 as above.

Step 2: Configure the Client

Create /etc/wireguard/wg0.conf:

[Interface]
Address = 10.0.0.2/32
PrivateKey = <replace_with_privatekey>

[Peer]
PublicKey = <server_public_key>
Endpoint = <server_public_ip>:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25

Step 3: Update Server Configuration

On the server, add the client details to /etc/wireguard/wg0.conf:

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

Restart the WireGuard interface:

wg-quick down wg0 && wg-quick up wg0

To reload without downtime:

wg syncconf wg0 <(wg-quick strip wg0)

Step 4: Start WireGuard on Client

wg-quick up wg0
wg # Verify connection

Setting Up WireGuard on Android

Step 1: Generate Client Configuration

On the server:

sudo apt install qrencode
sudo mkdir -p /etc/wireguard/clients
# Restrictive umask so the mobile private key is not created world-readable
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/clients/mobilekey | wg pubkey | tee /etc/wireguard/clients/mobilekey.pub'

Create the file /etc/wireguard/clients/mobile.conf:

[Interface]
PrivateKey = <replace_with_mobilekey>
Address = <your_vpn_private_ip>/24

[Peer]
PublicKey = <server_public_key>
# Route the whole VPN subnet through the tunnel, as in the Ubuntu client config
AllowedIPs = 10.0.0.0/24
Endpoint = <server_wan_ip>:51820

Generate a QR code for easy setup:

qrencode -t ansiutf8 < /etc/wireguard/clients/mobile.conf

Step 2: Configure on Android

  • Install the WireGuard app.
  • Scan the generated QR code.
  • Save and activate the connection.
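
As an added example (not code from the original post), here is a small Python check for two AllowedIPs mistakes this star topology invites: a server [Peer] entry that reuses another client's address, and a client whose AllowedIPs does not cover the server's tunnel address. The function names, the sample configs and the use of 10.0.0.1 as the server address to test are assumptions made for illustration.

```python
import ipaddress

def parse_wg_conf(text):
    """Parse wg-quick INI text into a list of (section, {key: [values]})."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1].setdefault(key.lower(), []).append(value)
    return sections

def networks(fields, key):
    """Every CIDR listed under key (comma-separated; the key may repeat)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for value in fields.get(key, []) for item in value.split(",") if item.strip()]

def audit_server(text):
    """Hub check: no two [Peer] blocks may claim overlapping AllowedIPs."""
    findings, claimed = [], []
    peers = [f for name, f in parse_wg_conf(text) if name == "peer"]
    for idx, fields in enumerate(peers, 1):
        nets = networks(fields, "allowedips")
        findings += [f"peer {idx}: {net} overlaps peer {j} ({other})"
                     for net in nets for j, other in claimed if net.overlaps(other)]
        claimed += [(idx, net) for net in nets]
    return findings

def audit_client(text, server_tunnel_ip):
    """Spoke check: the server's tunnel address must fall inside AllowedIPs."""
    target = ipaddress.ip_address(server_tunnel_ip)
    peers = [f for name, f in parse_wg_conf(text) if name == "peer"]
    return [f"peer {idx}: AllowedIPs do not cover {target}"
            for idx, fields in enumerate(peers, 1)
            if not any(target in net for net in networks(fields, "allowedips"))]

# Constructed sample input (not taken from a real deployment).
SERVER_CONF = """[Interface]
Address = 10.0.0.1/24
[Peer]  # laptop
AllowedIPs = 10.0.0.2/32
[Peer]  # phone, copied from the laptop entry without changing the address
AllowedIPs = 10.0.0.2/32
"""
MOBILE_CONF = "[Peer]\nAllowedIPs = 10.0.0.0/32\nEndpoint = <server_wan_ip>:51820\n"
if __name__ == "__main__":
    print(audit_server(SERVER_CONF), audit_client(MOBILE_CONF, "10.0.0.1"))
```

When two peers claim the same prefix, WireGuard keeps it only on the peer configured last, so the earlier client silently loses its route.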

Conclusion

With WireGuard, setting up a personal VPN is simple, efficient, and cost-effective. This setup ensures secure remote access to your home network without exposing devices to the public internet.

Enjoy your secure, private VPN!

Site by Ashutosh Kumar Singh using Hexo & Random
