The WireGuard VPN server provides you with a secure way of dialing into your own network to access your services without having to expose them to public access using a subdomain and proxy manager. Instructions for setting it up are provided at its wiki, but after updating Podman beyond 5.0 I discovered I couldn’t get it to run rootless. If you’re happy to run it rootful, try adapting the following script:
# Fill in these three values first; the comments say what each one expects
WG_HOST='vpn.example.com'     # your subdomain or home network's public IP address - see 'Set up domain forwarding' below
PASSWORD_HASH='$2b$12$...'    # bcrypt hash of the admin password - generate this yourself; keep the single quotes so the shell leaves the '$' alone
WG_DEFAULT_DNS=192.168.0.1    # eg your router's IP address or the IP address of your Pi-hole instance (must be a host address, not the network address)
sudo podman run -d \
  --replace \
  --name=wg-easy \
  -p=51820:51820/udp \
  -p=51821:51821/tcp \
  -e WG_HOST="$WG_HOST" \
  -e PASSWORD_HASH="$PASSWORD_HASH" \
  -e WG_MTU=1420 \
  -e WG_ALLOWED_IPS=192.168.0.0/24 \
  -e WG_PERSISTENT_KEEPALIVE=25 \
  -e WG_DEFAULT_DNS="$WG_DEFAULT_DNS" \
  -v ~/container-data/.wg-easy:/etc/wireguard \
  --cap-add=NET_ADMIN,NET_RAW,SYS_MODULE \
  --cap-drop=MKNOD,AUDIT_WRITE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  ghcr.io/wg-easy/wg-easy:latest
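To catch the mistakes that bite most often with this script before the container starts, here is an added Python check (not part of the article or of the wg-easy project) over the environment variables the script sets: a WG_HOST that roaming clients could never reach, a PASSWORD_HASH mangled by shell expansion, and a WG_DEFAULT_DNS that is either the network address rather than a host or lies outside WG_ALLOWED_IPS, so client DNS queries would bypass the tunnel. The sample values are constructed placeholders; the hostname pattern and the 1280 to 1500 MTU range are my own assumptions.

```python
import ipaddress
import re

# Constructed sample matching the variables the article's podman script sets.
# Every value is a placeholder, not real infrastructure.
SAMPLE_ENV = {
    "WG_HOST": "vpn.example.com",
    "PASSWORD_HASH": "$2b$12$" + "a" * 53,  # bcrypt-shaped placeholder
    "WG_MTU": "1420",
    "WG_ALLOWED_IPS": "192.168.0.0/24",
    "WG_DEFAULT_DNS": "192.168.0.1",
}

BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def check_wg_env(env):
    """Return the list of problems found in a wg-easy environment mapping."""
    problems = []
    host = env.get("WG_HOST", "")
    try:  # WG_HOST may be a literal IP; if so it has to be a public one
        if ipaddress.ip_address(host).is_private:
            problems.append("WG_HOST is a private address; roaming clients cannot reach it")
    except ValueError:  # not an IP, so it must look like a hostname
        if not HOSTNAME_RE.match(host):
            problems.append("WG_HOST is neither a public IP nor a valid hostname")
    if not BCRYPT_RE.match(env.get("PASSWORD_HASH", "")):
        problems.append("PASSWORD_HASH is not a bcrypt hash (check shell quoting of '$')")
    mtu = env.get("WG_MTU", "1420")
    if not mtu.isdigit() or not 1280 <= int(mtu) <= 1500:
        problems.append("WG_MTU must be a number between 1280 and 1500")
    allowed = []
    for cidr in env.get("WG_ALLOWED_IPS", "").split(","):
        try:  # strict=True rejects host bits set inside the prefix
            allowed.append(ipaddress.ip_network(cidr.strip(), strict=True))
        except ValueError:
            problems.append(f"WG_ALLOWED_IPS entry {cidr.strip()!r} is not a valid network")
    for dns in env.get("WG_DEFAULT_DNS", "").split(","):
        try:
            addr = ipaddress.ip_address(dns.strip())
        except ValueError:
            problems.append(f"WG_DEFAULT_DNS entry {dns.strip()!r} is not an IP address")
            continue
        inside = [n for n in allowed if addr in n]  # only these routes go via the tunnel
        if not inside:
            problems.append(f"DNS {addr} is outside WG_ALLOWED_IPS, so queries bypass the tunnel")
        elif any(addr == n.network_address for n in inside):
            problems.append(f"DNS {addr} is a network address, not a resolver")
    return problems
```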
To create a service that automatically starts WireGuard with your server:
sudo podman generate systemd --new --name wg-easy -f
sudo mv -v container-wg-easy.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable container-wg-easy
Set up domain forwarding
The simplest way to ensure you can always reach your home VPN server is to connect through a domain that’s permanently redirecting to your home network’s WAN IP address. This requires two elements: the domain itself, of course, but also a dynamic DNS client that can detect when your WAN IP address changes and inform your domain provider of the new address, so people are seamlessly redirected to the correct location.
If you already have a domain name and DDNS client set up to direct traffic to your server – such as Vaultwarden, Motion, Jellyfin or one of the other many server projects we’ve covered in recent years – then all the hard work is done. Just enter that domain into the Endpoint field in Wg Server for Windows or use it for the WG_HOST variable in the WireGuard Easy container. As soon as you set up your router to forward port 51820 to the server running WireGuard everything is in place for your VPN server to work seamlessly.
If you don’t have anything pointing to your WAN IP, you have a choice: if you own a domain, simply set up a subdomain within your domain provider’s web interface to point to it; if not, take advantage of a free hostname from the likes of No-IP (www.no-ip.com). In both cases, setting up the subdomain or hostname is only half the story – you also need to install and configure a dynamic DNS client on any device on your network to ensure that when your WAN IP address changes, your hostname or subdomain is updated to point to the new address.
You have several choices here – we use LinuxServer’s ddclient container (https://docs.linuxserver.io/images/docker-ddclient/), but check with your domain provider.
Set up connections
After the container is up and running, access the web interface through your web browser at http://192.168.x.y:51821 – enter the admin password you added to the Podman script to log into the main web interface.
You’ll be shown a basic screen inviting you to set up your clients – click ‘+ New Client’ to do so. The client configuration process is even easier than WS4W’s – just give it a suitably descriptive name and you’re good to go. It’ll be assigned an IP address and all you need to do is set up your client using the links to either view a QR code or download the configuration file.
The web interface also shows when a client is connected and shows the amount of data being uploaded and downloaded. There are fewer configuration options than those offered by Wg Server – these should be defined in the Podman script when creating the container. You can also tweak settings like the DNS server from the WireGuard client if you need to.