The Tech Pulse

Ubuntu Server - WireGuard

WireGuard VPN Setup for the $0 Home Server

WireGuard is a lightweight, secure VPN that allows you to access your home server and network from anywhere in the world. Below is a detailed breakdown of how to set up WireGuard on your home server using PiVPN, along with tips for port forwarding, dynamic DNS, and configuration.


Why Use WireGuard?

  • Access your home network remotely: Access files, media (e.g., Jellyfin), or network devices as if you were connected locally.
  • Secure connection: Encrypt all your data between your remote device and home network.
  • Fast and lightweight: WireGuard is known for being more efficient than older VPN solutions (like OpenVPN or IPsec).
  • Open-source and free: No need for paid VPN services or subscriptions.

Step-by-Step Guide to Set Up WireGuard on Your Home Server

1. Set Up Dynamic DNS with DuckDNS

Since most ISPs don’t provide static IPs, you’ll need a dynamic DNS (DDNS) service. DuckDNS creates a domain that always points to your current public IP.

  1. Go to DuckDNS and sign up (you can use Google or other accounts).
  2. Create a domain (e.g., myhomeserver.duckdns.org).
  3. Go to the Install section on DuckDNS and select Linux cron for installation.
  4. Follow the instructions to add the DuckDNS update command to your server's crontab:
    crontab -e
    Add the following line:
    */5 * * * * curl -s "https://www.duckdns.org/update/[yourdomain]/[yourtoken]" >/dev/null 2>&1
    • This command updates your DuckDNS IP every 5 minutes. TLS certificate verification is left on (no -k), because the URL carries your DuckDNS token.

2. Port Forwarding on Your Router

To allow remote devices to connect to your WireGuard server, you need to forward port 51820 (default for WireGuard).

  1. Log in to your router’s admin panel (usually at 192.168.1.1 or 192.168.0.1).
  2. Find the Port Forwarding section (sometimes called NAT or Virtual Server).
  3. Create a rule to forward UDP traffic on port 51820 to your home server’s local IP (the one you reserved earlier).
    • Example:
      Port: 51820
      Protocol: UDP
      Internal IP: 192.168.x.x

3. Install WireGuard via PiVPN

The PiVPN utility simplifies WireGuard installation, even though it’s designed for Raspberry Pi. It works perfectly on Ubuntu Server.

  1. SSH into your server and run the following command to install PiVPN:

    curl -L https://install.pivpn.io | bash
  2. Follow the installation steps:

    • Select WireGuard as the VPN type.
    • Use default port 51820 (the one you forwarded).
    • Choose Cloudflare or another DNS provider.
    • When asked for IP or DNS entry, input your DuckDNS domain (e.g., myhomeserver.duckdns.org).
    • Enable unattended upgrades for security updates.
  3. After installation, reboot your server:

    sudo reboot

4. Create WireGuard Client Configuration

You need to create a client configuration for every device (e.g., phone, laptop) that will connect to your VPN.

  1. SSH into your server and run:

    pivpn add
    • Give the client a name (e.g., phone or laptop).
  2. Generate a QR code for easy setup:

    pivpn -qr
  3. Open the WireGuard app (available for Android, iOS, Windows, macOS) on the device you want to connect.

    • Use the “Add by QR code” option to scan the QR code displayed on your terminal.

5. Connect to Your Home Server via WireGuard

  1. Open the WireGuard app on your device.
  2. Toggle the VPN connection on.
  3. If successful, you’ll see both data sent and received counters increase.

This confirms that your VPN is working, and you are connected to your home network remotely.


6. Optimize the VPN Configuration (Optional)

If you want to route only local traffic (like accessing Jellyfin or Samba shares) through the VPN while keeping your internet traffic on your regular network, you can create a split-tunnel configuration.

  1. Duplicate the WireGuard profile on your device and name it something like Local Only.

  2. Edit the AllowedIPs section:

    • Change the value to your local network’s range (e.g., 192.168.1.0/24).
  3. On iOS, go to On-demand activation settings:

    • Enable both Cellular and Wi-Fi.
    • Exclude your home network’s SSID to prevent unnecessary VPN activation while at home.

This configuration ensures that only local network requests go through the VPN, while all other traffic flows through your regular connection.
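
The same edit can be scripted on the server instead of done in the app. The following is an added example, not part of the original guide: it copies a client profile, rewrites only AllowedIPs, and keeps the copy owner-readable because it contains the client's private key. The function names, file names and the sample profile with placeholder keys are constructed for illustration.

```bash
# Added example (not from the original guide). make_split_profile,
# is_full_tunnel and the sample profile below are constructed for illustration.

# make_split_profile SRC DST CIDR
# Copy profile SRC to DST, replacing the AllowedIPs value with CIDR.
make_split_profile() {
    # Accept exactly one IPv4 range such as 192.168.1.0/24, nothing else.
    if ! printf '%s\n' "$3" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
        echo "invalid IPv4 CIDR: $3" >&2
        return 1
    fi
    # The profile holds the client's private key: create it owner-only.
    ( umask 077
      sed -E "s|^[[:space:]]*AllowedIPs[[:space:]]*=.*|AllowedIPs = $3|" "$1" > "$2" ) &&
        chmod 600 "$2"
}

# is_full_tunnel FILE: succeeds if the profile still routes all IPv4 traffic.
is_full_tunnel() {
    grep -Eq '^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*(.*[, ])?0\.0\.0\.0/0([, ]|$)' "$1"
}

# Constructed sample profile; the keys are placeholders, not real keys.
sample_profile() {
    cat <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.6.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = myhomeserver.duckdns.org:51820
AllowedIPs = 0.0.0.0/0, ::0/0
EOF
}

# Demo: derive a "Local Only" profile and show the rewritten line.
demo_dir=$(mktemp -d)
sample_profile > "$demo_dir/phone.conf"
make_split_profile "$demo_dir/phone.conf" "$demo_dir/phone-local-only.conf" 192.168.1.0/24
grep '^AllowedIPs' "$demo_dir/phone-local-only.conf"
```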


7. Test Remote Access

  1. Turn off Wi-Fi on your phone to simulate being outside your home network.
  2. Enable WireGuard VPN on your phone.
  3. Open a browser and try accessing:
    http://192.168.x.x:8096
    
    (Your Jellyfin media server should load.)

8. Security Tips for WireGuard

  • Use strong passwords for your server’s SSH and PiVPN configurations.
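  • Enable a firewall on your server. Allow SSH before enabling ufw, otherwise you will lock yourself out of the SSH session you are using:
    sudo ufw allow ssh
    sudo ufw allow 51820/udp
    sudo ufw enable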
  • Monitor connections: You can view active VPN connections by running:
    sudo wg show
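
For routine monitoring, the machine-readable form of the same command is easier to filter. The following is an added example, not part of the original guide: it reads `wg show <iface> dump` output and lists peers that are currently active and client profiles that have never been used or have gone unused for a long time. The function names, the interface name wg0 and the sample dump with placeholder keys are assumptions made for illustration.

```bash
# Added example (not from the original guide): summarise `wg show <iface> dump`.
# Peer lines are tab-separated: public-key, preshared-key, endpoint,
# allowed-ips, latest-handshake (epoch seconds), rx bytes, tx bytes, keepalive.
# The first line describes the interface itself and is skipped.

# active_peers NOW MAX_AGE: peers with a handshake in the last MAX_AGE seconds.
# Prints: public-key endpoint seconds-since-handshake
active_peers() {
    awk -F'\t' -v now="$1" -v max="$2" '
        NR > 1 && $5 > 0 && now - $5 <= max { print $1, $3, now - $5 }'
}

# stale_peers NOW MAX_AGE: profiles never used, or unused for MAX_AGE seconds.
# These are candidates for revocation.
stale_peers() {
    awk -F'\t' -v now="$1" -v max="$2" '
        NR > 1 && $5 == 0        { print $1, "never"; next }
        NR > 1 && now - $5 > max { print $1, now - $5 }'
}

# Constructed sample dump; keys are placeholders, addresses are documentation ranges.
sample_dump() {
    printf 'SERVER_PRIVKEY_PLACEHOLDER\tSERVER_PUBKEY_PLACEHOLDER\t51820\toff\n'
    printf 'PHONE_PUBKEY_PLACEHOLDER\t(none)\t203.0.113.7:40212\t10.6.0.2/32\t1700000000\t1048576\t5242880\toff\n'
    printf 'LAPTOP_PUBKEY_PLACEHOLDER\t(none)\t(none)\t10.6.0.3/32\t0\t0\t0\toff\n'
    printf 'TABLET_PUBKEY_PLACEHOLDER\t(none)\t198.51.100.9:51011\t10.6.0.4/32\t1690000000\t2048\t4096\toff\n'
}

# Demo with a fixed clock; on the server (assuming the interface is wg0) use:
#   sudo wg show wg0 dump | active_peers "$(date +%s)" 180
sample_dump | active_peers 1700000100 180
sample_dump | stale_peers 1700000100 7776000   # 90 days
```

A profile reported by stale_peers that is no longer needed can be revoked with `pivpn remove`.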

Summary

With WireGuard set up, your home server is now accessible from anywhere in the world. You can:

  • Stream media using Jellyfin remotely.
  • Access files via Samba shares securely.
  • Wake up devices remotely with Wake-on-LAN.
  • Use a split-tunnel VPN to route only local traffic through the VPN while maintaining normal internet speed.

WireGuard is lightweight, fast, and perfect for secure remote access. Combined with DuckDNS and port forwarding, you now have a fully functional home server VPN that costs $0 to set up.