Home VPN with WireGuard

Monday, April 1, 2024
Tags: guide, security, vpn, docker

Are you connected to a public Wi-Fi network? If so, your online activities may be exposed to prying eyes. Public Wi-Fi networks, found in cafes, airports, and hotels, are notorious for their security vulnerabilities, making them a hotspot for cyber threats.

To protect your privacy and security, setting up a home VPN with WireGuard is a smart move. In this blog post, we'll guide you through the process of creating a home VPN using WireGuard, ensuring your online activities remain private and secure even on public Wi-Fi.

So why is it a smart move to have a VPN at home? With a home VPN, your internet connection is encrypted between your device and your home, safeguarding your data from whoever else is on the public network. All your online activities are routed through a secure tunnel to your home and then out through your ISP (let's assume that your ISP is not spying on you). This way, you can browse the web, access sensitive information, and communicate securely without worrying about prying eyes on the local network.

Additionally, a home VPN allows you to access your home network remotely, providing a secure connection to your devices and files. Bonus points if you have set up a network-wide ad blocker: you can then browse the internet without ads from anywhere.

Why choose WireGuard for your home VPN

WireGuard is a modern VPN protocol that stands out for its simplicity, speed, and state-of-the-art cryptography. It's designed to be much more efficient than older protocols, making it an excellent choice for securing your internet connection. With WireGuard, you can create a private network that encrypts your online activities, keeping you safe from prying eyes.

WireGuard is very easy to set up and manage on Linux-based systems. It's lightweight and fast, ensuring minimal impact on your network performance. Moreover, WireGuard's security features are top-notch, providing robust encryption to protect your data from potential threats.

What we will use

There are several ways to set up a home VPN. This guide is more or less how I did it. I like to reuse old hardware, so I used an old desktop computer, stripped it down to the essentials and installed Debian on it. This is my home server.

My router is a new one, but even old routers can do the job. You will need to have access to the router to configure port forwarding. This is necessary to allow external VPN connections to your home server.

Due to the simplicity of managing services in docker, I decided to run WireGuard in a docker container. This way, I can easily manage the VPN service and keep it isolated from the rest of the system. It introduces a bit of overhead, but it's worth it.

Finally, we will need a public domain name. This is optional, but it makes it easier to connect to your VPN from anywhere. If you don't have a static IP address, you can use a dynamic DNS client such as ddclient (also in a Docker container) to keep the name pointing at your current address.

We will test the VPN connection from a laptop, but you can use any device that supports WireGuard. I have personally tested it on my Android phone and it works like a charm.

Step 1: Preparing the Server

First, I set up a fresh Debian and install Docker, which simplifies running applications by packaging them into containers. I used the following commands to install Docker:

curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh

With Docker installed, you can now set up WireGuard. Create a Docker container for WireGuard, which will handle the VPN connections. I use compose to manage the containers, so I created a docker-compose.yml file with the following content:

services:
  wireguard:

    # Name of the container for easy reference
    container_name: wireguard

    # Docker image for WireGuard. LinuxServer is a trusted source for good quality images.
    image: linuxserver/wireguard

    # Restart the container automatically unless explicitly stopped
    restart: unless-stopped

    # Give the container the capabilities it needs: NET_ADMIN to create the
    # wg0 interface and its routes, SYS_MODULE to load the wireguard kernel module
    cap_add:
      - NET_ADMIN
      - SYS_MODULE

    environment:
      # User and group IDs for the container
      - PUID=1000
      - PGID=1000

      # Timezone for the container. I live in Athens, so I set it to Europe/Athens
      - TZ=Europe/Athens

      # Server url and port for the VPN.
      # Those will be used by the clients to connect to the VPN
      # You can use a static IP address if you have one
      - SERVERURL=homeserver.mydomain.com
      - SERVERPORT=51820

      # List of the allowed peers. I add 2 peers, one for me and one for my wife
      - PEERS=p1,p2

      # auto points the peers' DNS at the WireGuard container, which forwards
      # queries to the DNS server of the host (so a host-side ad blocker is used too)
      - PEERDNS=auto

      # Allowed IPs for the peers. This will ensure that the peers drive all their traffic through the VPN and can access the internet.
      - ALLOWEDIPS=0.0.0.0/0

      # Print the generated peer configs and QR codes to the container log.
      # They contain the peers' private keys, so anyone who can read the
      # docker logs can read them; set to false once the clients are set up.
      - LOG_CONFS=true

    # Ports to expose for the container. WireGuard uses UDP port 51820.
    ports:
      - "51820:51820/udp"

    sysctls:
      # Kernel setting required by the image: make reverse-path filtering honour
      # the firewall mark that WireGuard's routing rules set, otherwise replies
      # to tunnel traffic can be dropped.
      # https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html
      - net.ipv4.conf.all.src_valid_mark=1

    volumes:
      # Mount the necessary directories for the container
      - "/lib/modules:/lib/modules"
      - "/usr/src:/usr/src"

      # Mount the configuration directory for WireGuard. I have a directory called config in my home directory. This is where I store the configuration files for the clients. WireGuard will also generate a QR code as an image for easy client setup.
      - "./config:/config"

Step 2: Configuring Router

For your VPN to be accessible from outside your home network, configure your router to forward incoming connections on port 51820 to your home server. This process varies by router, so consult your router's manual for instructions.

For example, if your home server's local IP address is 192.168.1.100, you would set up port forwarding to forward UDP traffic on port 51820 to 192.168.1.100.

If you have a dynamic IP address, consider using a dynamic DNS service to assign a domain name to your home server. This way, you can connect to your VPN using a domain name instead of an IP address.

If your ISP has placed you behind a NAT (carrier-grade NAT), you will need to ask them to open the port for you or to take you out of the NAT by giving you a public IP address. Otherwise, you won't be able to connect to your VPN from outside your home network.

Step 3: Connecting to the VPN from a Client

On your client device (laptop, smartphone, etc.), install the WireGuard application. For my Debian laptop, I used the NetworkManager WireGuard plugin: https://github.com/max-moser/network-manager-wireguard

Once installed, import the configuration file generated by the WireGuard container on your home server. This file contains the necessary settings to connect to your VPN, including the server URL, port, and encryption keys. If you followed the configuration above, you should have files called p1.conf and p2.conf in the config directory.

After importing the configuration file, you can connect to your home VPN by enabling the WireGuard connection on your client device. You should now have a secure connection to your home network, encrypting your online activities and protecting your privacy.

You can try to access the internet and see if the connection is working. You can also check the WireGuard container logs to troubleshoot any issues. Try to find your public IP from a website like https://whatismyipaddress.com/ and see if it matches your home IP address.

If you are at home and want to test the VPN connection, you can use your phone's data connection to connect to the VPN. This way, you can verify that the VPN is working correctly and protecting your online activities. With disabled VPN you should see your phone's IP address, with enabled VPN you should see your home IP address.
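Once the peers are in use, it is worth checking the server side as well. The script below is my own added example, not part of the original post or of the linuxserver image: it parses the output of `wg show wg0 dump` run inside the container (the `wg` tool is present in the image; the sample dump, the placeholder keys and the 203.0.113.7 endpoint are constructed) and reports, per peer, whether it has handshaked recently, from which endpoint, or never at all.

```shell
#!/bin/sh
# Constructed sample of `wg show wg0 dump` output (tab-separated: one line for
# the interface, then one per peer). Keys are placeholders, not real keys;
# 203.0.113.7 is a documentation address. p1 handshaked recently from the
# road, p2 has not imported its config yet (handshake timestamp 0).
SAMPLE_DUMP=$(
  printf '%s\t%s\t%s\t%s\n' SERVER_PRIVKEY_PLACEHOLDER SERVER_PUBKEY_PLACEHOLDER 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    PEER_P1_PUBKEY_PLACEHOLDER '(none)' 203.0.113.7:40123 10.13.13.2/32 1712000000 1048576 2097152 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    PEER_P2_PUBKEY_PLACEHOLDER '(none)' '(none)' 10.13.13.3/32 0 0 0 off
)

# peer_report DUMP NOW MAX_AGE
# Prints "<allowed-ips> <status> endpoint=<ip:port>" per peer, where status is
# ACTIVE (handshake within MAX_AGE seconds of NOW), STALE (older) or NEVER
# (no handshake since the interface came up).
# Exit status is 0 when at least one peer is ACTIVE, 1 otherwise.
peer_report() {
  printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="$3" '
    NR == 1 { next }                        # interface line: keys and port
    {
      ip = $4; endpoint = $3; hs = $5
      if (hs == 0)              status = "NEVER"
      else if (now - hs > max)  status = "STALE"
      else { status = "ACTIVE"; active++ }
      printf "%s %s endpoint=%s\n", ip, status, endpoint
    }
    END { if (active > 0) exit 0; exit 1 }'
}

# Live use on the home server (needs docker; not run against the sample).
# 180 s is generous: WireGuard re-handshakes about every two minutes while a
# peer is passing traffic, so STALE usually just means "idle", while NEVER
# means the .conf was never imported on that device.
check_live() {
  peer_report "$(docker exec wireguard wg show wg0 dump)" "$(date +%s)" 180
}

# Run the check against the constructed sample, pretending it is 100 s later.
peer_report "$SAMPLE_DUMP" 1712000100 180
```

A peer that shows ACTIVE from an endpoint you do not recognise means its .conf, private key included, is in use on a device you did not set up; removing that name from PEERS and recreating the container generates a fresh key for it.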

Conclusion

Setting up a home VPN with WireGuard offers a robust solution to secure your internet connection, particularly when using public Wi-Fi. By following the steps outlined in this guide, you can enjoy enhanced privacy and security, safeguarding your online activities from threats. WireGuard's simplicity and efficiency make it an excellent choice for anyone looking to protect their digital footprint.

Remember, in the realm of cybersecurity, taking proactive steps is key. By setting up your home VPN, you're not just protecting your data; you're ensuring peace of mind in an increasingly connected world.

This article was generated with the assistance of AI and refined using proofing tools. While AI technologies were used, the content and ideas expressed in this article are the result of human curation and authorship.
