WireGuard – An Extremely Fast and Secure VPN

WireGuard is a fast, modern and secure VPN technology that you can install easily on your homelab. It provides secure, encrypted point-to-point connections over the Internet without compromising connection speed. Compared to other VPNs such as IPsec and OpenVPN, it performs better in terms of both security and speed. Initially released for the Linux kernel, it is now available for almost every platform.

Features

  • Simple and easy to use
  • Uses state-of-the-art cryptography
  • Minimal Attack Surface
  • High Performance

Installation

Most, if not all, OS platforms support WireGuard, so installation is just a matter of installing the software from your package manager. However, the method we found easiest to install and configure is via Docker, using the wg-easy Docker image.

Create a folder for wireguard:

mkdir wireguard
cd wireguard

Inside the folder, create a “docker-compose.yml” file

nano docker-compose.yml

and paste the following content:

services:
  wg-easy:
    environment:
      # Change Language:
      # (Supports: en, ua, ru, tr, no, pl, fr, de, ca, es, ko, vi, nl, is, pt, chs, cht, it, th, hi)
      - LANG=en
      # Required:
      # Change this to your host's public address
      - WG_HOST=your-ip-address

      # Optional:
      - PASSWORD_HASH=enter-your-password-hash-here
      # - PORT=51821
      # - WG_PORT=51820
      # - WG_CONFIG_PORT=92820
      # - WG_DEFAULT_ADDRESS=10.8.0.x
      # - WG_DEFAULT_DNS=1.1.1.1
      # - WG_MTU=1420
      # - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24
      # - WG_PERSISTENT_KEEPALIVE=25
      # - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt
      # - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt
      # - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt
      # - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt
      # - UI_TRAFFIC_STATS=true
      # - UI_CHART_TYPE=0 # (0 Charts disabled, 1 # Line chart, 2 # Area chart, 3 # Bar chart)
      # - WG_ENABLE_ONE_TIME_LINKS=true
      # - UI_ENABLE_SORT_CLIENTS=true
      # - WG_ENABLE_EXPIRES_TIME=true
      # - ENABLE_PROMETHEUS_METRICS=false
      # - PROMETHEUS_METRICS_PASSWORD=$$2a$$12$$vkvKpeEAHD78gasyawIod.1leBMKg8sBwKW.pQyNsq78bXV3INf2G # (needs double $$, hash of 'prometheus_password'; see "How_to_generate_an_bcrypt_hash.md" for how to generate the hash)

    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    volumes:
      - etc_wireguard:/etc/wireguard
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1

volumes:
  etc_wireguard:

There are a few things you need to change in the docker-compose.yml file. The first is your IP address: replace the your-ip-address value with your server's public IP address. You can find it by visiting whatismyip.com.

The second thing to change is the password hash, which protects the WireGuard admin UI with a password login. If you leave it out, the admin UI will be accessible to anyone who can reach it.

Use the following command to generate the password hash:

docker run --rm -it ghcr.io/wg-easy/wg-easy wgpw 'your-password'

For example, for the password “ilovewireguard”, the hash will be:

$ docker run --rm -it ghcr.io/wg-easy/wg-easy wgpw 'ilovewireguard'
PASSWORD_HASH='$2a$12$YtRmaKSf2NpwwPuww3UJYuXCh9MMYQTQ3sC39Ut4sJsLEYfp.CRYi'

Next, double every $ in the hash (each $ becomes $$), because docker compose would otherwise treat $2a and $12 as variable references. The hash then looks like this:

$$2a$$12$$YtRmaKSf2NpwwPuww3UJYuXCh9MMYQTQ3sC39Ut4sJsLEYfp.CRYi

This will be your final password hash which you copy and paste to the docker-compose.yml file.
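As an added example (not from the original post or from the wg-easy project), the following POSIX shell script automates the two error-prone parts of this step: it turns a line exactly as wgpw prints it into the doubled-$ form to paste into docker-compose.yml, and it runs a pre-flight check on a compose file before you bring the container up, flagging a WG_HOST still set to the placeholder, a missing or commented-out PASSWORD_HASH, or a hash pasted in with single $ signs. The three function names, the hostname vpn.example.com and the sample compose fragment are constructed here for illustration; the hash is the one from the example above.

```shell
#!/bin/sh
# Added example (not part of the original post or the wg-easy project):
# helpers for the PASSWORD_HASH step. Assumed/constructed names: the three
# functions below, the sample hostname vpn.example.com, the sample compose text.

# Double every "$" so docker compose treats the bcrypt hash as a literal
# instead of trying to interpolate $2a, $12, ... as variables.
escape_compose_dollars() {
    printf '%s' "$1" | sed 's/\$/$$/g'
}

# Take one line exactly as wgpw prints it, PASSWORD_HASH='$2a$12$...', check
# that the value really is a bcrypt hash (prefix $2x$NN$ and 60 chars in total)
# and print the environment entry to paste into docker-compose.yml.
# Returns 1 (prints nothing) when the input is not a bcrypt hash.
wgpw_to_compose_line() {
    raw=$(printf '%s' "$1" | sed -n "s/^PASSWORD_HASH='\(.*\)'\$/\1/p")
    case "$raw" in
        '$2'[aby]'$'[0-9][0-9]'$'*) ;;
        *) return 1 ;;
    esac
    [ "${#raw}" -eq 60 ] || return 1
    printf '%s\n' "- PASSWORD_HASH=$(escape_compose_dollars "$raw")"
}

# Pre-flight check of a compose file for the two values the post says must be
# changed. Prints one line per problem and returns non-zero if any was found.
check_compose() {
    file=$1
    rc=0
    if grep -q 'WG_HOST=your-ip-address' "$file"; then
        echo "FAIL: WG_HOST still holds the placeholder your-ip-address"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*- PASSWORD_HASH=' "$file"; then
        echo "FAIL: no active PASSWORD_HASH line; the admin UI would be open to anyone"
        rc=1
    elif grep -Eq '^[[:space:]]*- PASSWORD_HASH=\$2[aby]\$' "$file"; then
        echo "FAIL: PASSWORD_HASH uses single \$ signs; docker compose will interpolate them (double each \$)"
        rc=1
    elif ! grep -Eq '^[[:space:]]*- PASSWORD_HASH=\$\$2[aby]\$\$[0-9]{2}\$\$[./A-Za-z0-9]{53}$' "$file"; then
        echo "FAIL: PASSWORD_HASH is not a doubled-\$ bcrypt hash (placeholder still present?)"
        rc=1
    fi
    return "$rc"
}

# Stand-alone demo on a constructed compose fragment that repeats both mistakes:
# placeholder host and the example hash pasted in without doubling the $ signs.
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  wg-easy:
    environment:
      - WG_HOST=your-ip-address
      - PASSWORD_HASH=$2a$12$YtRmaKSf2NpwwPuww3UJYuXCh9MMYQTQ3sC39Ut4sJsLEYfp.CRYi
EOF
if check_compose "$sample"; then
    echo "sample compose file passed"
else
    echo "sample compose file rejected; corrected line:"
    wgpw_to_compose_line "PASSWORD_HASH='\$2a\$12\$YtRmaKSf2NpwwPuww3UJYuXCh9MMYQTQ3sC39Ut4sJsLEYfp.CRYi'"
fi
rm -f "$sample"
```

Run it as a script, or source it and call check_compose docker-compose.yml right before docker compose up -d; a non-zero exit means the admin UI would either be unprotected or the container would fail to parse the hash.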

Lastly, save and close the text editor, then run:

docker compose up -d

Next, go to the URL http://127.0.0.1:51821 and you will be able to access the admin UI.

Wireguard Admin Ui

Usage

With the installation of the WireGuard server, the next thing to do is to configure the client to connect to it.

WireGuard operates on a peer-to-peer basis, so you have to generate a key pair for every client.

In the WireGuard admin UI, click the “New Client” button.

Wireguard New Client

Enter a name for the client, and click “Create”.

The new client will show up in the list. You can either click on the QR icon to display a QR code for you to scan, or download the config file to your client PC.

If you plan to use your WireGuard installation from your phone, download the WireGuard app from the Play Store or the iOS App Store. Open it, tap the “+” button and select “Scan from QR code”.

Wireguard Client List

For Linux PC, you can import the conf file using the command:

sudo nmcli connection import type wireguard file <conf-file>

Note: replace <conf-file> with the full file path to your WireGuard conf file.

You will then be able to connect from the Network Manager interface.

Potential Issues

WireGuard requires a static IP address for clients to connect to. This can be a problem with ISPs that issue dynamic IP addresses to residential users. One solution is to use a Dynamic DNS (DDNS) hostname, so clients always point to the same name even though the IP address behind it keeps changing.

With ISPs that use CG-NAT, WireGuard won’t work at all, since inbound connections cannot reach a server behind the carrier-grade NAT. One solution is to subscribe to a VPS with a static IP address.

Final Thoughts

As you can see, it is very easy to install and set up WireGuard on your homelab. It is very useful when I am overseas, and I need a secure network to do my work. I strongly recommend installing and using WireGuard, particularly when you need an easy way to access a secure network for free.
