WireGuard VPN Setup for Home Server Access

WireGuard has displaced OpenVPN as the VPN of choice for home server access. It's faster, simpler, and uses modern cryptography. The configuration that takes OpenVPN pages of dense text reduces to a handful of clear lines in WireGuard. Here's how to set it up properly.

Server Configuration

Generate key pairs for the server:

wg genkey > server_private.key
wg pubkey < server_private.key > server_public.key

The server configuration file (/etc/wireguard/wg0.conf):

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

The PostUp/PostDown rules let the firewall forward packets arriving on wg0 and NAT them out through eth0, so clients can reach the internet (and the LAN) through the VPN; they are added when the interface comes up and removed when it goes down. Kernel IP forwarding itself is a separate sysctl setting, covered below. Adjust eth0 to match your network interface name.

Client Configuration

Generate keys for each client using the same commands. The client configuration mirrors the server with the keys reversed:

[Interface]
PrivateKey = <client_private_key>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server_public_key>
Endpoint = yourhome.dyndns.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

AllowedIPs = 0.0.0.0/0 routes all of the client's traffic through the VPN (full tunnel). For split tunneling (only the home network goes through the tunnel), use AllowedIPs = 10.0.0.0/24; that range covers the VPN subnet itself, so if your home LAN uses a different range, list it alongside.

IP Forwarding and NAT

Enable IP forwarding on the server:

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

This lets the server forward packets between the VPN interface and the LAN. Without it, connected clients can reach the VPN server itself but can't access other devices on your home network.

Mobile Clients

WireGuard apps exist for iOS and Android. The configuration transfers via QR code. Generate the config file, then in the WireGuard app, tap "Create from QR code" and scan. The mobile experience is native and fast—the VPN connects automatically when you enable it.

The PersistentKeepalive value (25 seconds) keeps NAT mappings alive on mobile networks. Without it, the carrier's NAT state expires during idle periods and the tunnel appears dead when you resume use. 25 seconds is infrequent enough not to cost noticeable data, yet frequent enough to hold the NAT mapping open.

Managing Multiple Peers

Add peers by appending [Peer] blocks to the server config and restarting. For larger deployments, a configuration management tool helps. Tailscale builds on WireGuard with automatic key exchange and management—a mesh VPN that handles peer discovery without manual configuration. For teams or families with changing devices, Tailscale reduces maintenance overhead significantly.
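As an added example (not from the original article), a POSIX sh script that automates the per-client steps above: it picks the next free address from the server's existing [Peer] blocks, generates the client key pair with restrictive file permissions, appends the /32 peer entry to the server config, writes the mirrored client config, and loads it with wg syncconf so existing tunnels stay up instead of restarting the interface. The config paths, the output directory and the 10.0.0.0/24 subnet with the server at .1 are assumptions.

```shell
#!/bin/sh
# add-peer.sh: add one client to the server config shown above and write its client
# config. Assumed (not from the page): paths below, VPN subnet 10.0.0.0/24, server at .1.
set -eu
WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
OUT_DIR="${OUT_DIR:-/etc/wireguard/clients}"
ENDPOINT="${ENDPOINT:-yourhome.dyndns.com:51820}"

# Lowest unused host number in 10.0.0.0/24, reading the server config on stdin.
# Host 1 is the server; each existing peer's AllowedIPs /32 marks a used host.
next_free_host() {
    used=$(sed -n 's/^AllowedIPs *= *10\.0\.0\.\([0-9][0-9]*\)\/32.*/\1/p' | sort -n)
    n=2
    for u in $used; do
        if [ "$u" -eq "$n" ]; then n=$((n + 1)); fi
    done
    if [ "$n" -ge 255 ]; then echo "10.0.0.0/24 is full" >&2; return 1; fi
    echo "$n"
}

# [Peer] block for the server side: exactly one /32 per client, never a wider range.
server_peer_block() { # args: client_pubkey host name
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = 10.0.0.%s/32\n' "$3" "$1" "$2"
}

# Client config with the keys reversed; 4th arg selects full (0.0.0.0/0) or split tunnel.
client_conf() { # args: client_privkey server_pubkey host allowed_ips
    printf '[Interface]\nPrivateKey = %s\nAddress = 10.0.0.%s/24\nDNS = 1.1.1.1\n\n' "$1" "$3"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
        "$2" "$ENDPOINT" "$4"
}

add_peer() { # args: name [allowed_ips]
    name=$1; allowed=${2:-0.0.0.0/0}
    umask 077                           # key files are created owner-readable only
    host=$(next_free_host < "$WG_CONF")
    priv=$(wg genkey); pub=$(printf '%s\n' "$priv" | wg pubkey)
    server_pub=$(sed -n 's/^PrivateKey *= *//p' "$WG_CONF" | wg pubkey)
    mkdir -p "$OUT_DIR"
    server_peer_block "$pub" "$host" "$name" >> "$WG_CONF"
    client_conf "$priv" "$server_pub" "$host" "$allowed" > "$OUT_DIR/$name.conf"
    # Load the new peer without dropping existing tunnels (no interface restart needed).
    wg-quick strip wg0 > "$OUT_DIR/.stripped"
    wg syncconf wg0 "$OUT_DIR/.stripped"; rm -f "$OUT_DIR/.stripped"
    echo "$OUT_DIR/$name.conf"
}

# Constructed sample server config (two peers, host 3 free) for dry-running the allocator.
SAMPLE_CONF=$(printf '[Interface]\nAddress = 10.0.0.1/24\n\n[Peer]\nAllowedIPs = 10.0.0.2/32\n\n[Peer]\nAllowedIPs = 10.0.0.4/32\n')
if [ -n "${1:-}" ]; then add_peer "$@"; fi   # e.g. ./add-peer.sh phone 10.0.0.0/24
```

Run it as root on the server; the printed path is the file to hand to the client (or to encode as a QR code for the mobile app).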

The trade-off: Tailscale's control plane is a hosted service (with a free tier). Self-hosted enthusiasts stick with raw WireGuard; convenience-first users often prefer Tailscale's managed approach.