One of the most valuable tools in my homelab is a VPN that allows me to securely access internal services from anywhere. After testing multiple solutions, I chose WireGuard—a modern VPN that’s simple to configure, extremely fast, and highly secure.
In this article, I’ll share my full experience setting up WireGuard on Ubuntu Server (running as a VM in Proxmox), including installation, configuration, mobile access, and best practices.
Why I Chose WireGuard
WireGuard is a next-gen VPN protocol that offers several advantages:
• 🔒 State-of-the-art cryptography (Curve25519, ChaCha20, etc.)
• ⚡ Blazing-fast performance — better than OpenVPN or IPSec
• 🧩 Simplicity — configuration with just a few lines
• 💡 Cross-platform support — Linux, Windows, macOS, iOS, Android
• 🌐 Ideal for site-to-site, road warrior, or internal mesh setups
1. Installing WireGuard on Ubuntu Server
My WireGuard server runs inside a Proxmox VM with a static IP, Ubuntu 22.04, and UFW enabled.
Step 1: Update System
sudo apt update && sudo apt upgrade -y
Step 2: Install WireGuard
sudo apt install wireguard -y
Or from backports if using an older Ubuntu release:
sudo apt install linux-headers-$(uname -r) wireguard
2. Generate Key Pairs
Each WireGuard peer needs a public/private key pair.
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
Save these files somewhere secure. On the server, store them under /etc/wireguard/.
3. Server Configuration
Create a configuration file:
sudo nano /etc/wireguard/wg0.conf
Example configuration:
[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820
SaveConfig = true
# Optional: NAT for access to LAN
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Enable packet forwarding:
sudo nano /etc/sysctl.conf
Uncomment:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Apply:
sudo sysctl -p
Start the interface:
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
4. Configure Firewall (UFW)
Allow VPN traffic:
sudo ufw allow 51820/udp
sudo ufw allow OpenSSH
Enable routing through UFW:
sudo nano /etc/ufw/before.rules
Above the *filter line, add:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
Enable UFW if it’s not already enabled:
sudo ufw enable
5. Client Configuration
Generate keys on your client (phone, laptop, etc.) or copy them from the server.
Example mobile client config:
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = <server-public-key>
Endpoint = your.domain.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Install the WireGuard app on iOS or Android and scan a generated QR code, or paste manually.
6. Add Client to Server
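In /etc/wireguard/wg0.conf, add the client as a peer. Because the server config sets SaveConfig = true, wg-quick writes the running state back to this file when the interface goes down, so bring the interface down before editing or the new [Peer] block will be overwritten on restart: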
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32
Then reload:
sudo systemctl restart wg-quick@wg0
Check connection:
sudo wg
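Added example (not part of the original article): a small Python check for the server-side wg0.conf built in steps 3 and 6. On the server, a peer's AllowedIPs is the set of source addresses accepted from that peer, so the check assumes each client should hold exactly one /32 (as in step 6) and flags wider or overlapping ranges, unfilled key placeholders, and SaveConfig = true. The function names and sample keys are constructed for illustration.

```python
import base64
import ipaddress

# Constructed keys and sample (not real): this article's server config, trimmed, plus two peers.
K1, K2 = (base64.b64encode(bytes([n]) * 32).decode() for n in (1, 2))
SAMPLE = f"""[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
SaveConfig = true
[Peer]
PublicKey = {K1}
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = {K2}
AllowedIPs = 10.0.0.0/24
"""

def parse(text):  # -> [(section, {key: [values]})]; [Peer] and keys like PostUp may repeat
    sections = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in "="
            sections[-1][1].setdefault(key.strip().lower(), []).append(value.strip())
    return sections

def valid_key(value):
    try:  # WireGuard keys are 32 bytes, base64-encoded; unfilled placeholders fail
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def audit(text):  # review findings for a server-side wg-quick config
    findings, seen = [], []
    for name, kv in parse(text):
        key = (kv.get("privatekey") or kv.get("publickey") or [""])[0]
        if not valid_key(key):
            findings.append(f"[{name}] key is missing or not 32-byte base64")
        if kv.get("saveconfig", [""])[0].lower() == "true":
            findings.append("SaveConfig=true: file is rewritten from live state on shutdown")
        nets = [ipaddress.ip_network(c.strip(), strict=False)
                for v in kv.get("allowedips", []) for c in v.split(",") if c.strip()]
        for net in nets:
            if net.prefixlen < net.max_prefixlen:
                findings.append(f"peer {key[:8]}: AllowedIPs {net} is wider than one host")
            findings += [f"peer {key[:8]}: {net} overlaps {o}"
                         for o in seen if o.version == net.version and o.overlaps(net)]
        seen += nets
    return findings
```

A wider range is legitimate for a site-to-site peer that routes a whole LAN, so treat that finding as a prompt to confirm intent rather than an error.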
7. Optional Enhancements
• 🔐 Use DNS names with Dynamic DNS (DuckDNS, Cloudflare, etc.)
• 📱 Use QR codes for mobile client config
• 🔄 Automate startup using systemd
• 📶 Monitor uptime with uptime-kuma or ping services
• 🌍 Site-to-site VPN: Add multiple peers and route between LANs
Conclusion
Setting up WireGuard in my homelab was one of the best decisions for secure remote access. It’s incredibly lightweight, fast, and easy to manage compared to older VPN solutions. I now access my internal services (Proxmox, Nextcloud, SSH, etc.) securely from anywhere, without relying on third-party platforms.
Whether you’re a homelab enthusiast or a small business owner, WireGuard is the perfect VPN solution for privacy, simplicity, and speed.