Simple Wireguard Setup

21 November 2023

Overview

So you want to set up a VPN between roaming laptops/smartphones and a home network, with all traffic routed over the home network and DNS lookups done by a DNS server on the home network (optional). This is pretty straightforward but can be a bit confusing at times. I've gone through this recently, trying various configurations, and here's what I found that worked.

Basically what I wanted was something that looks like this:

There are multiple "roaming" devices (laptop, smartphone, etc.) that connect to a VPN endpoint behind my firewall/router. The home network is NAT'd, so the firewall forwards the UDP port for WireGuard to my VPN endpoint server. This server then routes data to the local network or through the local gateway back out to the internet.

From a VPN point-of-view it looks something like this:

The laptop/smartphone is configured to route all traffic into the VPN. The VPN Endpoint acts as a gateway into the home network and also routes requests for addresses outside the home network to its local gateway (i.e. out to the internet).

Configuration

Here's the /etc/wireguard/wg0.conf configuration for the VPN Endpoint in this scenario:

[Interface]
#
# The address the VPN Endpoint will use within the VPN.
#
Address = 10.0.0.1

#
# My VPN server port
#
ListenPort = 41193

#
# VPN server's private key
#
PrivateKey = dfasdflasdfjlsdfjlasdjfldsfjlskdjflsdjfldls=

#
# Configure routing for clients who connect: allow the kernel to forward packets in and out of wg0.
# Forwarding also needs net.ipv4.ip_forward=1 on the Endpoint, and hosts on the home network need a
# way to answer the 10.100.0.x client addresses (a static route on the router, or a MASQUERADE rule here).
#
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT;

#
# Smart phone, laptop, etc.
#
[Peer]
# 
# Only route things to this peer that have the IP address this peer is using.
#
AllowedIPs = 10.100.0.2/32

# 
# The public key that identifies this peer.
#
PublicKey = rqwieruoeiruoqweirowieruiweurowieroqwieruwu=

Note the AllowedIPs setting here. This is the Endpoint's configuration, so it is set up to route only this peer's own address (10.100.0.2/32) to it over the VPN; the peer is not allowed to send traffic with any other source address.

The laptop/smartphone configuration looks like this:

[Interface]
# 
# The IP address the laptop/smartphone will use on the VPN
#
Address = 10.100.0.2

#
# The laptop/smartphone's private key.
#
PrivateKey = vzxWcvnWcmnvzWxvnAmnvXmxvcmcvnxXmcvxcnmxcEx=

#
# OPTIONAL: Will configure the local system (laptop or smartphone) to do DNS lookups on these IP addresses on the home 
# network on the other side of the VPN.
#
DNS = 192.168.1.3, 192.168.1.4

# In this case "peer" is the VPN Endpoint.
[Peer]
#
# Public key of the VPN Endpoint
#
PublicKey = ueyrquweyriqueyriuweyiuwyroweuyriweyioiowww=

#
# Domain name / IP address of the remote network. In this case to the router/gateway of my home network
# which will forward port 41193 to the VPN Endpoint within my network.
#
Endpoint = vpn.mydomain.com:41193

#
# IPs which should be routed over the VPN. 
#
AllowedIPs = 0.0.0.0/0,::0/0
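The mismatches that make this setup confusing are all cross-file ones: a server AllowedIPs entry that does not match the client's Address, a split tunnel that leaves the home DNS servers outside the VPN, or an Endpoint port that differs from ListenPort. The following is an added Python check, not part of the original post, that parses both wg-quick files and cross-checks them; the sample configs inside it are constructed to mirror the ones above, and vpn.example.com is an assumed placeholder.

```python
import ipaddress
def parse_wg(text):
    """Parse wg-quick INI text into ({interface}, [peer, ...]); [Peer] repeats, so configparser will not do."""
    interface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if line == "[Interface]":
            cur = interface
        elif line == "[Peer]":
            peers.append(cur := {})
        elif line:
            key, _, val = line.partition("=")   # base64 keys end in "=", so split on the first "=" only
            cur[key.strip()] = val.strip()
    return interface, peers

def nets(csv):
    return [ipaddress.ip_network(a.strip()) for a in csv.split(",") if a.strip()]

def check_pair(server_text, client_text):
    """Return the inconsistencies between the two sides; an empty list means they agree."""
    s_if, s_peers = parse_wg(server_text)
    c_if, [c_peer] = parse_wg(client_text)
    problems = []
    client_ip = ipaddress.ip_interface(c_if["Address"]).ip
    # Endpoint side: some peer entry must route exactly the client's own address to it (a single-host entry).
    if not any(client_ip in n and n.prefixlen == n.max_prefixlen for p in s_peers for n in nets(p["AllowedIPs"])):
        problems.append(f"server has no single-host AllowedIPs entry for client {client_ip}")
    # Client side: the home DNS servers must lie inside what the client routes over the VPN, or lookups bypass it.
    for dns in filter(None, map(str.strip, c_if.get("DNS", "").split(","))):
        if not any(ipaddress.ip_address(dns) in n for n in nets(c_peer["AllowedIPs"])):
            problems.append(f"DNS server {dns} is not covered by client AllowedIPs")
    # The port the client dials must be the one the Endpoint listens on (and the router forwards).
    port = c_peer["Endpoint"].rsplit(":", 1)[1]
    if port != s_if["ListenPort"]:
        problems.append(f"client Endpoint port {port} != server ListenPort {s_if['ListenPort']}")
    return problems
# Constructed sample configs in the post's layout (key lines omitted; vpn.example.com is a placeholder).
SERVER_CONF = """[Interface]
Address = 10.100.0.1
ListenPort = 41193
[Peer]
AllowedIPs = 10.100.0.2/32
"""
CLIENT_CONF = """[Interface]
Address = 10.100.0.2
DNS = 192.168.1.3, 192.168.1.4
[Peer]
Endpoint = vpn.example.com:41193
AllowedIPs = 0.0.0.0/0,::0/0
"""
```

Run `check_pair(SERVER_CONF, CLIENT_CONF)` on the real files before bringing the tunnel up; an empty list means the two sides agree on routing, DNS reachability and port.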