I've had wireguard in a container for a few years, and it's never failed me. I will say it took me a long time to get the firewall part of the configuration right but the configuration is otherwise simple. When I'm on the road I can access all the things I self host, which I don't have to expose anything of to the outside world.
The amount of people here just exposing their network to Tailscale, and recommending others to do the same, is surprising, to say the least.
I've set up Wireguard on a VPS once six years ago, and nothing needed adjustment since. It is as easy as you make it out to be, and depending on the use case the firewall rules can also be simple.
If I need to add a new device, which is probably a rarity for the average user, and once a year for me, it takes two minutes to edit two files and restart a service.
I can see reasons why one would want to use Tailscale, especially in an organization. But just uncritically recommending it for home-lab like setups seems as harmful as pushing people to Cloudflare for everything.
Inter-node mesh with raw Wireguard is an exercise in patience to say the least; I have a few different colo sites, my house, my phone, LTE/5G hotspots, raspberry pi projects in the field, etc that I want to fully connect together.
Raw Wireguard is fine for a road warrior or site-to-site VPN setup as is common, but when you want multipoint peer-to-peer connections without routing through what might be a geographically distant point, magic DNS, etc, Tailscale really shines through.
Although at that point I'm sure you, and any similar user, would not actually rely on ad-hoc advice like in this thread, and instead just evaluate what is needed.
As an aside, personally speaking, headscale solves basically none of my concerns associated with introducing more software, complexity and third parties (the maintainers) into my network setup.
Less so because of paranoia towards the software/product itself, and more so because of the increased surface area to attack.
But I also think that anyone actually bothering to set headscale up probably falls into the aforementioned group of people that actually thinks about their requirements.
whoa that's super useful. I've been trying to figure out what I'm going to do to let my family access my server. What client do you recommend on the phone end? Or does the phone support connecting to wireguard out of the box?
The best client is from WireGuard. It’s super efficient in my experience. It even supports on demand VPN where you can define network it should activate or deactivate the VPN.
(In 2025, using Tailscale simplifies a lot of the configuration and reachability parts. This guide omits a lot of the hurdles one will run into with NAT traversal and the macOS section is a little dated.)
I am a huge proponent of Tailscale, and I've moved my entire stack into my tailnet. Even my steam deck.
With that said, as another user (th0ma5) pointed out, "The only downside is that the Tailscale organization will be privy to your actions online as well."
While Tailscale and Wireguard serve the same purpose for most, it is not a direct replacements. To most users, this doesn't matter. To a few, it may be a breach of OpSec
"By making the Tailscale clients open, you can see that we don’t collect your private keys. And by making Tailscale’s DERP servers open, you can see that we can’t capture your encrypted traffic. We don’t see your data and we don’t want to. We hope that keeping this code open increases trust and transparency in Tailscale because anyone can review the code and see that Tailscale really works the way we claim."
I am also one of those people who "don’t usually do a lot of networking stuff", so here's a question.
The article contains this:
#replace eth0 with the interface open to the internet (e.g might be wlan0 if wifi)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
However, I use mullvad and the .conf files that they provide contains none of this, and works just fine. It contains just: interface, private key, address, dns and peer public key, allowed ips, entrypoint.
I have a wireguard server at home, and it is great.
The iPhone and Mac official wireguard clients allow you to set “excluded” wireless SSIDs, so if you are out and about, and not on a SSID that matches one of your excluded SSIDs, you are automatically connected to wireguard.
I have it setup to dump me onto my home network (it doesn’t NAT me behind the wireguard server) so I’m just always on my home network. By default, I only route home network traffic through wireguard, but I’ve also routed everything when I need to.
The whole configuration is in a Nixos configuration file as well, which is nice.
One of these days I should write up something about my homelab…
>official wireguard clients allow you to set “excluded” wireless SSIDs, so if you are out and about, and not on a SSID that matches one of your excluded SSIDs, you are automatically connected to wireguard.
Very neat, thanks for sharing. Hopefully the Android client is the same. A home WG server is next up on my homeland TODO. WG-easy looks to be a good spot to start.
I love Wireguard, but if you want to do this, I think there are only two ways that make sense for most users.
The best option is just to use tailscale, either on your router or on a device on the network that is always on, and set it as an exit node. It uses Wireguard under-the-hood, and it way easier to setup.
If you really must use Wireguard directly, get a router like a GL.iNet with OpenWRT that has a Wireguard server built-in. It'll handle creating certs for users, etc.
I used a GL.Inet yellow hockey puck device 8 hours a day for about 6 months in the exact configuration mentioned. Interface and form factor, all are great, but your internet speed will be limited by the CPU. It was woefully under powered for VPN crypto.
Tailscale has some fundamental security assumptions that some people may not like for it to be so reflexively suggested all the time, but also, the last mile of user interface issues plague the whole of cryptography systems.
As someone who previously led development of a commercial VPN system, I assure you, there are about 100 ways for a VPN to go slower than the network hosting it. Unfortunately.
Two cases I can think of are MTU misconfigurations and constrained CPU on either endpoint, where the node CPU can handle non-VPN network demands but can't handle the VPN demand.
> If you don’t have a static IP, you’ll probably want to set up dynamic DNS, too.
Setting up Wireguard is easy. THIS is the hard problem that needs solving. I’ve never had a good experience with dynamic DNS. I don’t see any way around this without relying on some sort of hosted/cloud service of some kind.
I wrote a script that runs periodically on my home server to update DNS (Cloudflare) if my IP changes. In practice, it almost never changes and my ISP's general flakiness is far more of a problem.
I used to use a chronjob + script that queried my external IP and then if it is different from the dns record make an API call to my dns hoster (name.com at the time). For a homelab, run it every 5 or 10 minutes and you'll always have an up to date record that you manage.
+1 to ’just use tailscale’ crowd. I used to run my own WireGuard server and it’s painful compared to tailscale. Note it isn’t bulletproof, but it’s work in most cases, whereas I’ve had trouble with WireGuard being blocked in places I needed it the most.
+2. I did exactly what's in this article since before Tailscale existed. Then there was this Tailscale thing, but I never moved over because why bother? I've already got my setup. I was creating keys and schlepping them to all the devices in my family. I was fixing broken tunnels on vacation, trying to copy keys from my phone because that was the only device that could connect at the moment. I was manually setting packet MTU sizes because my home network uses PPPOE (yes, those are all things I know now that I wish I didn't). I was disabling the Wifi in my local supermarket because they block UDP and that broke my access.
Then I signed up for Tailscale on a whim, installed it on my phone and my Home Assistant box and... that was it. After like 15 minutes of sign up and installation I could access my home network. MTU didn't matter. In the supermarket it uses TCP over a DERP server that's 5ms away. Keys are automatically setup. After years of people blabbing on about how great Tailscale is, I finally get it.
If you're looking for a low pain way to run a Wireguard server, an Asus router with Merlin installed is as simple as it gets. UI generates QR codes for clients, & there's even an app.
“Each Tailscale agent in your distributed network streams its logs to a central log server (at `log.tailscale.com`). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”
Good writeup. Love wireguard. PiVPN is also worth checking out and supports wireguard. Bundle with PiHole and you never have to see ads again. Even when out and about.
Do you have any advice about this? Or places to start reading. I think I may have to find someone to help with this for an organization in the near future. I don't deal with this kind of thing very much at all and worry about knowing enough to get into trouble when looking for someone.
That's what I said? So long as one of the machines isn't behind a NAT, wireguard by itself works great. It just doesn't do hole-punching, you have to use another tool for hole-punching.
You can create prefixed keys (aka vanity key) for each peer using https://github.com/AlexanderYastrebov/wireguard-vanity-key
I've had wireguard in a container for a few years, and it's never failed me. I will say it took me a long time to get the firewall part of the configuration right but the configuration is otherwise simple. When I'm on the road I can access all the things I self host, which I don't have to expose anything of to the outside world.
I also really like using qr codes to transfer a configuration to a phone (mostly used by me once when I replaced my phone): https://www.cyberciti.biz/faq/how-to-generate-wireguard-qr-c...
The amount of people here just exposing their network to Tailscale, and recommending others to do the same, is surprising, to say the least.
I've set up Wireguard on a VPS once six years ago, and nothing needed adjustment since. It is as easy as you make it out to be, and depending on the use case the firewall rules can also be simple.
If I need to add a new device, which is probably a rarity for the average user, and once a year for me, it takes two minutes to edit two files and restart a service.
I can see reasons why one would want to use Tailscale, especially in an organization. But just uncritically recommending it for home-lab like setups seems as harmful as pushing people to Cloudflare for everything.
Inter-node mesh with raw Wireguard is an exercise in patience to say the least; I have a few different colo sites, my house, my phone, LTE/5G hotspots, raspberry pi projects in the field, etc that I want to fully connect together.
Raw Wireguard is fine for a road warrior or site-to-site VPN setup as is common, but when you want multipoint peer-to-peer connections without routing through what might be a geographically distant point, magic DNS, etc, Tailscale really shines through.
If you're paranoid, enable https://tailscale.com/kb/1226/tailnet-lock or run https://headscale.net/ on your own as a control server.
For P2P I can totally see the advantage.
Although at that point I'm sure you, and any similar user, would not actually rely on ad-hoc advice like in this thread, and instead just evaluate what is needed.
As an aside, personally speaking, headscale solves basically none of my concerns associated with introducing more software, complexity and third parties (the maintainers) into my network setup. Less so because of paranoia towards the software/product itself, and more so because of the increased surface area to attack.
But I also think that anyone actually bothering to set headscale up probably falls into the aforementioned group of people that actually thinks about their requirements.
Speaking of Cloudflare - they do have a similar product[0] :)
[0] https://developers.cloudflare.com/cloudflare-one/connections...
Ironic, I wasn't aware.
whoa that's super useful. I've been trying to figure out what I'm going to do to let my family access my server. What client do you recommend on the phone end? Or does the phone support connecting to wireguard out of the box?
The best client is from WireGuard. It’s super efficient in my experience. It even supports on demand VPN where you can define network it should activate or deactivate the VPN.
I use the Android app from Wireguard: https://play.google.com/store/apps/details?id=com.wireguard.... It's pretty basic, but it lets me scan the generated qr codes, and it has an icon in the drawer which makes it easy to access.
[2019]
(In 2025, using Tailscale simplifies a lot of the configuration and reachability parts. This guide omits a lot of the hurdles one will run into with NAT traversal and the macOS section is a little dated.)
I am a huge proponent of Tailscale, and I've moved my entire stack into my tailnet. Even my steam deck.
With that said, as another user (th0ma5) pointed out, "The only downside is that the Tailscale organization will be privy to your actions online as well."
While Tailscale and Wireguard serve the same purpose for most, it is not a direct replacements. To most users, this doesn't matter. To a few, it may be a breach of OpSec
With all this said, Tailscale reportedly cannot see anything. Per https://tailscale.com/blog/opensource
"By making the Tailscale clients open, you can see that we don’t collect your private keys. And by making Tailscale’s DERP servers open, you can see that we can’t capture your encrypted traffic. We don’t see your data and we don’t want to. We hope that keeping this code open increases trust and transparency in Tailscale because anyone can review the code and see that Tailscale really works the way we claim."
That's a total red herring. They see the metadata (data about data) of every connection you make. They don't need to capture any encrypted data to tell a whole heck of a lot about you: https://kieranhealy.org/blog/archives/2013/06/09/using-metad...
Exactly, also, as long as there is no way of verifying that the source they opened up is the one they are running, it’s still a trust thing.
I am also one of those people who "don’t usually do a lot of networking stuff", so here's a question.
The article contains this:
However, I use mullvad and the .conf files that they provide contains none of this, and works just fine. It contains just: interface, private key, address, dns and peer public key, allowed ips, entrypoint.So, which one is right and why?
I have to double check, but I believe this is server-side/exit node configuration. In case of mulvad, something similar might be on their servers.
Those lines are only needed on the VPN server, not the client(s).
Discussed at the time:
Setting up a home VPN server with WireGuard - https://news.ycombinator.com/item?id=21421365 - Nov 2019 (198 comments)
I have a wireguard server at home, and it is great.
The iPhone and Mac official wireguard clients allow you to set “excluded” wireless SSIDs, so if you are out and about, and not on a SSID that matches one of your excluded SSIDs, you are automatically connected to wireguard.
I have it setup to dump me onto my home network (it doesn’t NAT me behind the wireguard server) so I’m just always on my home network. By default, I only route home network traffic through wireguard, but I’ve also routed everything when I need to.
The whole configuration is in a Nixos configuration file as well, which is nice.
One of these days I should write up something about my homelab…
>official wireguard clients allow you to set “excluded” wireless SSIDs, so if you are out and about, and not on a SSID that matches one of your excluded SSIDs, you are automatically connected to wireguard.
Very neat, thanks for sharing. Hopefully the Android client is the same. A home WG server is next up on my homeland TODO. WG-easy looks to be a good spot to start.
I love Wireguard, but if you want to do this, I think there are only two ways that make sense for most users.
The best option is just to use tailscale, either on your router or on a device on the network that is always on, and set it as an exit node. It uses Wireguard under-the-hood, and it way easier to setup.
If you really must use Wireguard directly, get a router like a GL.iNet with OpenWRT that has a Wireguard server built-in. It'll handle creating certs for users, etc.
I used a GL.Inet yellow hockey puck device 8 hours a day for about 6 months in the exact configuration mentioned. Interface and form factor, all are great, but your internet speed will be limited by the CPU. It was woefully under powered for VPN crypto.
Not recommended: https://www.gl-inet.com/products/gl-mt300n-v2/
This looks promising: https://www.gl-inet.com/products/gl-be3600/
Tailscale has some fundamental security assumptions that some people may not like for it to be so reflexively suggested all the time, but also, the last mile of user interface issues plague the whole of cryptography systems.
Tailscale is slloowwww and I'm not a big fan of someone else controlling my network. Yeah, tailnet lock at all that, I know, but still...
Tailscale in most cases establishes direct links between the nodes so it can't be any slower than the speed of the network you're already using.
And when it doesn't (which is often the case behind NAT), you're at the mercy of their relays which are not particularly fast.
As someone who previously led development of a commercial VPN system, I assure you, there are about 100 ways for a VPN to go slower than the network hosting it. Unfortunately.
Two cases I can think of are MTU misconfigurations and constrained CPU on either endpoint, where the node CPU can handle non-VPN network demands but can't handle the VPN demand.
You can use headscale [1] (open source) as the mothership, and all the published clients (AFAIK) support pointing them to an alternative mothership.
I set it up, and it worked, but regular Tailscale works so well out-of-the-box that I just used that instead of maintaining headscale.
[1] https://github.com/juanfont/headscale
I love WireGuard and use it when I'm traveling. I bought a cheap Lenovo mini-pc, installed Debian, and use it as a dedicated VPN server.
> If you don’t have a static IP, you’ll probably want to set up dynamic DNS, too.
Setting up Wireguard is easy. THIS is the hard problem that needs solving. I’ve never had a good experience with dynamic DNS. I don’t see any way around this without relying on some sort of hosted/cloud service of some kind.
I wrote a script that runs periodically on my home server to update DNS (Cloudflare) if my IP changes. In practice, it almost never changes and my ISP's general flakiness is far more of a problem.
I used to use a chronjob + script that queried my external IP and then if it is different from the dns record make an API call to my dns hoster (name.com at the time). For a homelab, run it every 5 or 10 minutes and you'll always have an up to date record that you manage.
I just run a dynamic dns client on OpenWRT. I’ve never had an issue reaching the joke server.
I got an Asus router & installed Merlin. Comes with a Wireguard server & Dyndns support built in, all via a very simple user friendly UI.
if you own a domain you can likely update a dynamic DNS record through the registrar's API
e.g. my cheap hosting on cPanel lets me do this through a simple HTTP req
https://docs.cpanel.net/cpanel/domains/dynamic-dns/
My ISR only supports DynDNS and NOIP, so I just curl this URL every day.
+1 to ’just use tailscale’ crowd. I used to run my own WireGuard server and it’s painful compared to tailscale. Note it isn’t bulletproof, but it’s work in most cases, whereas I’ve had trouble with WireGuard being blocked in places I needed it the most.
+2. I did exactly what's in this article since before Tailscale existed. Then there was this Tailscale thing, but I never moved over because why bother? I've already got my setup. I was creating keys and schlepping them to all the devices in my family. I was fixing broken tunnels on vacation, trying to copy keys from my phone because that was the only device that could connect at the moment. I was manually setting packet MTU sizes because my home network uses PPPOE (yes, those are all things I know now that I wish I didn't). I was disabling the Wifi in my local supermarket because they block UDP and that broke my access.
Then I signed up for Tailscale on a whim, installed it on my phone and my Home Assistant box and... that was it. After like 15 minutes of sign up and installation I could access my home network. MTU didn't matter. In the supermarket it uses TCP over a DERP server that's 5ms away. Keys are automatically setup. After years of people blabbing on about how great Tailscale is, I finally get it.
If you're looking for a low pain way to run a Wireguard server, an Asus router with Merlin installed is as simple as it gets. UI generates QR codes for clients, & there's even an app.
FWIW you can do this on stock ASUS firmware too.
The only downside is that the Tailscale organization will be privy to your actions online as well.
Context: https://tailscale.com/kb/1011/log-mesh-traffic
“Each Tailscale agent in your distributed network streams its logs to a central log server (at `log.tailscale.com`). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”
Use headscale, and problem solved.
Good writeup. Love wireguard. PiVPN is also worth checking out and supports wireguard. Bundle with PiHole and you never have to see ads again. Even when out and about.
https://github.com/wg-easy/wg-easy
wg-easy is a great package and tool, and I've used it to spin up VPN servers for small organisations.
Do you have any advice about this? Or places to start reading. I think I may have to find someone to help with this for an organization in the near future. I don't deal with this kind of thing very much at all and worry about knowing enough to get into trouble when looking for someone.
This works wonderfully so long as both clients are not behind a NAT. Then you need something like Tailscale, Netmaker, Innernet, etc.
All my home kit is behind a nat on ipv4. I simply poke a hole through to my WireGuard VMs on different UDP ports.
Or put a wireguard server on your own machine that's not behind a NAT, cloud VPS etc
That's what I said? So long as one of the machines isn't behind a NAT, wireguard by itself works great. It just doesn't do hole-punching, you have to use another tool for hole-punching.
Using mine on an oracle free tier.
[dead]