Setting up Wireguard for home use on Ubuntu

Oct 29, 2023 | 6 minutes to read


With all of the cool stuff I’ve been setting up on my home server lately (Jellyfin, Navidrome, Paperless, etc…), I wanted to find a safe way to access all those services when I am outside of my home / away from my LAN. After looking around, I found the perfect solution: Wireguard. It’s an open-source and totally free (as in beer) VPN application you can install pretty much anywhere and then connect to from anywhere. There are other options available, such as Tailscale and Caddy, but I wanted the simplest option I could find and this is it.

Reading up on their documentation, I was immediately struck by how difficult setting this up was going to be. Fortunately, there are a number of other projects out there which make that process simpler for home users like me. You’ll see below that I am cheating and using a bash script to simplify the setup a lot.

Next, I want to have Wireguard running all the time on my home server, behind my router / NAT, and I want to be able to connect to it mostly from my phone, but maybe also eventually from my work PC. My biggest challenge with getting this set up is that Wireguard wants an IP the clients will connect to (when you set it up), but my ISP changes my external IP address all the time. I solved that with a 3rd party service (DuckDNS.org) which provides a domain name to the world while redirecting any traffic to your router’s external IP. There are other options for doing the same thing too, such as dyno, so you should research them all before choosing one for your use.

Read on to see how I got this all working. Just know that I won’t explain everything here. I am assuming you know some basics of networking, for instance, already.

  • Download an installer script from this github repo and save it into a folder on the Wireguard PC you’re setting up: https://github.com/angristan/wireguard-install

  • Visit duckdns.org and create an account there (or use the one you have already, if appropriate).

  • Set up a domain name there, whatever you want to use. It just has to be unique for their registration system. I will use ABC123 as my example here.

  • Download and install the script they provide for your PC’s OS. Save that into a folder somewhere and set it up to run on a regular basis.

    • The purpose of that script is to figure out what your router’s external IP address is, and then to send that to DuckDNS. They need to know that so they can redirect the traffic pointed at your domain name to that IP. (otherwise, you’d have to update the Wireguard settings all the time and nobody has time for that)
  • Run the wireguard-install.sh script. It asks you which option you want; choose the full install option, since this is all new for you.

  • When asked for the Public IP (first question, I think), give it your DuckDNS domain, e.g.: ABC123.duckdns.org

  • When asked for a port #, use the default (which is random every time you run the script) or choose a known number. This is the port number you need to enter into your Router so it knows to forward the port’s traffic into your PC.

  • When asked about which IPs the server should listen for requests from, I left it as the default, “0.0.0.0/0” which means ANY IP can connect but you might not want to do that.

  • Continue answering questions, mostly with the default values until it’s done.

  • When the script finishes, it will display a HUGE QR Code on the screen. Leave that there for now.

  • Grab your phone, or connect to whatever you want to use as the client PC (the one which will connect to the Wireguard PC when making the VPN connection).

  • If it’s a phone, install the Wireguard app. I have an Android phone, so I installed that from the F-Droid app. I believe there’s an iOS option too.

  • Run the Wireguard app and click the “+” to add a connection.

  • Select the “Via QR Code” option and point your phone at the QR Code displayed on the server’s screen still. Voila! The connection is defined on that phone now.

    • If you’re not using a phone as the client, you will need to manually enter the client details to define the connection to the server.
  • Set up your router (or in my case, routers)

    • There are WAYYYY too many routers out there for me to provide specifics here, so I will just describe what I had to do. You can look up the Help pages for your router to make this work in your case, hopefully.
    • Mainly, what you’re doing is telling the router to forward all UDP traffic which comes at it from the internet on a single specific port to your Wireguard PC’s address. This is known as “port forwarding” on most routers.
    • I have both an ISP-provided modem/router and also my own internal router, so I had to do this twice.
      • I went into the modem’s admin screens and forwarded all traffic on my chosen port # to the other router’s IP.
      • Then I went into the internal router’s admin screens and told it to forward all UDP traffic coming in on the same port to the Wireguard PC’s internal IP (192.168.x.x).
  • That’s all the set up. You should now be able to test the connection!

    • For that, since I made my phone the client, I just turned off its wifi, leaving it connected to the 5G phone network only, and then enabled the Wireguard connection.
    • If you did everything above correctly, it will “just work”.
    • You’re probably thinking, wow, no. That was a lot of steps.
    • If your connection doesn’t work, just know you can remove Wireguard on the server with the same install.sh script and just start over, as many times as you need.
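
For a client that can't scan the QR code, the connection details go into a small config file. The script below is an added example, not from the original post or the installer project: it holds a constructed client config in the standard WireGuard layout and checks that the Endpoint uses the DuckDNS name rather than a literal IP, that its port matches the UDP port forwarded on the router, and that the file is owner-only because it contains a private key. The key placeholders, the 10.66.66.2 address, the DNS value and port 51820 are assumptions.

```bash
#!/usr/bin/env bash
# Constructed sample client config; keys are placeholders, values are assumptions.
sample_conf() {
cat <<'EOF'
[Interface]
PrivateKey = <client-private-key>
Address = 10.66.66.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key>
PresharedKey = <preshared-key>
Endpoint = ABC123.duckdns.org:51820
AllowedIPs = 0.0.0.0/0
EOF
}

conf_get() {  # conf_get FILE KEY -> value of the first "KEY = value" line
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

check_client_conf() {  # check_client_conf FILE FORWARDED_UDP_PORT; returns problem count
    local f=$1 want_port=$2 endpoint host port problems=0
    endpoint=$(conf_get "$f" Endpoint)
    host=${endpoint%:*}
    port=${endpoint##*:}
    # A literal IPv4 endpoint goes stale as soon as the ISP reassigns the address.
    if printf '%s\n' "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "endpoint is a literal IP; use the dynamic DNS name"; problems=$((problems+1))
    fi
    if [ "$port" != "$want_port" ]; then
        echo "endpoint port $port != forwarded port $want_port"; problems=$((problems+1))
    fi
    # The file holds the client's private key, so only the owner should read it.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "config is readable by group/others; chmod 600 it"; problems=$((problems+1))
    fi
    return "$problems"
}

# Demo run against the constructed sample (mktemp creates the file owner-only).
tmp=$(mktemp) && sample_conf > "$tmp"
check_client_conf "$tmp" 51820 && echo "client config looks consistent"
rm -f "$tmp"
```
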

I think this is all totally worth the time and effort, to have a secure option available for accessing my home PC services while I am out and about. What’s great is that I can access multiple internal IPs and services on various ports, with just one port opened on my router, and only secure connections allowed in through it. And, the system adjusts automatically whenever my ISP changes my IP address. Sweet!

Good luck! Have fun.

