WireGuard VPN on Raspberry Pi — Secure Remote Access

Set up WireGuard VPN on Raspberry Pi for secure remote access to your homelab. Covers both manual install and Docker, with client configs for phone and laptop.

Andreas · April 13, 2026 · 10 min read

Introduction

WireGuard is a modern VPN protocol whose main selling point is simplicity without giving up security: its Linux kernel implementation is roughly 4,000 lines of code, against tens of thousands for OpenVPN before counting the TLS library it depends on, so there is far less to audit and far less configuration to get wrong. It runs in the kernel and uses fast modern primitives (Curve25519 key exchange, ChaCha20-Poly1305 encryption, BLAKE2s hashing), which is what makes it a good fit for resource-constrained hardware like a Raspberry Pi.

For homelabbers, this matters. A Pi running OpenVPN in userspace can struggle under moderate load, consuming precious CPU cycles and memory. WireGuard handles the same workload with a fraction of the resources, leaving your Pi free for other tasks, whether that's running Home Assistant, Pi-hole, or a media server.

In this guide, we'll set up a WireGuard VPN server on your Raspberry Pi to securely access your homelab from anywhere. You'll learn the manual installation method and a containerized Docker approach, plus how to configure phones, laptops, and handle dynamic DNS for changing home IPs.

Prerequisites

Before starting, you'll need:

  • Raspberry Pi running Raspberry Pi OS (Bookworm or later recommended). Pi 4/5 strongly recommended; Pi Zero 2 W is the minimum for reasonable performance.
  • Static IP on your Pi on your local network (e.g., 192.168.1.50). Reserve it in your router's DHCP settings, or set it on the Pi: Bookworm uses NetworkManager (sudo nmtui or nmcli), older releases use /etc/dhcpcd.conf.
  • Router access for port forwarding (port 51820/UDP by default, but any UDP port works).
  • Basic CLI comfort with SSH and editing config files via nano or vim.
  • Optional: Docker installed if you prefer the containerized approach.
  • Internet connection from your Pi to the internet (your home connection).
  • Client devices (phone, laptop) that will connect to the VPN.

All commands assume you're running as root or using sudo. The examples use Raspberry Pi OS (Debian-based), but WireGuard works on any Linux distribution.

How WireGuard Works

Understanding WireGuard's fundamentals helps with troubleshooting and configuration.

Key Pairs: Every peer (server, phone, laptop) has a private key (secret, never shared) and a public key (shared with others). WireGuard uses Curve25519 elliptic-curve cryptography for key exchange—simpler and faster than RSA.

Tunnels: A tunnel is a secure, encrypted connection between two peers. Unlike traditional VPN protocols that use certificate hierarchies, WireGuard simply lists which public keys are allowed to connect.

Peers: Any machine can be a peer. Your Pi is the "server" peer, and your phone/laptop are "client" peers. In WireGuard's model, this distinction is purely conceptual—it's just about who initiates the connection.

Allowed IPs: Each [Peer] entry has an AllowedIPs list, and it does two jobs at once (WireGuard calls this cryptokey routing). Outbound, a packet is sent to the peer whose AllowedIPs contains the destination; inbound, a decrypted packet is accepted only if its source address is inside the sending peer's AllowedIPs, so one client cannot spoof another client's address. On the server, each client peer gets a single /32 (10.0.0.2/32 for the phone). On a client, the server peer's AllowedIPs decides what is tunnelled: 192.168.1.0/24 for home-network-only access, or 0.0.0.0/0 to send everything through the Pi. The Address line (10.0.0.1/24 on the server) is separate: it is just the interface's own IP on the VPN subnet.

The handshake: WireGuard uses a one-round-trip Noise-based handshake to derive fresh session keys and re-keys automatically every couple of minutes. There is no TCP-style connection to set up or tear down and nothing to "reconnect" after a network change: a peer simply sends a new handshake from wherever it now is, which is why roaming between Wi-Fi and mobile data is seamless. Session state exists (keys, counters, the peer's last endpoint) but it is tiny, and the server stays silent until it receives a packet it can authenticate, so to a scanner a WireGuard port looks closed.

Step 1 — Install WireGuard

SSH into your Raspberry Pi and update the system:

sudo apt update && sudo apt upgrade -y

Install WireGuard and related tools:

sudo apt install wireguard wireguard-tools -y

Verify installation:

wg --version

This command should print the WireGuard version. You're also now ready to use the wg command for managing interfaces and the wg-quick tool for bringing up/down VPN tunnels.

Step 2 — Generate Server Keys

WireGuard keys are generated using the wg genkey command, which outputs a random private key. The corresponding public key is derived from the private key.

First, create a secure directory for keys:

sudo mkdir -p /etc/wireguard
sudo chmod 700 /etc/wireguard

Generate the server's private and public keys. The umask 077 inside the command makes both files mode 600; with the default umask the private key would be created world-readable:

sudo bash -c 'umask 077; wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key'

Verify the keys exist:

sudo ls -la /etc/wireguard/

You should see server_private.key and server_public.key, both with permissions -rw------- (readable by root only). Never share the private key. The public key is what clients need.

Display the public key (you'll need this for clients):

sudo cat /etc/wireguard/server_public.key

Save this output somewhere safe—you'll reference it when configuring client peers.

Step 3 — Configure the Server

Create the main WireGuard configuration file /etc/wireguard/wg0.conf:

sudo nano /etc/wireguard/wg0.conf

Paste the following complete configuration. Read the comments carefully—they explain every setting:

# /etc/wireguard/wg0.conf
# WireGuard VPN Server Configuration for Raspberry Pi
# This file defines the server's interface and allows specific client peers.

[Interface]
# The virtual IP address for this WireGuard interface on the Pi
# This is the "server" address on the VPN subnet
Address = 10.0.0.1/24

# The listening port for incoming VPN connections
# Clients will connect to your_home_ip:51820
# You can change this to any port (e.g., 12345), but 51820 is standard
ListenPort = 51820

# Path to the server's private key (generated in Step 2)
# This key is secret and never shared with clients
PrivateKey = [PASTE_YOUR_SERVER_PRIVATE_KEY_HERE]

# Post-up commands: executed when the interface comes online
# These enable IP forwarding and set up NAT/masquerading so clients can access your network
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Post-down commands: executed when the interface goes offline
# These clean up iptables rules to avoid conflicts
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# wg-quick also understands SaveConfig = true, which rewrites this file from the live interface
# state on shutdown (and discards these comments). Leave it unset and edit the file by hand instead.

# For each client that will connect, define a [Peer] section below
# Each peer needs a unique private/public key pair (generated separately)
# Clients only need the server's public key, not the private key

[Peer]
# Client name: Phone
# Public key of the client (client will generate their own key pair)
PublicKey = [PASTE_CLIENT1_PUBLIC_KEY_HERE]
# Allowed IPs: which IPs on the VPN subnet this peer is assigned
# Assign each client a unique /32 (single IP) address
AllowedIPs = 10.0.0.2/32

[Peer]
# Client name: Laptop
PublicKey = [PASTE_CLIENT2_PUBLIC_KEY_HERE]
AllowedIPs = 10.0.0.3/32

# To add more clients, add additional [Peer] sections with unique PublicKey and AllowedIPs

Now, replace the placeholder private key with your actual server private key:

sudo cat /etc/wireguard/server_private.key

Copy the output, then edit the config:

sudo nano /etc/wireguard/wg0.conf

Replace [PASTE_YOUR_SERVER_PRIVATE_KEY_HERE] with the actual key (the long base64 string). Keep the entire key on one line.

Important: The client public keys are not known yet; they come from Step 5. wg-quick refuses to start if a [Peer] section has a missing or malformed PublicKey, so for now comment out both [Peer] sections (prefix every line with #) or delete them, and add them back once you have the client keys.

Set proper permissions on the config file (only root can read the private key):

sudo chmod 600 /etc/wireguard/wg0.conf

Bring up the WireGuard interface:

sudo wg-quick up wg0

If successful, you'll see a few lines about the interface and routes being created and no errors. Verify the interface is active:

sudo wg show wg0

This lists the interface (public key, listening port) and every peer from the config. Peers appear because they are configured, not because they are connected: a peer that has never completed a handshake simply has no "latest handshake" line.

Enable WireGuard to start automatically on boot:

sudo systemctl enable wg-quick@wg0

Confirm it is enabled (do not add --now: the interface is already up from the manual wg-quick up and systemd would try to create wg0 a second time; from the next boot on, the unit manages it):

sudo systemctl is-enabled wg-quick@wg0

Step 4 — Configure IP Forwarding and Firewall

The PostUp and PostDown lines in your config file add and remove the firewall rules automatically, but they do not turn on IP forwarding in the kernel; that is a sysctl you set once. Understanding both is crucial for debugging and customization.

Check if IP forwarding is enabled:

cat /proc/sys/net/ipv4/ip_forward

If it outputs 0, enable it permanently:

sudo nano /etc/sysctl.conf

Uncomment (or add) this line:

net.ipv4.ip_forward=1

Apply the change immediately:

sudo sysctl -p

Understand the iptables rules in your wg0.conf:

# Forward traffic from WireGuard clients to other interfaces
# This allows clients (10.0.0.2, 10.0.0.3) to reach devices on your home network
iptables -A FORWARD -i wg0 -j ACCEPT

This rule says: "Accept packets that arrive on wg0 and are being forwarded to another interface." The -i flag means "input interface." It matters when the FORWARD chain's policy is DROP, which is the case once you run ufw, Docker or another firewall on the Pi; on a stock Raspberry Pi OS the policy is ACCEPT and the rule is harmless but redundant.

# Forward traffic going TO the WireGuard interface
# This allows your home devices to receive packets destined for VPN clients
iptables -A FORWARD -o wg0 -j ACCEPT

This rule says: "Accept all packets going OUT on the wg0 interface." The -o flag means "output interface." This ensures return traffic can flow back through the tunnel.

# Masquerade: rewrite the source IP of packets leaving the Pi towards the LAN
# Packets from VPN clients then appear to come from the Pi's own LAN address
# Needed because home devices have no route back to the 10.0.0.0/24 subnet
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This rule operates in the NAT (Network Address Translation) table. When a VPN client (10.0.0.2) sends a packet to a home device, this rule rewrites the source IP from 10.0.0.2 to your Pi's local IP (e.g., 192.168.1.50). The home device responds to your Pi, and the return packet is translated back.

-o eth0 specifies the output interface (your Pi's wired interface). If your Pi is on Wi-Fi the interface is wlan0 (check with ip -br link) and the rule must say so, otherwise the MASQUERADE never applies and replies from the LAN go nowhere.

The corresponding PostDown rules simply reverse these (using -D to delete) when the interface goes down.

Optional: Restrict VPN traffic to specific ports

Restricting what VPN clients can reach only works if unmatched traffic is actually refused: with the default FORWARD policy of ACCEPT, a list of ACCEPT rules on its own still allows everything. Replace the two FORWARD lines in PostUp with rules that allow replies to flows the clients opened, allow the chosen ports, and drop the rest:

# Replies to connections the VPN clients opened (and related flows such as FTP data)
iptables -A FORWARD -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only allow VPN clients to reach the home network on specific ports
iptables -A FORWARD -i wg0 -d 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i wg0 -d 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i wg0 -d 192.168.1.0/24 -p tcp --dport 443 -j ACCEPT
# Everything else coming out of the tunnel is dropped
iptables -A FORWARD -i wg0 -j DROP

This restricts VPN clients to SSH (22), HTTP (80), and HTTPS (443) on the home LAN. Because no rule accepts wg0 traffic bound for other destinations, it also removes internet access through the tunnel and stops LAN devices from initiating connections to VPN clients. Adjust the ports and IP range to your network, and mirror every added rule with -D in PostDown.

Step 5 — Generate Client Keys and Config

For each client (phone, laptop), generate a unique key pair. Generating the client's keys on the Pi is the convenient route (the private key then travels to the phone once, inside the QR code); the stricter route is to generate them on the client and copy only the public key to the Pi, which the desktop and mobile apps can do for you. Let's create the phone client's keys on the Pi, again with umask 077 so the files are root-only:

sudo bash -c 'umask 077; wg genkey | tee /etc/wireguard/phone_private.key | wg pubkey > /etc/wireguard/phone_public.key'

Display the keys:

sudo cat /etc/wireguard/phone_private.key
sudo cat /etc/wireguard/phone_public.key

Update the server config to recognize this client:

sudo nano /etc/wireguard/wg0.conf

Replace the [Peer] section for the phone with:

[Peer]
# Client name: Phone
PublicKey = [PASTE_PHONE_PUBLIC_KEY_HERE]
AllowedIPs = 10.0.0.2/32

Paste the actual phone public key. Apply the change without dropping the tunnel for peers that are already connected:

sudo bash -c 'wg syncconf wg0 <(wg-quick strip wg0)'

wg-quick strip removes the wg-quick-only keys (Address, DNS, PostUp and so on) that wg syncconf would reject, and syncconf only touches peers that changed. A plain restart also works but drops every active session:

sudo wg-quick down wg0
sudo wg-quick up wg0

You can also add a peer live with wg set, but that change is lost at the next restart because it is not written to wg0.conf:

sudo wg set wg0 peer [PHONE_PUBLIC_KEY] allowed-ips 10.0.0.2/32

Create the phone client config file. It will hold the phone's private key, so write it with a restrictive umask: a heredoc written with the default umask lands as mode 644, readable by every local user.

sudo mkdir -p /etc/wireguard/clients
sudo bash -c 'umask 077; cat > /etc/wireguard/clients/phone.conf' << 'EOF'
# phone.conf
# Client configuration for connecting the phone to the WireGuard VPN
# Import this file (or its QR code) into the WireGuard app on the phone

[Interface]
# The VPN IP address assigned to this client (must match its AllowedIPs on the server)
Address = 10.0.0.2/32

# The private key for this client (generated above)
PrivateKey = [PASTE_PHONE_PRIVATE_KEY_HERE]

# DNS servers to use while connected. Without this line the phone keeps using the
# resolver of whatever network it is on, and your lookups bypass the tunnel (a DNS leak)
DNS = 1.1.1.1, 1.0.0.1

# No ListenPort is needed on a client: it picks a random source port and the server
# learns the phone's current address from each handshake

[Peer]
# The server's public key (obtained from Step 2)
PublicKey = [PASTE_SERVER_PUBLIC_KEY_HERE]

# Endpoint: your home public IP (or DDNS name, see below) and the server's ListenPort
# Find your public IP with: curl ifconfig.me
Endpoint = YOUR_HOME_IP:51820

# Allowed IPs: which destinations are routed into the tunnel
# 0.0.0.0/0 is all IPv4 and ::/0 is all IPv6; together they send everything through the Pi.
# The server has no IPv6 address, so ::/0 simply blackholes IPv6 while connected. That is
# what you want: otherwise a dual-stack site could reach the phone over IPv6 outside the VPN.
# For split tunnelling (home network only) use: AllowedIPs = 192.168.1.0/24, 10.0.0.0/24
AllowedIPs = 0.0.0.0/0, ::/0

# Send a keepalive packet every 25 seconds so the NAT mapping on the phone's network
# stays open and the server can still reach the phone between requests
PersistentKeepalive = 25
EOF

Replace the placeholders with your actual keys:

sudo cat /etc/wireguard/server_public.key
sudo cat /etc/wireguard/phone_private.key

The Endpoint is your home's public IP address. If you don't know it, find it with:

curl ifconfig.me

Edit the file and fill in the keys and the endpoint:

sudo nano /etc/wireguard/clients/phone.conf

Generate a QR code for easy phone import:

Install qrencode if needed:

sudo apt install qrencode -y

Generate the QR code from the complete file. Do not pipe it through wg-quick strip: that command deliberately removes Address, DNS and the other wg-quick-only keys, and the phone app needs them.

sudo cat /etc/wireguard/clients/phone.conf | qrencode -t ansiutf8

This displays a QR code in your terminal. Alternatively, generate an image:

sudo cat /etc/wireguard/clients/phone.conf | qrencode -t png -o phone.png && chmod 600 phone.png

Copy the PNG to a machine with a screen (scp) and open it there; file phone.png only confirms that it is a PNG. The QR code encodes the phone's private key, so once the phone has imported it, delete the image (and clear your terminal scrollback if you rendered it there):

shred -u phone.png

Repeat for laptop: Generate a laptop key pair and config following the same steps. Use 10.0.0.3/32 for the laptop's Address, and for its AllowedIPs in the server config.
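Steps 2, 3 and 5 are one procedure per client: pick a free address, generate keys with a safe umask, write the client file, append the server [Peer] and reload. The script below automates it. It is an added example, not code from the original article or from the WireGuard project; it assumes the layout used in this guide (wg0, 10.0.0.0/24 with the server at .1, keys and clients under /etc/wireguard) and a hypothetical ENDPOINT value you must set before running it. The text-only functions (next_free_ip and the two render_* functions) run anywhere; add_peer needs root and wg on the Pi.

```shell
#!/usr/bin/env bash
# add-peer.sh: onboard one WireGuard client on the Pi (added example, not from the article).
# Assumes this guide's layout: /etc/wireguard/wg0.conf, subnet 10.0.0.0/24 with the server
# at .1, server_public.key next to wg0.conf. ENDPOINT is a placeholder you must set.
set -eu

WG_IFACE="${WG_IFACE:-wg0}"
WG_DIR="${WG_DIR:-/etc/wireguard}"
WG_CONF="${WG_DIR}/${WG_IFACE}.conf"
CLIENT_DIR="${CLIENT_DIR:-${WG_DIR}/clients}"
VPN_PREFIX="${VPN_PREFIX:-10.0.0}"                       # first three octets of the VPN subnet
ENDPOINT="${ENDPOINT:-YOUR_HOME_IP_OR_DDNS_NAME:51820}"  # assumption: replace before use
CLIENT_DNS="${CLIENT_DNS:-1.1.1.1, 1.0.0.1}"

# next_free_ip CONF: lowest host address in VPN_PREFIX.0/24 not already assigned to a
# peer in CONF (.1 is the server). Pure text processing, so it runs without wg.
next_free_ip() {
    local conf="$1" n prefix_re
    prefix_re=$(printf '%s' "$VPN_PREFIX" | sed 's/\./\\./g')
    for n in $(seq 2 254); do
        # Look only at AllowedIPs lines; the trailing /32 stops .2 from matching .20
        if ! grep -E '^[[:space:]]*AllowedIPs' "$conf" | grep -Eq "${prefix_re}\.${n}/32"; then
            printf '%s\n' "${VPN_PREFIX}.${n}"
            return 0
        fi
    done
    echo "no free address left in ${VPN_PREFIX}.0/24" >&2
    return 1
}

# render_client_conf NAME IP PRIVKEY SERVER_PUBKEY: the file the client imports.
render_client_conf() {
    local name="$1" ip="$2" privkey="$3" server_pub="$4"
    cat <<EOF
# ${name}.conf, generated by add-peer.sh
[Interface]
Address = ${ip}/32
PrivateKey = ${privkey}
DNS = ${CLIENT_DNS}

[Peer]
PublicKey = ${server_pub}
Endpoint = ${ENDPOINT}
# Full tunnel; ::/0 keeps IPv6 from bypassing the VPN on dual-stack networks
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# render_server_peer NAME IP PUBKEY: the [Peer] block appended to the server config.
render_server_peer() {
    printf '\n[Peer]\n# Client name: %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$3" "$2"
}

# add_peer NAME: the live workflow. Needs root, wg, and the server files from Step 2.
add_peer() {
    local name="$1" ip priv pub server_pub
    [ -r "$WG_CONF" ] || { echo "cannot read ${WG_CONF}; run as root on the server" >&2; return 1; }
    ip=$(next_free_ip "$WG_CONF")
    umask 077                                      # every file created below is mode 600
    mkdir -p "$CLIENT_DIR"
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    server_pub=$(cat "${WG_DIR}/server_public.key")
    render_client_conf "$name" "$ip" "$priv" "$server_pub" > "${CLIENT_DIR}/${name}.conf"
    render_server_peer "$name" "$ip" "$pub" >> "$WG_CONF"
    # Apply the new peer without dropping existing sessions. syncconf only accepts the
    # keys wg itself understands, so strip the wg-quick-only ones (Address, DNS, Post*) first.
    wg-quick strip "$WG_CONF" | wg syncconf "$WG_IFACE" /dev/stdin
    echo "added ${name} as ${ip}; client file: ${CLIENT_DIR}/${name}.conf"
}

# Only run the workflow when executed as a script, so the functions can be sourced and tested.
case "$0" in
    *add-peer.sh)
        [ $# -eq 1 ] || { echo "usage: $0 PEER_NAME" >&2; exit 2; }
        add_peer "$1"
        ;;
esac
```

Run it as sudo ./add-peer.sh laptop, then render the client file as a QR code with sudo cat /etc/wireguard/clients/laptop.conf | qrencode -t ansiutf8 (not via wg-quick strip, which would drop the Address and DNS lines the app needs). Because the client's private key is created on the Pi, delete or move the client file once the device has imported it.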

Step 6 — Connect from Phone

Install the WireGuard app for your platform:

  • iPhone: WireGuard on the App Store
  • Android: WireGuard on Google Play

Using QR Code (easiest):

  1. Open the WireGuard app.
  2. Tap "+" or "Add VPN" to create a new configuration.
  3. Select "Create from QR code" or "Scan QR code."
  4. Point your phone's camera at the QR code from Step 5.
  5. The app imports the configuration automatically.
  6. Tap "Connect" to activate the VPN.

Manual import:

  1. Open the WireGuard app.
  2. Tap "+" or "Add VPN."
  3. Select "Create from file" or paste the configuration text.
  4. Confirm the settings, then tap "Connect."

Testing on phone:

Once connected, open a browser and visit:

https://whatismyipaddress.com

If the VPN is working, this shows your home public IP, not your phone's ISP IP. Your phone is now routing all traffic through your Raspberry Pi.

To access services on your home network (e.g., Home Assistant at http://192.168.1.40:8123), simply navigate to the local IP in your phone's browser. The VPN tunnel handles routing transparently.

Step 7 — Connect from Laptop

macOS:

  1. Install the WireGuard app from the Mac App Store, or the command-line tools with Homebrew: brew install wireguard-tools (this pulls in wireguard-go, the userspace implementation macOS needs).
  2. Create the client config file (e.g., laptop.conf) using the format from Step 5 and chmod 600 it.
  3. Import it into the WireGuard app, or bring it up from the command line by passing the path:
sudo wg-quick up ./laptop.conf

To bring down the tunnel, pass the same path:

sudo wg-quick down ./laptop.conf

Linux:

  1. Install WireGuard: sudo apt install wireguard-tools
  2. Copy the client config to /etc/wireguard/laptop.conf and chmod 600 it.
  3. Bring up the tunnel (wg-quick finds /etc/wireguard/laptop.conf by name):
sudo wg-quick up laptop

Verify the connection; a "latest handshake" a few seconds old means the tunnel is up:

sudo wg show laptop

Windows:

  1. Download WireGuard from wireguard.com.
  2. Install and open the application.
  3. Click "Add Tunnel" → "Import tunnel(s) from file."
  4. Select your laptop.conf file.
  5. Click "Activate" to connect.

A WireGuard tunnel brought up inside WSL2 only carries traffic from the WSL2 VM, not from Windows itself (WSL2 has its own network stack), so use the native Windows client above rather than wg-quick inside WSL2.

Testing on laptop:

# Check your public IP (should be your home IP)
curl ifconfig.me

# Ping a device on your home network
ping 192.168.1.40

# SSH into your Pi
ssh pi@192.168.1.50

# Access a service (e.g., Home Assistant)
curl http://192.168.1.40:8123

All traffic is now encrypted and routed through your Pi's VPN tunnel.

Docker Alternative

If you prefer containerized deployment, use the linuxserver/wireguard Docker image. This simplifies updates and isolation.

Install Docker (if not already installed):

sudo apt install docker.io docker-compose -y
sudo usermod -aG docker $USER

Log out and back in for the group change to apply. Membership of the docker group is equivalent to root on the Pi, so only add accounts you would also trust with sudo.

Create a docker-compose.yml:

mkdir -p ~/wireguard-docker
cd ~/wireguard-docker
nano docker-compose.yml

Paste the complete configuration:

services:
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard-vpn
    cap_add:
      - NET_ADMIN
      # SYS_MODULE lets the container load the wireguard kernel module itself. Raspberry Pi OS
      # ships the module, so you can drop this and the /lib/modules mount once `lsmod | grep
      # wireguard` shows it loaded on the host.
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=UTC
      # SERVERURL: your home public IP or DDNS name, written into the peers' Endpoint
      - SERVERURL=YOUR_HOME_IP
      - SERVERPORT=51820
      # PEERS: number of client configurations to generate (or a comma-separated list of names)
      - PEERS=3
      # PEERDNS: DNS servers written into the peer configs. To use the Pi-hole below instead,
      # set this to the Pi's LAN IP and let Pi-hole answer queries from all origins.
      - PEERDNS=1.1.1.1,1.0.0.1
      # INTERNAL_SUBNET: the VPN subnet (the image defaults to 10.13.13.0; this matches the guide)
      - INTERNAL_SUBNET=10.0.0.0
      # ALLOWEDIPS: what the peers route into the tunnel. This is a split tunnel (VPN subnet
      # plus home LAN); use 0.0.0.0/0 to send all client traffic through the Pi.
      - ALLOWEDIPS=10.0.0.0/24,192.168.1.0/24
    volumes:
      - ./config:/config
      # Host kernel modules, only needed together with SYS_MODULE
      - /lib/modules:/lib/modules:ro
    ports:
      - "51820:51820/udp"
    sysctls:
      # Enable IP forwarding inside the container
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
    networks:
      - wireguard-net

  # Optional: DNS server (Pi-hole) to block ads and resolve local hostnames for VPN clients
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    environment:
      - TZ=UTC
      # Pick a real password: this web UI is reachable by every device on your LAN
      # (Pi-hole v6 images read FTLCONF_webserver_api_password instead of WEBPASSWORD)
      - WEBPASSWORD=changeme
    volumes:
      - ./pihole/etc-pihole:/etc/pihole
      - ./pihole/etc-dnsmasq.d:/etc/dnsmasq.d
    ports:
      - "53:53/udp"
      - "53:53/tcp"
      - "8080:80/tcp"
    restart: unless-stopped
    networks:
      - wireguard-net

networks:
  wireguard-net:
    driver: bridge

Replace YOUR_HOME_IP with your actual home public IP address (from curl ifconfig.me) or your DDNS name.

Start the services:

cd ~/wireguard-docker
docker-compose up -d

Monitor logs:

docker-compose logs -f wireguard

Access client configs:

The linuxserver image auto-generates a key pair and config per peer in the config/ directory (read them with sudo if your user cannot):

sudo ls -la ~/wireguard-docker/config/peer*/
sudo cat ~/wireguard-docker/config/peer1/peer1.conf

Each peer config is ready to import into WireGuard clients. The image also renders a QR code per peer, as peer1/peer1.png and in the container log at first start; to show it in the terminal again:

docker exec -it wireguard-vpn /app/show-peer 1

Advantages of Docker:

  • No manual key generation: the image creates a key pair, config and QR code per peer.
  • Automatic configuration management, all under one directory you can back up.
  • Easy updates (just pull the latest image).

Disadvantages:

  • Slightly more overhead than native WireGuard.
  • Less hands-on learning of the protocol.
  • Not really isolated: NET_ADMIN (and SYS_MODULE, if you keep it) gives the container control over the host's network stack, and it still relies on the host kernel's WireGuard module.

Port Forwarding

To connect from outside your home network, you must forward traffic from your router to your Pi.

In your router's admin interface (typically accessed at 192.168.1.1 or 192.168.0.1):

  1. Find the "Port Forwarding" section (may be under "NAT," "Virtual Server," or "Advanced").
  2. Create a port forwarding rule:
    • External Port: 51820 (or any port you chose in your config)
    • Internal Port: 51820
    • Internal IP: Your Pi's local IP (e.g., 192.168.1.50)
    • Protocol: UDP
  3. Save and apply.

Verify port forwarding:

A port scanner cannot tell you whether the forward works. WireGuard never replies to a packet it cannot authenticate, so from outside a forwarded port and a dropped port look identical: sudo nmap -sU -p 51820 YOUR_HOME_PUBLIC_IP reports open|filtered either way (and nmap without -sU scans TCP, which is irrelevant for a UDP service). Verify with a packet capture on the Pi instead:

# On the Pi: watch the LAN interface for incoming WireGuard packets
sudo tcpdump -ni eth0 udp port 51820

Then connect a client from outside your network (a phone on mobile data is the simplest). Packets appearing in the capture prove the router forwards the port; a "latest handshake" line for that peer in sudo wg show wg0 proves the keys match as well. No packets at all means the router rule, or the public IP in the client's Endpoint, is wrong.

Router restart: Some routers require a restart after changing port forwarding rules. If clients can't connect, try rebooting your router.

Behind a double NAT?: If your ISP puts you behind carrier-grade NAT (CGNAT), your router has no public IPv4 address of its own and no port forwarding rule can bring traffic in, whatever port you pick. Ask the ISP for a public (or static) address, use IPv6 if your ISP provides it and the Pi has a global address, or run the endpoint on a small VPS and relay through it. If the ISP merely blocks a port, switch to another one (e.g., 12345); just ensure the router rule and the WireGuard ListenPort match.

Dynamic DNS

If your home IP address changes (common with residential ISPs), your clients lose connectivity. Dynamic DNS (DDNS) solves this by mapping a domain name to your changing IP.

Using ddclient:

Install ddclient:

sudo apt install ddclient -y

Configure ddclient for your DDNS provider. Depending on the package version the file is /etc/ddclient/ddclient.conf or /etc/ddclient.conf (dpkg -L ddclient | grep conf shows which). It contains your DDNS password, so it must stay mode 600 and owned by root. Example for Namecheap:

sudo nano /etc/ddclient/ddclient.conf

# Update interval in seconds
daemon=600

# SSL (recommended)
ssl=yes

# Namecheap example: discover the public IP from a web service, then push it
use=web
web=https://checkip.amazonaws.com/
server=dynamicdns.park-your-domain.com
protocol=namecheap
wildcard=yes
login=your_domain.com
password=ddns_password_from_namecheap
yoursubdomain

Replace with your DDNS provider's credentials. Start the service:

sudo systemctl restart ddclient
sudo systemctl enable ddclient

Check the status:

sudo systemctl status ddclient

Update your VPN client:

Once you have a DDNS domain (e.g., myhomelab.ddns.net), update the Endpoint in your client configs:

Endpoint = myhomelab.ddns.net:51820

Now, even if your home IP changes, clients resolve myhomelab.ddns.net to the new address automatically.

Alternative DDNS providers:

  • duckdns.org: Free, no-fuss, simple curl-based updates.
  • freedns.afraid.org: Free subdomains with multiple update methods.
  • noip.com: Paid plans, very reliable.
  • zonomi.com: Simple, free.

For duckdns, create a cron job:

crontab -e

Add:

*/5 * * * * curl -s "https://www.duckdns.org/update?domains=yourdomain&token=yourtoken&ip=" >/dev/null

This updates your DDNS every 5 minutes; an empty ip= makes DuckDNS use the address the request came from. The token is a secret: your crontab is readable only by you and root, but rotate the token from the DuckDNS dashboard if it ever leaks.
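The cron one-liner works, but it sends the token every five minutes whether or not anything changed and ignores DuckDNS's "KO" reply. The script below, an added example and not code from the original article or from DuckDNS, keeps the last pushed address in a state file, only calls the update URL when the public address changes, and fails loudly on a rejected update. It assumes DuckDNS's documented update URL and two hypothetical environment variables, DUCKDNS_DOMAIN and DUCKDNS_TOKEN, that you supply from a root-only file rather than embedding them in the crontab line.

```shell
#!/usr/bin/env bash
# ddns-update.sh: DuckDNS updater that only calls the API when the public address changed
# and treats the provider's "KO" reply as a failure. Added example, not from the article.
# Assumes DuckDNS's documented update URL; DUCKDNS_DOMAIN and DUCKDNS_TOKEN (hypothetical
# names) come from the environment so the secret is not embedded in a crontab line.
set -eu

STATE="${STATE:-/var/lib/ddns/last-ip}"
CHECK_URL="${CHECK_URL:-https://checkip.amazonaws.com/}"

# valid_ipv4 ADDR: 0 if ADDR is a dotted quad with every octet in 0-255. Guards against
# pushing an error page or an empty reply from the IP-check service into DNS.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }
    '
}

# update_needed NEW_IP STATE_FILE: 0 when STATE_FILE is absent or holds a different address.
update_needed() {
    [ -f "$2" ] && [ "$(cat "$2")" = "$1" ] && return 1
    return 0
}

# parse_reply BODY: DuckDNS answers "OK" or "KO" (optionally followed by details). 0 for OK.
parse_reply() {
    case "$1" in OK*) return 0 ;; *) return 1 ;; esac
}

# run: the live workflow. Needs network access and the two variables in the environment.
run() {
    local ip reply
    ip=$(curl -fsS --max-time 10 "$CHECK_URL" | tr -d '[:space:]')
    valid_ipv4 "$ip" || { echo "IP check returned garbage: '${ip}'" >&2; return 1; }
    if ! update_needed "$ip" "$STATE"; then
        return 0                                   # unchanged: do not hammer the provider
    fi
    reply=$(curl -fsS --max-time 10 \
        "https://www.duckdns.org/update?domains=${DUCKDNS_DOMAIN}&token=${DUCKDNS_TOKEN}&ip=${ip}")
    if parse_reply "$reply"; then
        mkdir -p "$(dirname "$STATE")"
        printf '%s\n' "$ip" > "$STATE"
        command -v logger >/dev/null && logger -t ddns "updated ${DUCKDNS_DOMAIN} to ${ip}"
        return 0
    fi
    echo "DuckDNS rejected the update (wrong token or domain?): ${reply}" >&2
    return 1
}

case "$0" in *ddns-update.sh) run ;; esac
```

Install it as /usr/local/bin/ddns-update.sh, put the two variables in /etc/ddns.env (mode 600, as export lines) and run it from root's crontab: */5 * * * * . /etc/ddns.env && /usr/local/bin/ddns-update.sh. The same shape works for any provider with an HTTP update URL; only the URL and parse_reply change.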

Troubleshooting

Handshake Fails

Symptom: The client shows the tunnel as active but nothing works, and sudo wg show on the Pi lists the peer with no "latest handshake" line at all (the client app shows no Latest handshake either). WireGuard does not "connect" and "disconnect": the interface is up regardless, and a missing handshake means the server never accepted a packet from that client.

Causes and fixes:

  1. Wrong key: The server's public key in the client config must match sudo cat /etc/wireguard/server_public.key, and the client's public key in wg0.conf must correspond to the private key the client actually uses. A key mismatch is silent: the Pi drops the handshake without replying.
  2. Port forwarding not working: Watch the Pi's LAN interface while the client tries to connect: sudo tcpdump -ni eth0 udp port 51820. No packets means the router rule (or the public IP in Endpoint) is wrong; packets but no handshake points at the keys.
  3. Client network blocking UDP: Some hotel, office and mobile networks block UDP to unusual ports. Listening on a second, commonly permitted UDP port such as 443 can help (change ListenPort and the router rule to match). Do not pick 53 if the Pi also runs Pi-hole.
  4. Firewall on Pi: If you run ufw or another host firewall, the INPUT chain must accept the listening port: sudo ufw allow 51820/udp, or check sudo iptables -L INPUT -n. The FORWARD rules are irrelevant to the handshake itself.
  5. Client clock: The handshake carries a timestamp and the Pi rejects one older than the last it accepted from that key, so a client whose clock jumped backwards will not handshake until its clock is corrected.
  6. Client firewall: Disable the client's firewall temporarily to test.
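The port-forwarding check and the handshake checklist come down to one question: does the Pi ever record a handshake from the client? The script below answers it from the output of wg show wg0 dump and ss -lun. It is an added example, not code from the original article or from the WireGuard project; it assumes the interface is wg0, and STALE_AFTER (180 seconds) is my own threshold, chosen because a live peer re-handshakes at least every couple of minutes. peer_report and udp_port_open are pure text processing and also work on a saved dump; live_check and wait_for_handshake need root on the Pi.

```shell
#!/usr/bin/env bash
# wg-verify.sh: prove that packets reach the Pi and that a peer handshakes.
# Added example, not from the original article. Assumes interface wg0.
# WireGuard stays silent to unauthenticated packets, so a scanner cannot tell a
# forwarded port from a dropped one; the kernel's per-peer "latest handshake"
# timestamp (column 5 of `wg show wg0 dump`) is the only positive signal.
set -eu

WG_IFACE="${WG_IFACE:-wg0}"
STALE_AFTER="${STALE_AFTER:-180}"   # seconds; a live peer re-handshakes at least every 2-3 minutes

# peer_report DUMP NOW: DUMP is the text of `wg show <iface> dump`, NOW a Unix timestamp.
# Prints one line per peer: pubkey endpoint status age_seconds rx_bytes tx_bytes, where
# status is never (no handshake yet), ok (handshake younger than STALE_AFTER) or stale.
peer_report() {
    local dump="$1" now="$2"
    printf '%s\n' "$dump" | awk -F'\t' -v now="$now" -v stale="$STALE_AFTER" '
        NR == 1 { next }                       # first line describes the interface itself
        NF >= 7 {
            pub = $1; endpoint = $3; hs = $5; rx = $6; tx = $7
            if (hs == 0) { status = "never"; age = -1 }
            else         { age = now - hs; status = (age < stale) ? "ok" : "stale" }
            printf "%s %s %s %d %s %s\n", pub, endpoint, status, age, rx, tx
        }'
}

# udp_port_open SS_OUTPUT PORT: 0 if the output of `ss -lun` shows a socket bound to PORT.
# If this fails no router rule can help: nothing on the Pi is listening.
udp_port_open() {
    local ss_out="$1" port="$2"
    printf '%s\n' "$ss_out" | awk -v p=":${port}\$" '$4 ~ p { found = 1 } END { exit found ? 0 : 1 }'
}

# live_check: run on the Pi as root; reports every configured peer.
live_check() {
    if ! udp_port_open "$(ss -lun)" "$(wg show "$WG_IFACE" listen-port)"; then
        echo "${WG_IFACE} is not bound to its UDP port; is wg-quick@${WG_IFACE} up?" >&2
        return 1
    fi
    peer_report "$(wg show "$WG_IFACE" dump)" "$(date +%s)"
}

# wait_for_handshake PUBKEY [SECONDS]: poll while a client outside your LAN tries to
# connect. A handshake appearing proves the port forward, the Endpoint and the keys.
wait_for_handshake() {
    local pub="$1" limit="${2:-60}" i=0 line
    while [ "$i" -lt "$limit" ]; do
        line=$(peer_report "$(wg show "$WG_IFACE" dump)" "$(date +%s)" | awk -v k="$pub" '$1 == k')
        case "$line" in *" ok "*) echo "handshake from ${line#* }"; return 0 ;; esac
        sleep 1; i=$((i + 1))
    done
    echo "no handshake from ${pub} in ${limit}s: check the router rule, Endpoint and keys" >&2
    return 1
}

case "$0" in
    *wg-verify.sh) if [ $# -ge 1 ]; then wait_for_handshake "$@"; else live_check; fi ;;
esac
```

Run sudo ./wg-verify.sh on the Pi for a one-shot report, or sudo ./wg-verify.sh "$(sudo cat /etc/wireguard/phone_public.key)" 120 while the phone, on mobile data, tries to connect. A peer that stays at "never" while tcpdump shows its packets arriving has a key problem; a peer that never produces packets has a port-forwarding or Endpoint problem.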

No Internet Through Tunnel

Symptom: Connected to VPN but no internet access or can't reach home services.

Causes and fixes:

  1. IP forwarding disabled on Pi: Check cat /proc/sys/net/ipv4/ip_forward. If 0, enable it in /etc/sysctl.conf as in Step 4.
  2. Missing FORWARD iptables rules: Run sudo iptables -L FORWARD -n -v and verify the wg0 rules exist and their packet counters increase. If not, restart WireGuard (sudo wg-quick down wg0 && sudo wg-quick up wg0) so PostUp runs again.
  3. Missing NAT rule: sudo iptables -t nat -L POSTROUTING -n must show the MASQUERADE rule for your LAN interface; if the Pi is on Wi-Fi the rule must say wlan0, not eth0.
  4. Wrong Allowed IPs on server: Ensure the client's AllowedIPs in the server config matches the client's assigned VPN IP (e.g., 10.0.0.2/32); packets with any other source are dropped on arrival.
  5. Wrong Allowed IPs on client: If clients have AllowedIPs = 0.0.0.0/0, all traffic routes through the VPN. If they have only 192.168.1.0/24, only home network traffic routes through. Check the client config matches your intent.
  6. Default route on client: wg-quick implements 0.0.0.0/0 with a policy-routing rule rather than a normal default gateway, so ip route alone will not show the tunnel. On Linux check ip rule (a "lookup 51820" rule) and ip route show table 51820; on macOS, netstat -rn should show the default route on the utun interface.
# On server, check if packets reach wg0
sudo tcpdump -i wg0 -n

Transmit traffic from the client and watch for packets in tcpdump. If nothing appears, the client is not sending into the tunnel (wrong client AllowedIPs, or no handshake). If packets appear on wg0 but never on eth0, the problem is forwarding or NAT on the Pi.

DNS Leaks

Symptom: Connected to VPN, but DNS queries still go to the resolver of the network you are on (exposing the names you look up, and letting that network's resolver redirect you).

Causes and fixes:

  1. DNS not configured on client: Add a DNS line to the [Interface] section of the client config; wg-quick and the mobile apps then install it as the system resolver while the tunnel is up:
[Interface]
DNS = 1.1.1.1, 1.0.0.1
  2. Local DNS on home network: If you run Pi-hole or AdGuard on the Pi, point clients at it through the tunnel. Use the Pi's VPN address, and set Pi-hole to answer queries from all origins (Settings > DNS > "Permit all origins"); by default it only answers on the LAN interface, and queries arriving on wg0 time out:
DNS = 10.0.0.1
  3. Test for leaks: Visit https://dnsleaktest.com while connected. If you see your ISP's DNS servers, the config is missing the DNS line or the client isn't honoring it.
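Step 5's client file and the DNS-leak checklist above share a set of easy-to-miss conditions: a placeholder left in a key, IPv4-only AllowedIPs on a full tunnel, a DNS server that a split tunnel cannot reach, and a config file readable by other users. The linter below checks them before you import a config. It is an added example, not code from the original article or from the WireGuard project; the checks encode the client layout used in this guide, and treating a DNS server outside AllowedIPs as a leak is my rule rather than anything WireGuard enforces.

```shell
#!/usr/bin/env bash
# wg-lint-client.sh: check a client .conf for the mistakes behind "no internet", "DNS
# leak" and "my IPv6 still shows my ISP". Added example, not from the original article;
# the rules follow the full-tunnel client layout used in this guide.
set -eu

# conf_value FILE KEY: value of the first "KEY = value" line, surrounding spaces removed.
# sed rather than awk -F'=' because base64 keys end in '=' and must not be split.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# has_cidr LIST CIDR: 0 if the comma-separated LIST contains CIDR exactly.
has_cidr() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF "$2"
}

# ip_in_cidr IP CIDR: 0 if IPv4 address IP lies inside IPv4 CIDR (anything else: 1).
ip_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
        function toint(a,  p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
        BEGIN {
            if (ip !~ /^[0-9.]+$/ || cidr !~ /^[0-9.]+\/[0-9]+$/) exit 1
            split(cidr, c, "/"); hostspan = 2 ^ (32 - c[2])   # drop the host bits, then compare
            exit (int(toint(ip) / hostspan) == int(toint(c[1]) / hostspan)) ? 0 : 1
        }'
}

# check_key LABEL VALUE: a WireGuard key is 32 bytes, i.e. exactly 44 base64 chars ending in '='.
check_key() {
    if [ -z "$2" ]; then echo "$1 missing"; return 1; fi
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]{43}=$' \
        || { echo "$1 is not a valid key (placeholder left in?)"; return 1; }
}

# dns_covered ALLOWED_LIST ADDR: 0 if IPv4 ADDR is routed into the tunnel by ALLOWED_LIST.
# IPv6 resolvers are not checked and pass.
dns_covered() {
    local c
    case "$2" in *:*) return 0 ;; esac
    for c in $(printf '%s' "$1" | tr ',' ' '); do
        if ip_in_cidr "$2" "$c"; then return 0; fi
    done
    return 1
}

# lint_client_conf FILE: print one finding per line; exit 0 when clean, 1 otherwise.
lint_client_conf() {
    local f="$1" allowed dns ep mode d n=0
    check_key PrivateKey "$(conf_value "$f" PrivateKey)" || n=$((n + 1))
    check_key PublicKey "$(conf_value "$f" PublicKey)" || n=$((n + 1))
    ep=$(conf_value "$f" Endpoint)
    case "$ep" in
        ""|*YOUR_HOME_IP*) echo "Endpoint missing or still a placeholder"; n=$((n + 1)) ;;
        *:[0-9]*) ;;
        *) echo "Endpoint '$ep' has no port (expected host:51820)"; n=$((n + 1)) ;;
    esac
    allowed=$(conf_value "$f" AllowedIPs)
    dns=$(conf_value "$f" DNS)
    if has_cidr "$allowed" 0.0.0.0/0; then
        # Full tunnel: IPv6 must go in too, or dual-stack sites reach the client outside the VPN
        has_cidr "$allowed" ::/0 || { echo "AllowedIPs routes IPv4 only; add ::/0 or IPv6 leaks"; n=$((n + 1)); }
        [ -n "$dns" ] || { echo "DNS unset on a full tunnel; lookups leak to the local resolver"; n=$((n + 1)); }
    elif [ -n "$dns" ]; then
        # Split tunnel: a resolver outside AllowedIPs is queried over the untunnelled route
        for d in $(printf '%s' "$dns" | tr ',' ' '); do
            dns_covered "$allowed" "$d" || { echo "DNS $d not inside AllowedIPs ($allowed)"; n=$((n + 1)); }
        done
    fi
    # The file holds a private key: only its owner should be able to read it
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        ?00) ;;
        *) echo "mode $mode lets other users read the private key; chmod 600 $f"; n=$((n + 1)) ;;
    esac
    if [ "$n" -eq 0 ]; then echo "OK: $f"; return 0; fi
    return 1
}

case "$0" in *wg-lint-client.sh) lint_client_conf "$1" ;; esac
```

Run it as sudo ./wg-lint-client.sh /etc/wireguard/clients/phone.conf before generating the QR code; a non-zero exit means at least one finding was printed.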

Latency or Slow Speeds

Symptom: VPN is slow, or latency is high (>200ms).

Causes and fixes:

  1. Pi CPU throttling: WireGuard is lightweight, but a Pi Zero can saturate its CPU on a fast link. Check temperature and load:
vcgencmd measure_temp
top

If the CPU is pinned at 100%, or the temperature is above 80 C (where the firmware starts throttling), move the server to a faster Pi or improve its cooling.

  2. Upload speed of your home connection: Everything you pull through the tunnel is limited by your home upload bandwidth, which on residential lines is often a fraction of the download figure. Measure it from the Pi:
sudo apt install speedtest-cli
speedtest
  3. MTU: If large downloads stall while pings work, the tunnel MTU is too big for your uplink (common on PPPoE and some mobile networks). wg-quick defaults to 1420; try MTU = 1380 in the client's [Interface] section.
  4. Routing between you and home: Your ISP, or the network you are on, may route traffic badly. See where the latency appears with mtr (My Traceroute):
sudo apt install mtr
mtr -c 10 YOUR_HOME_IP
  5. Network congestion: If many devices use the VPN simultaneously, bandwidth suffers. WireGuard has no per-peer rate limiting of its own; use QoS rules on your router or tc on the Pi's wg0 interface.

Client Can't Connect Externally

Symptom: Client can reach home devices (192.168.1.x) but can't access the internet through the VPN.

Likely cause: Client config has AllowedIPs = 192.168.1.0/24, 10.0.0.0/24 (home network only), not 0.0.0.0/0 (all traffic). That is a valid split-tunnel setup; it only needs changing if you want internet traffic to go through home as well.

Fix: Modify the client config:

AllowedIPs = 0.0.0.0/0, ::/0

Then reload:

sudo wg-quick down laptop
sudo wg-quick up laptop

Summary

WireGuard on Raspberry Pi is the modern solution for secure remote access to your homelab. Its lightweight design, simple configuration, and strong cryptography make it superior to OpenVPN for resource-constrained environments.

Key takeaways:

  1. Install WireGuard with apt install wireguard wireguard-tools.
  2. Generate unique key pairs for the server and each client.
  3. Configure the server's /etc/wireguard/wg0.conf with peers and IP forwarding rules.
  4. Generate client configs and import via QR code or file.
  5. Use Docker for simpler setup and maintenance.
  6. Configure port forwarding on your router and dynamic DNS for a stable endpoint.
  7. Troubleshoot by checking keys, port forwarding, IP forwarding, iptables rules, and DNS settings.

You now have a fully encrypted tunnel to your homelab, accessible from anywhere. Whether you're checking on Home Assistant from vacation or accessing your media server remotely, WireGuard provides the speed, simplicity, and security that modern homelab demands.

For further reading, explore WireGuard's official documentation at https://www.wireguard.com, and consider securing your setup with additional measures like two-factor authentication on your home services.

Happy tunneling!
