Tech VPN

Building a VPN Bridge to A Home Server (Site-to-Site) with WireGuard

WireGuard came to the rescue after setting up a VPS thru Vultr (awesome service, awesome host). I found out very quickly that hosting large files was going to get expensive fast. Important things, I’d like to keep on the VPS but not everything needs or should go there immediately. I wanted a way to build a path to a home server that was secure, fast, and fairly easy to setup.

I went thru OpenVPN first but found the setup to be not exactly what was looking for.

Enter WireGuard

It’s super fast and very minimal to install. Especially for Ubuntu/Debian. It allows routing tables to be added straight into config so adding different subnets for access is simple a copy-paste and reload-a-way.

Step1: installing Wireguard

For Ubuntu 20.04, the installation couldn’t easier.
(If Ubuntu isn’t your thing, wireguard can be installed on many different OS’s)
This first part is to be done on your VPS/Originating server.

sudo apt-get update
sudo apt-get upgrade -y && sudo apt-get install wireguard -y

Step2: Creating Keys

First switch to your root user and then cd into the wireguard directory using:

sudo su
cd /etc/wiregaurd

Then create the private and public key using:

umask 077
wg genkey > privatekey
wg pubkey < privatekey > publickey

Step3: Creating VPS config file

Here is where the main course comes into play. Enter the below commands on your VPS. The client config will come later

touch wg0.conf
nano wg0.conf

Now, in that conf file add the following.

#VPS Server config where traffic is going to be originating from
#Can be set to anything as long as it ends with a 0
Address =
#Allows configs to be saved thru reboots
SaveConfig = true
#This sets connecting devices to pass all traffic thru the VPN
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
#Port that you'll open and connect thru
ListenPort = <Default is 51820>
PrivateKey = <Private Key>

PublicKey = <Clients Public Key>
#Here is where the magic happens
AllowedIPs =,
Endpoint = >This will populate upon first connect<

In the Private Key section, cat your private key from above and paste the key here. (respect the spaces)

Hold off on the public key as that will come next

Step4: Creating client config

Now on the connecting server, run thru steps 1-3. However, you’ll want to paste the below text into the config.

Address =
PrivateKey = <Private Key>
DNS = #any public dns can be specified

PublicKey = <VPS Public Key>
Endpoint = <VPS IP>:<WG Port> #x.x.x.x:51820
AllowedIPs =
PersistentKeepalive = 25

Step5: connecting everything together

In the [Peer] section of the VPS config, you’ll notice some routing labeled as “AllowedIPs”. This is where everything is linked together. Think of these IPs as the ranges your VPS is able to see. If your home network is running on, then you have to list these IP’s here. The first IP range is going to allow the connecting(Your home server) IP access to the VPS side. Both need to be in here. Start the VPN with:

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

Leave a Reply

Your email address will not be published. Required fields are marked *