WireGuard tunnel from VPS to home network

Published on Apr 4, 2021

Inspiration from https://theorangeone.net/posts/wireguard-haproxy-gateway/.

Install WireGuard on both the VPS and the internal (home) server:

sudo apt install wireguard

Generate one key pair on the VPS and another on the internal server. A private key never leaves the machine that generated it; only the two public keys are exchanged. The umask stops the private key file from being created world-readable:

(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)

WireGuard configurations

Each file lives at /etc/wireguard/wg0.conf on its own machine. It contains the private key, so keep it owned by root with mode 0600 (wg-quick warns when the file is world-readable).

VPS configuration (/etc/wireguard/wg0.conf)

[Interface]
Address = 10.1.10.1/24
PrivateKey = <Server private key>
# UDP 51820 must be open in the VPS firewall / provider security group.
ListenPort = 51820

[Peer]
PublicKey = <Client public key>
# AllowedIPs is both a route and the cryptokey-routing filter: only packets
# to or from 10.1.10.2 are accepted on this peer's key.
AllowedIPs = 10.1.10.2/32

Internal server configuration (/etc/wireguard/wg0.conf)

[Interface]
Address = 10.1.10.2/24
PrivateKey = <Client private key>

[Peer]
PublicKey = <Server public key>
Endpoint = <hostname>:51820
# Only the VPS end of the tunnel. Use 10.1.10.0/24 instead if more peers join
# later; either way the host bits of the prefix must be zero (10.1.10.2/24,
# our own address with a /24 mask, is malformed).
AllowedIPs = 10.1.10.1/32
# This side is behind NAT: keep the mapping open so the VPS can reach us.
PersistentKeepalive = 25

Enable the tunnel on both machines and bring it up now:

sudo systemctl enable --now wg-quick@wg0.service

Before touching nginx, confirm the handshake completes (wg show on either side should report a recent latest handshake) and that 10.1.10.2 answers ping from the VPS.
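As an added example (not part of the original post), the following Python script parses a wg-quick style wg0.conf and flags the mistakes that are easy to make in the two files above: an AllowedIPs prefix with its host bits set, a catch-all 0.0.0.0/0 route, a missing key or address, and a peer with an Endpoint but no PersistentKeepalive on the side that sits behind NAT. The two embedded sample configs are constructed for the example, and vps.example.org in them is a placeholder hostname.

```python
"""Lint a wg-quick configuration before bringing the tunnel up.

Added example for this post, not code from the original. The sample configs
below are constructed; vps.example.org is a placeholder hostname.
"""
import ipaddress
import sys


def parse_wg_conf(text):
    """Parse the INI-style wg-quick format into (interface_dict, [peer_dict, ...])."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            if current is None:
                raise ValueError(f"key outside any section: {line!r}")
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"malformed line: {line!r}")
            current[key.strip()] = value.strip()
    return interface, peers


def lint_wg_conf(text, behind_nat=False):
    """Return a list of findings; an empty list means the file looks sane."""
    interface, peers = parse_wg_conf(text)
    findings = []
    for key in ("Address", "PrivateKey"):
        if key not in interface:
            findings.append(f"Interface: missing {key}")
    for n, peer in enumerate(peers, 1):
        if "PublicKey" not in peer:
            findings.append(f"Peer {n}: missing PublicKey")
        for cidr in (c.strip() for c in peer.get("AllowedIPs", "").split(",")):
            if not cidr:
                continue
            try:
                net = ipaddress.ip_network(cidr)      # strict: host bits must be zero
            except ValueError:
                try:
                    net = ipaddress.ip_network(cidr, strict=False)
                except ValueError:
                    findings.append(f"Peer {n}: AllowedIPs {cidr!r} is not an address or prefix")
                    continue
                findings.append(
                    f"Peer {n}: AllowedIPs {cidr} has host bits set; "
                    f"write {net} for the whole subnet or a /32 for one host")
            if net.prefixlen == 0:
                findings.append(
                    f"Peer {n}: AllowedIPs {cidr} sends all traffic into the tunnel")
        if behind_nat and "Endpoint" in peer and "PersistentKeepalive" not in peer:
            findings.append(
                f"Peer {n}: no PersistentKeepalive; the NAT mapping will expire and "
                "the other side will be unable to reach this peer")
    return findings


# Constructed VPS-side config, mirroring the post's layout.
VPS_CONF = """\
[Interface]
Address = 10.1.10.1/24
PrivateKey = <Server private key>
ListenPort = 51820

[Peer]
PublicKey = <Client public key>
AllowedIPs = 10.1.10.2/32
"""

# Constructed home-side config with two easy mistakes: a prefix with host
# bits set, and no keepalive although this side is behind NAT.
HOME_CONF_BAD = """\
[Interface]
Address = 10.1.10.2
PrivateKey = <Client private key>

[Peer]
PublicKey = <Server public key>
Endpoint = vps.example.org:51820
AllowedIPs = 10.1.10.2/24
"""

if __name__ == "__main__":
    # Usage: python lint_wg.py [wg0.conf] [--nat]; without a file, lint the samples.
    if len(sys.argv) > 1 and not sys.argv[1].startswith("--"):
        with open(sys.argv[1]) as fh:
            problems = lint_wg_conf(fh.read(), behind_nat="--nat" in sys.argv)
    else:
        problems = lint_wg_conf(VPS_CONF) + lint_wg_conf(HOME_CONF_BAD, behind_nat=True)
    print("\n".join(problems) if problems else "no findings")
```

Run it against each side's file before wg-quick up; the checks use only the standard library's ipaddress module, so the same strictness (host bits must be zero in a prefix) applies that the kernel and iproute2 enforce.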

Nginx configuration

VPS nginx config (plain HTTP here; certbot adds the HTTPS server block in the last step)

server {
    listen 80;
    listen [::]:80;
    server_name subdomain.domain.tld;

    # Webroot-style ACME challenge location. It is harmless next to the certbot
    # nginx plugin used below, which handles the challenge on its own.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /home/<user>/public/letsencrypt;
    }

    location / {
        # Plain HTTP is fine on this hop: it rides inside the WireGuard tunnel.
        proxy_pass http://10.1.10.2/;
        proxy_buffering off;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Lets the backend know the client side was TLS once certbot adds 443.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Internal server nginx config

server {
    listen 80;
    server_name subdomain.domain.tld;

    # Only the VPS end of the tunnel may use this vhost; requests arriving
    # from the LAN or any other interface get 403.
    allow 10.1.10.1;
    deny all;

    location / {
        proxy_pass http://<internal-ip-to-point-at>:<port>;
        proxy_buffering off;
        # Keep the original Host and append this hop to the proxy chain;
        # X-Real-IP and X-Forwarded-Proto set by the VPS pass through unchanged.
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
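Because the VPS sets X-Forwarded-For with $proxy_add_x_forwarded_for, the header that reaches the home side is whatever the client chose to send, with the client's real address appended after it; an application that simply reads the leftmost entry can be handed a fake client IP. The following Python function is an added example (not from the original post) of how the application behind the internal nginx should recover the client address: walk the chain from the right and skip only the hops you operate. The trusted addresses (10.1.10.1 for the VPS end of the tunnel, and a placeholder 192.168.1.10 for the home nginx's LAN address) and the sample header are constructed for the example.

```python
"""Recover the real client address behind the VPS -> tunnel -> home nginx chain.

Added example, not code from the original post. 192.168.1.10 stands in for the
home nginx's LAN address, 203.0.113.7 for a real client and 198.51.100.9 for a
value the client forged; all three are constructed placeholders.
"""
import ipaddress

# Proxies we operate, i.e. the hops whose X-Forwarded-For entries we believe.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.1.10.1/32"),     # VPS end of the WireGuard tunnel
    ipaddress.ip_network("192.168.1.10/32"),  # home nginx (placeholder LAN address)
]


def _is_trusted(ip, trusted):
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the first address from the right that is not one of our proxies.

    remote_addr is the application's TCP peer and is always genuine. Each proxy
    appended the address it saw to X-Forwarded-For, so everything to the left
    of the first untrusted hop was supplied by the client and is not believed.
    Returns None when the chain contains something that is not an IP address.
    """
    hops = [h.strip() for h in xff_header.split(",")] if xff_header else []
    chain = [h for h in hops if h] + [remote_addr]
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None              # refuse to guess on a malformed header
        if not _is_trusted(ip, trusted):
            return str(ip)
    return remote_addr               # only our own proxies in the chain: direct hit


def naive_client_ip(xff_header):
    """What 'take the first X-Forwarded-For entry' code does; trivially spoofable."""
    return xff_header.split(",")[0].strip()


if __name__ == "__main__":
    # Constructed request as the app sees it: the client sent a forged
    # X-Forwarded-For: 198.51.100.9, the VPS appended the real client
    # 203.0.113.7, and the home nginx (if it appends too) added 10.1.10.1
    # before connecting from its LAN address.
    header = "198.51.100.9, 203.0.113.7, 10.1.10.1"
    print("naive :", naive_client_ip(header))            # the forged value
    print("proper:", client_ip("192.168.1.10", header))  # the real client
```

The same logic exists natively in nginx's realip module (set_real_ip_from for each trusted hop, real_ip_header X-Forwarded-For and real_ip_recursive on), which rewrites $remote_addr on the home side so that access logs and allow/deny rules see the client rather than 10.1.10.1.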

Let's Encrypt certificate on the VPS

Port 80 on the VPS must be reachable from the internet for the HTTP-01 challenge. The nginx plugin writes a 443 server block with the certificate (and an HTTP to HTTPS redirect if you accept it), so TLS terminates on the VPS and the hop to the home server stays plain HTTP inside the tunnel:

sudo certbot --nginx -d subdomain.domain.tld

Further reading: