Self-Hosting WireGuard: Secure Remote Access to Your Server
WireGuard creates encrypted tunnels to your server. Access all your self-hosted apps securely without exposing them to the internet.
Why WireGuard?
WireGuard is the modern VPN protocol:
Use Case: Secure App Access
Instead of exposing every app to the internet:
1. Only expose WireGuard (one UDP port)
2. All apps are only accessible via VPN
3. Connect from anywhere with a WireGuard client
4. Access apps as if you're on the local network
How It Works
WireGuard creates encrypted tunnels between your devices and server. Once connected, your device can access services on the server's private network.
Your Phone ← (encrypted tunnel) → WireGuard on Server → Nextcloud, Grafana, etc.
Setup
Server Configuration
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>
[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32
Client Configuration
[Interface]
Address = 10.0.0.2/24
PrivateKey = <client_private_key>
DNS = 10.0.0.1
[Peer]
PublicKey = <server_public_key>
Endpoint = your-server-ip:51820
AllowedIPs = 10.0.0.0/24
WireGuard UI
Managing WireGuard configuration files manually is tedious. Use a web UI:
wg-easy
Simplest WireGuard management UI. Add/remove clients with a click. QR codes for mobile setup.
Firezone
Full-featured WireGuard management platform. User management, SSO integration, audit logs.
Split Tunneling
AllowedIPs = 10.0.0.0/24 routes only server traffic through the VPN. Regular internet traffic goes directly. This is "split tunneling" — only server access uses the VPN.
AllowedIPs = 0.0.0.0/0 routes ALL IPv4 traffic through the VPN; add ::/0 as well to cover IPv6. Use this for privacy or when on untrusted networks.
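A small config check for the Setup and Split Tunneling sections above, added here as an illustration (it is not part of wg-easy, Firezone or WireGuard itself). It assumes the page's layout, where each client gets a single /32 on the server side, and the function names and the SERVER_BAD sample are made up for this example.

```python
import ipaddress

def parse_wg(text):
    """Parse wg-quick text into [(section, {key: value})]; [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 keys may end in '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def peer_nets(text):
    """Yield (peer_number, network) for every AllowedIPs entry."""
    peers = [kv for name, kv in parse_wg(text) if name == "peer"]
    for i, kv in enumerate(peers, 1):
        for item in kv.get("allowedips", "").split(","):
            if item.strip():
                yield i, ipaddress.ip_network(item.strip(), strict=False)

def tunnel_mode(client_text):
    """Return 'split', 'full', 'full-ipv4-only' or 'full-ipv6-only'."""
    defaults = {n.version for _, n in peer_nets(client_text) if n.prefixlen == 0}
    if not defaults:
        return "split"
    return "full" if defaults == {4, 6} else f"full-ipv{defaults.pop()}-only"

def audit_server(server_text):
    """Flag server-side peers whose AllowedIPs exceed one host or overlap."""
    findings, seen = [], []
    for i, net in peer_nets(server_text):
        if net.prefixlen != net.max_prefixlen:
            findings.append(f"peer {i}: {net} is wider than one host")
        for j, other in seen:
            if j != i and net.version == other.version and net.overlaps(other):
                findings.append(f"peer {i}: {net} overlaps peer {j} ({other})")
        seen.append((i, net))
    return findings

# Constructed sample: the page's server layout plus a second, over-broad peer.
SERVER_BAD = """[Interface]
ListenPort = 51820
[Peer]
AllowedIPs = 10.0.0.2/32
[Peer]
AllowedIPs = 10.0.0.0/24
"""
```

Calling audit_server(SERVER_BAD) reports the second peer twice, once for its width and once for overlapping the first peer. On the server, AllowedIPs also limits which source addresses a peer may send from, so an over-broad entry lets one client use addresses assigned to another.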
Mobile Access
WireGuard has native apps for iOS and Android:
1. Generate a client config
2. Display as QR code
3. Scan with mobile app
4. Connected in seconds
On TinyPod
Deploy wg-easy on TinyPod for the simplest WireGuard setup. One container, web UI, and instant VPN access to all your self-hosted apps.