WireGuard for home networks

I have recently bought a new router which has WireGuard as a feature. Since I run some services on my home network, it would be nice to be able to access them whenever I am away.

In order to set up a VPN, you need a good understanding of what a network is and how it functions.

You should also be aware that most Internet Service Providers don't allow opening random ports from your network.

While setting up your VPN, you might find yourself needing to check whether a certain port is open. On Windows, you can test a port with a command similar to:

  • telnet checked-host.duckdns.org 12345
  • Test-NetConnection -Port 12345 -ComputerName checked-host.duckdns.org -InformationLevel Detailed

Both commands test a TCP connection. WireGuard itself listens on UDP and stays silent unless it receives a valid handshake, so these commands cannot show you whether the WireGuard port is reachable; they are still useful for checking whether your ISP lets inbound traffic reach a TCP service on your network.

Read more about WireGuard:

Hostname

If you don't have a static IP address, the first thing you will need is some way to map a hostname to your changing IP. Modern routers offer some service for this, either from the manufacturer itself (e.g. I used to have an Asus device which had this) or through third-party solutions.

However, for more control and more privacy, you can opt for a more involved solution, like DuckDNS together with an update client hosted somewhere on your network. This was my choice, in combination with Docker:

services:
  duckdns:
    container_name: duckdns
    image: lscr.io/linuxserver/duckdns:latest
    restart: unless-stopped
    network_mode: host
    environment:
      - PUID=1000 #optional
      - PGID=1000 #optional
      - TZ=Etc/UTC #optional
      - SUBDOMAINS=subdomain1,subdomain2
      - TOKEN=token
      - UPDATE_IP=ipv4 #optional
      - LOG_FILE=false #optional
    volumes:
      - ./config:/config #optional

Note that network_mode needs to stay host.
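To show what the container above does on its timer, here is a minimal DuckDNS update client as an added example (my code, not the linuxserver container's). It uses DuckDNS's documented update endpoint, reads the same SUBDOMAINS and TOKEN variables as the compose file, treats the token as a credential (redacted before logging), and takes an injectable fetch function so the logic can be exercised without network access; the subdomain and token values are placeholders.

```python
"""Minimal DuckDNS update client (added example, not the container's code)."""
import os
import urllib.parse
import urllib.request

UPDATE_URL = "https://www.duckdns.org/update"


def build_update_url(subdomains, token, ip=None):
    """Documented form: /update?domains=a,b&token=...[&ip=...].
    Omitting ip makes DuckDNS use the request's source address, i.e. the
    public IPv4 of the network the updater runs in."""
    params = {"domains": ",".join(subdomains), "token": token}
    if ip:
        params["ip"] = ip
    return UPDATE_URL + "?" + urllib.parse.urlencode(params, safe=",")


def parse_reply(body):
    """DuckDNS answers with the literal text OK or KO."""
    text = body.strip()
    if text == "OK":
        return True
    if text == "KO":
        return False
    raise ValueError(f"unexpected DuckDNS reply: {text!r}")


def redact(url, token):
    """The token is a credential: keep it out of logs."""
    return url.replace(token, "<token>")


def fetch_text(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


def update(subdomains, token, ip=None, fetch=fetch_text):
    """Run one update. `fetch` is injectable so the logic can be tested offline."""
    url = build_update_url(subdomains, token, ip)
    ok = parse_reply(fetch(url))
    print("updated" if ok else "rejected", redact(url, token))
    return ok


if __name__ == "__main__":
    # Same variables as the docker-compose service; values are placeholders.
    subs = os.environ.get("SUBDOMAINS", "subdomain1,subdomain2").split(",")
    update(subs, os.environ.get("TOKEN", "token"))
```

Run it on a schedule (cron, a systemd timer, or a container like the one above) from a host inside your network, so the source address DuckDNS sees is the router's public IPv4.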

More info:

Public/private key

It's important to make a distinction between the operating system's SSH keys and the keys exchanged by WireGuard. To generate the keys WireGuard needs, install the WireGuard client on your device. Download the application from the official website:

The basic idea is that you will set the public key of your device inside the router and the public key of the router inside your device.
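To make the key exchange concrete, here is an added example (my code, not from the page or the WireGuard project) showing what the two base64 strings are: a WireGuard private key is a clamped 32-byte X25519 scalar, the public key is that scalar multiplied by the curve's base point, and once each side holds the other's public key both compute the same shared secret. The X25519 arithmetic is a pure-Python transcription of the RFC 7748 ladder so it can be checked against the RFC's published test vectors; it is not constant-time and exists only to illustrate the relationship, so real keys should come from `wg genkey` / `wg pubkey` or the client's "generate" button.

```python
"""WireGuard key pair and shared secret with a pure-Python X25519 (RFC 7748).
Added example for illustration only: not constant-time, not for real keys."""
import base64
import secrets

P = 2**255 - 19          # field prime
A24 = 121665             # (486662 - 2) / 4 for Curve25519
BASEPOINT = (9).to_bytes(32, "little")


def clamp(private_key: bytes) -> bytes:
    """The clamping wg genkey applies before base64-encoding the key."""
    k = bytearray(private_key)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(private_key: bytes, point: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5: scalar * u-coordinate."""
    k = int.from_bytes(clamp(private_key), "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)  # mask top bit of u
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                  # a real implementation uses a constant-time cswap
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_private_key() -> str:
    """Equivalent of `wg genkey`: 32 random bytes, clamped, base64."""
    return base64.b64encode(clamp(secrets.token_bytes(32))).decode()


def public_key(private_key_b64: str) -> str:
    """Equivalent of `wg pubkey`: the public point is private * basepoint."""
    priv = base64.b64decode(private_key_b64)
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()


def shared_secret(private_key_b64: str, peer_public_b64: str) -> str:
    """What each side can compute once it holds the other's public key."""
    priv = base64.b64decode(private_key_b64)
    peer = base64.b64decode(peer_public_b64)
    return base64.b64encode(x25519(priv, peer)).decode()


def rfc7748_vectors_pass() -> bool:
    """Self-check against the Alice/Bob vectors in RFC 7748 section 6.1."""
    alice = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    bob = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    alice_pub = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
    bob_pub = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
    shared = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
    return (x25519(alice, BASEPOINT).hex() == alice_pub
            and x25519(bob, BASEPOINT).hex() == bob_pub
            and x25519(alice, bytes.fromhex(bob_pub)).hex() == shared
            and x25519(bob, bytes.fromhex(alice_pub)).hex() == shared)


if __name__ == "__main__":
    assert rfc7748_vectors_pass()
    device_priv = generate_private_key()     # never leaves the device
    router_priv = generate_private_key()     # never leaves the router
    device_pub, router_pub = public_key(device_priv), public_key(router_priv)
    # Each side is given only the other's public key, yet both derive one secret.
    assert shared_secret(device_priv, router_pub) == shared_secret(router_priv, device_pub)
    print("device public key:", device_pub)
    print("router public key:", router_pub)
```

This is why only the public keys travel between router and device: the private key on each side never needs to be copied anywhere, and a leaked public key on its own does not let anyone derive the tunnel's secret.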

MikroTik

The router we will configure is a MikroTik. On the router, open the administration tool and follow these steps:

  1. From the side menu, open WireGuard;
  2. Create a new WireGuard interface. Give the interface a name. It's recommended that you change the default listening port (e.g. to 11020). Also note the interface's public key, which you will need later on;
  3. From the side menu, open IP > Addresses;
  4. Create a new address. This address will be used for the WireGuard connections and should be in the format 192.168.8.1/24. Remember to select your WireGuard interface from the interface dropdown;
  5. Go back to the WireGuard tab and create a new peer with the public key generated on your first client device. Set an IP address for the client matching the address range defined earlier (e.g. 192.168.8.23/32), and it's recommended to add a comment with the name of your device, so that you can easily tell which client is which. Also set a persistent keepalive of 00:00:25 (which is 25 seconds);
  6. From the side menu, open IP > Firewall and add 2 new rules:
    • An input rule for the WireGuard address range (192.168.8.0/24), which should be moved to position 1;
    • An input rule for protocol udp and dst-port 11020, which should be moved to position 2.

The configuration on each client device will vary. An example configuration for the Windows client is:

[Interface]
PrivateKey = <private key of device>
# the address assigned to this peer on the router (step 5)
Address = 192.168.8.23/24
# the router's WireGuard address (step 4)
DNS = 192.168.8.1

[Peer]
# shown on the router's WireGuard interface (step 2)
PublicKey = <router public key>
# route all traffic through the tunnel
AllowedIPs = 0.0.0.0/0
# the port must match the listening port set on the interface in step 2
Endpoint = checked-address.duckdns.org:13231
PersistentKeepalive = 25
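Because the router side (steps 2, 4, 5 and 6) and the client file above must agree on the subnet, the client address, the listening port and the keepalive, it helps to generate both from one description and check them together. The following is an added example (my code, not the page's or MikroTik's): it emits the client configuration in the format shown above, the RouterOS CLI lines that correspond to the GUI steps 5 and 6 (my translation of those steps, an assumption), and a list of mismatches. The interface name `wg-home`, the hostname and the key strings are constructed placeholders; the check for port 13231 relies on that being MikroTik's default WireGuard listening port.

```python
"""Generate the MikroTik peer entry, the firewall rules and the matching client
config for one WireGuard client, and check that both sides agree.
Added example; names, hosts and keys are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

MIKROTIK_DEFAULT_PORT = 13231   # the port step 2 recommends changing


@dataclass
class Router:
    hostname: str        # DuckDNS name the clients dial
    listen_port: int     # step 2: the non-default UDP port
    wg_address: str      # step 4: router address on the tunnel, e.g. "192.168.8.1/24"
    public_key: str      # shown on the WireGuard interface in step 2
    interface: str = "wg-home"   # hypothetical interface name


@dataclass
class Client:
    name: str            # used as the peer comment (step 5)
    address: str         # tunnel address for this device, e.g. "192.168.8.23"
    public_key: str      # generated on the device
    keepalive: int = 25  # seconds


def validate(router: Router, client: Client) -> list:
    """Return the mismatches that would make the tunnel fail or weaken it."""
    problems = []
    iface = ipaddress.ip_interface(router.wg_address)
    addr = ipaddress.ip_address(client.address)
    if addr not in iface.network:
        problems.append(f"{client.name}: {addr} is outside {iface.network}")
    if addr == iface.ip:
        problems.append(f"{client.name}: address collides with the router's {iface.ip}")
    if router.listen_port == MIKROTIK_DEFAULT_PORT:
        problems.append("router still listens on the default port 13231")
    if not 1 <= router.listen_port <= 65535:
        problems.append(f"invalid listen port {router.listen_port}")
    if client.keepalive <= 0:
        problems.append(f"{client.name}: keepalive must be positive")
    return problems


def routeros_peer(router: Router, client: Client) -> str:
    """CLI equivalent of step 5; the GUI fields map one-to-one to these parameters."""
    return (f"/interface/wireguard/peers/add interface={router.interface} "
            f'public-key="{client.public_key}" allowed-address={client.address}/32 '
            f'persistent-keepalive={client.keepalive}s comment="{client.name}"')


def routeros_firewall(router: Router) -> list:
    """CLI equivalent of step 6: accept tunnel traffic and the handshake port,
    placed at the top of the input chain."""
    net = ipaddress.ip_interface(router.wg_address).network
    return [
        f"/ip/firewall/filter/add chain=input action=accept src-address={net} "
        f'place-before=0 comment="wireguard clients"',
        f"/ip/firewall/filter/add chain=input action=accept protocol=udp "
        f'dst-port={router.listen_port} place-before=1 comment="wireguard handshake"',
    ]


def client_config(router: Router, client: Client) -> str:
    """The [Interface]/[Peer] file the device imports; the private key stays a placeholder."""
    iface = ipaddress.ip_interface(router.wg_address)
    return "\n".join([
        "[Interface]",
        "PrivateKey = <private key of device>",
        f"Address = {client.address}/{iface.network.prefixlen}",
        f"DNS = {iface.ip}",
        "",
        "[Peer]",
        f"PublicKey = {router.public_key}",
        "AllowedIPs = 0.0.0.0/0",
        f"Endpoint = {router.hostname}:{router.listen_port}",   # same port as step 2
        f"PersistentKeepalive = {client.keepalive}",
        "",
    ])


# Constructed sample values (placeholders, not real keys or hosts).
ROUTER = Router("home.duckdns.org", 11020, "192.168.8.1/24", "<router public key>")
LAPTOP = Client("laptop", "192.168.8.23", "<laptop public key>")

if __name__ == "__main__":
    for problem in validate(ROUTER, LAPTOP):
        print("problem:", problem)
    print(routeros_peer(ROUTER, LAPTOP))
    print(*routeros_firewall(ROUTER), sep="\n")
    print(client_config(ROUTER, LAPTOP))
```

Generating the Endpoint line from the same `listen_port` that goes into the firewall rule is the point: a client file that dials a port the router does not listen on (or that the input chain does not accept) fails silently, because WireGuard never answers an invalid or unanswered handshake.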

More info:

Security

Nowadays, we need to pay extra attention to the security aspect in everything we do online. Thus, thinking about the security of your home network is not something to neglect.

More info: