Secure remote access to the homelab is handled by WireGuard running on a headless Raspberry Pi 4B. This page documents the configuration, NAT rules, client setup, and best practices.
| Device | Value |
|---|---|
| Model | Raspberry Pi 4B (2GB RAM) |
| OS | Raspberry Pi OS (Debian Bookworm, Headless) |
| IP Address | 192.168.1.204 (DHCP reserved) |
| Network Interface | eth0 |
| VPN Subnet | 10.9.0.0/24 |
| Port | 65142/UDP (forwarded from WAN) |
| DNS (via VPN) | 192.168.1.204 (Pi-hole) |
The main config file is located at `/etc/wireguard/wg0.conf`.
Example wg0.conf:

```ini
[Interface]
Address = 10.9.0.1/24
ListenPort = 65142
PrivateKey = <ServerPrivateKey>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = false
```
🔒 `SaveConfig = false` stops wg-quick from writing the running interface state back into wg0.conf when the interface goes down, so manual edits aren't overwritten when the service restarts. The FORWARD and MASQUERADE rules only carry client traffic if kernel forwarding is enabled (`net.ipv4.ip_forward = 1` via sysctl).
Each client gets its own [Peer] block on the Pi and a separate client .conf file holding that client's private key.
Example mobile config (wg-client.conf):

```ini
[Interface]
PrivateKey = <ClientPrivateKey>
Address = 10.9.0.2/32
DNS = 192.168.1.204
[Peer]
PublicKey = <ServerPublicKey>
Endpoint = <your-public-ip>:65142
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```
Generate a QR code for mobile devices:

```bash
qrencode -t ansiutf8 < wg-client.conf
```

Enable WireGuard to start on boot:

```bash
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
```

To check status:

```bash
sudo systemctl status wg-quick@wg0
```
On your router/firewall:
Forward UDP port 65142 to 192.168.1.204 (the Pi's eth0).

| Task | Command |
|---|---|
| Start VPN | `sudo wg-quick up wg0` |
| Stop VPN | `sudo wg-quick down wg0` |
| Show active peers | `sudo wg show` |
| Show config | `sudo cat /etc/wireguard/wg0.conf` |
| Reload after edit | `sudo systemctl restart wg-quick@wg0` |
Best practices:
- Give each client a fixed VPN address (10.9.0.2, 10.9.0.3, ...) to ease firewall rules.
- Leave SaveConfig off to keep clean manual control of wg0.conf.
- Point clients at Pi-hole for DNS (192.168.1.204).
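As an added check that is not part of this page's own setup, the script below parses a wg0.conf and flags what the practices above and the [Peer] layout depend on: every peer owns exactly one fixed /32 inside 10.9.0.0/24, no two peers share an address, ListenPort is 65142, and SaveConfig is off. The sample config is constructed here with its PublicKey lines omitted.

```python
import ipaddress
VPN_SUBNET = ipaddress.ip_network("10.9.0.0/24")
LISTEN_PORT = 65142
# Constructed sample (PublicKey lines omitted): one good peer, a duplicate address, a catch-all route.
SAMPLE_CONF = """\
[Interface]
Address = 10.9.0.1/24
ListenPort = 65142
SaveConfig = false
[Peer]
AllowedIPs = 10.9.0.2/32
[Peer]
AllowedIPs = 10.9.0.2/32
[Peer]
AllowedIPs = 0.0.0.0/0
"""

def parse_wg_conf(text):
    """Return (interface, [peers]); configparser would merge the repeated [Peer] sections."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return interface, peers

def check_wg_conf(text):
    """Return a list of findings; an empty list means the config follows the conventions above."""
    interface, peers = parse_wg_conf(text)
    findings, seen = [], {}  # seen maps a /32 to the peer number that claimed it
    if interface.get("ListenPort") != str(LISTEN_PORT):
        findings.append(f"ListenPort is not {LISTEN_PORT}")
    if interface.get("SaveConfig", "false").lower() != "false":
        findings.append("SaveConfig is on; wg-quick would overwrite manual edits")
    for n, peer in enumerate(peers, 1):
        cidrs = [c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != 4 or net.prefixlen != 32 or not net.subnet_of(VPN_SUBNET):
                findings.append(f"peer {n}: AllowedIPs {net} is not a single host in {VPN_SUBNET}")
            elif net in seen:
                findings.append(f"peer {n}: AllowedIPs {net} already used by peer {seen[net]}")
            else:
                seen[net] = n
    return findings
```

Run it against the live file with `sudo python3 check_wg.py` after adding `print(check_wg_conf(open("/etc/wireguard/wg0.conf").read()))`; an empty list is the goal.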