WireGuard Home VPN: Secure Remote Access for Your Homelab

06/12/2026 Last updated : 06/10/2026 Tech Guru

A home VPN is one of those homelab projects that feels small until it changes how you operate everything else. Suddenly you can reach the NAS without exposing it, check a Proxmox host from a hotel, pull a config backup, or help a family member without punching random holes through the firewall. Done right, WireGuard becomes the quiet management path for the whole lab.

WireGuard is a lean VPN protocol with a simple peer model, modern cryptography, and a configuration style that is much easier to reason about than older VPN stacks. The official WireGuard quick start is intentionally minimal, and Ubiquiti also documents WireGuard VPN server setup on UniFi gateways for people running a UniFi edge. The trick is that a VPN tunnel is only transport. Security comes from how you route, name, firewall, log, and test it.

Design principle: Do not make VPN users honorary LAN users. Give the VPN its own subnet, give every peer its own identity, and allow only the services that remote users actually need.

Reference diagram
WireGuard Home VPN Flow
Remote devices get a small routed VPN subnet. Firewall rules decide what the VPN can actually reach.
Phone / Laptop WireGuard peer Travel Router Optional peer WAN Edge UniFi gatewayor Linux VM VPN Subnet 10.44.0.0/24 DNS Pi-hole / AD Servers NAS / Proxmox Management UniFi / IPMI Default deny to LAN. Allow only named destinations and ports.UDP tunnel, then firewall policy
Peer identity
Every phone, laptop, and travel router gets its own key and allowed IP.
Least privilege
VPN access is not the same as LAN access. Permit named paths.
DNS matters
Give peers internal DNS so private names work offsite.

What We Are Building

The clean pattern is a dedicated WireGuard subnet, such as 10.44.0.0/24, routed by your gateway or a small Linux VM. Each remote device gets one address inside that subnet. The firewall then decides whether that peer can reach DNS, management, servers, cameras, or nothing at all.

ComponentRecommended BaselineWhy It Matters
VPN subnetA dedicated RFC1918 range such as 10.44.0.0/24Keeps remote access visible in logs and easy to target with firewall policy.
PeersOne peer per device, never shared configsYou can revoke a lost phone without breaking every other user.
DNSInternal resolver pushed to VPN clientsPrivate names work offsite and you avoid hardcoding IP addresses.
RoutingSplit tunnel for normal admin use, full tunnel only when neededReduces unnecessary traffic and makes failures easier to diagnose.
FirewallDefault deny from VPN to LAN, then explicit allowsThe VPN is a door, not permission to wander.

UniFi Gateway Setup Path

  1. Create a WireGuard VPN server on the UniFi gateway and choose a dedicated VPN subnet that does not overlap with LAN, guest, IoT, or remote-site networks.
  2. Create one client/peer per device. Name peers clearly, such as dan-laptop, dan-phone, travel-router, or emergency-admin.
  3. Set allowed IPs intentionally. For split tunnel, only route your homelab subnets through the VPN. For full tunnel, include 0.0.0.0/0 only when you mean to backhaul all traffic.
  4. Push internal DNS servers to the peer profile so names like nas.home.arpa resolve over the tunnel.
  5. Add firewall rules that permit the VPN subnet to specific destinations and ports, then deny everything else to internal networks.
  6. Export or scan each client configuration directly on the device that owns it. Do not store a pile of reusable VPN configs in a shared folder.
  7. Test from cellular or a different internet connection, not from inside the same LAN.

Firewall Rules I Would Start With

RuleSourceDestinationPortsAction
Allow VPN to DNSVPN subnetInternal DNS servers53 TCP/UDP, optionally 853Allow
Allow VPN to management jump hostAdmin peer or VPN subnetJump host22 or 3389 only if requiredAllow
Allow VPN to server web UIsAdmin peer groupNAS/Proxmox/app admin IPsSpecific HTTPS portsAllow
Deny VPN to IoT and guestVPN subnetIoT/guest VLANsAnyDeny and log
Deny VPN to management except explicit rulesVPN subnetNetwork management VLANAnyDeny and log

Client Example

The exact profile will vary by platform, but the mental model stays the same: one private key, one address, one DNS view, and allowed IPs that describe what should cross the tunnel.

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.44.0.10/32
DNS = 10.10.20.10

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 10.10.0.0/16
PersistentKeepalive = 25

Full tunnel caution: AllowedIPs = 0.0.0.0/0 is useful on untrusted Wi-Fi, but it changes the traffic path, DNS behavior, bandwidth use, and privacy expectations. Use it intentionally.

Validation Checklist

  • From cellular, connect the VPN and confirm the peer handshake updates.
  • Confirm the client receives the intended VPN address and DNS server.
  • Resolve an internal name, then ping or browse only an allowed internal service.
  • Attempt a blocked path, such as IoT or guest, and confirm the firewall denies it.
  • Revoke one test peer and confirm only that device loses access.
  • Export a fresh gateway backup after the design is stable.

Useful Gear And Buyer Notes

Affiliate disclosure: As an Amazon Associate, TechGeeks may earn from qualifying purchases. The product links below are buying references, not a requirement to buy a specific brand or seller. Verify compatibility, seller quality, warranty, and current specs before ordering.

NeedGood ChoiceWhy It FitsAffiliate Link
UniFi edge gatewayUCG Ultra or UCG MaxGood fit when you want WireGuard built into a UniFi-managed home network.Amazon: UCG Ultra
Amazon: UCG Max No Storage
Travel VPN routerGL.iNet Beryl AXUseful for hotel or family support scenarios where several devices ride one WireGuard client.Amazon: GL.iNet Beryl AX GL-MT3000
Power protectionAPC or CyberPower sine-wave UPSKeeps the gateway and DNS online long enough for graceful recovery.Amazon: CyberPower CP1500PFCLCD
Amazon: APC BR1500MS2
Patch cablingKnown-good Cat6 patch leadsA VPN troubleshooting session should not be hiding a bad cable at the edge.Amazon: Cable Matters Cat6 10-pack

Common Mistakes

  • Reusing one peer config for multiple phones or laptops.
  • Letting the VPN subnet reach every VLAN because it was convenient on day one.
  • Forgetting that DNS is part of the remote-access experience.
  • Using a subnet that overlaps with hotels, offices, or family networks.
  • Not documenting the revoke process before a device is lost.

References

Final Thought

The best home VPN is boring in exactly the right way. It connects quickly, gives each device a clear identity, resolves private names, reaches only the intended services, and disappears from your attention until you need it. That is the target: not a flat LAN over the internet, but a controlled remote management path for the homelab you actually trust.

This article is part of the TechGeeks homelab foundation series. The series is designed to build practical home infrastructure in the right order: remote access, segmentation, exposure control, DNS, IoT isolation, and recoverable backups.

Need help applying this?

Bring TechGeeks into the real environment.

If you are working through this on a live network, WordPress site, Linux server, AI workflow, or PisoWiFi deployment, send the context and we can help turn it into a practical plan.

Request helpGet field notesRecommended gear

Categories
Homelab, Network Security, Networking, Security, and Tutorials
Tags

Leave a Reply

Your email address will not be published. Required fields are marked *

Previous article
Cisco Multicloud Fabric: The Network-as-a-Service PushNew!!
06/12/2026