+++
title = "Using WireGuard to host services at home"
author = ["Sergio Durigan Junior"]
date = 2023-05-23T00:56:00-04:00
tags = ["english", "howto", "selfhost", "wireguard", "debian"]
draft = false
+++

It's been a while since I had this idea to leverage the power of [WireGuard](https://wireguard.org) to self-host stuff at home. Even though I pay for a proper server somewhere in the world, there are some services that I don't consider critical enough to put there, or that I consider **too** critical to host outside my home.

## It's only NATural {#it-s-only-natural}

With today's ISP packages for end users, I find it very annoying how much trouble they create when you try to host anything at home. Dynamic IPs, NAT/CGNAT, port blocking and traffic shaping are only a few examples of the methods or limitations that prevent users from making local services reliably reachable from outside.

## WireGuard comes to help {#wireguard-comes-to-help}

If you already pay for a VPS or a dedicated server somewhere, why not use its existing infrastructure (and public availability) in your favour? That's what I thought when I started this journey.

My initial idea was to use a reverse proxy to redirect external requests to the service running at my home. But how could I make sure that these requests reach my dynamic-IP-behind-a-NAT-behind-another-NAT? Well, let's create a tunnel!

WireGuard is the perfect tool for that for several reasons: there is no connection to set up or keep alive from the user's point of view (peers handshake again whenever they need to, and a peer updates the other side's endpoint from any authenticated packet it receives, so a home IP that changes is not a problem), it's very performant, it's secure, and it requires very little configuration.

## Setting up on the server {#setting-up-on-the-server}

On the server side (i.e., VPS or dedicated server), you will create the first endpoint.
Something like the following should do:

```ini
[Interface]
# the server's own private key
PrivateKey = PRIVATE_KEY_HERE
Address = 10.0.0.1/32
ListenPort = 51821

[Peer]
# the public key of the machine at home
PublicKey = PUBLIC_KEY_HERE
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 10
```

A few interesting points to note:

- The `Peer` section describes the home machine that will be configured below: its `PublicKey` is the home machine's public key, whereas the `PrivateKey` in `Interface` is the server's own. `AllowedIPs` is WireGuard's cryptokey routing table: packets destined for 10.0.0.2 are sent to this peer, and decrypted packets arriving from this peer are only accepted if their source address is 10.0.0.2.
- I'm using `PersistentKeepalive` because I have a dynamic IP at my home. Note that the server has no `Endpoint` for the home peer: it learns the home machine's current address from the handshake the home machine sends, so the tunnel must always be initiated from home, and the keepalive that actually keeps the NAT mapping open is the one sent from home (the server can only start sending its own keepalives once a handshake has told it where to send them). If you have a static IP, you could get rid of `PersistentKeepalive` and specify an `Endpoint` here (don't forget to set a `ListenPort` **below**, in the `Interface` section, and to forward that UDP port on your home router).
- Now you have an IP where you can forward requests to. If we're talking about HTTP traffic, Apache and nginx are absolutely capable of doing it. If we're talking about other kinds of traffic, you might want to look into other utilities, like [HAProxy](https://www.haproxy.org/), [Traefik](https://traefik.io/traefik/) and others. Keep in mind that whatever terminates TLS sees the traffic in clear: if nginx on the VPS terminates HTTPS, the VPS handles plaintext before it enters the tunnel. If you don't want the VPS to see that, pass TLS through unchanged (HAProxy can route on the SNI of the ClientHello without decrypting) and terminate it at home.

## Setting up at your home {#setting-up-at-your-home}

At your home, you will configure the peer:

```ini
[Interface]
# the home machine's own private key
PrivateKey = PRIVATE_KEY_HERE
Address = 10.0.0.2/32

[Peer]
# the server's public key
PublicKey = PUBLIC_KEY_HERE
AllowedIPs = 10.0.0.1/32
Endpoint = YOUR_SERVER:51821
PersistentKeepalive = 10
```

## A few notes about security {#a-few-notes-about-security}

I would be remiss if I didn't say anything about security, especially because we're talking about hosting services at home. So, here are a few recommendations:

- Make sure to put your services in a separate local network. Using VLANs is also a good option.
- Don't run services on your personal (or work!) computer, even if they'll be running inside a VM.
- Run a firewall on the WireGuard interface and make sure that you only allow traffic over the required ports. At home that means: only the server's tunnel address (10.0.0.1), only the service's port, and everything else arriving on the tunnel interface dropped. Treat the tunnel as untrusted on the server, too: the home machine should not be able to open connections to the VPS's own services.
- Keep the private keys private: `/etc/wireguard/wg0.conf` should be readable by root only (`wg` warns when the file is world-accessible), and don't reuse a key pair on another machine.

Have fun!