[[https://www.wireguard.com/|WireGuard]]® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art [[https://www.wireguard.com/protocol/|cryptography]]. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
===== Prerequisites =====
If you want to use your services at home, wherever you are, the following steps are required.
==== Dynamic DNS ====
If you do not have a static IP from your Internet Service Provider (ISP), a Dynamic DNS (DDNS) is required.
So you need to create an account with one of the providers listed below:
* https://freedns.afraid.org/
* https://www.duckdns.org/
* https://www.noip.com/
<alert type="info" icon="fa fa-info-circle">Also check your router for these providers. Sometimes you can enter your credentials there.</alert>
=== DDClient ===
Install ''ddclient'', then find the section for your chosen provider in its configuration file and enter your credentials there.
<code>
pacman -S ddclient
nano /etc/ddclient/ddclient.conf
</code>
<code>
systemctl enable --now ddclient.service
</code>
<alert type="info" icon="fa fa-info-circle">See also https://wiki.archlinux.org/title/Dynamic_DNS#ddclient. Some examples can be found in the table.</alert>
==== Port forwarding ====
[[https://en.wikipedia.org/wiki/Port_forwarding|What is it?]]
We will use WireGuard to access your server over the Internet. To do this, you must open a port in your router and forward it to your server.
WireGuard listens on port ''51820'' by default. If you want to change this, you need to redirect the port to your chosen number and adjust the tutorial accordingly.
The example below is based on [[https://opnsense.org/|OPNsense]], but it is basically the same for other devices as well.\\
The example below also uses a different destination port (1212). If you change this too, you must also change ''Endpoint = <server public IP or domain>:1212'' under [[#keys1|clients]]:
- add [[firewalld#masquerade|masquerade]] to your //**home zone**//
- and create a [[firewalld#new_policy|new policy]] for internet and services access
===== Checks =====
You can check your clients' connections with the ''wg'' command on your WireGuard server. For a connected client you should see lines like these:
<code>
latest handshake: 1 minute, 52 seconds ago
transfer: 1.22 MiB received, 3.80 MiB sent
</code>
Also check the IP address of your clients, for example with https://dnsleaktest.com; it should be the IP address of your home. Then click the **//Extended test//** button to see which DNS server you are using. On your Android device it can be different if DNS isn't set on the [[#clients|clients]] side.
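The handshake check above can also be scripted instead of read by eye. The following is an added example, not part of the original tutorial: it parses the output format of ''wg show <interface> latest-handshakes'' and flags peers that never connected or whose last handshake is old. The function names, the interface name ''wg0'', the 180-second threshold and the placeholder keys are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify WireGuard peers by handshake age.
# Input format is that of `wg show <interface> latest-handshakes`:
#   <peer public key><TAB><unix time of last handshake, 0 = never>
# The maximum age passed in is an assumed threshold, not a value from the page.

check_handshakes() {
    # $1 = current unix time, $2 = max acceptable handshake age in seconds
    awk -F '\t' -v now="$1" -v max="$2" '
        NF < 2  { next }                      # skip blank or malformed lines
        $2 == 0 { print "NEVER", $1; next }   # peer has not completed a handshake
        { age = now - $2
          if (age > max) print "STALE", $1, age "s"
          else           print "OK", $1, age "s" }'
}

# Constructed sample input (placeholder keys, not real ones).
sample_handshakes() {
    printf 'PEER_PHONE_PUBKEY_PLACEHOLDER=\t1700000000\n'
    printf 'PEER_LAPTOP_PUBKEY_PLACEHOLDER=\t1699990000\n'
    printf 'PEER_TABLET_PUBKEY_PLACEHOLDER=\t0\n'
}

# Exit status 0 only if every peer is OK, so it can be called from cron
# or a monitoring check.
all_peers_ok() {
    ! check_handshakes "$1" "$2" | grep -Eq '^(NEVER|STALE) '
}

# Live use on the server (needs root), interface name wg0 assumed:
#   wg show wg0 latest-handshakes | check_handshakes "$(date +%s)" 180
```

A peer reported as ''NEVER'' usually points to a port forwarding, ''Endpoint'' or key problem. An idle client that sends no traffic will also show up as ''STALE''.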