Originally published November 5, 2020 by SelfHostedPro
Updated & maintained by SelfHostedPro + WickedYoda (as of 2022–2025)
🧠 Introduction
If your ISP blocks ports (especially common ones like 80/443), you may feel locked out of self-hosting services. This guide shows you how to bypass ISP restrictions using WireGuard and a VPS. By setting up a lightweight, encrypted tunnel between a home server and a VPS, you can expose services securely.
This guide assumes basic Linux and networking familiarity and access to a VM on platforms like DigitalOcean, AWS Lightsail, or others.
⚙️ VPS Setup Overview
You can use any VPS provider. Examples:
Once your VPS is deployed and your home server is ready, SSH into both and proceed.
🔄 Updates (Optional but Recommended)
On both VPS and home server:
# Create an update script
nano update.sh
Paste this inside:
#!/bin/sh
# Stop at the first failed step instead of continuing with a half-applied upgrade
set -e
sudo apt update
sudo apt full-upgrade -y
sudo apt autoremove -y
sudo apt clean -y
Then:
chmod +x update.sh
sudo ./update.sh
This script helps keep systems secure and current.
🔐 WireGuard Installation
Install WireGuard on both systems:
sudo apt install wireguard -y
(Adding a PPA is no longer required on most modern Ubuntu/Debian systems.)
🔑 WireGuard Configuration
Generate private/public keys:
# Create the key files readable only by your own user
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
Use these to create /etc/wireguard/wg0.conf on both systems.
Example VPS config:
[Interface]
PrivateKey = <VPS private key>
ListenPort = 55107
Address = 192.168.4.1
[Peer]
PublicKey = <Home server public key>
AllowedIPs = 192.168.4.2/32
Example Home Server config:
[Interface]
PrivateKey = <Home server private key>
Address = 192.168.4.2
[Peer]
PublicKey = <VPS public key>
Endpoint = <VPS IP>:55107
AllowedIPs = 192.168.4.1/32
PersistentKeepalive = 25
📡 Enable IP Forwarding (VPS)
Edit /etc/sysctl.conf:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Then apply:
sudo sysctl -p
sudo sysctl --system
🚀 Bring Up WireGuard Interface
On both systems:
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
Test with:
ping 192.168.4.1 # From home server
ping 192.168.4.2 # From VPS
🔄 IPTables Setup (VPS)
Replace eth0 with your VPS’s actual interface:
# Default DROP policy
sudo iptables -P FORWARD DROP
# Allow incoming ports
sudo iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 443 -m conntrack --ctstate NEW -j ACCEPT
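# Allow established traffic in both directions
# (without the eth0 -> wg0 rule, every packet after the initial SYN is dropped by the FORWARD policy)
sudo iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT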
# Port forwarding (DNAT)
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.4.2
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.4.2
# SNAT so replies return through the tunnel (the home server sees every client as 192.168.4.1)
sudo iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 80 -d 192.168.4.2 -j SNAT --to-source 192.168.4.1
sudo iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 443 -d 192.168.4.2 -j SNAT --to-source 192.168.4.1
💾 Persisting IPTables
Install persistence packages:
sudo apt install netfilter-persistent iptables-persistent
sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent
✅ Summary
Your VPS is now securely tunneling traffic to your home network:
- Ports 80/443 reach your home server via the VPS
- WireGuard encrypts the traffic between the VPS and the home server
- IPTables manages port redirection cleanly
You can replicate these rules for other ports/services by modifying the IPTables lines with the new port and protocol.
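The per-port rules above, generalized to any port and protocol, as an added example that is not part of the original guide. The function name gen_forward_rules and the sample ports 27015 and 8443 are assumptions; the interface, addresses and ListenPort are the guide's. It only prints the commands for review, handles the UDP case (no --syn), and refuses to forward the WireGuard port itself.

```bash
#!/usr/bin/env bash
# Added example: prints the iptables commands for one more forwarded service
# so they can be reviewed before being run on the VPS. Nothing is executed.
# From the guide: wg0, 192.168.4.1 (VPS), 192.168.4.2 (home), ListenPort 55107.
WG_IF="wg0"
VPS_WG_IP="192.168.4.1"
HOME_WG_IP="192.168.4.2"
WG_PORT="55107"

# gen_forward_rules is a hypothetical helper name, not part of any tool.
gen_forward_rules() {
    local wan_if proto port syn
    wan_if="$1"; proto="$2"; port="$3"; syn=""

    case "$wan_if" in
        ""|*[!A-Za-z0-9_.-]*) echo "invalid interface: $wan_if" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp) syn="--syn " ;;   # --syn is a TCP-only match; iptables rejects it for UDP
        udp) ;;
        *) echo "protocol must be tcp or udp" >&2; return 1 ;;
    esac
    # Digits only, at most five of them, then a range check.
    case "$port" in
        ""|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # DNATing the tunnel's own UDP port would redirect new WireGuard packets
    # to the home server and break the tunnel.
    if [ "$proto" = udp ] && [ "$port" -eq "$WG_PORT" ]; then
        echo "refusing to forward the WireGuard ListenPort ($WG_PORT/udp)" >&2
        return 1
    fi

    cat <<EOF
iptables -A FORWARD -i $wan_if -o $WG_IF -p $proto ${syn}--dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $wan_if -p $proto --dport $port -j DNAT --to $HOME_WG_IP
iptables -t nat -A POSTROUTING -o $WG_IF -p $proto --dport $port -d $HOME_WG_IP -j SNAT --to-source $VPS_WG_IP
EOF
}

# Constructed sample services: a UDP service on 27015 and TCP on 8443.
gen_forward_rules eth0 udp 27015
gen_forward_rules eth0 tcp 8443
```

The ESTABLISHED,RELATED return-traffic rules are not per-port, so they are added once and are not printed here. Run `sudo netfilter-persistent save` again after applying new rules.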
Last reviewed & updated: June 2025