
Secure Self-Hosting with WireGuard and a VPS (Updated Guide)

Originally published November 5, 2020 by SelfHostedPro
Updated & maintained by SelfHostedPro + WickedYoda (as of 2022–2025)

🧠 Introduction

If your ISP blocks inbound ports (commonly 80 and 443), you may feel locked out of self-hosting. This guide shows how to work around that with WireGuard and a VPS: a lightweight, encrypted tunnel runs from your home server to the VPS, and the VPS forwards incoming connections on its public address down the tunnel. Clients talk to the VPS; your home connection never needs an open inbound port.

This guide assumes basic Linux and networking familiarity and access to a VM on platforms like DigitalOcean, AWS Lightsail, or others.


⚙️ VPS Setup Overview

You can use any VPS provider; the only requirements are a public IPv4 address and the ability to open TCP 80/443 and one UDP port (55107 in this guide) in the provider's firewall or security group.

Once your VPS is deployed and your home server is ready, SSH into both and proceed.


🔄 Updates (Optional but Recommended)

On both VPS and home server:

# Create an update script
nano update.sh

Paste this inside:

#!/usr/bin/env bash
# Stop on the first failing command so a failed update is not silently skipped.
set -euo pipefail

sudo apt update
sudo apt full-upgrade -y
sudo apt autoremove -y
sudo apt clean

Then:

chmod +x update.sh
sudo ./update.sh

This script helps keep systems secure and current.


🔐 WireGuard Installation

Install WireGuard on both systems:

sudo apt install wireguard -y

(Adding a PPA is no longer required on most modern Ubuntu/Debian systems.)


🔑 WireGuard Configuration

Generate a key pair on each machine (run this on both the VPS and the home server; never copy a private key between hosts). The umask keeps the private key readable only by the user who created it:

(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)

Use these to create /etc/wireguard/wg0.conf on both systems. Each host's [Interface] PrivateKey is its own key, and each [Peer] block carries the other side's public key. Because the file contains a private key, keep it owned by root with mode 600.

Example VPS config (the VPS needs ListenPort because it has the public address; the home server only dials out). AllowedIPs is also the crypto-routing ACL: the VPS will only accept decrypted packets from this peer whose source is 192.168.4.2.

[Interface]
PrivateKey = <VPS private key>
ListenPort = 55107
Address = 192.168.4.1/24

[Peer]
PublicKey = <Home server public key>
AllowedIPs = 192.168.4.2/32

Example Home Server config (PersistentKeepalive keeps the NAT mapping at your ISP alive, so the VPS can still reach the home server when no user traffic is flowing):

[Interface]
PrivateKey = <Home server private key>
Address = 192.168.4.2/24

[Peer]
PublicKey = <VPS public key>
Endpoint = <VPS IP>:55107
AllowedIPs = 192.168.4.1/32
PersistentKeepalive = 25

UDP 55107 must be reachable on the VPS, so open it in the provider's firewall or security group as well as on the host.

📡 Enable IP Forwarding (VPS)

Create /etc/sysctl.d/99-wireguard.conf (editing /etc/sysctl.conf also works) containing:

net.ipv4.ip_forward=1

Only add net.ipv6.conf.all.forwarding=1 if you will actually forward IPv6 through the tunnel: nothing in this guide filters the IPv6 FORWARD chain, so enable it only together with matching ip6tables rules. Then apply all sysctl files:

sudo sysctl --system

🚀 Bring Up WireGuard Interface

On both systems:

sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0

Test with:

ping 192.168.4.1  # From home server
ping 192.168.4.2  # From VPS
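A successful ping only proves that routing works. A stronger check is whether the peer has completed a WireGuard handshake recently, which proves it holds the matching private key and that UDP is getting through. The script below is an added example, not part of the original guide: it parses the machine-readable output of `wg show wg0 dump`. The sample dump text is constructed (placeholder keys, documentation addresses), and the function name `wg_peer_fresh` and the 180-second freshness threshold are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example, not code from the original guide.
# `wg show wg0 dump` prints one tab-separated line for the interface
# (private-key, public-key, listen-port, fwmark) followed by one per peer
# (public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
# transfer-rx, transfer-tx, persistent-keepalive). latest-handshake is the
# Unix time of the last completed handshake, or 0 if there never was one.
# The function name and the 180 s threshold (WireGuard rekeys roughly every
# two minutes while traffic flows) are assumptions made for this example.
set -euo pipefail

# wg_peer_fresh DUMP_TEXT NOW [MAX_AGE]
# Returns 0 when every peer completed a handshake within MAX_AGE seconds of NOW,
# 1 otherwise, and prints one status line per peer.
wg_peer_fresh() {
    local dump=$1 now=$2 max_age=${3:-180} rc=0
    local pub psk endpoint allowed hs rx tx ka
    while IFS=$'\t' read -r pub psk endpoint allowed hs rx tx ka; do
        # The interface line has only four fields, so $hs is empty there.
        [ -n "$hs" ] || continue
        if [ "$hs" -eq 0 ]; then
            printf 'peer %s endpoint=%s: NO HANDSHAKE YET\n' "${pub:0:8}" "$endpoint"
            rc=1
        elif (( now - hs > max_age )); then
            printf 'peer %s endpoint=%s: STALE (%ds ago)\n' "${pub:0:8}" "$endpoint" "$((now - hs))"
            rc=1
        else
            printf 'peer %s endpoint=%s: ok (%ds ago)\n' "${pub:0:8}" "$endpoint" "$((now - hs))"
        fi
    done <<< "$dump"
    return "$rc"
}

# Constructed sample dump as the VPS would print it: the home server peer
# handshook 30 s before SAMPLE_NOW. Keys are placeholders, not real keys.
SAMPLE_NOW=1700000000
SAMPLE_DUMP=$(printf '%s\t%s\t%s\t%s\n%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'VPS_PRIVATE_KEY_PLACEHOLDER=' 'VPS_PUBLIC_KEY_PLACEHOLDER=' 55107 off \
    'HOME_PUBLIC_KEY_PLACEHOLDER=' '(none)' '203.0.113.7:41641' '192.168.4.2/32' \
    "$((SAMPLE_NOW - 30))" 4096 8192 25)

# Same peer, but latest-handshake is 0: the tunnel never came up (wrong key,
# blocked UDP port, or wrong Endpoint on the home side).
SAMPLE_DUMP_NEVER=$(printf '%s\t%s\t%s\t%s\n%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'VPS_PRIVATE_KEY_PLACEHOLDER=' 'VPS_PUBLIC_KEY_PLACEHOLDER=' 55107 off \
    'HOME_PUBLIC_KEY_PLACEHOLDER=' '(none)' '(none)' '192.168.4.2/32' 0 0 0 25)

# Live use on the VPS would be:
#   wg_peer_fresh "$(sudo wg show wg0 dump)" "$(date +%s)"
wg_peer_fresh "$SAMPLE_DUMP" "$SAMPLE_NOW"
```

The exit status makes the function usable from cron or a monitoring agent; a peer that shows a handshake but no growing transfer counters is a separate problem (routing or firewall), which the ping test above catches.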

🔄 IPTables Setup (VPS)

Replace eth0 with your VPS's actual interface (check with ip -br link). The FORWARD chain defaults to DROP, so only the flows listed below cross the VPS:

# Default DROP policy
sudo iptables -P FORWARD DROP

# Allow new connections to the published ports, internet -> tunnel
sudo iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 443 -m conntrack --ctstate NEW -j ACCEPT

# Allow the rest of each accepted flow in both directions. The client's later
# packets are ESTABLISHED, not NEW, so without the first rule they would be dropped.
sudo iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Port forwarding (DNAT): rewrite the destination to the home server
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.4.2
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.4.2

# SNAT: make replies return through the tunnel instead of the home server's own uplink
sudo iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 80 -d 192.168.4.2 -j SNAT --to-source 192.168.4.1
sudo iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 443 -d 192.168.4.2 -j SNAT --to-source 192.168.4.1

Because of the SNAT, the home server sees every connection as coming from 192.168.4.1; logs and any IP-based rate limiting or fail2ban-style blocking on the home side will not see the real client address. If the VPS host firewall has a default-deny INPUT policy, also allow UDP 55107 inbound on eth0 so the WireGuard handshake can reach it.

💾 Persisting IPTables

Install the persistence packages (the installer offers to save the current IPv4 and IPv6 rules; answer yes, or save explicitly as below so the ruleset is restored on boot):

sudo apt install -y netfilter-persistent iptables-persistent
sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent
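Typing the rules one at a time and then saving works, but it is easy to forget a rule (the ESTABLISHED rule for the internet-to-tunnel direction is the usual casualty) or to drift from the saved file. The script below is an added example, not code from the original guide: it generates the whole VPS ruleset as one iptables-restore file for any list of forwarded TCP ports, in the same format netfilter-persistent saves to /etc/iptables/rules.v4. The 192.168.4.1/192.168.4.2 addresses, the wg0 name and the eth0/55107/80/443 values follow the guide; the function name gen_vps_rules and the rules.v4 path are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example, not code from the original guide: generate the VPS firewall
# as one iptables-restore file instead of typing rules one at a time, so the
# same script re-creates the ruleset for any set of forwarded TCP ports.
# Addresses (192.168.4.1 VPS side, 192.168.4.2 home side) and the wg0
# interface name follow the guide; the function name and the
# /etc/iptables/rules.v4 path are assumptions for this example.
set -euo pipefail

# gen_vps_rules WAN_IF WG_PORT TCP_PORT...
#   WAN_IF   internet-facing interface of the VPS (eth0 in the guide)
#   WG_PORT  UDP port WireGuard listens on (55107 in the guide)
#   TCP_PORT ports to publish on the VPS and forward to the home server
gen_vps_rules() {
    local wan_if=$1 wg_port=$2
    shift 2
    local home=192.168.4.2 vps_wg=192.168.4.1 p
    (( $# > 0 )) || { echo 'gen_vps_rules: no ports given' >&2; return 1; }
    # Validate every port before emitting anything, so a typo never produces
    # a half-written file that iptables-restore would reject.
    for p in "$wg_port" "$@"; do
        [[ $p =~ ^[0-9]+$ ]] && (( p >= 1 && p <= 65535 )) \
            || { echo "gen_vps_rules: bad port '$p'" >&2; return 1; }
    done

    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The WireGuard handshake must reach the VPS even if INPUT is tightened later.
-A INPUT -i ${wan_if} -p udp --dport ${wg_port} -j ACCEPT
# Packets of an already accepted flow, in both directions through the tunnel.
-A FORWARD -i ${wan_if} -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wg0 -o ${wan_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in "$@"; do
        printf -- '-A FORWARD -i %s -o wg0 -p tcp --syn --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$wan_if" "$p"
    done
    cat <<EOF
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
    for p in "$@"; do
        # DNAT rewrites the destination to the home server; SNAT makes replies
        # come back through the tunnel instead of the home server's own uplink.
        printf -- '-A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s\n' "$wan_if" "$p" "$home"
        printf -- '-A POSTROUTING -o wg0 -p tcp --dport %s -d %s -j SNAT --to-source %s\n' "$p" "$home" "$vps_wg"
    done
    echo COMMIT
}

# Demo with the guide's values. On the VPS you would run:
#   gen_vps_rules eth0 55107 80 443 | sudo tee /etc/iptables/rules.v4 >/dev/null
#   sudo iptables-restore < /etc/iptables/rules.v4
gen_vps_rules eth0 55107 80 443
```

The INPUT policy is left at ACCEPT on purpose: loading a file with `*filter` replaces the whole table, and a generated INPUT DROP policy without an SSH rule would lock you out of the VPS. Tighten INPUT separately once the tunnel works.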

✅ Summary

Public clients now connect to the VPS's address on ports 80 and 443; the VPS forwards those connections over the WireGuard tunnel to the home server, and the replies return the same way. Only the VPS-to-home leg is protected by WireGuard, so terminate TLS on the home server rather than on the VPS if you do not want the VPS to see plaintext.

You can replicate these rules for other ports/services by adding the same FORWARD, DNAT and SNAT lines with the new port and protocol (for UDP services, drop the --syn match, which is TCP-only), then re-running netfilter-persistent save.


Last reviewed & updated: June 2025
