Wireguard can provide secure connectivity to a home-server no matter where one is in the world. It is fine to run protocols like SMB and NFS over this tunnel because the channel is encrypted! Finally, because Wireguard can run on a number of devices, this can be used to network a phone, laptop, or even a remote workstation to a home-server, making network drives and services available.

I use Wireguard to access a single machine, not my entire LAN. I expose a handful of VMs on the subnet to remote peers, which are given addresses on the subnet. This means I can isolate my file storage VM from my IPFS node and other networked software I may not trust to run on the same machine.

The server that runs Wireguard also handles the packet forwarding with this file:

# [root@home-server /]# cat /etc/systemd/network/30-wired.network



Make sure to set net.ipv4.ip_forward=1 in sysctl, otherwise packets will not be forwarded to anything in the subnet.

Server Setup

On the server where I run Wireguard, and on each remote device I wish to network to that server, I generate a Wireguard private key and its matching public key like this:

wesl-ee@air2earth ~ > (umask 077; wg genkey > out.key)
wesl-ee@air2earth ~ > wg pubkey < out.key > out.pub

On the server I copy the private key just generated and use it to complete the Wireguard config file which I store in /etc/wireguard/wg0.conf. Notice that each peer I plan to allow to access the server gets its own [Peer] section which details its public key and its static IP.

# [root@home-server /]# cat /etc/wireguard/wg0.conf
[Interface]
Address =
ListenPort = 51871

[Peer]
# air2earth
PublicKey = 4TtXu4l8gXyF4MrwlT/PjUBudzt/rvby0IPgtQrgpzw=
AllowedIPs =

[Peer]
# win10 (divinity)
PublicKey = bEYTG4o7aCtFFck+2OG6979Iiv069eoo9tUZlR1eXxs=
AllowedIPs =

[Peer]
# dry-your-eyes
PublicKey = nHcvdFsRSg3SuktoJBMbtyHgOKkWI7iB+Wktc/zNHWk=
AllowedIPs =

[Peer]
# particle-arts (Macbook)
PublicKey = jTDK8OT53HbefiDSO+L/rs3HxK23sjNEwrAmwHHLi1I=
AllowedIPs =

[Peer]
# nixos (divinity)
PublicKey = GQc4uVjH72axOP3DAjt/Z1bpoUkgOFd5113WgyM1UTw=
AllowedIPs =
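
On the server, a peer's AllowedIPs decides which tunnel source addresses are accepted from that peer, so one static address per [Peer] only holds if no entry is wider than a single host and no two peers share one. The following audit of a wg0.conf is an added example, not part of the original post; the 10.8.0.0/24 addresses and key strings are constructed placeholders, and it assumes a single IPv4 Address on the interface.

```python
import ipaddress

# Constructed sample: addresses and keys are placeholders, not values from the page.
SAMPLE = """\
[Interface]
Address = 10.8.0.1/24
[Peer]
PublicKey = constructed-key-1=
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = constructed-key-2=
AllowedIPs = 10.8.0.0/24
[Peer]
PublicKey = constructed-key-3=
AllowedIPs = 10.8.0.2/32
"""

def parse(text):
    """Return (interface, [peer, ...]); every repeated [Peer] section is kept."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments ('#' never occurs in base64 keys)
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)       # split once so base64 '=' padding survives
            cur[key.strip().lower()] = value.strip()
    return iface, peers

def audit(text):
    # Assumption: peers live inside the interface's own subnet, one host address each.
    iface, peers = parse(text)
    subnet = ipaddress.ip_interface(iface["address"]).network
    findings, seen_ips, seen_keys = [], {}, set()
    for n, peer in enumerate(peers, 1):
        key = peer.get("publickey", "")
        if not key or key in seen_keys:
            findings.append((n, "missing or duplicate PublicKey"))
        seen_keys.add(key)
        for item in filter(None, (s.strip() for s in peer.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(item, strict=False)
            if net.num_addresses != 1 or not net.subnet_of(subnet):
                findings.append((n, f"{item} is not a single host inside {subnet}"))
            elif seen_ips.setdefault(net, n) != n:   # first peer to claim an address keeps it
                findings.append((n, f"{item} already assigned to peer {seen_ips[net]}"))
    return findings
```

Calling audit() on the text of /etc/wireguard/wg0.conf returns a list of (peer number, problem) pairs, empty when every peer has a unique key and a unique single-host address.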

Remote Hosts Setup

On the client things look similar except only one [Peer], the server configured above, is used. Generate a private key for each machine in the same way one was generated on the server.

# [root@air2earth:/]# cat /etc/wireguard/wg0.conf
[Interface]
Address =

[Peer]
PublicKey = 5xodOxP3JGfj9bqysb+/lg0UUSK7ig27flLlT5+1dRI=
AllowedIPs =,
Endpoint = <HOME SERVER PUBLIC IP>:51871


With Wireguard configured and hopefully running, one should be able to ping the home-server IP on the Wireguard subnet, ie Additionally should be reachable if packet forwarding has been activated through sysctl.

As mentioned above, I use this as a secure way to access SMB + NFS shares remotely. This is an NFSv4 configuration which only allows Wireguard hosts to access shares:

# [root@home-server ~]$ cat /etc/exports

Because I am the only one using these shares I squash the UIDs + GIDs of new files to simply be nobody:nobody.