• The Complete Guide to Setting up a WireGuard® VPN Server at Home with pcWRT

    There are many situations where a home VPN server may be useful. First of all, it allows you to securely access your home network remotely. And if you have a network wide ad blocker at home, you can still use it while you are away, by tunneling your device back to the home network. You can also access geographically restricted material back home while you are abroad, or give friends and family from other geographical areas access to resources available in your home area.

    Do You Have a Public IP Address from Your ISP?

    Before you start, please check that you have a public IP address from your ISP. If you don’t have a public IP address, it’s not possible to connect back to your router from the Internet.

    Here’s how to check. If you have multiple routers connected to your Internet connection, connect your computer to the router that is directly connected to the ISP outlet.

    1. Find your router’s IP address. On Windows, open a command line window by entering cmd.
    2. Enter ipconfig in the command line window. Find the IP address for Default Gateway.
    3. Open your browser and enter the IP address of your Default Gateway, for example: http://192.168.10.1. From there, you can log into your router’s management interface and find the IP addresses assigned by your ISP.

      If you are using the pcWRT router, you can find the IP address on the Status page.

      On ISP provided routers, you’ll usually need to click on a link labeled Broadband to find out the IP address. More info here: https://www.pcwrt.com/2021/12/do-you-have-a-public-ip-address-from-your-isp/

    4. Search for “my ip address” using Google or duckduckgo.com. If an IPv4 address is not reported in your search results, open the website https://whatismyipaddress.com, which will report your IPv4 address.

      Compare the IPv4 address reported in your search results with that from your router above. If the two are the same, then you have a public IP address. Proceed to the next steps.

      If the two are not the same, then you don’t have a public IP address. Talk to your ISP about getting you out of Carrier Grade NAT (CGNAT).
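The comparison in step 4 can also be done programmatically. The following is an added example, not part of the original guide: it takes the WAN address shown by the router and the address a lookup site reports, and goes a little beyond the guide by telling CGNAT (100.64.0.0/10) apart from a private address handed out by an upstream router. The function name, verdict labels and sample addresses are constructed for illustration.

```python
import ipaddress

# Ranges that cannot be reached from the Internet (RFC 1918 and RFC 6598).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

ADVICE = {
    "public": "Router holds the public address; inbound VPN can work.",
    "cgnat": "WAN address is in the CGNAT range; ask the ISP for a public IP.",
    "double-nat": "WAN address is private; another router sits upstream.",
    "mismatch": "Addresses differ; the ISP may NAT upstream, or a proxy is in use.",
    "not-ipv4": "The comparison applies to IPv4 addresses only.",
}


def classify_wan(router_wan: str, reported: str) -> str:
    """Compare the router's WAN address with the externally reported one."""
    wan = ipaddress.ip_address(router_wan.strip())
    seen = ipaddress.ip_address(reported.strip())
    if wan.version != 4 or seen.version != 4:
        return "not-ipv4"
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "double-nat"
    return "public" if wan == seen else "mismatch"


if __name__ == "__main__":
    # Constructed pairs: (address on router status page, address a site reports).
    for wan, seen in [("203.0.113.7", "203.0.113.7"),
                      ("100.72.3.9", "198.51.100.20"),
                      ("192.168.1.2", "198.51.100.20")]:
        verdict = classify_wan(wan, seen)
        print(f"{wan:15} vs {seen:15} -> {verdict}: {ADVICE[verdict]}")
```

A "double-nat" verdict usually means the computer was not connected to the router that is plugged directly into the ISP outlet.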

    Set up DDNS

    From this point on, the steps will be pcWRT specific. If you have another router, you’ll need to consult your router’s manual for the proper setup procedure.

    1. Log in to the pcWRT router management console.
    2. Click the Settings link on the top right corner.
    3. Click on the System icon.
    4. Under the General section, check “Enable DDNS with pcwrt.net”.
    5. Enter the DDNS Name, which is the domain name you’ll use to reach your router from the Internet.
    6. Click Save under the General section.

    Enable the WireGuard Server and Create a Peer Connection

    1. Click the Apps link on the top right corner.
    2. Click the WireGuard icon to open the WireGuard configuration page.
    3. Click on the Server tab.
    4. The WireGuard server is disabled by default. Click the Enable button.
    5. Fields in the Server Settings section will be auto-filled. The External Address field will be filled with the DDNS Name from above.
    6. Click Add under the Peers section.
    7. Enter a name for the Peer, and click on the Generate Keys link to generate keys for the WireGuard peer.

      A WireGuard peer is a client that connects to the server. You can name the peer using the name of the device or the name of the user (as long as the name makes sense to you).
    8. Click OK to dismiss the Add WireGuard Peer dialog.
    9. Click Save at the bottom of the page.

    Test VPN Connectivity with a Client

    The WireGuard VPN server is ready to take connections after you save the changes above. You can test connecting to the VPN server either with a smartphone or a computer.

    Follow these steps if you are testing connectivity with a smartphone. I’m using an Android phone as an example here. The process for an iPhone is very similar.

    1. Install the WireGuard app from Google Play Store.
    2. Open the WireGuard app. Tap the + button at the bottom right corner. Tap Create from QR code.
    3. Go back to the pcWRT router console WireGuard page. Click on the QR code icon to bring up the QR code dialog.
    4. Scan the QR code to set up the WireGuard client connection. Enter the Tunnel Name when prompted.
    5. If you are connected to the WiFi, turn off WiFi on the phone. Tap the toggle button next to the Tunnel Name to initiate connection to the VPN server. A key icon will appear on the top of the screen when the VPN connection is established successfully.
    6. You should be able to open the pcWRT router management console (e.g., http://192.168.10.1) from your smartphone.
    7. Toggle off the VPN connection. You should lose access to the pcWRT router management console.

    Caution: the client QR code contains both public and private keys for the client. Anyone with the QR code can connect to your WireGuard server. It is strongly advised that you don’t share the QR code by any means where it could be lost or stolen (e.g., email).

    Follow the steps below if you are testing connectivity from a computer. I’m using Windows 10 as an example here.

    1. While you are still at the pcWRT router console, export the peer config file by clicking the Download icon.
    2. Leave the Encryption Password empty. Download and save the config file.
    3. Download and install WireGuard on your computer.
    4. Click the import button to import the WireGuard config file.
    5. To test VPN connectivity, you need to disconnect your computer from the pcWRT router. Then connect it to another network to imitate connection from the Internet. For example, you can connect your computer to a WiFi hotspot provided by your smartphone, using the smartphone’s mobile network connection (i.e., the smartphone should be off WiFi too).
    6. After completing the above steps, click Activate in the WireGuard window.
    7. You should see that the VPN connection is activated.

    Caution: the client config file contains both public and private keys for the client. Anyone with the config file can connect to your WireGuard server. It is strongly advised that you don’t share the config file by any means where it could be lost or stolen (e.g., email).
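To act on this caution, the following added example (not part of the original guide) finds exported peer config files left behind after import, for instance in a Downloads folder, and produces a redacted copy that can be shown to others. It assumes the unencrypted export uses the standard WireGuard config layout ([Interface]/[Peer] sections with a PrivateKey setting); the function names and the sample config, including its placeholder keys and endpoint, are constructed.

```python
import os
import re
import stat

# Secret-bearing settings in a standard WireGuard config; already-redacted
# values are skipped so redact() is idempotent.
SECRET_RE = re.compile(
    r"^([ \t]*(?:PrivateKey|PresharedKey)[ \t]*=[ \t]*)(?!<redacted>)\S.*$",
    re.IGNORECASE | re.MULTILINE)

# Constructed sample config; key values are placeholders, not real keys.
SAMPLE = """\
[Interface]
PrivateKey = CONSTRUCTED-CLIENT-PRIVATE-KEY-PLACEHOLDER=
Address = 10.0.0.2/32

[Peer]
PublicKey = CONSTRUCTED-SERVER-PUBLIC-KEY-PLACEHOLDER=
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0
"""


def redact(text: str) -> str:
    """Replace secret values so the config can be shown in a support request."""
    return SECRET_RE.sub(lambda m: m.group(1) + "<redacted>", text)


def find_exposed_configs(root: str) -> list:
    """Walk root and list files that still hold WireGuard secret keys.

    Returns sorted (path, readable_by_others) tuples. The second item uses
    POSIX mode bits and is only meaningful on Linux/macOS.
    """
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(65536)  # configs are small; cap the read
                mode = os.stat(path).st_mode
            except OSError:
                continue  # unreadable file: skip it
            if "[Interface]" in text and SECRET_RE.search(text):
                shared = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
                hits.append((path, shared))
    return sorted(hits)
```

Once the config has been imported into the WireGuard client, delete any copy this scan reports, or restrict it to your own account.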

    Connect Another pcWRT Router as a VPN Client

    Before you follow the steps below, make sure that the LAN IP addresses on the client router and the server router are different. For example, if the server router has LAN IP address 192.168.10.1, then change the client router’s LAN IP address to 192.168.101.1.

    You can connect another pcWRT router to the WireGuard VPN server created above, forming a router to router tunnel. Devices connected to the client router will be tunneled to the server router, hence appear to be connected to the server router directly. Furthermore, these devices can access the local network on the server router.

    Once you have established a router to router VPN connection, there’s no need to start the VPN connection on your devices when they are connected to the client router.

    Following are the steps to create a WireGuard VPN connection on the client router:

    1. While in the server router console, export the peer config file by clicking the Download icon.
    2. Enter an Encryption Password if you’d like to encrypt the peer config file (encrypted peer config can be transported safely via email, but it only works when exported from one pcWRT router and imported by another pcWRT router).
    3. Download and save the peer config file.
    4. Log on to the client pcWRT router, go to the Apps page and click on WireGuard.
    5. On the Client tab, check the network you want to enable the WireGuard VPN for (usually, LAN).
    6. Under the Connections section, click the Add button.
    7. In the popup dialog, click the Upload WireGuard Config link.
    8. Select the peer config file to upload and enter the password. Click OK to upload.
    9. Enter a name for the connection (e.g. Home Network). Click OK to dismiss the Add WireGuard Connection dialog.
    10. Check Auto-start if you want to automatically start the VPN connection when the client router boots up. Click Save at the bottom of the page to save the changes.

    After you perform the above steps, the client router is ready to connect to the server router. However, you need to move the client router to a different network (for example, to a friend’s house) in order to test connectivity between the routers.

    Click the Start icon to manually start the VPN connection.
    A green dot indicates a successful connection. In case of error, click the Logs icon to view logs.

    * WireGuard® is a registered trademark of Jason A. Donenfeld.
