Ditch Port Forwarding: Build a Professional WireGuard VPN Gateway on OpenWrt

HomeLab tutorial - IT technology blog

The Risks of an Exposed HomeLab

After setting up services like Jellyfin for movies and Home Assistant for my smart lights, I wanted access while on the go. Like many beginners, I took the easy route and opened a dozen ports on my router. The result? Within 48 hours, my logs showed over 1,200 failed SSH login attempts from IPs across the globe. It was a wake-up call.

Exposing individual services via port forwarding is an invitation for disaster. Every open port is a potential hole in your defense. If a new exploit hits Jellyfin tomorrow, your entire internal network is vulnerable. I realized I needed a single, hardened entry point. I wanted to drop into my home network as if I were sitting at my desk, but without the public exposure. This is why you need a VPN Gateway.

Why OpenWrt and WireGuard?

I spent months testing different setups. I tried OpenVPN on a dedicated Ubuntu VM and messed around with the basic VPN features found on stock consumer routers. Eventually, I landed on OpenWrt running on a Linksys WRT3200ACM using WireGuard. It is the perfect balance of performance and control.

WireGuard beats the competition for three reasons: speed, simplicity, and efficiency. Unlike OpenVPN, which is a massive codebase running in user space, WireGuard lives inside the Linux kernel. On my hardware, OpenVPN struggled to hit 40 Mbps. WireGuard easily saturated my 300 Mbps upload link. It turns a hobbyist setup into something that feels professional.

Core Concepts: Split Tunneling vs. Full Tunneling

Before you start the configuration, you must choose how your data flows:

  • Full Tunneling: Every bit of your internet traffic goes through your home router. This is perfect for staying safe on coffee shop Wi-Fi, but it relies heavily on your home’s upload speed.
  • Split Tunneling: Only traffic meant for your home servers (like 192.168.1.0/24) goes through the VPN. Your Netflix streaming continues to use your local connection. This is my daily choice for the best performance.

Setting Up the WireGuard Gateway on OpenWrt

We will use a mix of the LuCI web interface and the command line. I prefer the CLI for the initial setup because it is faster and less prone to clicking the wrong button.

# Update package list and install WireGuard
opkg update
opkg install luci-proto-wireguard wireguard-tools kmod-wireguard

1. Generate Your Keys

WireGuard authenticates peers with public-key cryptography. You need a private and public key pair for the router and for every device you plan to connect.

# Create a secure directory for keys
mkdir -p /etc/config/wireguard_keys
cd /etc/config/wireguard_keys

# Generate server keys with restricted permissions
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key

2. Configure the VPN Interface

Head to Network -> Interfaces in LuCI and create a new interface called vpn0. Choose WireGuard VPN as the protocol. Use these settings:

  • Private Key: The string from your server_private.key file.
  • Listen Port: 51820.
  • IP Addresses: 10.0.0.1/24 (This creates a dedicated subnet for your VPN clients).

3. The Firewall: Connecting the Dots

Configuration errors usually happen here. You must allow encrypted traffic to enter the router and then permit that traffic to reach your LAN. First, create a rule to open the UDP port:

# Allow WireGuard traffic through the WAN
config rule
    option name 'Allow-WireGuard-Inbound'
    option src 'wan'
    option dest_port '51820'
    option proto 'udp'
    option target 'ACCEPT'

Next, assign vpn0 to a new firewall zone named VPN. Set the forwarding rules so the VPN zone can reach the LAN zone. This simple bridge allows your phone to talk to your NAS or your Proxmox nodes.

4. Adding Your First Device

On your phone or laptop, generate a new key pair. In the OpenWrt WireGuard settings, add a “Peer” with these details:

  • Public Key: Your device’s public key.
  • Allowed IPs: 10.0.0.2/32 (The static IP for this specific device).
  • Route Allowed IPs: Make sure this is checked.
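Pulling steps 2 through 4 together, here is what the finished configuration looks like on both ends, written as an added example rather than taken from the post: the router's /etc/config/network and /etc/config/firewall stanzas, and the matching client config for the phone. The endpoint hostname home.example.com and the DNS address 10.0.0.1 (AdGuard Home listening on the router's VPN address) are assumptions; the key placeholders are where your own keys go.

```text
# /etc/config/network (router side, the vpn0 interface from step 2)
config interface 'vpn0'
    option proto 'wireguard'
    option private_key 'PASTE_CONTENTS_OF_server_private.key'
    option listen_port '51820'
    list addresses '10.0.0.1/24'

# One wireguard_vpn0 section per device (step 4). Keep allowed_ips to the
# single /32 you assigned: a peer may only source traffic from its own address.
config wireguard_vpn0
    option description 'phone'
    option public_key 'PASTE_DEVICE_PUBLIC_KEY'
    list allowed_ips '10.0.0.2/32'
    option route_allowed_ips '1'

# /etc/config/firewall (step 3, alongside the Allow-WireGuard-Inbound rule)
config zone
    option name 'vpn'
    list network 'vpn0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

# VPN clients may reach the LAN. There is deliberately no vpn -> wan forwarding,
# so the router will not relay client internet traffic; that suits split
# tunneling. Add a second forwarding (src 'vpn', dest 'wan') for full tunneling.
config forwarding
    option src 'vpn'
    option dest 'lan'

# Client config on the phone (wg-quick / WireGuard app format).
# Endpoint hostname and DNS address are assumptions.
[Interface]
PrivateKey = PASTE_DEVICE_PRIVATE_KEY
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = PASTE_CONTENTS_OF_server_public.key
Endpoint = home.example.com:51820
# Split tunnel: only the VPN subnet and the home LAN go through the tunnel.
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
# Full tunnel instead: AllowedIPs = 0.0.0.0/0, ::/0 (and forward vpn -> wan)
```

On the router, `/etc/init.d/network restart` and `/etc/init.d/firewall restart` apply the files; `wg show vpn0` then lists the peer and its latest handshake once the phone connects.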

6 Months in Production: The Reality Check

I have used this exact setup for half a year now. It has fundamentally changed how I manage my lab. Here is what I have noticed during long-term use.

Reliability and Speed

WireGuard is incredibly stable. When my phone switches from my home Wi-Fi to a 5G cell tower, the connection doesn’t drop or hang. It re-establishes the handshake in milliseconds. I have successfully streamed 60GB 4K Blu-ray remuxes from my server while sitting in a hotel three states away. My router’s CPU usage rarely climbs above 12% during these transfers.

Battery Life

I used to worry that a 24/7 VPN would drain my phone. WireGuard is different because it is “quiet.” If you aren’t sending data, it doesn’t send keep-alive pings that wake up your phone’s radio. On my Android device, WireGuard uses less than 1% of my battery over a full day.

Solving the DNS Headache

Typing IP addresses like 192.168.1.50 on a touchscreen is frustrating. To fix this, I pointed my VPN DNS settings to AdGuard Home running on the router. Now, I just type nas.home in my mobile browser. It works perfectly, and I get the added benefit of network-wide ad blocking while on cellular data.

The Bottom Line

Setting up a VPN Gateway is the most important upgrade you can give your HomeLab. It shifts your security from a reactive “hope nobody finds this port” strategy to a proactive zero-trust model. Only your authenticated devices can even see that your services exist.

Start with WireGuard. The code is cleaner, it has fewer bugs than older protocols, and the performance on cheap hardware is unbeatable. Once your secure tunnel is live, you can build and experiment with total peace of mind.
