If you’ve ever wanted to host your own sites on a Raspberry Pi in your house, but ran into complications with port forwarding, CG-NAT, blocked public ports, or other ISP nonsense, Wireguard Backhaul can fix this for you quickly and easily.

Wireguard Backhaul is my chosen strategy to host things on the public internet from my CG-NAT home internet connection. These tips will allow you to host things like websites, game servers, and anything else from your home, but still make them internet-accessible. Additionally, if you’d like to make your services accessible only to select people with the proper VPN profile, I’ll show you how.

Where to get it

Since this project is really just a list of instructions and some configuration files, there isn’t a central GitLab repo for it, just this post and this script: Tom’s Easy Wireguard Setup Script. Feel free to use and share this! All written content is under CC-BY-4.0. This is all open-source goodness.

Instructions

Initial Setup

First, you’ll need something to host from your home network. This can be as simple or as complex as you’d like. For this example, I’ll be using nginx on a Debian virtual machine to host a site. I’ll start by showing how to host this site completely privately to those with a corresponding Wireguard profile, then I’ll show you how we can publish this to the public internet.

Next, you’ll need a cheap VPS. The Wireguard service and traffic-backhaul won’t take much CPU or RAM, but (maybe obviously?) will require bandwidth. If you pay by the gig for bandwidth on your VPS host and stream 24/7 8k 240FPS video streams, this will get expensive quickly. For websites and game servers, it’ll be cheap. I use Digital Ocean for my personal VPS needs and have been using their ~$5/month VPS with no issues.

VPS Setup

I chose the cheapest Digital Ocean VPS running the latest stable Debian image. After you get it launched, configure your VPS firewall and allow the following ports:

22/TCP - Open to your IP address only
(you can remove this rule once Wireguard is running)

51820/UDP - Allow All
80/TCP - Allow All (optional, for public website hosting)
443/TCP - Allow All (optional, for public website hosting)

Then SSH into it and install Vim, Git, Caddy, and Wireguard: apt install caddy wireguard git vim. I wrote a very simple script (https://github.com/samurailink3/TomsEasyWireguardSetupScript) to help automate the creation of Wireguard profiles for game servers. Follow these commands to clone the script and set it up for convenient use in our Wireguard config folder:

cd /etc/wireguard
git clone https://github.com/samurailink3/TomsEasyWireguardSetupScript
ln -s TomsEasyWireguardSetupScript/install-wireguard.bash ./

Then, just run the script and follow the prompts: ./install-wireguard.bash

What is the public IP address of your server? <-- This is the public IP of your VPS
How many people need a VPN profile (including you)? <-- 2 (one for the server, one for your test client)

Restart the Wireguard service to pick up the new keys: systemctl restart wg-quick@wg0

Take a look at the files we generated: ls -l /etc/wireguard/wg0/

client_1.conf <-- Your home server wireguard config file.
client_1.priv <-- Ignore this. Your home server private key.
client_1.pub  <-- Ignore this. Your home server public key.
client_2.conf <-- Your test client wireguard config file.
client_2.priv <-- Ignore this. Your test client private key.
client_2.pub  <-- Ignore this. Your test client public key.
server.priv   <-- Ignore this. Your VPS private key.
server.pub    <-- Ignore this. Your VPS public key.
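
The listing above holds three private keys and two client profiles, so it is worth confirming that only root can read them. The following is an added example, not part of the setup script or the original post: two shell functions that flag and then fix any of those files that group or other users can access. The function names are hypothetical, the /etc/wireguard/wg0 layout is taken from the listing, and treating the .conf profiles as secrets assumes they embed a PrivateKey line, as standard WireGuard client configs do.

```shell
# Added example, not part of TomsEasyWireguardSetupScript.
# Assumes the layout from the listing: *.priv keys and *.conf profiles in
# one directory. Function and variable names are hypothetical.

# Print every private key or profile under $1 that group/other can access.
# Returns 0 if nothing is exposed, 1 if something is, 2 on a bad directory.
# (Assumption: client profiles embed a PrivateKey line, so they count too.)
audit_wg_secrets() {
    wg_dir="${1:-/etc/wireguard/wg0}"
    [ -d "$wg_dir" ] || { echo "not a directory: $wg_dir" >&2; return 2; }
    # Match any group or other permission bit, written out bit by bit so it
    # works with any POSIX find.
    wg_exposed=$(find "$wg_dir" -type f \
        \( -name '*.priv' -o -name '*.conf' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) | sort)
    [ -z "$wg_exposed" ] && return 0
    printf '%s\n' "$wg_exposed"
    return 1
}

# Restrict the directory to its owner and every key/profile to mode 600.
# Public keys (*.pub) are left alone; they are not secret.
harden_wg_secrets() {
    wg_dir="${1:-/etc/wireguard/wg0}"
    [ -d "$wg_dir" ] || { echo "not a directory: $wg_dir" >&2; return 2; }
    chmod 700 "$wg_dir" &&
    find "$wg_dir" -type f \( -name '*.priv' -o -name '*.conf' \) \
        -exec chmod 600 {} +
}
```

Run audit_wg_secrets as root on the VPS after the setup script finishes; a non-zero exit status means at least one key or profile is readable by someone other than its owner, and harden_wg_secrets tightens the modes.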