1. Topology

Home LAN: 192.168.1.0/24
Home router: 192.168.1.1
Home WireGuard node: 192.168.1.2 on LAN, 10.10.0.2 on wg0
VPS public IP: YOUR_VPS_PUBLIC_IP, 10.10.0.1 on wg0
Remote client: 10.10.0.3 on wg0

Remote client
     |
     |  WireGuard
     v
Public VPS (hub)
  wg0 = 10.10.0.1/24
     |
     |  reverse tunnel
     v
Home node behind NAT
  wg0 = 10.10.0.2/24
  eth0 = 192.168.1.2/24
     |
     v
Home LAN 192.168.1.0/24
  - router          192.168.1.1
  - NAS             192.168.1.10
  - Home Assistant  192.168.1.20

2. Why this layout works

• No inbound port-forward needed at home.
• The VPS treats the home node as the route for 192.168.1.0/24.
• SSH sessions on the VPS remain stable because the VPS public IP is not routed into the tunnel.
• Easy to scale with additional clients and networks.

3. Address Plan

4. Generate Keys

umask 077
wg genkey | tee private.key | wg pubkey > public.key

5. VPS Configuration

[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = VPS_PRIVATE_KEY

[Peer]
PublicKey = HOME_PUBLIC_KEY
AllowedIPs = 10.10.0.2/32, 192.168.1.0/24

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.10.0.3/32

6. Home Node Configuration

[Interface]
Address = 10.10.0.2/24
PrivateKey = HOME_PRIVATE_KEY

[Peer]
PublicKey = VPS_PUBLIC_KEY
Endpoint = YOUR_VPS_PUBLIC_IP:51820
AllowedIPs = 10.10.0.0/24
PersistentKeepalive = 25

7. Remote Client Configuration

[Interface]
Address = 10.10.0.3/24
PrivateKey = CLIENT_PRIVATE_KEY
DNS = 192.168.1.1

[Peer]
PublicKey = VPS_PUBLIC_KEY
Endpoint = YOUR_VPS_PUBLIC_IP:51820
AllowedIPs = 10.10.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25

8. Enable Forwarding on Home Node

sudo sysctl -w net.ipv4.ip_forward=1
printf 'nnet.ipv4.ip_forward=1n' | sudo tee -a /etc/sysctl.conf

9. Optional NAT (Simple Setup)

sudo nft add table ip nat
sudo nft 'add chain ip nat postrouting { type nat hook postrouting priority srcnat; }'
sudo nft add rule ip nat postrouting oifname "eth0" ip saddr 10.10.0.0/24 masquerade

10. Firewall Basics

• Allow UDP 51820 on the VPS.
• Allow forwarding between wg0 and LAN interface on the home node.

11. Bring the Tunnel Up

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo wg show

12. Connectivity Checks

ping 10.10.0.1
ping 10.10.0.2
ping 192.168.1.1
ping 192.168.1.10
ssh user@192.168.1.10

13. Self-Healing Tunnel

PersistentKeepalive = 25

You can also add a watchdog script that restarts the tunnel if the handshake becomes stale.

14. Split-DNS for Internal Domains

Use routing domains so only internal names resolve through the VPN DNS.

PostUp = resolvectl dns wg0 10.10.0.1
PostUp = resolvectl domain wg0 ~home.arpa
PostDown = resolvectl revert wg0

15. Example Internal Domains

• nas.home.arpa
• grafana.lab
• router.internal

16. Scaling the Setup

[Peer]
PublicKey = HOME_PUBLIC_KEY
AllowedIPs = 10.10.0.2/32, 192.168.1.0/24, 192.168.2.0/24

17. Common Problems

• SSH dropping when the tunnel starts.
• Client reaches VPS but not LAN.
• Missing forwarding or NAT on home node.
• DNS misconfiguration.

18. Troubleshooting Commands

sudo wg show
ip addr show wg0
ip route
sudo nft list ruleset
resolvectl status

19. Practical Summary

1. Use a VPS as the WireGuard hub.
2. Have the home node dial out with PersistentKeepalive.
3. Advertise the home LAN on the VPS peer.
4. Include the LAN subnet in client AllowedIPs.
5. Enable forwarding and NAT if necessary.
6. Use split-DNS for internal services.
7. Add monitoring or watchdog for reliability.

This architecture provides a clean, secure, and scalable solution for remote homelab access.