Wireguard and VPNs: How I Built a Private, Ad-Free, Remote Network for Home and Work
Even if you don’t think you need a VPN, you probably do — here’s how I learned that, and how I use Wireguard to stay connected and protected.

Wireguard and VPNs: The use case for personal and business use
Even if you don’t know it, you want a VPN set up. Here’s how I know.
After starting with 3D Printing, I had a Raspberry Pi powered camera set up to film and watch my printer. I wanted a way to view my printer’s progress even while I was away from my home. This introduced me to the concept of Virtual Private Networks, or VPNs.
How I Discovered Wireguard
My initial research led me to believe that VPNs were only cloud-hosted ways to connect a singular client to appear to be in a different region (think ProtonVPN, Mullvad, or SurfShark). That notion was quickly dispelled after I stumbled across OpenVPN. I quickly found myself in the deep end, realizing there was a lot more to VPNs than I thought. But I also saw how useful they could be. I came across a piece of software that sounded promising for what I wanted. Its name contained two keywords I now knew, Raspberry Pi (from my 3D printers) and VPN: the PiVPN project.
Why I chose PiVPN / Wireguard
The PiVPN project was a simple, streamlined, and secure way to set up my own Wireguard VPN that I felt comfortable doing despite my lack of thorough knowledge of networking. Its simplicity and speed perfectly matched my use case of wanting to check on my printers and stream my webcams.
Features
Wireguard is a UDP-based protocol, built for low-latency connections. It also has a simple command-line interface to add new devices, or edit old ones. A neat part is that “devices” can range from a single cellphone to an entire system of routers (thousands of devices). This flexibility later allowed me to set up Site-To-Site connections for a business, where I utilized an OPNsense firewall to allow traffic on either site to securely access anything at the other site. Wireguard is a VPN protocol that is fast, robust, and scales well as you gain more knowledge.
Implementations and Usage
The scary part about VPNs is that in order to connect into your local network, there has to be a port where the “internet” can get in. That allows potential bad actors access as well. Wireguard makes this safe when properly configured via special digital keys.
My first implementation with PiVPN, however, did not go so well. Since I knew the dangers, I was smart enough to disconnect all other devices from the network, but at this point I did not know how to manage my DNS, or set up my firewall properly. This meant that I allowed all traffic, not just Wireguard, into my network. Diagnosing this took a lot of experimentation and a few complete resets. Thankfully, I was able to use some Linux networking tools and trace the issue I was having, and correct it. From there I had the firewall locked down to a single port open on my router, and it worked like a charm - only my device could connect, and the connection speed was flawless.
After I moved to a different apartment I needed to set Wireguard up again, but this time on a Mikrotik router. Without the aid of PiVPN, setup took longer despite my better knowledge. Mikrotik did not make it easy prior to RouterOSv7, but in an only mildly shamefully long period of time I figured it out, and once again I was able to connect from anywhere.
I moved again soon after, and here is where the implementation truly changed for the better. I upgraded from my old Raspberry Pi (with PiVPN) to a more powerful Orange Pi computer. This became a proper server, where I started experimenting with Docker and Podman containers. I was able to join a Wireguard Docker container with all of my other containers to remove ads for all devices on my network via DNS sinkholes.
Then for the final evolution of my personal Wireguard configuration, and the one I have stuck with for the longest, I set up my own complete firewall and router, with OPNsense.
I was able to experience the bliss of a wonderful graphical user interface, the ability to set up Site-to-Site connections, and Site-to-Client connections with ease. Shared DNS and adblock made it so that I could seamlessly connect to any service across multiple different sites and never have to worry about ads, malicious actors, or accidentally exposing my data and services. Having Wireguard allows me to view my websites that are running on my Orange Pi, like my recipe website (Mealie), view all of my photos and media (Immich and TrueNAS), view my security cameras with Frigate, and access all of my code (Gitea). I can even remote into my other laptops and desktops with Rustdesk without fear.
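The first-deployment problem described above (all traffic allowed in, not just Wireguard) can be caught by auditing the firewall rules. This is an added example, not code from the original post: it assumes the VPN host is a Linux box filtered with iptables, and the UDP port 51820, the interface names and both sample rulesets are constructed for illustration.

```python
import shlex

WG_PORT = "51820"   # assumption: WireGuard's customary UDP port; the post names none
WAN_IF = "eth0"     # assumption: name of the internet-facing interface

# Constructed `iptables-save` output (filter table); neither is from the post.
OPEN_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
COMMIT
"""
LOCKED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 51820 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def audit(ruleset, wg_port=WG_PORT, wan=WAN_IF):
    """Return a list of findings; an empty list means only WireGuard gets in."""
    findings = []
    for line in ruleset.splitlines():
        if line.startswith(":"):                  # chain header, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            if chain in ("INPUT", "FORWARD") and policy == "ACCEPT":
                findings.append(f"{chain} policy is ACCEPT (should be DROP)")
        elif line.startswith("-A INPUT "):
            tok = shlex.split(line)
            # Pair each option with the token after it; negated ("!") matches
            # are not interpreted by this simple audit.
            opt = {t: v for t, v in zip(tok, tok[1:]) if t.startswith("-")}
            if opt.get("-j") != "ACCEPT" or opt.get("-i", wan) != wan:
                continue                          # not an ACCEPT on the WAN side
            is_reply = "--ctstate" in opt and "NEW" not in opt["--ctstate"]
            is_wg = opt.get("-p") == "udp" and opt.get("--dport") == wg_port
            if not (is_reply or is_wg):
                findings.append(f"WAN-reachable ACCEPT: {line}")
    return findings

if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULESET), ("locked", LOCKED_RULESET)):
        print(name, audit(rules) or "OK: only WireGuard is reachable")
```

On a live host the input would come from `iptables-save -t filter`; a router appliance needs its own rule export instead.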
Analysis
Wireguard has allowed me to safely share my work with friends and family, stay protected while traveling and keep connected wherever I go. I am able to quickly diagnose and solve problems for clients because I can directly access their network. Overall, it’s been incredibly stable and beneficial for me. If you also have a desire to have a more secure and ad-free experience on the internet, I highly suggest checking out Wireguard with your custom DNS resolver. The easiest way to do this is to set up PiHole with PiVPN. In fact, it could be your homework assignment from this article.
In the future, I think I would like a slightly better way to onboard users. There is not a direct “sign up” method to be able to connect. Right now, users have to install an app on their phone, and I need to manually share a configuration file. Most users I work with do not understand that level of technical setup. Due to this, I have looked into solutions like Pangolin and Tailscale to allow a more auth-based approach where only an account is needed to view services in order to reach a wider audience.
Conclusion
Wireguard has been a lifesaving, essential tool I have greatly benefitted from over the past five years of using it. I’ve come a long way in my own education, from needing everything defaulted and set up for me, to writing custom overrides, allow lists, subnets, and even split DNS configs. However, I have the utmost respect for the maintainers of PiVPN, and what they do to enable people like me to learn and grow. Now? Being able to diagnose printer issues, remote into machines, and run my personal DNS resolver and adblocker anywhere I go gives me better peace of mind for myself, my family, and my clients. There may be better ways to set it up for ad-hoc connections, but right now I am a huge fan of how Wireguard enables my workflow.
