WireGuard VPN + Traefik Reverse Proxy Setup

Architecture

Internet → VPS → WireGuard tunnel → Home Server → Traefik → Containers

Files Structure

wireguard/
├── vps/
│   ├── wg0.conf          # WireGuard config for VPS
│   ├── setup.sh          # Setup script for VPS
│   └── ports.sh          # Iptables update script for new ports
├── home/
│   ├── docker-compose.yml
│   ├── wireguard-config/
│   │   └── wg0.conf      # WireGuard config for home
│   ├── traefik/
│   │   ├── traefik.yml   # Traefik static config
│   │   └── dynamic.yml   # Traefik dynamic config
└── README.md

---

Step 1: Setup VPS (Debian)

1. Copy the vps/ folder to your VPS

2. Run the setup script:

   chmod +x setup.sh
   sudo ./setup.sh
   

3. The script will output your VPS keys. Save them:

   • VPS Private Key → put in vps/wg0.conf
   • VPS Public Key → put in home/wireguard-config/wg0.conf

4. Copy the updated wg0.conf to /etc/wireguard/wg0.conf

5. Wait for Step 2 to get the home public key before starting WireGuard

---

Step 2: Setup Home Server (Arch)

1. Copy the home/ folder to your home server

2. Generate WireGuard keys:

   wg genkey | tee privatekey | wg pubkey > publickey
   cat privatekey  # → put in home/wireguard-config/wg0.conf
   cat publickey   # → put in vps/wg0.conf on VPS
   

3. Edit home/wireguard-config/wg0.conf:

   • Replace HOME_PRIVATE_KEY with your private key
   • Replace VPS_PUBLIC_KEY with the VPS public key from Step 1

4. Start the containers:

   docker compose up -d
   

---

Step 3: Finish VPS Setup

1. On VPS, edit /etc/wireguard/wg0.conf:

   • Replace HOME_PUBLIC_KEY with your home server's public key

2. Start WireGuard:

   sudo systemctl start wg-quick@wg0
   

3. Test the tunnel:

   ping 10.0.0.2
   

---

Step 4: Point Your Domain to VPS

Create DNS A records pointing to your VPS IP:

exampledomain.com      → VPS_IP
*.exampledomain.com    → VPS_IP   (wildcard for subdomains)

---

Step 5: Configure connections to your Containers

Add Traefik configurations to dynamic.yml, the file comes with a simple example:

routers:
    example-app: #Define service name
        # Rules define the domain and/or subdomain you want to use
        rule: "Host(`exampledomain.com`) || Host(`subdomain.exampledomain.com`)"
        entryPoints:
            - web # use HTTP
            - websecure # use HTTPS
        example-app: blog

services:
    example-app: #Service name
        loadBalancer:
            servers:
                - url: "http://example-docker:80" #Docker IP/name and port to have DNS redirect to

See dynamic.yml for a complete example and use it for configuration.

---

Useful Commands

VPS

# Check WireGuard status
sudo wg show

# View iptables rules
sudo iptables -t nat -L -n -v

# Restart WireGuard
sudo systemctl restart wg-quick@wg0

Home Server

# View logs
docker compose logs -f

# Restart services
docker compose restart

# Check WireGuard status inside container
docker exec wireguard wg show

---

Troubleshooting

Tunnel not connecting

• Check both public keys are correct
• Ensure VPS firewall allows UDP 51820
• Check PersistentKeepalive is set (for NAT traversal)

Traefik not getting certificates

• Ensure port 80 is forwarded through VPS
• Check DNS is pointing to VPS IP
• View Traefik logs: docker compose logs traefik

Traffic not reaching home server

• Test tunnel: ping 10.0.0.2 from VPS
• Check iptables: sudo iptables -t nat -L PREROUTING -n -v
• Ensure ip_forward is enabled: cat /proc/sys/net/ipv4/ip_forward