🛡️ Network & identity defence
WireGuard
Modern, fast, simple VPN — replaces OpenVPN and IPsec for most use cases.
Why use it
WireGuard is the modern VPN — built into the Linux kernel since 5.6, faster than OpenVPN, simpler to configure, and audited as cryptographically sound. Use it for remote access to your homelab and secure connectivity between sites.
What you get
- Kernel-level VPN with minimal overhead
- Public-key based authentication (no certs)
- Roaming support — clients reconnect seamlessly
- Mobile clients for iOS, Android
- Simple text-based configuration
System requirements
| Requirement | Value |
|---|---|
| CPU | minimal |
| RAM | 128 MB |
| Disk | 50 MB |
| OS | Linux, macOS, Windows, iOS, Android |
| Docker | Yes |
Installation
On Ubuntu, install with `sudo apt install wireguard`. Generate a key pair with `wg genkey | tee privatekey | wg pubkey > publickey`; the private key file should be readable only by its owner. Configure `/etc/wireguard/wg0.conf` with one peer entry per client. Bring the tunnel up with `sudo wg-quick up wg0`. For easier management, install wg-easy in Docker for a web UI.
Suggested configuration
Use wg-easy for any homelab — the GUI generates QR codes for mobile clients. Restrict allowed IPs per peer to enforce least privilege. Pair with Pi-hole as the DNS resolver inside the tunnel for ad blocking on the road.
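The least-privilege point above, as an added example (not code from this page or from the WireGuard project): a small Python audit that parses a server-side wg0.conf and lists every peer whose AllowedIPs entry is wider than a single host address. The sample config, placeholder keys, function names and the `approved` parameter are constructed for illustration.

```python
import ipaddress

# Constructed server-side wg0.conf; keys are placeholders, not real keys.
SAMPLE_CONF = """\
[Interface]
Address = 10.8.0.1/24

[Peer]
# laptop: pinned to its one tunnel address
PublicKey = <laptop-public-key>
AllowedIPs = 10.8.0.2/32

[Peer]
# phone: may source any address in the tunnel subnet
PublicKey = <phone-public-key>
AllowedIPs = 10.8.0.0/24

[Peer]
# remote site: tunnel address, routed LAN, and a stray default route
PublicKey = <site-public-key>
AllowedIPs = 10.8.0.4/32, 192.168.50.0/24
AllowedIPs = 0.0.0.0/0
"""

def parse_peers(text):
    # [Peer] repeats in a WireGuard config, so configparser cannot read it.
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # split once: base64 keys end in "="
            current.setdefault(key.strip().lower(), []).extend(
                v.strip() for v in value.split(",") if v.strip())
    return peers

def broad_allowed_ips(text, approved=()):
    """(public_key, network) for each entry wider than one host and not approved."""
    ok = {ipaddress.ip_network(n) for n in approved}
    nets = ((p.get("publickey", ["?"])[0], ipaddress.ip_network(i, strict=False))
            for p in parse_peers(text) for i in p.get("allowedips", []))
    return [(k, str(n)) for k, n in nets if n.num_addresses > 1 and n not in ok]

if __name__ == "__main__":
    for key, net in broad_allowed_ips(SAMPLE_CONF, approved=["192.168.50.0/24"]):
        print(f"review: peer {key} allows {net}")
```

On the server, a peer's AllowedIPs is both the route for outbound packets and the source-address filter for inbound ones, so each flagged entry is a range that peer is allowed to send from. Networks that a site-to-site peer legitimately routes go in `approved`.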
Integration ideas
- Use Pi-hole as DNS for tunnel clients
- Route specific traffic through the tunnel via AllowedIPs
- Combine with CrowdSec to block scanners on the public endpoint
Alternatives
- Tailscale — WireGuard with managed key exchange; free for 100 devices.
- OpenVPN — Older and slower, but accepted by more firewalls.
Cyentrix verdict
The modern default. Tailscale is the easiest WireGuard you can run; raw WireGuard is the right choice when you want full control.