$ wireguard-vanity-key --prefix=mac/
private public attempts duration attempts/s
Mtvsq5urRK/HRE1EfqTkZ9dtBNNBjSVPbqYBZ/BL4Qw= mac/t3wcAUhyZUti7OM4KsGQ7/V00HPRmzI3agaSplM= 37258118 1s 70119328
$ wireguard-vanity-key --prefix=ipad/
private public attempts duration attempts/s
hJXdv5FKyem2WqWzduSaEhEw1H4b+6BGTIqJeYu9H1c= ipad/s6w2nBEDhmuEl/xyLeohEbfc5MWUy5D8dJHgAs= 158299886 2s 69564916The best option is just to use tailscale, either on your router or on a device on the network that is always on, and set it as an exit node. It uses Wireguard under-the-hood, and it way easier to setup.
If you really must use Wireguard directly, get a router like a GL.iNet with OpenWRT that has a Wireguard server built-in. It'll handle creating certs for users, etc.
I set it up, and it worked, but regular Tailscale works so well out-of-the-box that I just used that instead of maintaining headscale.
Two cases I can think of are MTU misconfigurations and constrained CPU on either endpoint, where the node CPU can handle non-VPN network demands but can't handle the VPN demand.
Not recommended: https://www.gl-inet.com/products/gl-mt300n-v2/
This looks promising: https://www.gl-inet.com/products/gl-be3600/
I also really like using qr codes to transfer a configuration to a phone (mostly used by me once when I replaced my phone): https://www.cyberciti.biz/faq/how-to-generate-wireguard-qr-c...
I've set up Wireguard on a VPS once six years ago, and nothing needed adjustment since. It is as easy as you make it out to be, and depending on the use case the firewall rules can also be simple.
If I need to add a new device, which is probably a rarity for the average user, and once a year for me, it takes two minutes to edit two files and restart a service.
I can see reasons why one would want to use Tailscale, especially in an organization. But just uncritically recommending it for home-lab like setups seems as harmful as pushing people to Cloudflare for everything.
Raw Wireguard is fine for a road warrior or site-to-site VPN setup as is common, but when you want multipoint peer-to-peer connections without routing through what might be a geographically distant point, magic DNS, etc, Tailscale really shines through.
If you're paranoid, enable https://tailscale.com/kb/1226/tailnet-lock or run https://headscale.net/ on your own as a control server.
Although at that point I'm sure you, and any similar user, would not actually rely on ad-hoc advice like in this thread, and instead just evaluate what is needed.
As an aside, personally speaking, headscale solves basically none of my concerns associated with introducing more software, complexity and third parties (the maintainers) into my network setup. Less so because of paranoia towards the software/product itself, and more so because of the increased surface area to attack.
But I also think that anyone actually bothering to set headscale up probably falls into the aforementioned group of people that actually thinks about their requirements.
[0] https://developers.cloudflare.com/cloudflare-one/connections...
(In 2025, using Tailscale simplifies a lot of the configuration and reachability parts. This guide omits a lot of the hurdles one will run into with NAT traversal and the macOS section is a little dated.)
With that said, as another user (th0ma5) pointed out, "The only downside is that the Tailscale organization will be privy to your actions online as well."
While Tailscale and Wireguard serve the same purpose for most, it is not a direct replacements. To most users, this doesn't matter. To a few, it may be a breach of OpSec
With all this said, Tailscale reportedly cannot see anything. Per https://tailscale.com/blog/opensource
"By making the Tailscale clients open, you can see that we don’t collect your private keys. And by making Tailscale’s DERP servers open, you can see that we can’t capture your encrypted traffic. We don’t see your data and we don’t want to. We hope that keeping this code open increases trust and transparency in Tailscale because anyone can review the code and see that Tailscale really works the way we claim."
“Each Tailscale agent in your distributed network streams its logs to a central log server (at `log.tailscale.com`). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”
Then I signed up for Tailscale on a whim, installed it on my phone and my Home Assistant box and... that was it. After like 15 minutes of sign up and installation I could access my home network. MTU didn't matter. In the supermarket it uses TCP over a DERP server that's 5ms away. Keys are automatically setup. After years of people blabbing on about how great Tailscale is, I finally get it.
Setting up Wireguard is easy. THIS is the hard problem that needs solving. I’ve never had a good experience with dynamic DNS. I don’t see any way around this without relying on some sort of hosted/cloud service of some kind.
https://docs.cpanel.net/cpanel/domains/dynamic-dns/
My ISR only supports DynDNS and NOIP, so I just curl this URL every day.
Their instructions were fairly good; securing the web interface was the hardest part. AI should solve that for you!
The article contains this:
#replace eth0 with the interface open to the internet (e.g might be wlan0 if wifi)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
So, which one is right and why?
Setting up a home VPN server with WireGuard - https://news.ycombinator.com/item?id=21421365 - Nov 2019 (198 comments)
The iPhone and Mac official wireguard clients allow you to set “excluded” wireless SSIDs, so if you are out and about, and not on a SSID that matches one of your excluded SSIDs, you are automatically connected to wireguard.
I have it setup to dump me onto my home network (it doesn’t NAT me behind the wireguard server) so I’m just always on my home network. By default, I only route home network traffic through wireguard, but I’ve also routed everything when I need to.
The whole configuration is in a Nixos configuration file as well, which is nice.
One of these days I should write up something about my homelab…
Very neat, thanks for sharing. Hopefully the Android client is the same. A home WG server is next up on my homeland TODO. WG-easy looks to be a good spot to start.
billy99k•5mo ago