WireGuard [1] implements a virtual private network (VPN) using state-of-the-art cryptography, emphasizing speed and simplicity. It enables you to run an encrypted tunnel over the Internet, securing your network traffic over an untrusted network. WireGuard has been part of the Linux kernel since Linux 5.6 (March 2020), but it also supports various other operating systems, including FreeBSD, OpenBSD, Windows, macOS, Android, and iOS. Installation instructions [2] for all these operating systems are available on the WireGuard website (Figure 1).

Figure 1: WireGuard implements a fast, modern, and secure VPN tunnel.

Although WireGuard is considerably easier to configure than alternative VPN solutions such as OpenVPN and IPsec, it still requires running some commands on the command line and manually editing configuration files. WireGuard Easy [3] allows easy management of WireGuard connections through a web interface. In this article, I'll guide you through installing WireGuard Easy to manage a VPN server and show how to manage clients.

Requirements

WireGuard Easy is implemented as a Docker container that incorporates both WireGuard and a web interface for managing VPN connections. You will need a Linux machine with a kernel that supports WireGuard (all modern kernels) and Docker installed. On Ubuntu 24.04 LTS, install Docker and Docker Compose with

$ sudo apt install docker.io docker-compose-v2

Then, add your user to the docker group:

$ sudo usermod -aG docker $USER

Log out and log in again to apply the group membership.

There are two primary use cases for setting up a WireGuard VPN. In the first use case, you want a secure way to go online via an unsafe network. This can be accomplished by running the WireGuard VPN server on a virtual private server (VPS) that you rent. The VPS has a fixed IP address, making it easy to direct your VPN clients to it. Optionally, you can buy a domain name from a domain registrar and point it to the IP address. This way, your VPN clients can access the Internet over an encrypted tunnel from the unsafe network to your VPS.

In the second use case, you want a secure way to access services running on your home network when you're away from home. This setup is more elaborate. You can run the WireGuard server on any computer within your network, as long as it's always on and has a fixed IP address. A fixed IP address can be achieved by assigning a static IP address or setting an IP reservation in your DHCP server. Additionally, you need to forward WireGuard's port (UDP port 51820) from your modem to the WireGuard server. Without a fixed IP address for the server, you wouldn't be able to ensure that the port is forwarded to the correct server.

A final challenge for a VPN server at home is that many residential Internet connections don't have a fixed public IP address. So how do the VPN clients know where to connect to? The solution is to use a dynamic DNS (DynDNS) service. You have to run software on your local network (on your router or a server) that continuously checks your Internet connection's public IP address. After a change, the software sends your new IP address to the DynDNS service. This service assigns you a subdomain of its domain, which is always updated to point to your new IP address. This way, your VPN clients can always refer to your home VPN server by your DynDNS domain name.

In this article, I'll run WireGuard Easy and a DynDNS updater as Docker containers on an Ubuntu 24.04 LTS server at home (Figure 2). However, you can run both containers on any other Linux distribution, and you don't even need Docker. If a firewall is active on your server, ensure the correct ports are allowed.

Figure 2: Remote access to your home network with a DynDNS updater, port forwarding, and a WireGuard server.

DynDNS Updater

First, you need to create an account with a DynDNS service. Many offer a free account suitable for this purpose. Some examples include No-IP [4], FreeDNS [5], and Duck DNS [6]. After creating an account, register a domain with the service. The next task is to continuously update this domain so it always points to your home's public IP address.

One solution, ddclient [7], updates DNS entries for accounts on a wide range of DynDNS services. The project doesn't maintain an official Docker image, but the LinuxServer [8] team has created a ddclient Docker image on Docker Hub [9], available for x86-64 and Arm64 architectures.

First, create a configuration file for ddclient and replace koan in /home/koan/containers/ddclient/ddclient.conf with $USER. Listing 1 provides an example for Duck DNS.

01 # General
02 ssl=yes
03
04 # Router
05 use=web
06 web=freedns
07
08 # Protocol
09 protocol=duckdns
10 password=87b46fd5-df3d-420b-90f6-c7004f873e1e
11 example.duckdns.org

The configuration file consists of three parts: general configuration, router configuration, and protocol configuration. Line 2 of Listing 1, ssl=yes, ensures updates to the DynDNS service occur over an encrypted SSL connection. This communication is unencrypted by default, because only a few DynDNS providers support encryption.

The next part of the configuration file is called the router configuration, because ddclient supports fetching your public IP address from various router models. However, the easiest way, independent of your router model, is to set the mechanism to fetch your public IP address to use=web. With web=freedns, ddclient visits the FreeDNS web page to check your current IP address, which is returned in the body of a simple HTML page. Because the general configuration includes ssl=yes, this interaction happens over HTTPS.

The final part of the configuration file specifies the protocol that ddclient uses to update your DynDNS service when your public IP address changes. This depends on your DynDNS provider, so have a look at the ddclient protocols documentation [10]. For Duck DNS, use protocol=duckdns, followed by the token you registered with the service (in the form 87b46fd5-df3d-420b-90f6-c7004f873e1e), and finally the domain registered with the service.

Running the ddclient Container

Next, create the docker-compose.yml file shown in Listing 2. Adjust the TZ environment variable to your time zone, and adapt the volume to the directory where you placed the ddclient.conf file.

01 version: '3.7'
02
03 services:
04   ddclient:
05     image: lscr.io/linuxserver/ddclient: latest
06     container_name: ddclient
07     environment:
08       - PUID=1000
09       - PGID=1000
10       - TZ=Europe/Brussels
11     volumes:
12       - /home/koan/containers/ddclient: /config
13     restart: always

Then, create and start the container with Docker Compose:

$ docker compose up -d

Wait a moment for the container to start and then check the logs:

$ docker logs -f ddclient

The last line should show SUCCESS and a message that your DynDNS service is linked to your IP address. From now on, the ddclient Docker container will periodically check for IP address changes and update your DynDNS accordingly.