The Problem
I needed to access my home server via SSH from my mobile phone without exposing it directly to the internet. The obvious options were bad: opening port 22 to the world is suicidal, and trusting third-party apps with root access didn’t convince me. The solution that worked: WireGuard + Termius.
Why This Combination
WireGuard is lightweight, fast, and consumes little battery on mobile devices. Termius is a polished SSH client that handles private keys well. Together, you have secure access without complications.
Step 1: WireGuard Installation and Configuration on the Server
I installed WireGuard on my server (Debian 12):
sudo apt update
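sudo apt install wireguard wireguard-tools
I generated the server’s public and private keys:
# Run the whole pipeline as root (tee and the redirect also write into /etc/wireguard); umask 077 keeps the key files private
sudo sh -c 'umask 077; cd /etc/wireguard && wg genkey | tee privatekey | wg pubkey > publickey'
I created the /etc/wireguard/wg0.conf configuration file: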
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = [CONTENIDO DE privatekey]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = [CLAVE PÚBLICA DEL MÓVIL - GENERARLA DESPUÉS]
AllowedIPs = 10.0.0.2/32
I activated the service:
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
I opened UDP port 51820 in the firewall (in my case, the router):
sudo ufw allow 51820/udp
Step 2: Client Configuration on Mobile
I installed WireGuard from the Play Store (Android) or App Store (iOS).
I generated the mobile’s keys on the server:
# umask 077 in a subshell so the new key files are readable only by their owner
(umask 077; wg genkey | tee mobile_privatekey | wg pubkey > mobile_publickey)
I created the configuration file for the mobile:
[Interface]
Address = 10.0.0.2/24
PrivateKey = [CONTENIDO DE mobile_privatekey]
DNS = 8.8.8.8
[Peer]
PublicKey = [CLAVE PÚBLICA DEL SERVIDOR]
Endpoint = [IP_PÚBLICA_SERVIDOR]:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25
I exported this file as a QR code or transferred it via USB to the mobile. WireGuard imports it directly.
I activated the connection in WireGuard on the mobile and verified connectivity:
wg show
Step 3: SSH Configuration in Termius
In Termius I created a new connection:
- Host: 10.0.0.1 (the server’s internal IP in WireGuard)
- Port: 22 (standard SSH, doesn’t need to be open to the outside)
- User: my regular username
- Authentication: SSH private key
I imported my SSH private key from the mobile’s files. Termius handles it without exposing files.
Step 4: Testing and Adjustments
I connected to WireGuard from the mobile. I opened Termius and connected to the server. It worked on the first try.
The latency is imperceptible. WireGuard’s battery consumption is minimal (barely 2-3% in 8 hours standby).
Security Details That Matter
- The SSH server is never exposed to the internet
- WireGuard uses modern cryptography (Noise protocol)
- Private keys never travel over the network
- SSH traffic within the tunnel is doubly encrypted
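The first point in this list can be checked on the server rather than assumed. The script below is an added example, not part of the original article: it reads `ss -Htln` output and lists every address other than 10.0.0.1 or loopback on which port 22 is bound. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report sshd listeners that are not confined to the tunnel.
# Input: `ss -Htln` output on stdin. 10.0.0.1 and port 22 are the article's values.

# Print every local address bound to the SSH port other than the WireGuard
# address or loopback. Wildcards (0.0.0.0, ::, *) are printed on purpose.
ssh_listeners_outside_tunnel() {
    awk -v wg="${1:-10.0.0.1}" -v port="${2:-22}" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")              # $4 = local address:port
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", addr)              # [::] -> ::
            sub(/%.*$/, "", addr)                  # drop %iface scope suffix
            if (addr == wg || addr == "::1" || addr ~ /^127\./) next
            print addr
        }'
}

# Return 0 when sshd is bound to the tunnel address or loopback only, 1 otherwise.
check_ssh_exposure() {
    exposed=$(ssh_listeners_outside_tunnel "$@")
    [ -z "$exposed" ] && return 0
    printf 'SSH port also bound on: %s\n' "$(printf '%s' "$exposed" | tr '\n' ' ')" >&2
    return 1
}

# Constructed sample input (not captured from a real host).
SAMPLE_WILDCARD='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'
SAMPLE_TUNNEL_ONLY='LISTEN 0 128 10.0.0.1:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:22 0.0.0.0:*'

for sample in "$SAMPLE_WILDCARD" "$SAMPLE_TUNNEL_ONLY"; do
    if printf '%s\n' "$sample" | check_ssh_exposure 10.0.0.1 22; then
        echo "OK: sshd answers only on the tunnel address or loopback"
    else
        echo "REVIEW: port 22 relies on the firewall alone"
    fi
done
```

On the server, run `ss -Htln | check_ssh_exposure 10.0.0.1 22`. A wildcard bind is not exposure by itself, but it means the router or firewall is the only thing keeping port 22 off the internet.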
What I Would Change
Nothing. This setup has been running flawlessly for months. The only improvement would be using dynamic DNS addresses if my public IP changes, but that’s another article.
Update: This same method works for connecting other devices (laptop, tablet). Just generate new keys and add more peers in WireGuard.