Why you need this#
A few months ago I faced a common problem: I wanted to access my internal services (Jellyfin, Home Assistant, etc.) from outside my home, but I didn’t want to expose them directly on the internet. Opening ports is an unnecessary risk. The solution was to set up a VPN with WireGuard in Docker. It was the best decision I made for my home infrastructure.
Advantages of WireGuard#
- Lightweight: consumes fewer resources than OpenVPN
- Fast: modern and efficient protocol
- Easy to configure: compared to other alternatives
- Secure: state-of-the-art cryptography
- Docker-friendly: there are excellent official images
Preparation#
You need:
- A server with Docker installed
- The docker-compose.yml file
- A domain or public IP (to connect from outside)
- WireGuard clients on your devices
Step-by-step installation#
1. Create the configuration directory#
```bash
mkdir -p ~/wireguard/config
cd ~/wireguard
```
2. Docker Compose#
Create the docker-compose.yml file:
```yaml
version: '3.8'
services:
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Madrid
      # Placeholder: your domain or public IP
      - SERVERURL=tu-dominio-o-ip-publica.com
      - SERVERPORT=51820
      # One peer configuration is generated per name
      - PEERS=telefono,laptop,tablet
      - PEERDNS=auto
    ports:
      # The only published port
      - "51820:51820/udp"
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules:ro
    networks:
      - mi-red
    restart: unless-stopped
networks:
  mi-red:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.0.0/24
```
Replace:
- tu-dominio-o-ip-publica.com with your actual address
- The PEERS with the names of your devices
- The timezone according to your location
3. Start the container#
```bash
docker-compose up -d
```
Configuration files will be automatically generated in ./config. Wait a few seconds and verify:
```bash
ls -la config/peer_*/
```
4. Get the QR codes#
To connect your devices:
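```bash
docker exec wireguard cat /config/peer_telefono/peer_telefono.conf
```
Or directly the QR codes:
```bash
# sh -c makes the redirect read the file inside the container, not on the host
docker exec wireguard sh -c 'qrencode -t ansiutf8 < /config/peer_telefono/peer_telefono.conf'
```
Scan with your WireGuard client on each device.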
Connecting internal services#
This is the important part. I want to access services on my internal network. To do this, I modify the docker-compose.yml and add routes:
```yaml
environment:
  - ALLOWEDIPS=10.0.0.0/24,192.168.1.0/24
```
This allows you to access the 192.168.1.0/24 network (your local network) from the VPN.
On the server, enable forwarding:
```bash
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
Access from clients#
Once connected to the VPN, you access your services using their internal IPs:
- http://192.168.1.100:8096 for Jellyfin
- http://192.168.1.50:8123 for Home Assistant
- Whatever you need on your network
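A check for the ALLOWEDIPS step above, as an added example (not code from the original post): it parses a peer file and reports any route outside the two subnets configured there, including a full-tunnel 0.0.0.0/0. The function names, the sample peer file and its 10.13.13.2 tunnel address are assumptions constructed for illustration.

```python
import configparser
import ipaddress

# Subnets the page puts in ALLOWEDIPS; any other route in a peer file is unexpected.
EXPECTED = ("10.0.0.0/24", "192.168.1.0/24")

# Constructed sample peer file: tunnel address and key placeholders are assumptions.
SAMPLE_PEER_CONF = """\
[Interface]
Address = 10.13.13.2
PrivateKey = <placeholder>

[Peer]
PublicKey = <placeholder>
Endpoint = tu-dominio-o-ip-publica.com:51820
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
"""


def allowed_ips(conf_text):
    """Return the [Peer] AllowedIPs entries as ip_network objects."""
    # Only "=" is a delimiter, so "host:port" and IPv6 values are not split on ":".
    parser = configparser.ConfigParser(delimiters=("=",), strict=False, interpolation=None)
    parser.read_string(conf_text)
    raw = parser.get("Peer", "AllowedIPs", fallback="")
    return [ipaddress.ip_network(p.strip(), strict=False) for p in raw.split(",") if p.strip()]


def audit(conf_text, expected=EXPECTED):
    """Return a list of findings; an empty list means the routes match the intent."""
    wanted = [ipaddress.ip_network(n) for n in expected]
    got = allowed_ips(conf_text)
    findings = []
    for net in got:
        if net.prefixlen == 0:
            findings.append(f"full tunnel: {net} routes all traffic through the VPN")
        elif not any(net.version == w.version and net.subnet_of(w) for w in wanted):
            findings.append(f"unexpected route: {net}")
    for w in wanted:
        # A wanted subnet is covered if some configured route contains it.
        if not any(g.version == w.version and w.subnet_of(g) for g in got):
            findings.append(f"missing route: {w}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_PEER_CONF) or ["ok: AllowedIPs match the intended subnets"]:
        print(line)
```

To check a real peer, pass the text of config/peer_telefono/peer_telefono.conf to audit() instead of the sample.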
Maintenance#
Renew certificates (approximately every 6 months):
```bash
docker exec wireguard /app/wireguard-tools/show-peer peer_nombre
```
Add a new device:
```bash
docker-compose down
# Edit PEERS in docker-compose.yml
docker-compose up -d
```
Final notes#
- Open only port 51820/UDP on your router
- Use a firewall on the server to block unnecessary access
- Verify that IP forwarding is active
- Monitor VPN traffic regularly
I’ve been running this setup for several months and it’s completely stable. I access my services from anywhere without security concerns. I definitely recommend this setup to anyone who wants to keep their home infrastructure private but accessible.