VPN with WireGuard on Android to secure your home network

  • WireGuard offers a fast, secure, and easy-to-set-up home VPN, ideal for accessing your network from Android and other devices.
  • The key is to generate key pairs, properly define AllowedIPs, enable forwarding and NAT, and protect the UDP port with an appropriate firewall.
  • If CGNAT is in place, a VPS acting as a bridge allows you to continue reaching your home network via WireGuard tunnels between the remote server and your home LAN.
  • Panels like WireGuard Easy and official apps facilitate peer management and mobile use through QR codes and reusable .conf profiles.

If you have set up a small tech setup at home with a NAS, a Linux server, or a recycled computer full of services, I'm sure you've encountered the same problem: everything works perfectly while you're on your Wi-Fi, but as soon as you leave home, forget about it. You can't access your apps, files, or IP cameras without getting bogged down in port-forwarding configuration, DDNS problems, and security risks, or resorting to a commercial service (see Recommended VPNs for Android).

The easiest and safest way to solve this is to create a VPN with WireGuard and connect from Android (and from any other device). This way you can use your home network as if you were physically there, even if your ISP uses CGNAT or you have a somewhat tricky network topology. Let's look at it step by step: what WireGuard is, how to set it up on Linux (or with Docker and panels like EasyPanel/WireGuard Easy), how to fine-tune it to reach your LAN, and how to activate the VPN on Android and browse safely from your phone.

What is WireGuard and why is it ideal for a home VPN?

WireGuard is a modern, minimalist, and very fast VPN protocol that has completely changed the way virtual private networks are set up. Unlike dinosaurs like OpenVPN or IPsec, it was designed from the ground up to be simple to configure, easy to audit, and extremely efficient.

Its codebase is very small (on the order of a few thousand lines), which makes it easier to audit for vulnerabilities and to keep up to date. For encryption, it uses only modern, well-regarded algorithms such as Curve25519, ChaCha20, Poly1305 and BLAKE2s. There are no endless lists of obsolete ciphers that nobody should be using anymore.

Furthermore, it works exclusively over UDP and is integrated into the Linux kernel, so latency is low, performance is very good, and CPU usage is negligible. This is especially noticeable when connecting from Android over 4G/5G or regular Wi-Fi: reconnections are fast, and the tunnel handles network changes quite well.

The setup is also much more user-friendly: each device has a public/private key pair, is assigned an internal VPN IP address, and the traffic sent through the tunnel is defined with the AllowedIPs policy. With that, a UDP port and four more settings, you've got it up and running, without dozens of cryptic parameters or endless files.

Another big advantage is that WireGuard is cross-platform: there are official clients for Android, iOS, Windows, macOS, and Linux, and it can also run on routers, Docker containers, or embedded devices. On mobile, you can import a .conf file or simply scan a QR code generated on the server, and you're ready.

Basic requirements before setting up your WireGuard server

Before pasting commands like there's no tomorrow, it's a good idea to check that you meet the minimum requirements for a WireGuard server accessible from Android. This will save you a lot of headaches.

The most common practice is to use a Linux server. This could be a cloud-based VPS (Ubuntu 22.04 is a very convenient option) or a home machine (Raspberry Pi, mini PC, NAS with support, etc.). Any modern distribution with WireGuard support will work, but Ubuntu/Debian offer more documentation and examples.

You need a user with administration permissions (root or a user with sudo privileges) because you'll be installing packages, tweaking network settings, enabling IP forwarding, and possibly modifying firewall rules. Having SSH access to the server and knowing how to connect from your machine is also crucial.

On the client side, you'll primarily use your Android smartphone with the official WireGuard app, although the same configuration scheme works for Windows, macOS, Linux, or iOS. The configuration file changes little between platforms, so what you learn here will be useful for all of them.

The big enemy: CGNAT and how it affects your home VPN

One of the most important points, especially if the server is at home, is knowing whether your provider puts you behind CGNAT (Carrier-Grade NAT). Under CGNAT, you share a public IP address with other customers and you cannot open ports to your home network, which makes exposing a VPN server on your home connection extremely difficult.

Detecting it is simple: first, write down your public IP as shown by a website like “whatismyip” in your browser. Then access your router's control panel (usually at 192.168.1.1 or 192.168.0.1) and look in the WAN or Internet section for the IP address the router thinks it has. If that IP address starts with 10.x.x.x or is in the range 100.64.0.0 – 100.127.255.255, and it doesn't match what the website shows, you're under CGNAT. Another direct option is to call the operator and ask.

With CGNAT, your router doesn't receive a direct public IP address, so you can't do classic port forwarding. Some companies let you opt out of CGNAT by paying extra or activating an option, others require you to change your plan, and sometimes the price skyrockets. If you don't want to go through all that, the smart solution is to use a VPS as a bridge: your home server creates a WireGuard tunnel to the VPS, and you connect to the VPS from Android to reach your home LAN.

Preparing the Linux server: WireGuard update and installation

On a server with Ubuntu 22.04 (or similar), the first thing to do is update packages to avoid carrying over vulnerabilities or old versions:

apt update && apt upgrade -y

Then install WireGuard from the official repositories with:

apt install -y wireguard

This package includes the tools wg and wg-quick and loads the necessary kernel module. If you want to force manual loading in a somewhat unusual environment, you can use:

modprobe wireguard

Key generation and server configuration structure

The core of WireGuard is its system of public and private keys. Work is normally done in the standard directory /etc/wireguard/, where you will store keys and configuration files.

Change to that directory and harden the default permissions before creating anything:

cd /etc/wireguard/
umask 077

This ensures that newly created files are not readable by other users, which is critical when generating private keys. Generate the server key pair, for example:

wg genkey > privatekey
wg pubkey < privatekey > publickey

The private key must always remain on the server and never leave it; the public key is what you share with clients. Also, avoid third-party applications that could compromise secrets; review articles on insecure VPN applications if you have any doubts about a client. Restrict the permissions of the private key file as well:

chmod 600 privatekey

If you want to see the keys on screen to copy them later, you can use:

tail privatekey publickey

Create and edit the server's wg0.conf file

WireGuard organizes its tunnels in virtual interfaces, called by convention wg0, wg1, etc. Each interface has its own configuration file in /etc/wireguard/. We are going to create wg0.conf as the main interface.

If you like Nano and don't have it installed, you can add it with:

apt install -y nano

Open the configuration file:

nano /etc/wireguard/wg0.conf

Before writing anything, identify the name of the network interface that connects to the internet (the one with the public IP address or the IP address you use to connect via SSH). You can find this using:

ip a

In many VPSs it is called eth0, ens3, enp0s3 or something like that. You'll need it for the NAT rules. An example of a complete block might be:

[Interface]
Address = 10.30.0.1/24
PrivateKey = <clave_privada_servidor>
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Here you are giving the server the IP address 10.30.0.1 within the VPN network, telling it to listen on UDP port 51820, and defining the iptables rules that are applied when the wg0 interface comes up (PostUp) and removed when it goes down (PostDown). Be sure to replace eth0 with the actual name of your outgoing interface.

In Nano, you save with Ctrl + O and exit with Ctrl + X. This wg0.conf will be the core to which you will add the different clients (peers).

Enable IP forwarding and start the WireGuard service

For your clients to access the Internet or the LAN behind the VPN server, the system must allow IPv4 and IPv6 packet forwarding. This is controlled with sysctl.

A quick way is to add the corresponding lines to /etc/sysctl.conf or to a file in /etc/sysctl.d/ and reload:

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
sysctl -p

If those lines already existed but were commented out (with #), it is enough to remove the #, save, and rerun sysctl -p. Without this step, you will have the tunnel up but no access to the LAN or the Internet from the clients.

You can now bring up WireGuard with the help of wg-quick and systemd:

systemctl start wg-quick@wg0

To make it start automatically with the system:

systemctl enable wg-quick@wg0

Check that everything is green with:

systemctl status wg-quick@wg0

And to see real-time details of the interface, keys, peers, and traffic, use:

wg

Add clients: PC, Android mobile and other devices

Each device that connects to your VPN is defined as a peer with its own key and tunnel IP. You can generate the keys on the server itself (more convenient) or on each client (more secure, because the private key never leaves it).

For a desktop computer you could do, for example, in /etc/wireguard/:

wg genkey > mypc_privatekey
wg pubkey < mypc_privatekey > mypc_publickey

And for your Android mobile:

wg genkey > myphone_privatekey
wg pubkey < myphone_privatekey > myphone_publickey

Check the files with:

ls

And display the public keys:

tail mypc_publickey myphone_publickey

Those public keys are the ones you'll enter into wg0.conf within [Peer] blocks. Open the server file again:

nano /etc/wireguard/wg0.conf

And add, for example:

[Peer]
PublicKey = <clave_publica_mypc>
AllowedIPs = 10.30.0.2/32

[Peer]
PublicKey = <clave_publica_myphone>
AllowedIPs = 10.30.0.3/32

By doing this you are reserving the IP address 10.30.0.2 for the PC and 10.30.0.3 for the Android phone. The /32 indicates a single IP address. Each peer uses its own unique IP address within the VPN subnet.

Save and reload the service to apply the changes:

systemctl restart wg-quick@wg0

Create client configuration files

Now it's time to prepare the .conf files that clients will use. They include the client's private key, internal IP, DNS and the server data (public key, IP/domain and port).

For the PC you can create mypc.conf in /etc/wireguard/ (or wherever you prefer):

nano mypc.conf

With content like the following:

[Interface]
PrivateKey = <clave_privada_mypc>
Address = 10.30.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <clave_publica_servidor>
Endpoint = <ip_o_dominio_servidor>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 20

In the first block ([Interface]), you define the client's local “face”: its private key, its VPN IP address, and which DNS it will use. In the second block ([Peer]), you describe the server: its public key, address, and port. The line AllowedIPs = 0.0.0.0/0 makes all client traffic pass through the VPN (full tunnel). If you only want access to your remote LAN, you can limit it to 10.30.0.0/24 and/or 192.168.x.0/24, depending on your network.

A PersistentKeepalive of 20-25 seconds is highly recommended for clients behind NAT or on mobile networks, as it prevents the tunnel from appearing inactive and the firewall from closing the session.

Android client-specific configuration

On Android, the process is the same. The phone needs its private key, its tunnel IP and the server data. You can reuse the keys you generated on the server or generate them directly in the app.

Following the example, you created myphone_privatekey and myphone_publickey. You are still missing the myphone.conf file for your phone:

nano myphone.conf

Something like this:

[Interface]
PrivateKey = <clave_privada_myphone>
Address = 10.30.0.3/24
DNS = 1.1.1.1

[Peer]
PublicKey = <clave_publica_servidor>
Endpoint = <ip_o_dominio_servidor>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 20

The tricky part here is how to securely send that file to the phone. In a lab environment, you could upload it to a web server and download it, but in production, it's best to avoid sending it by email or storing it on unencrypted services.

The cleanest way is usually to use qrencode to generate a QR code that the WireGuard app on Android can scan:

apt install -y qrencode
qrencode -t ansiutf8 -r myphone.conf

You will see a QR code drawn with text characters in the terminal. On your phone, open the WireGuard app, select “Scan from QR code” and point the camera at the screen. This way you don't need to share the .conf file through dubious channels.

Access to the home LAN, DNS, and local names

Beyond building the tunnel, what's interesting about a WireGuard VPN on Android for a secure home connection is being able to access all your home devices as if you were there: NAS, IP cameras, routers, media servers, etc., ideally using local domain names instead of IPs.

Many routers that integrate a WireGuard server or internal DNS have a section like NETWORK → DNS → Edit Hosts where you can create entries like 192.168.1.50 nas-casa.local. If you point the DNS of your VPN clients to the router or server that resolves these names, you will be able to reach your devices by hostname.

Some router firmwares with WireGuard include checkboxes like “Allow Remote Access to LAN” or “Remote Access LAN Subnet”. You must enable these so that remote clients can reach the local subnet (192.168.x.x) beyond the router itself.

In scenarios where the WireGuard server runs embedded in the router, it often lets you export pre-prepared .conf profiles for mobile devices or other client routers. These profiles usually include the tunnel IP, the correct DNS (normally the router's own IP on the VPN network), and a properly configured AllowedIPs.

Verification, troubleshooting, and security

Once the configuration has been imported into Android and the tunnel has been activated, the first thing to do is check that the handshake completes correctly. The WireGuard app itself displays the status, bytes sent/received, and the last handshake timestamp.

On the server, run:

wg

There you'll see, for each peer, its public key, the remote IP address it's connecting from, the last handshake, and the traffic exchanged. If the "Last Handshake" field is empty or very old, the client isn't connecting or something is blocking it.

If there is no connection, check that the UDP port (51820 or whichever one you use) is open on the server's firewall (UFW, iptables, nftables) and on any intermediate routers. If the server is behind a home router, forward that UDP port to the server's internal IP address. The problem may also be limited to specific apps; see our guide on what to do if apps fail with the VPN enabled.

If the tunnel opens but you don't have mobile internet, check that packet forwarding (net.ipv4.ip_forward and optionally net.ipv6.conf.all.forwarding) is active and that the NAT rules point to the correct outgoing interface (eth0, ens3, etc.).

DNS problems are usually detected when you can ping a specific IP address (for example, 1.1.1.1) but can't resolve domains. In that case, check the line DNS = In the client's .conf file: you can use a public DNS (8.8.8.8, 1.1.1.1) or the server's tunnel IP address if it acts as an internal resolver.

In terms of security, beyond WireGuard's cryptography, there are a number of essential good practices:

  • Protect your private keys: do not copy them to unsafe places or share them with anyone.
  • Restrict AllowedIPs per peer: give each client access only to the networks it needs, no free rein.
  • Use a non-trivial UDP port: replacing 51820 with a higher value reduces noise from automated scans.
  • Keep your system and WireGuard up to date: apply patches promptly.
  • Filter access to the WireGuard port in the firewall to limit who can try to connect (by source IP when it makes sense).
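As an added example (not the article's code), here is a small parser for wg-quick configuration files plus a linter that applies the “restrict AllowedIPs per peer” rule above to a constructed server config for the VPS-bridge scenario described later in the article: one peer announces the home LAN, one peer duplicates another's tunnel IP, and one peer claims 0.0.0.0/0. Peer names, the placeholder keys and the 192.168.1.0/24 LAN are assumptions; the code handles IPv4 only.

```python
import ipaddress

# Constructed sample (placeholder keys, IPv4 only): the VPS-side wg0.conf for the CGNAT
# bridge. peer1 is the home Raspberry Pi and also announces the home LAN, peer2 is
# the phone; peer3 and peer4 carry the two mistakes the linter is meant to catch.
SAMPLE_CONF = """\
[Interface]
Address = 10.30.0.1/24
PrivateKey = <clave_privada_servidor>
ListenPort = 51820
[Peer]
PublicKey = <clave_publica_peer1>
AllowedIPs = 10.30.0.2/32, 192.168.1.0/24
[Peer]
PublicKey = <clave_publica_peer2>
AllowedIPs = 10.30.0.3/32
[Peer]
PublicKey = <clave_publica_peer3>
AllowedIPs = 10.30.0.3/32
[Peer]
PublicKey = <clave_publica_peer4>
AllowedIPs = 0.0.0.0/0
"""

def parse_wg_conf(text):
    """Return (interface, peers); each [Peer] stays separate, unlike configparser."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return interface, peers

def lint_server_conf(text, lan_subnets=()):
    """Check per-peer AllowedIPs; lan_subnets are home LANs a site-to-site peer may announce."""
    interface, peers = parse_wg_conf(text)
    tunnel = ipaddress.ip_interface(interface["Address"]).network
    lans = {ipaddress.ip_network(s) for s in lan_subnets}
    findings, seen = [], {}  # seen: network -> number of the peer that claimed it
    for i, peer in enumerate(peers, 1):
        for cidr in filter(None, peer.get("AllowedIPs", "").replace(" ", "").split(",")):
            net = ipaddress.ip_network(cidr)
            if net.prefixlen == 0:  # 'free rein': the server would route everything to it
                findings.append(f"peer {i}: {net} gives it all traffic (restrict AllowedIPs)")
                continue
            if net.subnet_of(tunnel) and net.prefixlen != 32:
                findings.append(f"peer {i}: {net} is wider than a single tunnel IP")
            elif not net.subnet_of(tunnel) and net not in lans:
                findings.append(f"peer {i}: {net} is outside the tunnel and not a declared LAN")
            for other, j in seen.items():  # two peers must never claim the same address
                if net.overlaps(other):
                    findings.append(f"peer {i}: {net} overlaps {other} of peer {j}")
            seen[net] = i
    return findings
```

Run `lint_server_conf(SAMPLE_CONF, lan_subnets=["192.168.1.0/24"])` to get the two findings for peer3 and peer4; omit `lan_subnets` and the Raspberry's LAN prefix is reported too, which is the prompt to declare it deliberately rather than let any peer announce arbitrary subnets.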

When you have CGNAT or want something more advanced: tunnel through a VPS

If your operator has you under CGNAT or you simply want to separate the public access layer from your home, you can set up a somewhat more elaborate but very powerful solution: use a VPS as the central point and your home server as a client. Then you connect to the VPS from Android and, through it, you access your LAN.

The basic scheme is this: in the cloud you set up a WireGuard “server” (for example with Docker and a stack like linuxserver/wireguard or a pre-built repository), you enable forwarding and NAT, and at home you have a Raspberry Pi or PC always on which connects to that VPS as a peer. The VPS has a public IP and is not affected by CGNAT, so you can open ports there without any problem.

A typical workflow with Docker might be:

  • On the VPS you install Docker and Docker Compose, clone a WireGuard configuration repository and bring up the container with `docker-compose up -d`.
  • The container automatically generates the server keys and those of several peers (peer1, peer2…), saving their .conf files in a config folder.
  • You adjust the server file to include your home subnet (for example 192.168.1.0/24) in AllowedIPs of the peer that your Raspberry will use, and configure iptables or equivalent rules on the host to route traffic between the VPN and your home network.
  • On the Raspberry Pi, clone the same repository (or a prepared one), create a wg0.conf file with the data generated for peer1, enable local NAT (to be able to send traffic back to the LAN), and start the WireGuard client in Docker or natively.

From there, any other device, including your Android phone with the WireGuard app, can use one of the VPS's additional peers (peer2, peer3…) to connect. In practice, you always connect to the VPS's IP address, but you end up reaching your home network services, even through CGNAT.

WireGuard with web panels: WireGuard Easy, EasyPanel and company

If all this sounds like too much console work to you, there are very convenient solutions that set up a web panel to manage WireGuard in one click. For example, on a server with EasyPanel you can deploy an app like WireGuard Easy via template and forget about writing files by hand.

The workflow with these panels is usually:

  • You access the panel (EasyPanel or other) with your user.
  • You install the template WireGuard Easy, defining parameters such as domain/public IP (WG_HOST), UDP port, VPN subnet and DNS.
  • The system starts a container that exposes a password-protected web interface where you see the peer list, statistics, and configuration options.
  • To add a client, you simply fill out a form with their name; the panel generates the keys, assigns them an IP address, and displays the QR code ready to scan with Android, in addition to allowing you to download the .conf file.

This is extremely convenient in environments where more people are using the VPN (family, work team, etc.), because you can activate or revoke access in seconds without having to explain anything technical. Furthermore, if you deploy WireGuard Easy on a VPS, you centralize all remote access to your home network and other locations.

WireGuard on other systems: Windows, macOS, Linux, iOS

Although we focus on Android here, WireGuard works equally well on desktops and other mobile platforms. In Windows, for example, you download the official client, install it, press “Add Tunnel”, choose “Add empty tunnel” or “Import from file”, and the program itself can generate the key pair for you.

The configuration format is the same: an [Interface] block with your PrivateKey, Address and DNS, and a [Peer] block with the server's PublicKey, Endpoint and AllowedIPs. Once saved, simply press “Activate” to bring up the interface and start the traffic flow.

On iOS the process is very similar to Android: you install the WireGuard app from the App Store, create a new tunnel, and import the .conf file or scan the QR code you generated with qrencode or from a panel like WireGuard Easy. Then you activate the tunnel with a switch and you're inside your home network.

On desktop Linux you can use the command-line tool itself (wg-quick up wg0) or integrate it with NetworkManager by importing the .conf file from the graphical interface. There is also an official macOS client with an experience very similar to the Windows version.

In the end, having the same protocol and configuration scheme across all platforms simplifies life a lot: you replicate the logic from one client to another, changing only the keys and the tunnel IP.

With this combination (a well-configured Linux or Docker server, a VPS as support if you have CGNAT, web panels to simplify management, and the WireGuard app on Android) you can set up a robust, fast, and secure home VPN that lets you access your home network, your files and services, and browse securely on public Wi-Fi without depending on third parties or opaque commercial solutions.