Wireguard VPS homeserver-bridge

Short reference documentation for setting up a VPS-homeserver bridge with Wireguard.

September 28, 2022

We are renting, and I have a small homeserver in the office. I mostly host different apps and sevices for my own use, but also a few pages for public access. I needed a way to securely access my homeserver without having access to the router. This led me to renting a small VPS at Hetzner and run a Wireguard instance on this to tunnel all relevant traffic to my home-server. I have been able to find a lot of inspiration online, but nowhere, I found the setup I needed, so here goes for inspiration.


My inspiration is heavily drawn from these two following sites, that I am in no way affiliated with.

My configuration files

Follow these steps to generate your private and public encryption keys and then use the following for inspiration on how to set up your own server configuration file (e.g. /etc/wireguard/wg0.conf).


Address =,fd42::1/128
PrivateKey = [Private key for VPS]
ListenPort = [VPS port]

PreUp = sysctl -w net.ipv4.ip_forward=1

PreUp = iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination
PreUp = iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 443 -j DNAT --to-destination
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination

PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

PublicKey = [Public key for home-server]
AllowedIPs =
PersistentKeepalive = 25


Address =
ListenPort = [Wireguard port number]
PrivateKey = [Private key for home-server]

## Hetzner VPS
PublicKey = [Public key for VPS]
AllowedIPs =
Endpoint = [VPS public IP]:[Wireguard port number]
PersistentKeepalive = 25
Closing thoughts

2024.06.20: I collected these notes quite some time ago. The solution has been rock solid through Internet provider changes and so on.