Em's Site

Access your local network using Wireguard VPN and Algo

If you need to access your home network from somewhere other than your home, the traditional way to do that is using a VPN. However, most VPN tutorials send all of your traffic through your home network. I only wanted to reach the devices in my home network, and not send all my traffic through the VPN. So if that's what you're looking for, this is the tutorial for you.

We'll be using algo for this. Algo is an install script that sets up a WireGuard VPN server. WireGuard is a new-ish VPN program that is meant to be easier to use and faster than traditional VPN servers. It also makes it easy to only send certain IP addresses through the VPN instead of all internet traffic.

You'll need these things:

Since we're all using a local computer with Ubuntu, we can shorten the algo install docs somewhat.

Get system and Python requirements

Edit algo config

Install algo

Set up devices

Configure WireGuard for local network

Sorry this section can't be bullet points, the pictures and code get all wonky.

If you want to access computers connected to your local network but not connected to the VPN, find your local subnet. The easiest way is to run ip a. If you're connecting wirelessly, there should be an interface that starts with a w and an IP address associated with that. If you're connected via ethernet, it will be the interface beginning with e. Here's mine as an example (it's using a wireless connection): (image: ip address settings)

Copy the IP address that's in the place of the one circled (squared?) in that picture, open up a terminal and run python3 and then enter the lines prefixed with >>>, substituting your IP address for my example:

>>> import ipaddress
>>> ipaddress.ip_network("192.168.1.29/24", False)
    IPv4Network('192.168.1.0/24')

The string in the IPv4Network that is returned is the subnet you need to use.

If you like pictures, you started with something similar to this: Initial WireGuard configuration

and you end with something like this: Modified WireGuard configuration

Port forward the WireGuard port

You need to port forward UDP port 51820 to the computer running algo. Unfortunately, there's not a generic way to do this, so you'll need to research how to forward ports on your specific router.

Distribute the configuration files

For desktops and laptops, you can ssh into the computer and copy+paste the configuration. For phones and tablets, the WireGuard app can read a QR code. Algo created one for us, but it isn't valid anymore since we changed the configs. To get the configuration on your phone or tablet, run qrencode -t ansiutf8 -r x.conf, replacing x.conf with the name of the configuration file. The QR code will display in your terminal and you can scan it. If your terminal doesn't support UTF8, run qrencode -t png -r x.conf -o x.png and download x.png to your local computer to display.

IP address conflicts

If you have a common local subnet (192.168.1.0/24 or 192.168.0.0/24 are the most common), it's likely you'll eventually end up on another network that shares the same local subnet, which might prevent you from accessing the local subnet over WireGuard. If you don't need to access any of the local IPs on that network (make sure your DNS isn't using it), there are a few ways to fix it. First, if your ISP and router support IPv6, you can find the IPv6 subnet range just like you found the IPv4 subnet range a few sections up, and add that to your AllowedIPs= line. Then you can connect to your home devices via IPv6. Second, you can connect all the devices to WireGuard so they're all accessible via the WireGuard IP address range. If neither of those is a possibility, the last option is making the IP address rules more specific. I'm not going to show you here, but read up on CIDR ranges (the /24 is the CIDR range in my example) and how UNIX/Linux systems route packets, and you may be able to make a more specific route.
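As an added example (not code from the original post or from Algo), here is the subnet calculation from the python3 session above carried through to a split-tunnel AllowedIPs= line, plus a check for the overlapping-subnet problem and the "more specific rule" option as /32 host routes. The interface address, tunnel range and device addresses are constructed placeholders; substitute your own.

```python
import ipaddress

# Constructed sample values (not from the original post): an interface
# address as `ip a` prints it, and a WireGuard tunnel range Algo might assign.
IFACE_ADDR = "192.168.1.29/24"    # hypothetical home wifi address
TUNNEL_RANGE = "10.19.49.0/24"    # hypothetical Algo WireGuard range


def local_subnet(iface_addr: str) -> str:
    """192.168.1.29/24 -> 192.168.1.0/24. strict=False allows the host bits
    to be set, exactly like ipaddress.ip_network(..., False) in the REPL."""
    return str(ipaddress.ip_network(iface_addr, strict=False))


def allowed_ips_line(tunnel_range: str, *extra_nets: str) -> str:
    """Build the [Peer] AllowedIPs= line for a split-tunnel client: only the
    tunnel range and the listed home subnets are routed through WireGuard;
    everything else still leaves through whatever network you're on."""
    nets = []
    for n in (tunnel_range, *extra_nets):
        net = ipaddress.ip_network(n, strict=False)
        if net not in nets:          # drop duplicates, keep the given order
            nets.append(net)
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


def conflicts_with(home_subnet: str, visited_subnet: str) -> bool:
    """True when the network you're visiting overlaps a subnet in AllowedIPs,
    so WireGuard would capture traffic meant for devices on the visited LAN."""
    home = ipaddress.ip_network(home_subnet, strict=False)
    away = ipaddress.ip_network(visited_subnet, strict=False)
    return home.version == away.version and home.overlaps(away)


def narrowed_allowed_ips(tunnel_range: str, home_hosts) -> str:
    """The 'more specific route' option: list only the home devices you need
    as /32 routes. The kernel picks the longest matching prefix, so a /32 via
    WireGuard wins over the visited LAN's /24 while the tunnel is up (those
    addresses are then unreachable on the visited LAN, so leave its gateway out)."""
    hosts = [f"{ipaddress.ip_address(h)}/32" for h in home_hosts]
    return allowed_ips_line(tunnel_range, *hosts)


if __name__ == "__main__":
    home = local_subnet(IFACE_ADDR)
    print(allowed_ips_line(TUNNEL_RANGE, home))
    # Adding a (constructed, documentation-range) IPv6 home prefix as well:
    print(allowed_ips_line(TUNNEL_RANGE, home, "2001:db8:abcd:1::/64"))
    print("conflict on 192.168.1.0/24 hotel wifi:", conflicts_with(home, "192.168.1.0/24"))
    print(narrowed_allowed_ips(TUNNEL_RANGE, ["192.168.1.10", "192.168.1.20"]))
```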

Firewall

Algo sets up the iptables firewall to block all ports except the ones necessary for WireGuard. So if you're running some other program that listens on a port, you'll need to go in and add a firewall rule to allow that port.

Conclusion

Thanks for reading this! If you liked it, feel free to share it with places that will also like it. If you are so inclined, you can buy me a Ko-Fi as well. If you have any questions or comments, you can contact me in various ways, and I'll do my best to help you out.