Goal: from your laptop anywhere, reach printers, NAS, and other devices on your home LAN
(192.168.1.0/24). The WireGuard server runs on an always-on box at home (Raspberry Pi, NAS,
router).
1. Enable IP forwarding (home server)
echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-wg.conf
sudo sysctl --system
2. Home server — /etc/wireguard/wg0.conf
NAT onto the LAN interface (eth0 here) so LAN devices can reply without their own VPN route:
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# laptop
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
3. Client (laptop) — /etc/wireguard/wg0.conf
Route both the VPN subnet and the home LAN through the tunnel:
[Interface]
Address = 10.0.0.2/24
PrivateKey = CLIENT_PRIVATE_KEY
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = HOME_PUBLIC_IP:51820
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
4. Getting in from outside
Your home IP is usually dynamic and behind the router’s NAT, so:
- Port-forward UDP 51820 on the home router to the WireGuard box, and
- use a dynamic-DNS hostname as the client Endpoint (e.g. home.example.duckdns.org:51820).
5. Verify
sudo wg-quick up wg0
ping 192.168.1.10 # a device on the home LAN
Why MASQUERADE here: LAN devices don’t know a route back to 10.0.0.2, so the server NATs your
VPN traffic to its own LAN IP. If you’d rather preserve the client’s VPN IP on the LAN, add a static
route for 10.0.0.0/24 on the router instead of masquerading.
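As an added consistency check that is not part of the original guide, the script below lints a server/client pair against the rules the steps above rely on: the server binds the laptop's key to exactly its /32 (cryptokey routing), the laptop's AllowedIPs cover both the VPN subnet and the home LAN, the two subnets don't overlap, and PostDown undoes every PostUp rule. It assumes one peer per file and uses trimmed, constructed copies of the two configs above (private keys omitted).

```python
import ipaddress

# Constructed, trimmed copies of the two configs above (private keys omitted; not needed here).
SERVER_CONF = """[Interface]
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
"""
CLIENT_CONF = """[Interface]
Address = 10.0.0.2/24
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = home.example.duckdns.org:51820
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
"""

def parse_wg(text):
    """Flatten a one-peer wg-quick config into {key: value}; '#' comments are dropped."""
    lines = (ln.split("#", 1)[0] for ln in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in (ln.partition("=") for ln in lines) if sep}

def nets(field):
    return {ipaddress.ip_network(c.strip(), strict=False) for c in field.split(",")}

def lint_pair(server_text, client_text, lan="192.168.1.0/24"):
    """Return a list of problems; an empty list means the pair matches the design on this page."""
    srv, cli = parse_wg(server_text), parse_wg(client_text)
    vpn = ipaddress.ip_interface(srv["Address"]).network
    cli_ip = ipaddress.ip_interface(cli["Address"]).ip
    lan_net, problems = ipaddress.ip_network(lan), []
    if vpn.overlaps(lan_net):
        problems.append("VPN subnet overlaps the home LAN, so routes to LAN hosts are ambiguous")
    # Cryptokey routing: the server accepts from the laptop's key only packets sourced from its /32.
    if nets(srv["AllowedIPs"]) != {ipaddress.ip_network(f"{cli_ip}/32")}:
        problems.append("server [Peer] AllowedIPs is not exactly the client's /32")
    for want in (vpn, lan_net):  # step 3: both subnets must be routed into the tunnel
        if not any(want.subnet_of(a) for a in nets(cli["AllowedIPs"])):
            problems.append(f"client AllowedIPs does not route {want} through the tunnel")
    # Step 2: every rule PostUp adds, PostDown must delete, or 'wg-quick down' leaves NAT behind.
    up = {r.strip().replace(" -A ", " -D ") for r in srv["PostUp"].split(";")}
    if up != {r.strip() for r in srv["PostDown"].split(";")}:
        problems.append("PostDown does not undo every PostUp rule")
    return problems

if __name__ == "__main__":
    print(lint_pair(SERVER_CONF, CLIENT_CONF) or "configs are consistent")
```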