Set up WireGuard VPN for secure remote home network access.
This skill appears to be an open-source, prompt/documentation-style WireGuard setup guide. It does not declare required secrets or third-party remote endpoints, so overall risk is low; however, it includes system-level network configuration, iptables changes, and handling of local sensitive config files, which merits normal operational caution.
No API keys, tokens, or external account credentials are required by the material. It only covers local WireGuard keypair generation and storage; the private key is sensitive, but the README explicitly warns against sharing or committing it, with no sign of credential exfiltration or misuse.
No third-party service endpoints are declared. The networking described is limited to an encrypted tunnel to the user's own WireGuard server/home network over the usual UDP 51820 path, with no stated transfer of user data to unrelated external services.
The README includes system commands such as apt installation, wg key generation, iptables rules, chmod, and IP forwarding changes. If followed, these would make privileged local changes to networking and firewall behavior; this is normal for this kind of ops/networking skill, but commands should be reviewed carefully before use.
The documentation involves reading and writing local configuration and key files, such as private/public keys and wg0.conf under /etc/wireguard, with restrictive file permissions. This access scope matches the stated WireGuard deployment purpose, with no sign of unrelated data collection or overbroad authorization, though the files themselves are sensitive.
The source is an open-source GitHub repository with very high community adoption (~210k stars), which materially lowers supply-chain risk. Although the license is unspecified and maintenance status is unknown, and only documentation is shown rather than a full code audit, there are no clear red flags based on the available facts.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "homelab-wireguard-vpn" skill from askskill: 1. Download https://raw.githubusercontent.com/affaan-m/ECC/main/skills/homelab-wireguard-vpn/SKILL.md 2. Save it as ~/.claude/skills/homelab-wireguard-vpn/SKILL.md 3. Reload skills and tell me it's ready
Create a step-by-step guide to set up a WireGuard VPN server for my homelab, including server installation, key generation, sample configs, firewall rules, and port forwarding on Ubuntu.
An actionable Ubuntu WireGuard server setup guide with sample configs and networking requirements.
I already have a WireGuard server. Generate example peer configurations for an iPhone and a Windows laptop, including key generation steps, AllowedIPs settings, and QR import instructions.
Client configuration examples for mobile and desktop, with clear instructions for secure import and connection.
Compare WireGuard full tunnel and split tunnel setups, and recommend a configuration for the need: only access home NAS and LAN services without affecting normal internet browsing. Include AllowedIPs examples.
A clear comparison of both routing modes and a recommended configuration for home remote access.
WireGuard is a fast, modern VPN protocol. It is the right choice for remote access to a home network — simpler to configure than OpenVPN and faster than most alternatives.
All configuration examples show common setups. Review each command — especially the iptables forwarding rules and key file permissions — before applying them to your system, and make changes in a maintenance window.
Your phone (WireGuard client)
│
│ Encrypted UDP tunnel (port 51820)
│
Your home router (WireGuard server — needs a public IP or DDNS)
│
Your home network (192.168.1.0/24, NAS, Pi, etc.)
Every device has a keypair (public + private key).
The server knows each client's public key.
The client knows the server's public key + endpoint (IP:port).
Traffic is encrypted end-to-end with no central server or certificate authority.
# Install WireGuard
sudo apt update && sudo apt install wireguard -y
# Generate server keypair — create files with private permissions from the start
sudo mkdir -p /etc/wireguard
sudo sh -c 'umask 077; wg genkey > /etc/wireguard/server_private.key'
sudo sh -c 'wg pubkey < /etc/wireguard/server_private.key > /etc/wireguard/server_public.key'
# Write server config — substitute the actual private key value
# Do not store private keys in version control or share them
sudo tee /etc/wireguard/wg0.conf << 'EOF'
[Interface]
Address = 10.8.0.1/24 # VPN subnet — server gets .1
ListenPort = 51820
PrivateKey = <paste_server_private_key_here>
# Scoped forwarding rules: allow VPN traffic in/out, not a blanket FORWARD ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# Phone — replace with the actual phone public key
PublicKey = <phone_public_key>
AllowedIPs = 10.8.0.2/32
[Peer]
# Laptop — replace with the actual laptop public key
PublicKey = <laptop_public_key>
AllowedIPs = 10.8.0.3/32
EOF
sudo chmod 600 /etc/wireguard/wg0.conf
# Replace eth0 with your actual outbound interface name
# Check with: ip route show default
# Enable IP forwarding (required for routing traffic through the server)
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-wireguard.conf
sudo sysctl --system
# Start WireGuard and enable on boot
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
# Generate a unique keypair for each client device
# Run on the client, or on the server and transfer the private key securely — never in plaintext
umask 077
wg genkey | tee phone_private.key | wg pubkey > phone_public.key
# Client config file (phone_wg0.conf):
[Interface]
PrivateKey = <phone_private_key>
Address = 10.8.0.2/32
DNS = 192.168.1.2 # Optional: use Pi-hole for DNS over the tunnel
[Peer]
PublicKey = <server_public_key>
Endpoint = your-home-ip.ddns.net:51820 # Your public IP or DDNS hostname
AllowedIPs = 192.168.1.0/24 # Split tunnel: only home network traffic
# AllowedIPs = 0.0.0.0/0, ::/0 # Full tunnel: all traffic through VPN
PersistentKeepalive = 25 # Keep NAT hole open (required for mobile clients)
…
Handle returns, refunds, fraud checks, and warranty claim decisions efficiently.
Use Bun for runtime, bundling, testing, packages, and Node migration decisions.
Use the correct Ethereum Keccak-256 hashing in Node.js and TypeScript.
Apply Nuxt 4 patterns for SSR safety, performance, and data fetching.
Generate images, videos, and audio with one unified AI media workflow.
Design Quarkus 3 backend patterns for messaging, APIs, data, and async workflows.
Checks homelab network readiness before VLAN, DNS, firewall, or VPN changes.
Plan a reliable home or homelab network with practical setup guidance.
Expose localhost services through public HTTPS, TCP, or UDP tunnels.
Securely expose local services to the public internet through encrypted tunnels.
Set up and manage Pi-hole DNS, blocking, and home network resolution.
Manage SSH tunnels and remote hosts with file, security, and config tools.