WireGuard VPN Tunnel — Take Your Home Protection With You

Extend your home network security, Pi-hole DNS filtering, and content controls to any device, anywhere in the world

Intermediate ~25 min read Updated: May 2026

🛡️ Why This Matters

The Securing Your Home Network guide explains how to replace your ISP router with hardware that gives you real IDS/IPS protection, deep packet inspection, and a proper firewall. The DNS Filtering guide walks through running Pi-hole and Unbound so your DNS is filtered, private, and free from ISP snooping. Together, those two guides build a well-defended home network.

The problem is that protection ends the moment you walk out the front door.

⚠️ Your Protection Stops at the Door

Every device you own that leaves your home network loses all the protections you've set up — unless you have a VPN tunnel home. Your phone on 4G, your laptop in a hotel, your child's tablet at a friend's house: all of them are back to unfiltered, unprotected internet the instant they leave your Wi-Fi.

What Happens When You Leave Home

  • Mobile on 4G/5G — DNS goes to your mobile carrier's servers. Pi-hole is bypassed entirely. ISP logging applies.
  • Public Wi-Fi — Hotel, café, and airport networks are unencrypted and untrustworthy. Traffic can be intercepted. DNS is controlled by whoever runs the hotspot.
  • Children's devices away from home — Every content filter and access schedule you've set up on your router stops working the moment the device connects to a different network.
  • IDS/IPS blind spot — Your router's intrusion detection cannot see traffic that isn't passing through it. Malware on a device can communicate freely when away from home.

A WireGuard VPN tunnel closes all of this. Traffic from your phone, laptop, or child's device is encrypted and routed back through your home router — so it passes through your IDS/IPS, your Pi-hole, your content filters, and your access schedules exactly as if the device were sitting on your home Wi-Fi. You own the server. No third-party VPN provider can see your data.

⚙️ How It Works

WireGuard creates an encrypted tunnel between your device and your home router. All network traffic — including DNS queries — travels through that tunnel. From the internet's perspective, everything originates from your home broadband connection.

The Traffic Flow

📡 Full Tunnel Traffic Path

Your Device (phone / laptop / tablet)
    ↓  [encrypted WireGuard tunnel over 4G, public Wi-Fi, etc.]
Your Home Router (UDM Pro / pfSense / OPNsense)
    ↓  IDS/IPS inspects and filters traffic
    ↓
Pi-hole (192.168.0.100) — DNS filtering + blocklists active
    ↓
Unbound — recursive private DNS resolution
    ↓
Internet

Every DNS query from your device is answered by Pi-hole, just as if the device were on your home Wi-Fi. Every blocked domain stays blocked. Content filters apply. Access schedules apply.

Why WireGuard?

"WireGuard uses state-of-the-art cryptography — ChaCha20 for symmetric encryption, Curve25519 for key exchange, and Poly1305 for message authentication — with a codebase small enough to be meaningfully audited. It is consistently faster, more battery-efficient, and simpler to configure than OpenVPN."
WireGuard Technical Overview — wireguard.com

✅ WireGuard

  • ~4,000 lines of code — auditable
  • Built into the Linux kernel
  • Fast — low CPU overhead
  • Low battery drain on mobile
  • Modern, fixed cipher suite — no misconfiguration risk
  • Native in UDM Pro (UniFi OS 3.x+), pfSense, and OPNsense
  • Free client apps for iOS, Android, Windows, macOS, Linux

⚠️ OpenVPN (for comparison)

  • 70,000+ lines of code
  • Requires additional software layer
  • Slower — higher CPU usage
  • Noticeable battery impact on mobile
  • Highly configurable — easy to misconfigure
  • Older protocol still widely supported
  • OpenVPN is not covered in this guide

💡 You Own the Server

Unlike commercial VPN services (NordVPN, ExpressVPN, etc.), this tunnel connects directly to your own home router. There is no third-party company logging your traffic, no subscription fee, and no reliance on another organisation's infrastructure. Your data stays yours.

📋 What You Need Before You Start

📚 Prerequisites

This guide assumes you have already followed the Securing Your Home Network guide and have a UDM Pro, pfSense, or OPNsense router in place. If you have also set up Pi-hole and Unbound, your DNS filtering will carry over to all tunnelled devices automatically.

1. A Compatible Router

Ubiquiti UDM Pro (UniFi OS 3.x or later), or a pfSense / OPNsense box. Both are covered in the home network guide. WireGuard is built in to all three — no additional packages needed on the UDM Pro.

2. Static IP or DDNS

Your home router needs a stable address for remote devices to connect to. If your ISP gives you a static IP, use it. Most residential connections use a dynamic IP — in that case, set up a free DDNS service such as DuckDNS or Cloudflare DDNS. Without this, the tunnel breaks every time your IP changes.

3. Port Forwarding (Only If Behind Double NAT)

On a UDM Pro that receives a public IP directly from your ISP, no manual port forwarding is needed — UniFi creates the required firewall rules automatically when you set up the WireGuard server. If your UDM Pro sits behind another router, you will need to forward UDP port 51820 on that upstream device to your UDM Pro's WAN IP. On pfSense or OPNsense, you will need to add the WAN firewall rule manually (covered in Section 7).

4. Pi-hole Running (Optional)

If you have Pi-hole installed at a known static LAN IP — this guide uses 192.168.0.100 as the example — your DNS filtering travels with the tunnel automatically. If you don't have Pi-hole, an alternative DNS fallback is covered in Section 9.

5. WireGuard Client App

Free and open source. Download: wireguard Windows installer, available on iOS (App Store), Android (Play Store / F-Droid), macOS install instructions, and Linux.

6. A Separate VPN Subnet

WireGuard needs its own private subnet — separate from your home LAN. This guide uses 10.10.10.0/24 for the tunnel. If your home network is already on 10.10.10.x, choose something else (e.g. 10.99.0.0/24).

⚠️ Subnet Conflict

Do not use the same subnet for your WireGuard tunnel as your home LAN. If your home network is 192.168.0.0/24, use something like 10.10.10.0/24 for the tunnel. Using the same range causes routing conflicts and the tunnel will not work correctly.

🔧 WireGuard Setup — Ubiquiti UDM Pro

The UDM Pro has WireGuard built directly into UniFi Network. No packages, no command line — the entire setup is done through the web interface. When you create the WireGuard server through the UniFi UI, it automatically configures the necessary firewall rules on your behalf — no manual port forwarding is required in a standard setup where your UDM Pro receives a public IP directly from your ISP.

💡 Double NAT Exception

If your UDM Pro sits behind another router (a common setup where an ISP-supplied device is still in the chain), you are in a double NAT situation. In that case you will need to forward UDP port 51820 on the upstream router to your UDM Pro's WAN IP. Go to Settings → Internet in UniFi to find your UDM Pro's WAN IP. If it starts with 192.168.x.x or 10.x.x.x, you are behind a NAT and will need that upstream port forward.

Step 1: Create the WireGuard Server

  1. Log in to your UniFi Network application (usually at https://192.168.0.1 or via unifi.ui.com)
  2. Go to Settings → VPN → VPN Server
  3. Click Create New and select WireGuard
  4. Give it a name — e.g. HomeVPN
  5. The UDM Pro generates a key pair automatically — no need to copy it at this stage, it is embedded in client configs automatically
  6. Set Listen Port to 51820 (UDP)
  7. Set Tunnel IP to 10.10.10.1/24 — this is the router's address inside the VPN subnet
  8. Click Save

UniFi automatically creates all required firewall policies in the policy engine for this VPN server. The WireGuard network is assigned to the VPN zone automatically.

Step 2: Configure DDNS (If No Static IP)

  1. First, register a free subdomain at duckdns.org — e.g. myhome.duckdns.org
  2. In UniFi Network, go to Settings → Internet → Dynamic DNS
  3. Click Add Dynamic DNS
  4. Select DuckDNS as the provider
  5. Enter your subdomain and DuckDNS token (found in your DuckDNS account dashboard)
  6. Save — UniFi updates DuckDNS automatically whenever your WAN IP changes

Your endpoint address for all client configs will be: myhome.duckdns.org:51820

📱 UDM Pro: Connecting a Mobile Device

The UDM Pro generates a QR code for each client — the easiest way to get a phone connected without any manual configuration.

Step 1: Add a Client in UniFi

  1. Go to Settings → VPN → WireGuard → HomeVPN
  2. Click Add Client
  3. Enter a name for the device — e.g. iPhone-15 or Pixel8
  4. Set the Client Tunnel IP to an address in your VPN subnet — e.g. 10.10.10.2/32 for the first mobile device
  5. Set Allowed IPs to 0.0.0.0/0 — this routes all traffic through the tunnel (see Split-Tunnelling if you prefer selective routing)
  6. Set DNS to 192.168.0.100, 1.1.1.1 (Pi-hole primary, Cloudflare fallback — see Section 9)
  7. Click Save — UniFi displays a QR code

Step 2: Scan the QR Code on Your Phone

  1. Install the WireGuard app on your phone from the App Store (iOS) or Google Play (Android)
  2. Open the WireGuard app and tap +Scan QR Code
  3. Point the camera at the QR code shown in UniFi — the profile imports automatically
  4. Give the tunnel a name when prompted — e.g. Home Network
  5. Tap the toggle to activate the tunnel

✅ Always-On VPN (Recommended for Children's Devices)

On iOS, go to Settings → General → VPN & Device Management → VPN — set the tunnel to Connect On Demand. On Android, go to Settings → Network & Internet → VPN — enable Always-on VPN. This ensures the tunnel activates automatically whenever the device has an internet connection, without the user needing to toggle it manually.

💡 One Client Per Device

Each device should have its own client profile and its own tunnel IP address. Never share the same WireGuard configuration between two devices — they will conflict and both will lose connectivity.

💻 UDM Pro: Connecting a Laptop

Laptops can't scan a QR code, so the client configuration is downloaded as a file instead.

Step 1: Create the Client Profile

  1. Go to Settings → VPN → WireGuard → HomeVPN → Add Client
  2. Name the client — e.g. MacBook-Pro or WorkLaptop
  3. Assign a tunnel IP — e.g. 10.10.10.3/32 (increment for each new device)
  4. Set Allowed IPs to 0.0.0.0/0
  5. Set DNS to 192.168.0.100, 1.1.1.1
  6. Instead of the QR code, click Download Configuration — save the .conf file

Step 2: Import on Windows

  1. Download and install WireGuard from wireguard.com/install
  2. Open the WireGuard app → click Import Tunnel(s) from File
  3. Select the .conf file you downloaded
  4. Click the Activate button to connect

Step 2: Import on macOS

  1. Install WireGuard from the Mac App Store
  2. Open WireGuard → File → Import Tunnel(s) from File
  3. Select the .conf file
  4. Click Activate to connect

Step 2: Import on Linux

  1. Install WireGuard: sudo apt install wireguard (Debian/Ubuntu)
  2. Copy the config file to /etc/wireguard/: sudo cp homeVPN.conf /etc/wireguard/wg0.conf
  3. Start the tunnel: sudo wg-quick up wg0
  4. To start automatically on boot: sudo systemctl enable wg-quick@wg0
  5. To stop: sudo wg-quick down wg0

🔧 WireGuard Setup — pfSense / OPNsense

Both pfSense and OPNsense support WireGuard natively. The setup involves more manual steps than the UDM Pro but gives you the same level of control.

pfSense Setup

Step 1: Install the WireGuard Package (pfSense)

  1. Log into your pfSense web interface
  2. Go to System → Package Manager → Available Packages
  3. Search for WireGuard and click Install
  4. Wait for installation to complete, then go to VPN → WireGuard

Step 2: Create the Tunnel (pfSense)

  1. Go to VPN → WireGuard → Tunnels → Add Tunnel
  2. Check Enable Tunnel
  3. Set Listen Port to 51820
  4. Click Generate to create a key pair — note the Public Key as you'll need it for client configs
  5. Set Interface Address to 10.10.10.1/24
  6. Click Save Tunnel

Step 3: Firewall and NAT Rules (pfSense)

  1. Go to Interfaces → Assignments — assign the new WireGuard interface and enable it
  2. Go to Firewall → NAT → Outbound — add a rule to masquerade traffic from 10.10.10.0/24 going out the WAN interface
  3. Go to Firewall → Rules → WireGuard interface — add a pass rule to allow traffic from 10.10.10.0/24
  4. Go to Firewall → Rules → WAN — add a rule to allow UDP port 51820 inbound

OPNsense Setup

Step 1: Create the WireGuard Instance (OPNsense)

  1. Log into your OPNsense web interface
  2. Go to VPN → WireGuard → Local and click +
  3. Check Enabled
  4. Set a Name — e.g. HomeVPN
  5. Set Listen Port to 51820
  6. Click the gear icon to generate keys — note the Public Key
  7. Set Tunnel Address to 10.10.10.1/24
  8. Click Save

Step 2: Assign Interface and Firewall Rules (OPNsense)

  1. Go to VPN → WireGuard → General — check Enable WireGuard and save
  2. Go to Interfaces → Assignments — find the WireGuard interface in the list and assign it
  3. Enable the interface and save
  4. Go to Firewall → Rules → WAN — add a pass rule for UDP port 51820
  5. Go to Firewall → Rules → WireGuard interface — add a pass rule for traffic from 10.10.10.0/24
  6. Go to Firewall → NAT → Outbound — ensure the WireGuard subnet is included in outbound NAT rules

Generating Client Key Pairs (pfSense / OPNsense)

Unlike the UDM Pro, pfSense and OPNsense don't generate client keys for you. You create them yourself — either on your client device or on any Linux/macOS machine with WireGuard installed.

Generate Keys on Linux / macOS

# Generate a private key and derive the public key from it
wg genkey | tee client_private.key | wg pubkey > client_public.key

# View the keys
cat client_private.key   # Keep this secret — goes in client config
cat client_public.key    # Share this with the router — goes in peer config

Generate Keys Using the WireGuard App (Windows / Mobile)

On Windows: open the WireGuard app → click the dropdown arrow next to Add TunnelAdd empty tunnel. The app generates a key pair automatically and shows the public key at the top.

On Android/iOS: open WireGuard → tap +Create from scratch. Tap Generate key pair. Note the public key — you will enter it into the router's peer configuration.

Add a Peer (Client) on pfSense

  1. Go to VPN → WireGuard → Peers → Add Peer
  2. Set Tunnel to your HomeVPN tunnel
  3. Enter the client's Public Key
  4. Set Allowed IPs to the tunnel IP for this device — e.g. 10.10.10.2/32
  5. Repeat for each device, incrementing the IP each time

Add a Peer (Client) on OPNsense

  1. Go to VPN → WireGuard → Peers and click +
  2. Check Enabled
  3. Set Name — e.g. Pixel8
  4. Enter the client's Public Key
  5. Set Allowed IPs to 10.10.10.2/32
  6. Set Instance to your HomeVPN local instance
  7. Save

📱 pfSense / OPNsense: Connecting a Mobile Device

Once you have the router's public key and have added the client as a peer, build the client configuration manually. This same config works for both Android and iOS.

Client Configuration File Template

[Interface]
# Your device's private key (generated on the device)
PrivateKey = <paste_client_private_key_here>

# This device's address inside the VPN tunnel
Address = 10.10.10.2/32

# DNS: Pi-hole primary, Cloudflare fallback
DNS = 192.168.0.100, 1.1.1.1

[Peer]
# Your router's public key (from pfSense / OPNsense server setup)
PublicKey = <paste_router_public_key_here>

# Your home router's public address and WireGuard port
Endpoint = myhome.duckdns.org:51820

# Route all traffic through the tunnel (full tunnel)
AllowedIPs = 0.0.0.0/0

# Keeps the tunnel alive through NAT — essential for mobile
PersistentKeepalive = 25

Replace the placeholder values with your actual keys and DDNS hostname. For the next device, use 10.10.10.3/32, and so on.

Import on Android

  1. Save the config as a .conf file (e.g. homeVPN.conf)
  2. Open the WireGuard app → tap +Import from file or archive
  3. Select your .conf file
  4. Activate the tunnel with the toggle

Import on iOS (Shortcut: QR Code)

On iOS, you can avoid file transfer by converting the config to a QR code. On a computer, visit qrcode-monkey.com, paste the full config text as the QR content, generate the code, then scan it with the WireGuard app using + → Scan QR Code.

Alternatively, save the .conf file to iCloud Drive and import it via + → Import from file or archive in the WireGuard app.

🌐 DNS Configuration — Pi-hole and Fallback

Correct DNS configuration is what makes your Pi-hole blocklists and filtering work on remote devices. Get this right and every device using the tunnel benefits from exactly the same protection as on your home network.

✅ If You Have Pi-hole Installed (Recommended)

In every WireGuard client configuration, set:

DNS = 192.168.0.100, 1.1.1.1
  • 192.168.0.100 — your Pi-hole's LAN IP (adjust if yours differs — check your Pi-hole admin panel under Settings → System). All DNS queries go here first, passing through your blocklists exactly as at home.
  • 1.1.1.1 — Cloudflare's privacy-focused public DNS, used as a fallback only if Pi-hole is temporarily unreachable. Under normal operation, all queries hit Pi-hole.

With the VPN tunnel active, the device's DNS traffic is routed through the tunnel to Pi-hole. Every blocked domain — phishing, malware, trackers, adult content — stays blocked, regardless of which network the device is physically connected to.

🔄 If You Do Not Have Pi-hole Installed

In your client configuration, set:

DNS = 192.168.0.1, 1.1.1.1
  • 192.168.0.1 — your home router's LAN IP (your gateway address). DNS queries go to the router, which uses whatever upstream DNS it is configured with.
  • 1.1.1.1 — Cloudflare fallback if the router is unreachable.

This is functional but provides less filtering protection than Pi-hole. The DNS Filtering guide covers Pi-hole setup in full.

⚠️ Do Not Use a Public DNS as Your Primary

Do not set your primary DNS to 8.8.8.8 (Google) or any other external resolver while the tunnel is active. This routes your DNS queries outside the tunnel to a third-party server, bypassing Pi-hole entirely and undoing the point of the exercise.

💡 Finding Your Pi-hole's IP Address

Log into the Pi-hole admin panel at http://192.168.0.100/admin (or whichever IP you set it to) → Settings → System. The IP address is shown at the top. Make sure Pi-hole has a static LAN IP — if it changes, all your VPN client DNS configurations will break silently. Set a static DHCP reservation for it on your router if you haven't already.

👨‍👩‍👧 Keeping Children Safe Online

📜 More Effective Than Waiting for Legislation

The Online Safety Act places obligations on platforms to protect children — but enforcement is slow, patchy, and dependent on tech companies policing themselves. A VPN tunnel home means the content filters and access schedules you've already configured on your router follow your child's device wherever it goes. That's immediate, direct control — no waiting for Ofcom.

Content Filtering That Travels With the Device

With the VPN tunnel active and Pi-hole as the DNS, your Pi-hole blocklists apply to your child's device wherever they are — at a friend's house, on mobile data, or connected to school Wi-Fi. Categories you've enabled in Pi-hole (adult content, social media, gambling, etc.) are blocked network-wide regardless of what app or browser they use.

🔒 UDM Pro: Traffic Management Profiles

  1. In UniFi → go to Settings → Profiles → Traffic Management
  2. Create a Restrictions profile — e.g. Child Device
  3. Enable content category filtering — select categories such as adult content, gambling, social networking, and streaming
  4. Assign the profile to your child's device by its MAC address or its WireGuard tunnel IP
  5. These restrictions apply whether the device is on your home Wi-Fi or tunnelled in remotely

🔒 pfSense / OPNsense: pfBlockerNG DNSBL

  1. Install pfBlockerNG via System → Package Manager
  2. Go to Firewall → pfBlockerNG → DNSBL
  3. Enable category-level blocking — select adult content, gambling, social media, and other categories as appropriate
  4. These DNS-level blocks apply to all devices using Pi-hole or the pfSense DNS resolver as their upstream, including VPN tunnel clients

Device-Level Access Scheduling

Access schedules let you restrict internet access to certain hours — no screens after 9pm on school nights, for example. Configured on the router, these schedules apply to the device's tunnel traffic, so they work even when the device is away from home.

📅 UDM Pro: Traffic Rules with Schedules

  1. Go to Settings → Traffic & Firewall → Traffic Rules
  2. Click Create New Rule
  3. Set the target device (by IP or device group)
  4. Set the Action to Block
  5. Under Schedule, define the days and times when internet should be blocked — e.g. Mon–Fri after 21:00
  6. Save — the rule applies to the device's tunnel traffic as well as local traffic

Belt and Braces — Device-Level Controls Too

Router-level controls are the most robust because no app on the device can bypass them while the VPN is active. Combining them with device-level controls adds an extra layer.

iOS — Screen Time

  • Settings → Screen Time → Content & Privacy Restrictions
  • Restrict explicit content, web filtering, and App Store purchases
  • Set Downtime to restrict device use at night
  • Use a Screen Time passcode separate from the device passcode
  • Set Always Allow for essential apps — everything else blocked during downtime

Android — Digital Wellbeing + Family Link

  • Google Family Link allows parental supervision of a child's account
  • Set app limits and daily screen time via Family Link
  • Digital Wellbeing → Bedtime Mode restricts use at set hours
  • Approve app downloads remotely before they install
  • Location sharing via Family Link for younger children

⚠️ Preventing the Tunnel Being Disabled

For this to work reliably, children should not be able to simply turn the VPN off. On iOS, this can be enforced via Screen Time → Content & Privacy Restrictions → VPN — set to Don't Allow Changes. On Android, use a device management profile (via Google Workspace for Education or a third-party MDM) to enforce always-on VPN and prevent configuration changes. Without this, a tech-savvy teenager will simply disable the tunnel.

✅ Visibility Through Pi-hole

With the VPN active and Pi-hole as the DNS, every domain your child's device queries — whether at home or away — appears in the Pi-hole query log. You can see what sites were attempted, what was blocked, and when. Go to your Pi-hole admin at http://192.168.0.100/adminQuery Log — filter by the device's tunnel IP to see its activity specifically.

🔀 Split-Tunnelling Explained

When you set AllowedIPs = 0.0.0.0/0 in a WireGuard client config, all traffic — every connection the device makes — is routed through the home tunnel. This is called a full tunnel. Split-tunnelling is the alternative: only specific traffic goes through the tunnel, and the rest goes directly to the internet from wherever the device is.

✅ Full Tunnel (Recommended for Most)

  • All traffic protected by home IDS/IPS
  • Pi-hole filtering applies to all DNS queries
  • Content filters and schedules fully enforced
  • Public Wi-Fi traffic encrypted end-to-end
  • Best for children's devices
  • Best for security on untrusted networks
  • AllowedIPs = 0.0.0.0/0

⚡ Split Tunnel (Access Home Resources Only)

  • Only home LAN and tunnel traffic routed via home
  • All other internet traffic goes direct
  • Not limited by home broadband upload speed
  • Pi-hole filtering does not apply to public internet traffic
  • Best for remote working — access NAS, home servers, etc.
  • Best when home upload speed is limited
  • AllowedIPs = 192.168.0.0/24, 10.10.10.0/24

How to Switch Between Full and Split Tunnel

In the [Peer] section of any WireGuard client config, change the AllowedIPs line:

# Full tunnel — all traffic through home
AllowedIPs = 0.0.0.0/0

# Split tunnel — only home LAN and VPN subnet
AllowedIPs = 192.168.0.0/24, 10.10.10.0/24

You can maintain two separate client profiles on a laptop — one full tunnel for public Wi-Fi, one split tunnel for home resource access — and switch between them as needed.

⚠️ Children's Devices: Always Use Full Tunnel

For any child's device, always configure AllowedIPs = 0.0.0.0/0. Split-tunnelling on a child's device means direct, unfiltered internet access for all traffic not destined for your home network — completely bypassing Pi-hole and content filters.

🖥️ Accessing Home Servers Remotely

If you run a web server, NAS, or any other service on your home network, the WireGuard tunnel gives you full access to it from anywhere — as if you were sitting on your home Wi-Fi. No port exposure to the public internet, no third-party remote access tools, no monthly subscriptions.

💡 How This Works

Once the VPN tunnel is active, your laptop or phone is assigned a tunnel IP on the 10.10.10.0/24 subnet. From there, it can reach any device on your home LAN by its local IP address — including servers on VLANs — exactly as if it were physically connected to your network. Your server never needs to be exposed to the internet at all.

Scenario: Accessing an FTP Server on a Separate VLAN

A common home server setup on a UDM Pro uses VLANs to segment traffic — for example, a web/file server on a dedicated server VLAN at 192.168.60.x, separate from the main LAN at 192.168.0.x. Both subnets need to be included in your WireGuard client's AllowedIPs for this to work.

Step 1: Update AllowedIPs in Your Laptop's Client Config

Open your WireGuard client config (the .conf file, or edit via the WireGuard app). In the [Peer] section, update AllowedIPs to include both your main LAN subnet and your server VLAN subnet:

[Peer]
PublicKey = <router_public_key>
Endpoint = myhome.duckdns.org:51820
PersistentKeepalive = 25

# Main LAN + server VLAN + VPN tunnel subnet
AllowedIPs = 192.168.0.0/24, 192.168.60.0/24, 10.10.10.0/24

This is a split tunnel — your general internet traffic goes direct, but anything destined for 192.168.0.x, 192.168.60.x, or the VPN subnet routes through the home router. Your broadband upload speed does not become a bottleneck for general browsing.

Step 2: Check Zone Assignments (UniFi Network 9.0+ Policy Engine)

UniFi Network 9.0 and later (including the current 10.x releases) replaced the old firewall rules interface with a zone-based policy engine. Traffic is now controlled by the zone each network belongs to, not by individual interface rules. Before creating any policy, confirm which zones your networks are in.

  1. Go to Settings → Zones
  2. Confirm your WireGuard VPN server is in the VPN zone — UniFi assigns WireGuard here automatically
  3. Confirm your server VLAN (192.168.60.x) is in the Internal zone — this is the default for locally created networks

Check the Zone Matrix (the grid of zones shown on screen). The cell where VPN (source row) meets Internal (destination column) should show Allow All by default. If it does, traffic from your WireGuard tunnel to your server VLAN is already permitted at the zone level — move to Step 3.

Step 2b: Create a Firewall Policy If Access Is Still Blocked

If the zone matrix shows Policies rather than Allow All on the VPN → Internal cell, or if your server VLAN has been placed in a custom zone, you will need to create an explicit allow policy. Follow each field in the order they appear on screen.

  1. Go to Settings → Policy Table → Create New Policy
  2. Policy type — select Firewall (first option in the list; others are Route, QOS, NAT, DNS, ACL, Port Forward)
  3. Source Zone — select VPN
  4. Source (address) — leave as Any to apply to all WireGuard clients, or select IP and enter a specific tunnel IP (e.g. 10.10.10.2) to restrict to one device
  5. Source Port — leave as Any
  6. Action — select Allow
  7. Destination Zone — select Internal
  8. Destination (address) — select IP → enter 192.168.60.234 to target the specific server only, or leave as Any to allow access to the entire Internal zone
  9. Destination Port — leave as Any for full server access, or select Specific → enter 21 to permit FTP only
  10. IP Version — leave as IPv4 (already selected by default)
  11. Connection State — leave as All
  12. Syslog logging — leave unselected
  13. Schedule — leave as Always
  14. Click Save

Once saved, use the Reorder option in the policy table to place this policy above any existing block policies — rules are evaluated top to bottom and the first match applies.

💡 Intra-Zone Traffic (Both Networks in Internal Zone)

If both your WireGuard tunnel network and your server VLAN are assigned to the Internal zone, the zone matrix will not help — traffic between networks in the same zone is governed by intra-zone policies (Internal → Internal in the matrix). Check that cell. If it shows Allow All, traffic should already flow. If access is still blocked, create a policy with both source and destination zone set to Internal, scoping it to your specific source and destination IPs.

Step 3: Connect and Access the Server

With the tunnel active and the firewall rule in place, connect to your server exactly as you would at home — using its LAN IP address directly:

# FTP connection example (command line)
ftp 192.168.60.234

# Or in an FTP client (FileZilla, Cyberduck, etc.)
Host: 192.168.60.234
Port: 21
Protocol: FTP (or SFTP if configured)

No special configuration is needed on the server itself. It sees the connection arriving from your tunnel IP (10.10.10.x) via the internal network — indistinguishable from a local connection.

⚠️ FTP and Plain-Text Credentials

Standard FTP (port 21) transmits login credentials and file data unencrypted. Since this traffic is inside an encrypted WireGuard tunnel, it is protected in transit — but it is still worth migrating to SFTP (port 22) or FTPS where possible, particularly if other users on the server VLAN could intercept traffic. Most modern FTP clients (FileZilla, Cyberduck, WinSCP) support SFTP natively.

Accessing Other Home Services the Same Way

The same approach works for any service on your home network. Add the relevant subnet to AllowedIPs and, if it's on a different VLAN, add the corresponding firewall rule on the UDM Pro.

Common Home Server Use Cases

  • Web server (HTTP/HTTPS)192.168.60.234:80 / :443 — access via browser at http://192.168.60.234
  • SSH / remote terminal192.168.60.234:22ssh user@192.168.60.234
  • NAS (Synology, QNAP, TrueNAS) — access the admin panel by IP in a browser
  • Home Assistant / self-hosted apps — access by LAN IP and port as normal
  • Plex / Jellyfin media server — add the LAN subnet to AllowedIPs and connect via local IP for maximum quality
  • Remote desktop (RDP port 3389) — connect using the machine's LAN IP directly from Windows Remote Desktop or any RDP client

✅ Why This Is Better Than Port Forwarding

The alternative to this approach is opening ports on your router's WAN firewall — exposing your server directly to the public internet. That puts every service you run at the mercy of automated scanners and brute-force bots that probe open ports 24 hours a day. The VPN tunnel approach keeps everything closed from the outside. Your server is only reachable by devices that have a valid WireGuard key — everything else sees a closed network.

✅ Verifying It Works

Before relying on the tunnel for protection, confirm it is routing traffic correctly and that Pi-hole is receiving DNS queries from the connected device.

1. Check Your Public IP Has Changed

With the WireGuard tunnel active on your device, visit whatismyip.com in a browser. The IP address shown should be your home broadband IP, not your mobile carrier's IP or the hotel Wi-Fi's public IP. If it still shows your mobile/external IP, the tunnel is not routing traffic correctly — check your AllowedIPs setting and confirm the tunnel is active.

2. Confirm the WireGuard Handshake

In the WireGuard app on your device, the active tunnel should show Last handshake: a few seconds ago (or a recent timestamp). If it shows Never, the device has not successfully connected to your home router. Check:

  • Port forwarding on the router (UDP 51820 open and pointing correctly)
  • DDNS is resolving to the correct WAN IP — test with ping myhome.duckdns.org
  • The router's public key in the client config matches what the server generated
  • The server peer config has the correct client public key and allowed IP

3. Check DNS Is Going Through Pi-hole

Open the Pi-hole admin panel at http://192.168.0.100/admin → go to Query Log. With the tunnel active and the device browsing, you should see queries appearing from your device's VPN tunnel IP address (e.g. 10.10.10.2). If no queries appear, the DNS in the client config may be incorrect — verify the Pi-hole IP matches what you entered.

4. Test a Blocked Domain

Try to visit a domain that Pi-hole should be blocking — for example, doubleclick.net (an ad-tracking domain blocked by most default blocklists). It should fail to load. You can also check from a command line:

# On macOS / Linux
dig +short doubleclick.net @192.168.0.100
# Should return: 0.0.0.0

# On Windows (PowerShell)
Resolve-DnsName doubleclick.net
# Should return 0.0.0.0 if Pi-hole is blocking it

5. Confirm DNS Routing (Advanced)

# macOS / Linux — query Pi-hole directly to confirm it's responding
dig +short whoami.cloudflare.com TXT @192.168.0.100

# This query will appear in Pi-hole's query log if DNS is routing correctly

✅ Everything Working?

If your public IP shows your home address, the WireGuard handshake is recent, and Pi-hole's query log shows traffic from your device's tunnel IP — your home network protection is now fully active on the remote device. DNS filtering, content blocking, and (for full tunnel) IDS/IPS inspection all apply exactly as they do at home.

🔄 Ongoing Maintenance

Regular Tasks

Weekly: Check Handshake Status

Open the WireGuard app on each regularly used device and confirm the tunnel shows a recent handshake timestamp. A stale or missing handshake means the tunnel has not connected. Investigate before assuming protection is in place.

Monthly: Review Pi-hole Logs for VPN Devices

Check the query log filtered by each device's tunnel IP. Look for unusual query patterns, high volumes of blocked requests, or any unexpected domains being queried — these can indicate compromised apps or devices.

After Any Broadband Outage

If your ISP changes your WAN IP during an outage, DDNS should update automatically — but verify. Test the tunnel from an external connection after the service is restored. A DDNS update failure means remote devices cannot reconnect until it resolves.

When Adding a New Device

Always generate a fresh client profile with a new key pair and a new tunnel IP address. Never reuse or share a WireGuard private key between devices — if one device is lost or compromised, you can revoke its peer entry on the router without affecting any other device.

After Firmware Updates

🔧 Post-Update Checks

After updating UniFi OS, pfSense, or OPNsense firmware, always verify:

  • The WireGuard service is running — check VPN → WireGuard status
  • The port forwarding rule for UDP 51820 is still in place
  • DDNS is still updating correctly
  • At least one remote device can successfully connect and tunnel traffic through Pi-hole

Firmware updates occasionally reset service configurations. A quick verification takes two minutes and confirms your protection is intact.

If a Device Is Lost or Stolen

⚠️ Revoke the Peer Immediately

If a device with an active WireGuard profile is lost or stolen, remove its peer entry from the router immediately. On the UDM Pro: VPN → WireGuard → HomeVPN → Clients — delete the entry. On pfSense/OPNsense: VPN → WireGuard → Peers — delete the peer. This invalidates the device's key pair and prevents it from tunnelling into your home network. Your other devices are unaffected.