Setting Up WireGuard VPN on Proxmox VE

Complete guide to deploying a WireGuard VPN server on Proxmox VE in an LXC container, covering key generation, peer configuration, routing, DNS settings, and mobile client setup.

Why WireGuard on Proxmox?

WireGuard is a modern VPN protocol that is faster, simpler, and more secure than OpenVPN or IPSec. It runs efficiently in an LXC container on Proxmox VE, consuming minimal resources — often under 64 MB of RAM. With WireGuard, you can securely access your entire homelab network from anywhere, route mobile traffic through your home connection for privacy, or link multiple sites together.

Creating the LXC Container

WireGuard is a kernel module, so the container needs access to the host's TUN device and the ability to load kernel modules. Create a lightweight container:

# Create the container
pct create 140 local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst \
  --hostname wireguard \
  --memory 256 \
  --cores 1 \
  --rootfs local-lvm:2 \
  --net0 name=eth0,bridge=vmbr0,ip=192.168.1.40/24,gw=192.168.1.1 \
  --unprivileged 0 \
  --start 1

Note that we use a privileged container (unprivileged 0) because WireGuard needs to create network interfaces. If you prefer an unprivileged container, you will need to install WireGuard on the Proxmox host and use a different approach.

Add the required device access to the container configuration:

# Edit /etc/pve/lxc/140.conf — add these lines
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file 0 0

Installing WireGuard

# Inside the container
apt update && apt install -y wireguard wireguard-tools iptables

# Enable IP forwarding
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.conf
sysctl -p

Generating Keys

WireGuard uses public/private key pairs for authentication. Generate keys for the server and each client:

# Generate server keys
cd /etc/wireguard
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key

# Generate a client key pair
wg genkey | tee client1_private.key | wg pubkey > client1_public.key

# Generate a pre-shared key for additional security
wg genpsk > client1_preshared.key

Server Configuration

Create the WireGuard interface configuration. The VPN subnet uses 10.0.0.0/24 in this example:

# /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <contents of server_private.key>

# NAT and forwarding rules
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Client 1 — Laptop
[Peer]
PublicKey = <contents of client1_public.key>
PresharedKey = <contents of client1_preshared.key>
AllowedIPs = 10.0.0.2/32

# Client 2 — Phone
[Peer]
PublicKey = <client2 public key>
PresharedKey = <client2 preshared key>
AllowedIPs = 10.0.0.3/32

# Enable and start WireGuard
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

# Verify the interface is up
wg show

Client Configuration

Each client needs a configuration file. Here is an example for a laptop that routes all traffic through the VPN (full tunnel):

# client1.conf — Full tunnel (all traffic through VPN)
[Interface]
PrivateKey = <contents of client1_private.key>
Address = 10.0.0.2/24
DNS = 1.1.1.1, 9.9.9.9

[Peer]
PublicKey = <contents of server_public.key>
PresharedKey = <contents of client1_preshared.key>
Endpoint = your-public-ip:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

For a split tunnel that routes only homelab traffic through the VPN, change AllowedIPs in the client's [Peer] section to the VPN subnet plus your LAN subnet:

# Split tunnel — only homelab traffic goes through VPN
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
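
An added example, not part of the original guide: shell functions that fill in the placeholders in the configs above from the key files created in the key-generation step, so key material is never pasted by hand. The function names, argument order and the output file DIR/NAME.conf are assumptions; the key file names follow the guide.

```bash
#!/usr/bin/env bash
# Added example: fill the config placeholders from the key files.
# Function names and argument order are illustrative assumptions.

# render_client_conf DIR NAME TUNNEL_IP ENDPOINT ALLOWED_IPS DNS
# Reads DIR/NAME_private.key, DIR/NAME_preshared.key and DIR/server_public.key,
# then writes DIR/NAME.conf with mode 600.
render_client_conf() {
  local dir="$1" name="$2" ip="$3" endpoint="$4" allowed="$5" dns="$6" f
  for f in "$dir/${name}_private.key" "$dir/${name}_preshared.key" \
           "$dir/server_public.key"; do
    [ -s "$f" ] || { echo "missing or empty key file: $f" >&2; return 1; }
  done
  (
    umask 077   # subshell keeps the umask change local to this write
    cat > "$dir/$name.conf" <<EOF
[Interface]
PrivateKey = $(cat "$dir/${name}_private.key")
Address = $ip/24
DNS = $dns

[Peer]
PublicKey = $(cat "$dir/server_public.key")
PresharedKey = $(cat "$dir/${name}_preshared.key")
Endpoint = $endpoint
AllowedIPs = $allowed
PersistentKeepalive = 25
EOF
  )
  chmod 600 "$dir/$name.conf"   # tighten a file that already existed
}

# render_server_peer DIR NAME TUNNEL_IP
# Prints the [Peer] stanza for wg0.conf; the client's private key is never read.
render_server_peer() {
  local dir="$1" name="$2" ip="$3"
  [ -s "$dir/${name}_public.key" ] && [ -s "$dir/${name}_preshared.key" ] \
    || { echo "missing key file for $name" >&2; return 1; }
  printf '\n# %s\n[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s/32\n' \
    "$name" "$(cat "$dir/${name}_public.key")" \
    "$(cat "$dir/${name}_preshared.key")" "$ip"
}

# Usage on the server, after the key-generation step:
#   render_client_conf /etc/wireguard client1 10.0.0.2 your-public-ip:51820 \
#     '0.0.0.0/0, ::/0' '1.1.1.1, 9.9.9.9'
#   render_server_peer /etc/wireguard client1 10.0.0.2 >> /etc/wireguard/wg0.conf
```

The generated client file contains the client's private key; once the device has imported it, it can be deleted from the server.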

DNS Configuration

If you run a local DNS server (like Pi-hole or AdGuard Home) on your homelab, point VPN clients to it for ad blocking while connected:

# In the client config, set DNS to your Pi-hole address
[Interface]
DNS = 192.168.1.53

Make sure the DNS server allows queries from the WireGuard subnet (10.0.0.0/24).

Router and Firewall Setup

For external clients to connect, you need to forward the WireGuard port on your router:

  • Forward UDP port 51820 to the container IP (192.168.1.40)
  • If your ISP uses CGNAT, you may need to use a VPS as a relay or request a public IP
  • For dynamic IPs, use a DDNS service and set the client endpoint to your DDNS hostname

Mobile Client Setup

The WireGuard app is available for iOS and Android. The easiest way to configure mobile clients is to generate a QR code from the server:

# Install qrencode
apt install -y qrencode

# Generate QR code for the client config
qrencode -t ansiutf8 < /etc/wireguard/client1.conf

Open the WireGuard app on your phone, tap "Add a tunnel" and scan the QR code. The connection will be configured instantly.

Verifying the Connection

After connecting a client, verify the tunnel is working on both ends:

# On the server — check connected peers
wg show
# You should see the peer with a recent handshake timestamp
# and non-zero transfer bytes

# On the client — verify you can reach the homelab
ping 192.168.1.1    # Your router
ping 192.168.1.30   # Another LXC/VM on your network
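
An added example, not part of the original guide: the server-side handshake check above as a filter over `wg show wg0 dump`, usable from a cron job or monitoring script. The function name `stale_peers` and the suggested 180-second threshold are assumptions; an idle peer without PersistentKeepalive will also be reported as stale.

```bash
#!/usr/bin/env bash
# Added example: list peers without a recent handshake.
# stale_peers and the suggested 180 s threshold are assumptions.
#
# `wg show wg0 dump` prints one tab-separated line per peer:
#   public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive
# The first line (4 fields) describes the interface and carries the server's
# private key, and peer lines carry preshared keys, so the raw dump should not
# be logged. Only the public key and allowed IPs are echoed here.

# stale_peers NOW MAX_AGE   (dump on stdin; exit status 1 if any peer is flagged)
stale_peers() {
  awk -F'\t' -v now="$1" -v max="$2" '
    NF != 8 { next }                       # skip the interface line
    $5 == 0 { printf "%s %s never\n", $1, $4; bad = 1; next }
    now - $5 > max {
      printf "%s %s stale %ds\n", $1, $4, now - $5; bad = 1
    }
    END { exit bad + 0 }
  '
}

# Usage on the server:
#   wg show wg0 dump | stale_peers "$(date +%s)" 180
```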

Monitoring and Maintenance

WireGuard is remarkably stable once configured — it rarely needs attention. The container uses so few resources that it can run alongside other services without issue. For quick verification that your VPN container is online, especially when troubleshooting connectivity from the road, ProxmoxR provides a fast way to check container status and resource usage from your mobile device.

Keep WireGuard updated by running apt update && apt upgrade periodically. Key rotation is not strictly necessary with WireGuard's cryptographic design, but you can regenerate keys and redistribute configs if a device is lost or compromised.

Conclusion

A WireGuard VPN on Proxmox gives you secure remote access to your entire homelab with minimal overhead. The container uses under 256 MB of RAM, the configuration is a single file per peer, and the performance is fast enough to stream video or transfer large files through the tunnel. Once the initial setup is done, it runs silently in the background — connecting in milliseconds whenever you need it.
