You can self-host everything! You can self-host your own spotify. That’s part of our Ultimate Home Server series.
But will you have enough bandwidth? It takes a vanishingly small amount of bandwidth to stream music. If your upload is as little as 2 megabit you can do it!
But how can you safely connect back to your home spotify server? A VPN! With Wireguard.
Wireguard is a fast, modern and secure VPN tunnel. As you build your Ultimate Home Server with Level1Techs resources, it is only natural to want access to everything on that server from everywhere.
In the past we’ve covered running a proxy on your router or on a hosted provider like Linode to manage access to your home server, but this is not for the Level1 Techs among us.
Opening up services on the public internet is convenient, but over the longer term it isn’t secure unless you really keep up with the security updates of all the underlying software.
The alternative? A VPN. A VPN setup gives you a virtual and private network from specific devices back to your home network. Your home network, and the services on it, are not on the public internet.
VPN software is generally pretty hardened against attackers and the “security lifetime” is generally much longer. You should still apply security updates to the software you’re using, but the chances of a remotely exploitable flaw in Wireguard are much lower than for other things.
The good news is that Wireguard IS one of the newest AND easiest to set up options for self-hosting your own VPN.
- Wireguard as a server or client on your Home Router (pfSense)
- Wireguard, as a server or client, on your NAS (Truenas Scale or Core)
If you have done other Level1Techs tutorials going back to the beginning of time, you know we’re big fans of building your own router because of the flexibility and experience that gives you. It is a good learning exercise.
Tom at Lawrence systems did a more recent video on setting up pfSense with Wireguard and you should check that out:
The part we need is up to about the 10 minute mark.
If you don’t have pfsense that can be OK. If your ISP requires you use their router, or you have carrier-grade NAT (meaning your IP is not a public IP) it can still work.
If you have a public IP, this guide does require you to reconfigure your firewall or router to forward a port for Wireguard to an internal machine.
Your ISP probably gives you a public IP address only on your router and then translates all your internal devices to just that one IP when they need to make outbound requests.
Generally you don’t want your internal network “naked” on the public internet with public unfirewalled IPs, either.
Some ISPs don’t even hand out public IP addresses!
This is called Network Address Translation (NAT). When your ISP doesn’t even give you a public IP and there are multiple layers of NAT, that is called carrier-grade NAT.
A remote device on the internet cannot address your home server by its internal IP address (such as 192.168.1.5), and so you must forward a port on your home router to this internal address.
If you’re in the unfortunate position of not having a public IP on your router then you can still use a VPN from your home server out to a small Virtual Private Server (VPS) on a provider like Linode.
Ryan covered that eventuality here:
In this scenario, you would set up TrueNAS as a Wireguard client to Linode, same as above, and other clients, like your mobile phone, can also connect to Linode.
We’ll cover more about this in the context of a home server in a sec.
If your ISP gives you a real IP address, but one that changes periodically, you can use a dynamic DNS service that automatically updates a hostname to point to
This one seems pretty decent? I don’t use dynamic DNS personally – perhaps some other L1 community members can chime in with non-scammy ones? Dynamic DNS should be very-near-to-free (if not free). On the order of $5/year (or less).
The DuckDNS page explains it but, in a nutshell, you get a name from duckdns such as myhomeserver.duckdns.org. As your ISP changes your IP address, there is a little program that runs on your home server periodically and pings DuckDNS with your security key from DuckDNS.
Wherever that ping comes from, it updates the name myhomeserver.duckdns.org to point to the new IP.
That’s the address you use, rather than your IP address, with Wireguard when the time comes.
So if it seems like we’re jumping right in, the good news is that we’ve covered the step-by-step in other videos and posts here up till now.
The setup we’re using for the server is TrueNAS Scale for our home server (covered in past videos). It’ll work just fine on anything from a potato-class castoff PC from a business to high-end servers (and everything in between).
TrueNAS Scale is great because it is based on Linux under the hood (which has excellent Wireguard support) and because we can run all sorts of containers and appliances on it to do things for us like manage media and the like.
It is important to understand that TrueNAS Core is built on FreeBSD under the hood, and so it works differently than TrueNAS Scale. Core also has “native” Wireguard support in the GUI, and there is good documentation:
… but TrueNAS Scale doesn’t have the same UI Options
Go to System > Shell and run:

```
apt update
apt install wireguard wireguard-tools
```
Verify that you have an `/etc/wireguard` directory:

```
ls -l /etc/wireguard
```
In this directory is where we store our Wireguard configuration.
Next we’ll generate our keypairs for wireguard:
```
wg genkey | tee /etc/wireguard/private.key
chmod go= /etc/wireguard/private.key
cat /etc/wireguard/private.key | wg pubkey | tee /etc/wireguard/public.key
```
Next we need to decide what IPs to give Wireguard clients that connect here.
I’ve selected 172.16.16.1 - 172.16.16.254; this has a subnet mask of 255.255.255.0 and is sometimes written as 172.16.16.0/24.
I picked this because it is different than anything I’m already running locally. You can’t re-use the same IP range for different networks in different contexts without a lot of headache.
In the video, we set up a phone to connect to the Wireguard server. It’s a little tricky because to set up the server, we should “at least” have the details we need for the first client, called [Peer] in the configuration.
Ryan covered this really well; we don’t need to rehash setting up wireguard. We’re essentially doing the same thing here, but with the phone as the client.
Next we configure the interface wg0 in `/etc/wireguard/wg0.conf` (note that multiple AllowedIPs entries are comma-separated):

```
[Interface]
PrivateKey = base64_encoded_private_key_goes_here
Address = 172.16.16.1/24
ListenPort = 51820
SaveConfig = true

[Peer]
PublicKey = NtriTSUtGSXXk4JUkE35savYY72x9HSw8GUeSCI2fn4=
AllowedIPs = 172.16.16.0/24, 192.168.1.0/24
```
The one difference is that we don’t have an endpoint. Phones and client devices could come from anywhere.
Also note the ListenPort – that’s the port you need to forward from your router, and you can make it any arbitrary port you want. It maybe does make things slightly more secure to pick a random port between 2000 and 65000.
The AllowedIPs controls what IPs are accessible to that Peer. We have allowed the wireguard network (potentially you could have multiple peers!) as well as our internal/lan network.
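As an added example (not code from the original post), here is a small Python script that writes matching server and phone configs for this setup and sanity-checks the addressing before anything is deployed. One caveat worth knowing: AllowedIPs is Wireguard’s cryptokey routing table, so on the server each [Peer] should get only its own tunnel /32, while the LAN range belongs in the phone’s AllowedIPs, since that is the side deciding what to send into the tunnel. It assumes the DuckDNS name from earlier as the endpoint and uses placeholder private keys; the phone’s address is a constructed sample.

```python
import ipaddress

# Values from the post; the DuckDNS hostname is the example name it uses.
TUNNEL = ipaddress.ip_network("172.16.16.0/24")
LAN = ipaddress.ip_network("192.168.1.0/24")
SERVER_TUNNEL_IP = ipaddress.ip_address("172.16.16.1")
ENDPOINT = "myhomeserver.duckdns.org:51820"

# Constructed sample peer: the phone, with the public key shown in the post.
PEERS = {"phone": ("NtriTSUtGSXXk4JUkE35savYY72x9HSw8GUeSCI2fn4=", "172.16.16.3")}


def validate_plan(tunnel, lan, server_ip, peers):
    """Return a list of addressing problems; an empty list means the plan is sound."""
    problems = []
    if tunnel.overlaps(lan):  # the post's rule: never reuse a range for two networks
        problems.append(f"tunnel {tunnel} overlaps LAN {lan}")
    owner = {server_ip: "server"}
    for name, (_key, ip) in peers.items():
        addr = ipaddress.ip_address(ip)
        if addr not in tunnel or addr in (tunnel.network_address, tunnel.broadcast_address):
            problems.append(f"{name}: {addr} is not a usable host in {tunnel}")
        # Cryptokey routing maps each address to exactly one peer; a duplicate
        # would silently end up on whichever peer was loaded last.
        if addr in owner:
            problems.append(f"{name}: {addr} already used by {owner[addr]}")
        owner.setdefault(addr, name)
    return problems


def server_conf(private_key, peers, tunnel=TUNNEL, server_ip=SERVER_TUNNEL_IP, port=51820):
    """Server side: every [Peer] gets only its own /32 in AllowedIPs."""
    lines = ["[Interface]", f"PrivateKey = {private_key}",
             f"Address = {server_ip}/{tunnel.prefixlen}", f"ListenPort = {port}"]
    for name, (key, ip) in peers.items():
        lines += ["", f"# {name}", "[Peer]", f"PublicKey = {key}", f"AllowedIPs = {ip}/32"]
    return "\n".join(lines) + "\n"


def client_conf(private_key, server_pubkey, ip, tunnel=TUNNEL, lan=LAN, endpoint=ENDPOINT):
    """Client side: AllowedIPs is what the phone should send into the tunnel."""
    lines = ["[Interface]", f"PrivateKey = {private_key}", f"Address = {ip}/32", "",
             "[Peer]", f"PublicKey = {server_pubkey}", f"Endpoint = {endpoint}",
             f"AllowedIPs = {tunnel}, {lan}", "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"
```

Run `validate_plan` before writing the files; the rendered text goes into `/etc/wireguard/wg0.conf` on the server and into the Wireguard app on the phone.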
If you want to do something like use this Wireguard connection to connect to an internal computer, for example for remote control or Steam streaming, it won’t work right.
What is happening is your default gateway doesn’t know about this new 172.16.16.0/24 network. You must add a route on your router to get to 172.16.16.0/24 via 192.168.1.5 (IP of your truenas).
If you can’t add routes on your router, you can do it on Windows with a command like:

```
route add 172.16.16.0 mask 255.255.255.0 192.168.1.5 -p
```

The -p makes it persist across reboots. I trust the rest is self-explanatory?
TrueNAS Scale comes set up for IP forwarding (basically, the machine will route traffic), but double check:

```
sysctl -a | grep ip_for
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
```

The output should say net.ipv4.ip_forward = 1, meaning that the system will permit IP forwarding.
In this case, we’ve got a bit of a 3-way relationship.
TrueNAS Scale connects to our Linode VPS and gets the IP 172.16.16.2
Our phone connects to our Linode VPS and gets the IP 172.16.16.3
From there, we can access services on the TrueNAS machine via the IP 172.16.16.2
It is possible to also access your home LAN via this 3-way Wireguard setup, but that is a little more complicated. You have to set up the route on the Wireguard box and allow the traffic.
Now we have a connection to our home server on our phone. We can connect to our internal self-hosted spotify clone. No more subscriptions for me!
Not just spotify – all our home server stuff. Anything running in our home lab!