A lab you can only reach from your desk chair is a lab you stop checking. I wanted to get to mine from anywhere without doing the one thing that makes security people wince: forwarding a pile of ports through the firewall. The answer was WireGuard.
Why WireGuard
If you haven’t used it, WireGuard is a VPN that feels like it was designed by someone who hates VPNs. The config is a handful of lines, the keys are simple public/private pairs like SSH, and there’s no fragile daemon to babysit. Key generation is one line per device:
wg genkey | tee privatekey | wg pubkey > publickey
The lab side listens on exactly one UDP port. Everything else stays dark from the internet:
# lab side: wg0.conf
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <lab-private-key>
[Peer] # my phone
PublicKey = <phone-public-key>
AllowedIPs = 10.10.0.2/32
[Peer] # my laptop
PublicKey = <laptop-public-key>
AllowedIPs = 10.10.0.3/32
Each device gets a peer config pointing home. The AllowedIPs on the client side is the routing decision, and it’s worth thinking about instead of copying 0.0.0.0/0 from a tutorial:
# laptop side
[Interface]
Address = 10.10.0.3/24
PrivateKey = <laptop-private-key>
[Peer]
PublicKey = <lab-public-key>
Endpoint = my.ddns.hostname:51820
AllowedIPs = 10.10.0.0/24, 192.168.1.0/24 # lab subnets only, split tunnel
PersistentKeepalive = 25
Listing only the lab subnets means normal internet traffic stays off the tunnel, and the VPN only carries what it needs to. PersistentKeepalive matters for the phone: without it, the NAT mapping on whatever network the phone is on times out, and the tunnel silently stops passing traffic until the phone speaks first.
What it’s like to use
Once the tunnel is up, remote is the same as local. I can hit Grafana to check dashboards, reach NetBox, SSH into boxes, or kick a Semaphore job from wherever I am. When a playbook run fails while I’m away, I look at why instead of wondering until I get home. WireGuard’s roaming is the underrated part: the phone hops from home WiFi to cellular to a coffee shop and the tunnel just follows, because sessions are keyed to the peer, not the IP.
The layering lesson
The setup lesson worth passing on is about layers. The VPN gets you onto the network, but it shouldn’t be the only lock on the doors. Everything behind it still authenticates like the tunnel doesn’t exist: SSH keys, credentials in vault, services that ask who you are. A VPN that leads to trusting everything behind it isn’t security, it’s a single point of failure with good marketing.
