Route VPS Traffic Through Home WireGuard with LAN Access

This article explains a setup where a VPS sends traffic through a home Internet connection using WireGuard, while still allowing access between the VPS and the home LAN.

Topology

Internet
    <->
MikroTik (pppoe-out1) - dynamic home IP via DDNS; wg0: 10.10.2.2/24
    <-> WireGuard tunnel (MikroTik UDP 53281 <-> VPS UDP 51820)
VPS (203.0.113.10) - wg0: 10.10.2.1/24

LAN 172.16.0.0/24 sits behind the MikroTik: the VPS reaches it through the tunnel, and the VPS's own Internet traffic leaves through pppoe-out1.

1. VPS - /etc/wireguard/wg0.conf

[Interface]
Address = 10.10.2.1/24
ListenPort = 51820
PrivateKey = <private_key_vps>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT

[Peer]
# MikroTik
PublicKey = <public_key_mikrotik>
AllowedIPs = 0.0.0.0/0          # route all traffic through the tunnel
Endpoint = home.example.net:53281
PersistentKeepalive = 25

2. VPS Firewall

Protocol  Port   Source
UDP       51820  0.0.0.0/0
TCP       22     0.0.0.0/0

3. MikroTik

WireGuard Interface

/interface wireguard
add name=wg0 listen-port=53281 private-key="<private_key_mikrotik>"

/ip address
add address=10.10.2.2/24 interface=wg0

Peer (VPS)

/interface wireguard peers
add interface=wg0 \
    public-key="<public_key_vps>" \
    endpoint-address=203.0.113.10 \
    endpoint-port=51820 \
    allowed-address=10.10.2.1/32 \
    persistent-keepalive=25s

Route - Let LAN know the path back to VPS

/ip route
add dst-address=10.10.2.0/24 gateway=wg0

Firewall - Allow forwarding

/ip firewall filter
add chain=forward in-interface=wg0 action=accept place-before=0
add chain=forward out-interface=wg0 action=accept place-before=1

4. Verification

# On VPS - check whether the tunnel has a handshake
wg show

# On VPS - check current public IP
curl ifconfig.me

# On MikroTik - ping VPS WireGuard IP
/ping 10.10.2.1

# From a LAN machine - ping VPS WireGuard IP
ping 10.10.2.1
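The checks above can be scripted. The following is an added example, not part of the original article: it parses the machine-readable output of `wg show wg0 dump` and `ip -4 rule show` on the VPS and reports whether the peer has a fresh handshake, which endpoint it is currently using, and whether wg-quick's full-tunnel policy rules are in place. The embedded dump and rule listings are constructed samples (the endpoint 198.51.100.7 and the public keys are placeholders); with `RUN_LIVE=1` it queries the real system instead.

```shell
#!/bin/sh
# Added example, not part of the original article: a scripted form of the
# verification step for the VPS side. It parses `wg show wg0 dump` and
# `ip -4 rule show` and reports handshake freshness, the peer endpoint in use,
# and whether wg-quick's full-tunnel policy routing exists. With RUN_LIVE=1 it
# queries the real system; otherwise only the constructed samples are used.

# Constructed sample of `wg show wg0 dump` (tab separated). Line 1 is the
# interface: private key, public key, listen port, fwmark. Line 2 is the
# MikroTik peer: public key, preshared key, endpoint, allowed IPs, latest
# handshake as a Unix timestamp (0 = never), rx bytes, tx bytes, keepalive.
# 198.51.100.7 stands in for whatever the home DDNS name currently resolves to.
SAMPLE_DUMP=$(printf 'privkey-redacted\tVPS_PUBKEY\t51820\t0xca6c\n'
              printf 'MIKROTIK_PUBKEY\t(none)\t198.51.100.7:53281\t0.0.0.0/0\t1700000000\t123456\t654321\t25\n')

# Constructed sample of `ip -4 rule show` after wg-quick brought up the
# 0.0.0.0/0 peer (the real output has a tab after the colon).
SAMPLE_RULES='0: from all lookup local
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
32766: from all lookup main
32767: from all lookup default'

# Seconds since the peer's latest handshake, or -1 if there never was one.
# $1 = dump text, $2 = current time as a Unix timestamp.
handshake_age() {
    ts=$(printf '%s\n' "$1" | awk -F '\t' 'NR == 2 { print $5 }')
    if [ -z "$ts" ] || [ "$ts" -eq 0 ]; then
        printf '%d\n' -1
    else
        printf '%d\n' $(( $2 - ts ))
    fi
}

# Succeeds when the handshake is fresher than MAX_AGE seconds. WireGuard rekeys
# about every two minutes while packets flow, and the 25 s keepalive keeps them
# flowing, so a handshake older than three minutes means the path is broken.
MAX_AGE=180
tunnel_healthy() {
    age=$(handshake_age "$1" "$2")
    [ "$age" -ge 0 ] && [ "$age" -le "$MAX_AGE" ]
}

# The endpoint (host:port) WireGuard currently uses for the peer. Comparing it
# with the DDNS name's current address shows whether the VPS has followed a
# change of the home IP.
peer_endpoint() {
    printf '%s\n' "$1" | awk -F '\t' 'NR == 2 { print $3 }'
}

# Succeeds when both wg-quick full-tunnel rules are present: the fwmark rule
# that sends unmarked traffic to the tunnel's routing table, and the
# suppress_prefixlength rule that hides only the main table's default route.
has_full_tunnel_rules() {
    printf '%s\n' "$1" | grep -q 'fwmark .* lookup' &&
        printf '%s\n' "$1" | grep -q 'lookup main suppress_prefixlength 0'
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
    now=$(date +%s)
    dump=$(wg show wg0 dump)
    rules=$(ip -4 rule show)
    if tunnel_healthy "$dump" "$now"; then
        echo "handshake ok, $(handshake_age "$dump" "$now") s ago"
    else
        echo "NO recent handshake"
    fi
    echo "peer endpoint: $(peer_endpoint "$dump")"
    echo "home.example.net resolves to: $(getent hosts home.example.net | awk '{ print $1; exit }')"
    if has_full_tunnel_rules "$rules"; then
        echo "full-tunnel policy routing present"
    else
        echo "full-tunnel policy rules MISSING"
    fi
    echo "egress IP seen from the VPS: $(curl -s ifconfig.me) (expected: the home IP, not 203.0.113.10)"
fi
```

The handshake timestamp is the most reliable liveness signal: `wg show` reports a peer even when no packet has ever been exchanged, so an endpoint line alone proves nothing, while a handshake younger than the rekey interval proves both keys and the UDP path are good.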

Important Notes

  • If DNS resolution fails on the VPS: echo "nameserver 1.1.1.1" > /etc/resolv.conf
  • For a dynamic home IP, use the DDNS name (home.example.net) as the endpoint. The MikroTik must keep the DDNS record updated when its WAN IP changes. Because the MikroTik also sends keepalives to the VPS's fixed address, the VPS learns a new home IP from those packets as well; the DDNS name matters mainly when the VPS (re)starts the tunnel.
  • The VPS's Internet-bound traffic arrives at the MikroTik with source 10.10.2.1 and leaves via pppoe-out1, so the MikroTik's srcnat masquerade rule must cover it. The default configuration's masquerade rule on the WAN interface list does, provided pppoe-out1 is in that list.
  • SSH to VPS still uses 203.0.113.10 if the VPS provider allows inbound TCP 22. With AllowedIPs = 0.0.0.0/0, wg-quick's policy routing hides the main table's default route, so replies sourced from 203.0.113.10 would be sent into the tunnel and NATed at home; add a policy rule that gives traffic from the public address a full main-table lookup before enabling the tunnel over SSH.
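The following is an added example, not part of the original article, of the policy rule that keeps connections to the VPS's own public address out of the tunnel. The rule priority 100 and the script path named in the comments are assumptions; any priority below wg-quick's 3276x rules works. The `ip rule show` listing embedded in the block is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original article: keep traffic sourced from the
# VPS's own public address out of the tunnel. wg-quick's 0.0.0.0/0 handling adds
# "not fwmark ... lookup 51820" and "lookup main suppress_prefixlength 0", which
# hides the main table's default route, so replies sourced from 203.0.113.10
# (an SSH session, for instance) would go through wg0 and be NATed at home, and
# the session that just enabled the tunnel would hang. A rule that sends
# anything from the public address to a full main-table lookup, at a priority
# above wg-quick's rules, fixes that.

VPS_PUBLIC_IP=203.0.113.10
PIN_PREF=100   # assumption: any priority below wg-quick's 32764/32765 rules works

# `ip rule` arguments for the pin, kept in one place so up, down and the check agree.
pin_rule_args() {
    printf 'from %s/32 lookup main pref %s' "$1" "$PIN_PREF"
}

# wg0.conf hooks. Assumed install path; add to [Interface] as
#   PostUp   = /usr/local/sbin/pin-public-ip.sh up
#   PostDown = /usr/local/sbin/pin-public-ip.sh down
pin_up()   { ip -4 rule add $(pin_rule_args "$VPS_PUBLIC_IP"); }
pin_down() { ip -4 rule del $(pin_rule_args "$VPS_PUBLIC_IP"); }

# Constructed sample of `ip -4 rule show` with the pin in place (the real
# output has a tab after the colon). iproute2 prints a /32 source as a bare
# address, so the pin shows up as "from 203.0.113.10 lookup main".
SAMPLE_RULES_PINNED='0: from all lookup local
100: from 203.0.113.10 lookup main
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
32766: from all lookup main
32767: from all lookup default'

# Succeeds when the `ip rule show` text in $1 contains the pin for address $2.
pin_present() {
    printf '%s\n' "$1" | grep -q "^$PIN_PREF:[[:space:]]*from $2 lookup main"
}

# Succeeds when the pin is evaluated before wg-quick's fwmark rule, i.e. its
# priority number is smaller. Both numbers are read from the listing in $1.
pin_takes_precedence() {
    pin=$(printf '%s\n' "$1" | awk -F: '/from '"$2"' lookup main/ { print $1; exit }')
    wg=$(printf '%s\n' "$1" | awk -F: '/fwmark .* lookup/ { print $1; exit }')
    [ -n "$pin" ] && [ -n "$wg" ] && [ "$pin" -lt "$wg" ]
}

case "${1:-}" in
    up)    pin_up ;;
    down)  pin_down ;;
    check) if pin_present "$(ip -4 rule show)" "$VPS_PUBLIC_IP"; then
               echo "public address pinned to the main table"
           else
               echo "public address NOT pinned; SSH replies will enter the tunnel"
           fi ;;
esac
```

Run `sh pin-public-ip.sh check` after `wg-quick up wg0` to confirm the rule survived the PostUp hook. The tunnel's own UDP packets are unaffected by the pin because wg-quick marks them with the fwmark, and they are routed by the main table anyway.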