Securely Connect Your HestiaCP Server to Your HomeLab via WireGuard
This guide shows you—step by step—how to establish a secure WireGuard VPN tunnel from an external Ubuntu server (running HestiaCP) into your home network behind a FRITZ!Box. Once up and running, you’ll be able to:
- Monitor your external server with local tools like Wazuh
- Expose internal services (e.g. containers, web-apps) securely over the tunnel
- Access any device in your home LAN as if you were on site
Prerequisites
- DynDNS on your FRITZ!Box: configure a dynamic DNS provider (e.g. `myhome.dyndns.org`) under Internet → MyFRITZ! / DynDNS.
- FRITZ!Box WireGuard firmware (FRITZ!OS 7.50+ or a custom WireGuard add-on).
- SSH/root access to your Ubuntu server with HestiaCP installed.
1. Export WireGuard Config from FRITZ!Box
- Log in to the FRITZ!Box UI → VPN → WireGuard.
- Create a new peer profile for your external server.
- Export the `.conf` file. You'll get something like `wg_config.conf`.
2. Prepare Your Ubuntu/HestiaCP Server
2.1 Install WireGuard & Resolver Helper
```bash
sudo apt update
sudo apt install wireguard wireguard-tools openresolv
```
`openresolv` provides the `resolvconf` binary that wg-quick uses to push the DNS settings from the config.
2.2 Place and Secure the Config
Paste the exported config into `/etc/wireguard/wg0.conf` and make sure only root can read it, since it contains your private key and the preshared key:
```bash
sudo nano /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/wg0.conf
sudo chown root:root /etc/wireguard/wg0.conf
```
3. Tweak the Configuration for Split-Tunnel
Edit `/etc/wireguard/wg0.conf` and restrict the VPN to your home-LAN subnets only. Remove any `0.0.0.0/0` or `::/0` entries from AllowedIPs:
```ini
[Interface]
PrivateKey = <YOUR_SERVER_PRIVATE_KEY>
Address = 192.168.178.135/24,fd4e:6fb7:3f1::135/64
DNS = 192.168.178.1

[Peer]
PublicKey = <FRITZBOX_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
Endpoint = myhome.dyndns.org:51820
# Important! The FRITZ!Box export contains:
# AllowedIPs = 192.168.178.0/24,0.0.0.0/0,fd4e:6fb7:3f1::/64,::/0
# You do not need 0.0.0.0/0 or ::/0. With them, wg-quick routes all of the
# server's traffic into the tunnel and you will lose your SSH connection.
# If that happens, recover with: sudo wg-quick down wg0
AllowedIPs = 192.168.178.0/24,fd4e:6fb7:3f1::/64
PersistentKeepalive = 25
```
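Because a stray `0.0.0.0/0` or `::/0` in AllowedIPs cuts your SSH session the moment the tunnel comes up, it is worth checking the file before running wg-quick. The checker below is an added example, not part of this guide or of the WireGuard tools; the embedded config is constructed from the values above with placeholder keys, and the function names and finding messages are my own.

```python
import ipaddress

# Constructed sample of the FRITZ!Box export before the split-tunnel edit (placeholder keys).
FRITZBOX_EXPORT = """\
[Interface]
PrivateKey = <YOUR_SERVER_PRIVATE_KEY>
Address = 192.168.178.135/24,fd4e:6fb7:3f1::135/64
DNS = 192.168.178.1
[Peer]
PublicKey = <FRITZBOX_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
Endpoint = myhome.dyndns.org:51820
AllowedIPs = 192.168.178.0/24,0.0.0.0/0,fd4e:6fb7:3f1::/64,::/0
PersistentKeepalive = 25
"""

def parse_wg_conf(text):
    """Parse a wg-quick style config into {section: {key: value}} (one [Peer] assumed)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def networks(csv):
    """Turn a comma-separated AllowedIPs value into ip_network objects."""
    return [ipaddress.ip_network(n.strip(), strict=False) for n in csv.split(",") if n.strip()]

def strip_default_routes(allowed_ips):
    """Return AllowedIPs with 0.0.0.0/0 and ::/0 removed, i.e. the split-tunnel edit."""
    return ",".join(str(n) for n in networks(allowed_ips) if n.prefixlen != 0)

def split_tunnel_findings(text):
    """List mistakes that would break this guide's setup; an empty list means OK."""
    peer = parse_wg_conf(text).get("Peer", {})
    findings = []
    for net in networks(peer.get("AllowedIPs", "")):
        if net.prefixlen == 0:  # wg-quick would route all server traffic into wg0
            findings.append(f"AllowedIPs contains {net}: all traffic goes via the tunnel, SSH will drop")
    if "PersistentKeepalive" not in peer:
        findings.append("no PersistentKeepalive: the FRITZ!Box NAT mapping may time out")
    return findings
```

Run `split_tunnel_findings(open("/etc/wireguard/wg0.conf").read())` as root after editing; the untouched export yields two findings, the edited config yields none.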
4. Open Port 51820 in HestiaCP Firewall
WireGuard uses UDP port 51820 by default. In HestiaCP:
- Go to Server → Firewall.
- Click Add Rule:
  - Action: Allow
  - Protocol: UDP
  - Port: 51820
  - Source: `0.0.0.0/0` (and/or `::/0` for IPv6)
  - Comment: WireGuardVPN
- Save and ensure the rule is active.
Or via CLI
5. Bring Up the WireGuard Tunnel
```bash
sudo wg-quick up wg0
```
Verify that the interface is up and that only your home-LAN subnet is routed through it:
```bash
ip a show wg0
```
```text
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 192.168.178.135/24 scope global wg0
valid_lft forever preferred_lft forever
inet6 fd4e:6fb7:3f1::135/64 scope global
valid_lft forever preferred_lft forever
```
```bash
ip route | grep 192.168.178.0/24
```
```text
192.168.178.0/24 dev wg0 proto kernel scope link src 192.168.178.135
```
Enable the tunnel on boot:
```bash
sudo systemctl enable wg-quick@wg0
```
6. Install & Configure Wazuh Agent over the Tunnel
With the VPN live, your server can now reach your local Wazuh Manager at its LAN address (here `192.168.178.103`).
```bash
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.12.0-1_amd64.deb
sudo WAZUH_MANAGER='192.168.178.103' \
  WAZUH_AGENT_GROUP='default,linux-ubuntu' \
  WAZUH_AGENT_NAME='extern-nc-server' \
  dpkg -i wazuh-agent_4.12.0-1_amd64.deb
sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-agent
systemctl status wazuh-agent
```
Your external server’s Wazuh agent will now report into your local Wazuh deployment over the WireGuard tunnel.
7. What You Can Do Next
- Securely expose internal web-apps (Nextcloud, Home Assistant) via reverse-proxy on your server.
- SSH into any home-LAN device without port-forwarding on your router.
- Monitor all your critical systems centrally with Wazuh, Grafana, etc.
- Extend to multiple remote sites or branch offices with the same setup.
By following this tutorial, you’ve created a fast, encrypted VPN link between your HestiaCP server and your FRITZ!Box home network—unlocking countless secure-access use cases for admins and developers alike.