WireGuard: Beyond the most basic configuration

Dynamic DNS, Home Networks, and WireGuard

  • Many use dynamic DNS (Cloudflare, freedns.afraid.org, cron jobs on routers/servers) to track home ISP IP changes and make a home WireGuard endpoint usable from the road.
  • Some question why dynamic DNS is needed; others clarify it’s for tracking the public home IP so mobile clients can find the VPN server without manual updates.
  • A minority prefers putting a VPS in front of the home network as a hub for security and bandwidth reasons; others are comfortable exposing WireGuard directly on a home router.
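The cron-job approach mentioned above, written out as an added example (this is not code from the discussion): check the public address on every tick and rewrite the DNS record only when it has actually changed, so a flapping lookup service or a provider outage never causes a storm of writes. The lookup URL (api.ipify.org) and the Cloudflare v4 DNS-record endpoint are assumptions for the sake of illustration; swap in your own provider. The environment variable names in the main block are placeholders.

```python
"""Dynamic-DNS updater for a home WireGuard endpoint (added example).

Assumptions (not from the original discussion): the public IP is read from
https://api.ipify.org, and the record is rewritten through Cloudflare's v4 API
(PUT /zones/{zone_id}/dns_records/{record_id}). Both are illustrative choices.
"""
import ipaddress
import json
import os
import urllib.request

CLOUDFLARE_API = "https://api.cloudflare.com/client/v4"


def parse_public_ip(text):
    """Validate the lookup service's reply; return the IP string, or None on junk."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def fetch_public_ip(url="https://api.ipify.org", timeout=10):
    """Ask an external service which address our NAT presents to the Internet."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_public_ip(resp.read().decode("ascii", "replace"))


def make_cloudflare_updater(zone_id, record_id, name, token, ttl=60):
    """Return a callable that rewrites the A record to a new address.

    proxied=False matters: Cloudflare's proxy only relays HTTP, so a proxied
    record would hide the UDP WireGuard endpoint instead of pointing at it.
    """
    def update(ip):
        body = json.dumps({"type": "A", "name": name, "content": ip,
                           "ttl": ttl, "proxied": False}).encode()
        req = urllib.request.Request(
            f"{CLOUDFLARE_API}/zones/{zone_id}/dns_records/{record_id}",
            data=body, method="PUT",
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return bool(json.load(resp).get("success"))
    return update


class FileCache:
    """Remember the last address we published, so cron runs stay quiet."""
    def __init__(self, path):
        self.path = path

    def get(self):
        try:
            with open(self.path) as fh:
                return parse_public_ip(fh.read())
        except OSError:
            return None

    def set(self, ip):
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            fh.write(ip + "\n")
        os.replace(tmp, self.path)  # atomic: a crash never leaves a half-written cache


class MemoryCache:
    """Same interface, in memory; handy for dry runs and tests."""
    def __init__(self):
        self.ip = None

    def get(self):
        return self.ip

    def set(self, ip):
        self.ip = ip


def run_once(fetch_ip, update_record, cache):
    """One cron tick: fetch, compare with the cache, publish only on change.

    Returns "no-ip" (lookup failed), "unchanged", "failed" (provider rejected
    the write; cache untouched so the next tick retries) or "updated".
    """
    current = fetch_ip()
    if current is None:
        return "no-ip"
    if current == cache.get():
        return "unchanged"
    if not update_record(current):
        return "failed"
    cache.set(current)
    return "updated"


if __name__ == "__main__":
    # All four environment variable names are placeholders for this example.
    updater = make_cloudflare_updater(
        os.environ["CF_ZONE_ID"], os.environ["CF_RECORD_ID"],
        os.environ["WG_DNS_NAME"], os.environ["CF_API_TOKEN"])
    print(run_once(fetch_public_ip, updater,
                   FileCache(os.path.expanduser("~/.wg-ddns-last-ip"))))
```

Run it from cron every few minutes; the file cache is what keeps the provider API quiet between real ISP address changes, and validating the lookup reply with ipaddress keeps an error page from ever being written into the A record.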

DNS, Internal Services, and Tools

  • Internal DNS options mentioned: Unbound, dnsmasq, dnscrypt, PowerDNS, Pi-hole, router-integrated services.
  • Some find PowerDNS powerful but complex; others say the docs and simple backends (sqlite) make it manageable.
  • For small setups, /etc/hosts entries are seen as simpler than running DNS.
  • One person struggles with Tailscale MagicDNS’s lack of subdomain support and is moving to a private DNS server for flexibility.

WireGuard Routing, AllowedIPs, and “Exclude” Use Cases

  • Several people want an easy way to send “all traffic except X” or “most traffic except private ranges” over WireGuard, but note WireGuard’s design mirrors the kernel routing table, which doesn’t support negation.
  • Workarounds include: explicit more-specific routes, firewall rules (nftables/iptables), or turning Table=off in wg-quick and managing routes manually.
  • Tools like calculators for split-tunnels are referenced, but overall this is viewed as clunky.
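The "split-tunnel calculator" idea from the points above, as an added example rather than any tool from the discussion: because AllowedIPs behaves like a routing table (longest prefix wins, no negation), "everything except these ranges" has to be spelled out as the list of blocks that cover the complement. The function below subtracts any number of excluded networks from a base (0.0.0.0/0 and ::/0 by default) using only the standard library, tolerates exclusions that overlap each other or swallow whole pieces, and renders the AllowedIPs line. Excluding the three RFC 1918 ranges yields the familiar 31-entry IPv4 list.

```python
"""Complement calculator for WireGuard AllowedIPs (added example)."""
import ipaddress


def allowed_ips_excluding(excludes, base=("0.0.0.0/0", "::/0")):
    """Return sorted networks covering every address in `base` but none in `excludes`.

    Works piece by piece: each exclusion either removes a piece entirely (the
    piece lies inside it), splits a piece (the exclusion lies inside the piece),
    or leaves it alone. Pieces of the other address family are never touched.
    """
    keep = [ipaddress.ip_network(b, strict=False) for b in base]
    for ex_str in excludes:
        ex = ipaddress.ip_network(ex_str, strict=False)
        next_keep = []
        for net in keep:
            if net.version != ex.version:
                next_keep.append(net)
            elif net.subnet_of(ex):
                continue                      # wholly excluded: drop it
            elif ex.subnet_of(net):
                next_keep.extend(net.address_exclude(ex))   # carve the hole
            else:
                next_keep.append(net)         # disjoint: untouched
        keep = next_keep
    # collapse_addresses merges adjacent blocks; it needs one family at a time
    v4 = ipaddress.collapse_addresses(n for n in keep if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in keep if n.version == 6)
    return sorted(v4) + sorted(v6)


def covers(networks, address):
    """True if `address` would be routed into the tunnel under these AllowedIPs."""
    addr = ipaddress.ip_address(address)
    return any(addr.version == n.version and addr in n for n in networks)


def allowed_ips_line(networks):
    """Render the [Peer] setting that wg-quick (or wg set) expects."""
    return "AllowedIPs = " + ", ".join(str(n) for n in networks)


RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

if __name__ == "__main__":
    nets = allowed_ips_excluding(RFC1918)
    print(allowed_ips_line(nets))
    print(len([n for n in nets if n.version == 4]), "IPv4 entries")
```

With the default Table setting, wg-quick installs one kernel route per entry, so this list is also exactly what Table=off users would add by hand with ip route; the covers() check is a cheap way to confirm, before bringing the interface up, that a LAN printer or the local DNS resolver will stay outside the tunnel.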

Config Management, RBAC, and Higher-Level Systems

  • Pain points: manually syncing configs, rotating keys, and managing per-user access (RBAC).
  • Some argue this is by design: WireGuard is a low-level transport, not an identity/RBAC system.
  • Others see this as a missing “standard upper layer” and note that alternatives (e.g., Tailscale, Defguard, Firezone, NordVPN Meshnet-like systems, wirehub) layer identity, SSO, policy, and config distribution on top of WireGuard.
  • Enthusiasts praise these systems for ease-of-use; skeptics dislike giving up control to centralized or proprietary components.

Tailscale, Zerotier, and Alternatives

  • Strong praise for Tailscale’s usability, NAT traversal, exit nodes, and subnet routers (to reach non-client devices).
  • Counterpoints:
    • Concern about lock-in and complexity when you need custom DNS, routing, or nonstandard setups.
    • Some prefer Zerotier’s device-joining workflow.
    • Others insist on plain WireGuard for full control and router compatibility, sometimes combined with headscale.

IPv6, Prefix Delegation, and Advanced Use Cases

  • People use /48 or /56 IPv6 prefixes with WireGuard, sometimes assigning public IPv6 to home infra and phones.
  • A recurring unsolved issue: doing IPv6 prefix delegation and SLAAC over WireGuard for many clients, while keeping WireGuard’s per-peer AllowedIPs model happy.
  • Some experiments with router advertisements (radvd) over WG work in limited scenarios, but multi-client, dynamic addressing conflicts with static AllowedIPs.
  • An abandoned wg-dynamic project is mentioned as a potential, now-stalled, solution.

NAT, UPnP, and P2P Behavior

  • The article’s implication that NAT is required is disputed; several note that plain routed subnets with static routes work fine if the rest of the network knows the WireGuard gateway.
  • UPnP is still viewed as a “security nightmare” by some, but others accept it as a practical way for apps (e.g., BitTorrent) to create port mappings.
  • BitTorrent often works even with UPnP disabled due to additional protocol workarounds, confusing some users about what UPnP actually changes.

Miscellaneous Observations

  • WireGuard is widely praised for simplicity and performance compared to IPsec/OpenVPN; some call it one of the best software projects of the last decade.
  • Others note feature trade-offs: no built-in RBAC, no integrated identity, and a reliance on external tooling for “enterprise” features.
  • Some minor platform-specific footguns are noted (e.g., WireGuard iOS preferring IPv4 DNS results on IPv6-only mobile networks, causing flaky behavior unless configured with an explicit IPv6 endpoint).