Tunnel

WireGuard creates an encrypted link between homelab and VPS. The homelab initiates the tunnel outward, making services reachable despite CGNAT.

WireGuard

Encrypted point-to-point tunnel between VPS and homelab.

Keys · AllowedIPs · Keepalive

Routing

Traffic enters the VPS and is routed through the tunnel to internal services.

Split routing

Safety

Expose only what you need; everything else stays internal.

Defense-in-depth
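
The tunnel described above, written out as a pair of wg-quick configs. This is an added example, not configuration from the original page. The keys are placeholders, and the 10.8.0.0/24 tunnel subnet, port 51820, the VPS address 203.0.113.10 and the wg0.conf path are assumptions; it also assumes the exposed services listen on the homelab host itself.

```ini
# Constructed example: every key, address and port below is a placeholder.

# ---- VPS: /etc/wireguard/wg0.conf (public IP, waits for the homelab) ----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# Homelab peer. No Endpoint line: the VPS cannot dial into CGNAT, so it
# learns the homelab's current address from the last authenticated packet.
PublicKey = <HOMELAB_PUBLIC_KEY>
# Only the homelab's tunnel address is accepted from, or routed to, this
# peer. Add a LAN subnet here only if services live on other homelab hosts.
AllowedIPs = 10.8.0.2/32

# ---- Homelab: /etc/wireguard/wg0.conf (behind CGNAT, dials out) ----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <HOMELAB_PRIVATE_KEY>
# No ListenPort: nothing can reach this host inbound through CGNAT.

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
# The homelab initiates the handshake toward the VPS's public address.
Endpoint = 203.0.113.10:51820
# Narrow AllowedIPs: only traffic for the VPS's tunnel address uses wg0.
# 0.0.0.0/0 here would send all homelab traffic through the VPS instead.
AllowedIPs = 10.8.0.1/32
# Periodic keepalive holds the CGNAT mapping open, so traffic arriving at
# the VPS can be forwarded even when the homelab has been idle.
PersistentKeepalive = 25
```

The asymmetry carries the design: only the homelab side has Endpoint and PersistentKeepalive, and each side's AllowedIPs names a single /32, so a compromised peer cannot source or attract traffic for any other address.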