
Self-Host a WireGuard VPN with Greffon

A VPN is the front door to your network. That is the one door worth owning outright. Here is the honest setup for a WireGuard VPN on a greffer, sharp edges and all.

Greffon Labs, 6 min read

A VPN is not just another app. It is the doorway into your network, and whoever runs it holds the keys. Renting that from a provider means trusting them with the door. Self-hosting WireGuard puts the door on hardware you own. The Greffon catalog ships it as wg-easy: WireGuard with a web UI for managing peers, so you are not hand-editing key files.

Why own the VPN

WireGuard is the modern, fast VPN protocol that lives in the Linux kernel. wg-easy wraps it in a small web UI: add a peer, scan a QR code from the official WireGuard app, and you are connected. Grafting it onto a greffer means the VPN endpoint, the peer list, and the keys all live on your machine, not a service you rent.

Graft it from the catalog

Pick WireGuard from the catalog and graft it onto your greffer. You set an admin password for the web UI on first start, and Greffon wires TLS and routing for that UI so you manage peers over HTTPS.

Give the admin password at least 12 characters

wg-easy rejects a shorter password at login, which would lock you out of your own UI. The password applies on first start only; change it later from the UI itself. The username is admin.

The UDP port you actually need open

Here is the honest part most VPN walkthroughs gloss over. WireGuard moves its traffic over UDP (port 51820), and your phone or laptop has to reach that port directly. A VPN endpoint is only useful if peers on the open internet can connect to it.

This is where a VPN differs from a web app. Greffon's built-in tunnel carries HTTP and TCP app traffic, so a normal greffon behind NAT is reachable without opening ports. WireGuard's data plane is UDP, and the tunnel does not carry UDP yet. So for the VPN itself you need a greffer with a reachable public UDP endpoint: a VPS or box with a public IP, or port forwarding plus dynamic DNS at home. Plan for that before you graft it, not after.
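A quick way to confirm the UDP endpoint really is reachable, as an added example that is not part of Greffon or wg-easy: read `wg show wg0 dump` and list peers that have never completed a handshake or have gone quiet. A peer stuck at "never-handshaked" while its client keeps retrying is the usual sign that port 51820/udp is not open from the internet. The sample dump and the key names are constructed; `check_wg0` assumes it runs where the wg0 interface is visible.

```shell
#!/bin/sh
# Added example: audit WireGuard peers for missing or stale handshakes.
#
# `wg show wg0 dump` prints one interface line, then one tab-separated
# line per peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake
#   transfer-rx  transfer-tx  persistent-keepalive
# latest-handshake is a Unix timestamp, 0 when the peer never connected.

# stale_peers DUMP NOW MAX_AGE_SECONDS
# prints "<pubkey> never-handshaked" or "<pubkey> stale:<age>s" per problem peer
stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="$3" '
        NR == 1 { next }                          # skip the interface line
        {
            key = $1; hs = $5
            if (hs == 0)             print key, "never-handshaked"
            else if (now - hs > max) print key, "stale:" (now - hs) "s"
        }'
}

# Live check: flag peers silent for more than 5 minutes. Needs to run
# where wg0 lives (on the host, or with `docker exec` into wg-easy).
check_wg0() {
    stale_peers "$(wg show wg0 dump)" "$(date +%s)" 300
}

# Constructed sample: one healthy peer and one that never got through.
SAMPLE_DUMP=$(
    printf 'PRIV\tSERVERPUB\t51820\toff\n'
    printf 'PEER1PUB\t(none)\t203.0.113.7:41234\t10.8.0.2/32\t1700000000\t1024\t2048\t25\n'
    printf 'PEER2PUB\t(none)\t(none)\t10.8.0.3/32\t0\t0\t0\t25\n'
)
```

If every peer reports never-handshaked while the clients show "handshake did not complete", look at the port forward or cloud firewall before anything else.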

When wg0 will not come up

The sharpest edge is the host kernel. wg-easy's NAT rules depend on the netfilter modules (ip_tables, iptable_nat), and the container cannot always load them itself, especially on Oracle Linux's UEK kernel. When they are missing, the wg0 interface never comes up, and the dashboard returns a 500 with a "No such device" error underneath.

The fix is to load the modules on the host and pin them so a reboot does not drop them. If you followed the Oracle Cloud greffer setup, this is the same Step 2 you already ran.

host-modules.sh
# load the netfilter modules WireGuard's NAT needs
sudo modprobe ip_tables iptable_nat iptable_filter

# pin them so a reboot does not undo this
printf 'ip_tables\niptable_nat\niptable_filter\n' | sudo tee /etc/modules-load.d/iptables.conf

# make sure Docker comes back after a reboot
sudo systemctl enable docker

This is a host job, not a greffon job

The greffer does not load host kernel modules for you yet. Until it does, an iptables-based greffon like WireGuard needs the modules present on the host. It is a one-time setup per machine.
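Because the 500 only shows up after grafting, it is worth checking the host before you do. This added preflight script (not part of Greffon) verifies that the three modules from host-modules.sh are loaded now and pinned in /etc/modules-load.d/iptables.conf for the next reboot. The lsmod excerpt is constructed.

```shell
#!/bin/sh
# Added example: preflight check for the netfilter modules wg-easy needs.

REQUIRED_MODULES="ip_tables iptable_nat iptable_filter"
PIN_FILE=/etc/modules-load.d/iptables.conf   # the file host-modules.sh writes

# missing_modules LSMOD_OUTPUT -> required modules absent from lsmod
# lsmod prints a header line, then "<module> <size> <used-by...>" per line.
missing_modules() {
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$1" | awk 'NR > 1 { print $1 }' | grep -qx "$m" \
            || printf '%s\n' "$m"
    done
}

# unpinned_modules PIN_FILE_CONTENT -> required modules not listed for modules-load
unpinned_modules() {
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$1" | grep -qx "$m" || printf '%s\n' "$m"
    done
}

# preflight: run both checks against the live host; exit 1 if anything is off
preflight() {
    miss=$(missing_modules "$(lsmod)")
    unpin=$(unpinned_modules "$(cat "$PIN_FILE" 2>/dev/null)")
    [ -z "$miss" ] || printf 'not loaded, run: sudo modprobe %s\n' \
        "$(printf '%s' "$miss" | tr '\n' ' ')"
    [ -z "$unpin" ] || printf 'not pinned in %s: %s\n' "$PIN_FILE" \
        "$(printf '%s' "$unpin" | tr '\n' ' ')"
    [ -z "$miss$unpin" ]
}

# Constructed lsmod excerpt from a host where iptable_nat was never loaded.
SAMPLE_LSMOD="Module                  Size  Used by
wireguard             106496  0
ip_tables              36864  1 iptable_filter
iptable_filter         16384  1"
```

Run `preflight` on the host before grafting; a clean exit means the modules are present and will survive a reboot.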

Who you can safely hand a config

A full-tunnel VPN routes a peer's traffic through your greffer, which means a connected peer can also reach the host running the VPN and the local network it sits on. Your other greffons stay isolated from VPN peers, but the host and its LAN are in reach.

AllowedIPs is not a server-side fence

In wg-easy, a peer's AllowedIPs only sets that peer's own client-side routing. It is not enforced by the server. So only hand a peer config to someone you trust with access to that network, the same way you would with a key to the building.

Keep it always-on

A VPN you reach for at odd hours from every device has to be up when you are. Run it on an always-on greffer with a public UDP endpoint, a small VPS or a mini-PC at home with port forwarding, rather than a laptop that sleeps. The free Oracle Cloud box is a good fit, since it is always-on and has a public IP you can open the UDP port on.

FAQ

Is wg-easy real WireGuard?

Yes. wg-easy is a web UI on top of the kernel's WireGuard implementation, not a reimplementation. The official WireGuard apps connect to it normally.

Can I use the official WireGuard clients?

Yes. Add a peer in the wg-easy UI, then scan the QR code with the WireGuard app on your phone or import the config file on desktop.

Why can't the built-in tunnel expose the VPN for me?

The tunnel carries HTTP and TCP app traffic. WireGuard's data plane is UDP, which the tunnel does not carry yet, so the VPN port needs a directly reachable public UDP endpoint (public IP or port forwarding).

My dashboard returns a 500 and the interface won't start. Why?

Almost always the host is missing the netfilter kernel modules (ip_tables, iptable_nat), common on Oracle Linux's UEK kernel. Load and pin them on the host as shown above, then restart the greffon.
Greffon Labs
We build Greffon, the simplest way to turn any machine into a server you own.