Self-Host a WireGuard VPN with Greffon
A VPN is the front door to your network. That is the one door worth owning outright. Here is the honest setup for a WireGuard VPN on a greffer, sharp edges and all.
A VPN is not just another app. It is the doorway into your network, and whoever runs it holds the keys. Renting that from a provider means trusting them with the door. Self-hosting WireGuard puts the door on hardware you own. The Greffon catalog ships it as wg-easy: WireGuard with a web UI for managing peers, so you are not hand-editing key files.
Why own the VPN
WireGuard is the modern, fast VPN protocol that lives in the Linux kernel. wg-easy wraps it in a small web UI: add a peer, scan a QR code from the official WireGuard app, and you are connected. Grafting it onto a greffer means the VPN endpoint, the peer list, and the keys all live on your machine, not a service you rent.
Graft it from the catalog
Pick WireGuard from the catalog and graft it onto your greffer. You set an admin password for the web UI on first start, and Greffon wires TLS and routing for that UI so you manage peers over HTTPS.
The UDP port you actually need open
Here is the honest part most VPN walkthroughs gloss over. WireGuard moves its traffic over UDP (port 51820), and your phone or laptop has to reach that port directly. A VPN endpoint is only useful if peers on the open internet can connect to it.
This is where a VPN differs from a web app. Greffon's built-in tunnel carries HTTP and TCP app traffic, so a normal greffon behind NAT is reachable without opening ports. WireGuard's data plane is UDP, and the tunnel does not carry UDP yet. So for the VPN itself you need a greffer with a reachable public UDP endpoint: a VPS or box with a public IP, or port forwarding plus dynamic DNS at home. Plan for that before you graft it, not after.
When wg0 will not come up
The sharpest edge is the host kernel. WireGuard's NAT relies on netfilter modules (ip_tables, iptable_nat), and the container cannot always load them itself, especially on Oracle Linux's UEK kernel. When they are missing, the wg0 interface never comes up, and the dashboard returns a 500 with a "No such device" error underneath.
The fix is to load the modules on the host and pin them so a reboot does not drop them. If you followed the Oracle Cloud greffer setup, this is the same Step 2 you already ran.
# load the netfilter modules WireGuard's NAT needs
sudo modprobe ip_tables iptable_nat iptable_filter
# pin them so a reboot does not undo this
printf 'ip_tables\niptable_nat\niptable_filter\n' | sudo tee /etc/modules-load.d/iptables.conf
# make sure Docker comes back after a reboot
sudo systemctl enable docker
Who you can safely hand a config
A full-tunnel VPN routes a peer's traffic through your greffer, which means a connected peer can also reach the host running the VPN and the local network it sits on. Your other greffons stay isolated from VPN peers, but the host and its LAN are in reach.
AllowedIPs only sets that peer's own client-side routing. It is not enforced by the server. So only hand a peer config to someone you trust with access to that network, the same way you would with a key to the building.
Keep it always-on
A VPN you reach for at odd hours from every device has to be up when you are. Run it on an always-on greffer with a public UDP endpoint, a small VPS or a mini-PC at home with port forwarding, rather than a laptop that sleeps. The free Oracle Cloud box is a good fit, since it is always-on and has a public IP you can open the UDP port on.
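A quick way to confirm the host is in the state the "When wg0 will not come up" section describes, as an added check script that is not part of Greffon or the page's own setup commands: it reports which of the three netfilter modules are absent from an lsmod listing and which are not pinned in the modules-load.d file the fix writes, and with `check` runs both tests live on the host. The script name wg-host-check.sh is an assumption.

```shell
#!/bin/sh
# Added check: which netfilter modules WireGuard's NAT needs are missing or
# unpinned on the host. Module names are the ones from the modprobe fix.
REQUIRED_MODULES="ip_tables iptable_nat iptable_filter"
PIN_FILE="/etc/modules-load.d/iptables.conf"   # the file the tee step in the fix writes

# missing_modules LSMOD_TEXT: print the required modules absent from an
# `lsmod` listing (first column is the module name), space separated.
missing_modules() {
  _missing=""
  for m in $REQUIRED_MODULES; do
    printf '%s\n' "$1" | awk '{ print $1 }' | grep -qx "$m" || _missing="$_missing $m"
  done
  printf '%s' "${_missing# }"
}

# unpinned_modules CONF_FILE: print the required modules not listed (one per
# line) in a modules-load.d file, i.e. the ones a reboot would drop.
unpinned_modules() {
  _unpinned=""
  for m in $REQUIRED_MODULES; do
    { [ -f "$1" ] && grep -qx "$m" "$1"; } || _unpinned="$_unpinned $m"
  done
  printf '%s' "${_unpinned# }"
}

# Live mode: `sh wg-host-check.sh check` on the host running the container.
if [ "${1:-}" = "check" ]; then
  missing=$(missing_modules "$(lsmod)")
  unpinned=$(unpinned_modules "$PIN_FILE")
  [ -z "$missing" ]  && echo "loaded:   all required modules present" \
                     || echo "missing:  $missing (run the modprobe step)"
  [ -z "$unpinned" ] && echo "pinned:   all required modules in $PIN_FILE" \
                     || echo "unpinned: $unpinned (will not survive a reboot)"
  # wg0 is created by the container; if it is absent, the dashboard 500 is the likely symptom.
  ip link show wg0 >/dev/null 2>&1 && echo "wg0:      present" || echo "wg0:      not found"
fi
```

Run it before and after the modprobe and tee steps; an empty "missing" and "unpinned" line with wg0 present is the state you want.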