VPN setup

You can choose Tailscale, WireGuard, or use both like me.

Tailscale (requires third-party account)

Get an auth key from the Tailscale admin console:

  • Description: homelab
  • Reusable: optionally set this to true

Add it to external/terraform.tfvars as an extra secret:

extra_secrets = {
  tailscale-auth-key = "tskey-auth-myauthkeyhere"
}

Apply the secret:

make external

Finally, enable subnet routes for homelab-router from the admin console.

You can now connect to your homelab via Tailscale and invite users to your Tailscale network.

WireGuard (requires port forwarding)

Update the peer list in apps/wireguard/values.yaml:


Go to your router settings and forward the WireGuard service. Each router is different; here's mine for reference:

  • Protocol: UDP
  • Start Port: 51820
  • End Port: 51820
  • Local IP Address: (find it with kubectl get service -n wireguard wireguard)
  • Start Port Local: 51820
  • End Port Local: 51820

To get the QR code (for mobile) and config (for desktop), run:


This command will print sensitive secrets to the terminal.

./scripts/get-wireguard-config FooPhone