As a tech or cybersecurity enthusiast, you might be running a homelab to experiment with various technologies and enhance your skills. If you do, or if you are capable of maintaining a 24/7 VM (or even a physical server), this guide will help you set up a HamCloud WireGuard VPN gateway. This setup can even be done on a single-board computer (SBC) like a Raspberry Pi (though I haven’t tested this personally, it should theoretically work).
This gateway will allow you to access HamNet within your entire home network by configuring your home router to route traffic through the VPN tunnel. It’s a great alternative if your local repeaters are not yet part of HamNet, providing you with seamless connectivity to the network.
Prerequisites:
- A VM running Ubuntu inside your home network (or a physical computer/Raspberry Pi).
- A static IP configured for the above VM, so you can set up a static route.
- Basic understanding of networking and VPNs.
- Access to your home router for static route configuration.
- You must be a licensed radio amateur, so you can obtain an ARRL LoTW certificate to log in to the HamCloud VPN.
Note: For security reasons, this setup should not be done on an internet-facing VM, such as a VM from a cloud provider. Always use a VM within your home network.
Step 1: Update and Install Required Packages
Start by updating your system and installing WireGuard. To do this, SSH into your VM and run:
sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get install wireguard -y
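Step 2: Generate WireGuard Keys
Generate the key pair with a restrictive umask, so that private.key is readable only by your user:
umask 077
wg genkey | tee private.key | wg pubkey > public.key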
Step 3: Add your WireGuard key to HamCloud
Now you need to add your public key to your HamCloud account. First, retrieve it:
cat public.key
Your key will be printed to the console. Copy it, open your HamCloud Panel, and go to Wireguard > + (Add Button) > set public key.
Then paste the public key you copied into the appropriate field and press submit.
You will then be taken back to the previous page, which will now show the public key you configured. Click on it to return to the config view page and copy the whole config file, as you will need it later.
Step 4: Configure WireGuard
Create the WireGuard configuration file:
sudo nano /etc/wireguard/wg0.conf
Now paste the config you copied earlier. It should look something like this:
[Interface]
PrivateKey = YOUR_PRIVATE_KEY
Address = 44.148.xxx.xxx/32
[Peer]
PublicKey = xxxxxxx
AllowedIPs = 44.128.0.0/10
Endpoint = vpn.hc.r1.ampr.org:50000
PersistentKeepalive = 25
Note the YOUR_PRIVATE_KEY placeholder? We need to replace it with our real private key, so let's print it and copy it:
cat private.key
Now edit the file again and replace the placeholder with the real key:
sudo nano /etc/wireguard/wg0.conf
Step 5: Start WireGuard
Bring up the WireGuard interface:
sudo wg-quick up wg0
Verify the interface is up:
ip a
Step 6: Enable IP Forwarding
Edit the sysctl configuration to enable IP forwarding:
sudo nano /etc/sysctl.conf
Uncomment or add the following line:
net.ipv4.ip_forward=1
Apply the changes:
sudo sysctl -p
Step 7: Configure NAT with iptables
Set up NAT to masquerade traffic going out of the WireGuard interface:
sudo iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
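Allow traffic forwarding from your LAN interface into the tunnel (replace eth0 with the name of your VM's LAN interface, as shown by ip a):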
sudo iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
Step 8: Make iptables Rules Persistent
Install the iptables-persistent package to save the rules:
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
Step 9: Configure Static Route on Your Home Router
To direct AMPRNet traffic through the VM, add a static route on your home router. The exact steps depend on your router or firewall; googling for “Add Static Route” and your router model should do the trick. Configure the route as follows:
Destination Network: 44.128.0.0/10
Gateway: The IP address of your VM on your local network
You can test whether it's working by pinging any HamNet IP from any other device on your network.
Personally, I'm running a Sophos (Home) Firewall; for me the setup looks like this:
Bonus: Set Up Port Forwarding (Optional – To host HamNet services)
If you want to forward specific ports (e.g., 80 and 443) to an internal IP to expose services on HamNet, use the following iptables rules:
sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 80 -j DNAT --to-destination 10.10.5.1:80
sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 443 -j DNAT --to-destination 10.10.5.1:443
sudo iptables -A FORWARD -i wg0 -p tcp --dport 80 -d 10.10.5.1 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -p tcp --dport 443 -d 10.10.5.1 -j ACCEPT
You might want to set the forward target to your home firewall and manage the access rules and actual forwarding for internal services from there for easier management and better security.
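A check for the forwarding rules from Step 7 and the Bonus section, added here as an example and not part of the original guide: it reads `iptables-save` output and reports whether forwarding is default-allow, whether return traffic from the tunnel is admitted by connection state, and whether any inbound DNAT exists. The function name `audit_gateway`, the finding labels and both sample rulesets are constructed for illustration; `eth0` and `wg0` are the interface names used in the guide.

```shell
# Added example: audit `iptables-save` output on the gateway VM.
# Real use:  sudo iptables-save | audit_gateway wg0
audit_gateway() {
    wg_if=$1
    rules=$(cat)
    findings=""
    has() { printf '%s\n' "$rules" | grep -Eq -e "$1"; }

    # Step 7 appends an ACCEPT rule but leaves the chain policy alone; with
    # policy ACCEPT every routed packet is forwarded, not only LAN -> tunnel.
    has '^:FORWARD ACCEPT' && findings="$findings forward-policy-accept"

    # Replies from HamNet should be admitted by connection state only.
    has "^-A FORWARD .*-i $wg_if .*--ctstate [A-Z,]*ESTABLISHED" ||
        findings="$findings no-stateful-return-rule"

    # Without masquerading, HamNet hosts would see private LAN source IPs.
    has "^-A POSTROUTING .*-o $wg_if .*-j MASQUERADE" ||
        findings="$findings no-masquerade"

    # Each DNAT rule (Bonus section) is an inbound path from HamNet.
    has "^-A PREROUTING .*-i $wg_if .*-j DNAT" &&
        findings="$findings inbound-dnat-present"

    echo "${findings# }"
}

# Constructed, abbreviated sample: rules left by Step 7 on a default install.
sample_guide() { cat <<'EOF'
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o wg0 -j ACCEPT
-A POSTROUTING -o wg0 -j MASQUERADE
EOF
}

# Constructed, abbreviated sample: same gateway with default-deny forwarding.
sample_hardened() { cat <<'EOF'
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -o wg0 -j MASQUERADE
EOF
}

sample_guide | audit_gateway wg0
sample_hardened | audit_gateway wg0
```

To reach the hardened state shown in the second sample, add the stateful return rule, set the policy with `sudo iptables -P FORWARD DROP`, and save again as in Step 8. Any DNAT rule from the Bonus section also needs its matching FORWARD accept rule once the policy is DROP.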
By following these steps, you have set up a WireGuard VPN gateway on your VM, allowing you to route traffic through HamNet from any device on your home network.
73, CR8ACT