WireGuard Tunnel

WireGuard provides a persistent encrypted tunnel between the NUC and the cloud server, giving both sides fixed IP addresses regardless of the NUC's dynamic public IP.

Why WireGuard

  1. Dynamic IP problem: The NUC sits behind a consumer router with a dynamic public IP. WireGuard gives each side a fixed tunnel address (10.10.10.2 for NUC, 10.10.10.1 for cloud), so the cloud Asterisk always knows how to reach the NUC.
  2. Zoiper/NUC conflict: Without the tunnel, the NUC and a Zoiper softphone on the same LAN would share the same public IP, causing SIP routing ambiguity on the cloud. The tunnel separates their traffic.

Tunnel Addresses

| Side  | WireGuard IP | Public IP            | Role             |
|-------|--------------|----------------------|------------------|
| NUC   | 10.10.10.2   | Dynamic (behind NAT) | Gateway / Client |
| Cloud | 10.10.10.1   | 89.116.31.109        | PBX / Server     |

NUC Configuration

File: /etc/wireguard/wg0.conf

[Interface]
Address = 10.10.10.2/24
PrivateKey = <nuc-private-key>

[Peer]
PublicKey = mBYgadDa8w/...
Endpoint = 89.116.31.109:51820
AllowedIPs = 10.10.10.0/24
PersistentKeepalive = 25

  • Address: The NUC's tunnel IP.
  • Endpoint: The cloud server's public IP and WireGuard listen port.
  • PersistentKeepalive = 25: Sends a keepalive packet every 25 seconds to maintain the NAT mapping, since the NUC is behind NAT.

Cloud Configuration

[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = <cloud-private-key>

[Peer]
PublicKey = oRoJ+EEsYGF...
AllowedIPs = 10.10.10.2/32

  • ListenPort: The cloud listens on UDP 51820.
  • AllowedIPs: A single /32, so the cloud accepts packets from this peer only when they carry the source address 10.10.10.2, and routes only traffic destined for 10.10.10.2 to it (WireGuard's cryptokey routing). A wider range here would let the NUC send traffic as any other tunnel address.

Public keys are safe to share

WireGuard public keys are not secrets. The private keys (stored in each wg0.conf) must never be shared or committed to version control.

Service Management

WireGuard runs as a systemd service:

# Start
sudo systemctl start wg-quick@wg0

# Stop
sudo systemctl stop wg-quick@wg0

# Restart
sudo systemctl restart wg-quick@wg0

# Check status
sudo systemctl status wg-quick@wg0

# Enable on boot
sudo systemctl enable wg-quick@wg0

Once enabled, the service starts automatically on boot.

Troubleshooting

Check Tunnel Status

sudo wg show

Example output:

interface: wg0
  public key: oRoJ+EEsYGF...
  private key: (hidden)
  listening port: 45678

peer: mBYgadDa8w/...
  endpoint: 89.116.31.109:51820
  allowed ips: 10.10.10.0/24
  latest handshake: 12 seconds ago
  transfer: 1.45 GiB received, 892.31 MiB sent
  persistent keepalive: every 25 seconds

Check the latest handshake

The latest handshake value should be recent (within the last ~30 seconds given the keepalive interval). If it shows a time older than a few minutes, the tunnel is likely down.
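The handshake-age check described above, written as a small shell script. This is an added example, not part of the original page or the project's own tooling. It assumes the interface is named wg0 as on this page, and uses an assumed cutoff STALE_AFTER of 180 seconds as the "older than a few minutes" line; the cutoff is deliberately longer than the 25-second keepalive because an established session only re-handshakes every couple of minutes, so alarming at the keepalive interval would produce false positives. The handshake lines fed to the functions are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): evaluate tunnel health from the
# latest-handshake age, the same signal "sudo wg show" prints.
#
# `wg show wg0 latest-handshakes` emits one line per peer:
#   <peer-public-key><TAB><unix-epoch-of-last-handshake>
# with 0 when that peer has never completed a handshake. The functions take that
# text as an argument so they can be exercised on constructed input without a
# live interface.

STALE_AFTER=180   # assumed cutoff in seconds ("older than a few minutes" = down)

# handshake_age <latest-handshakes text> <now-epoch>
# Prints the age in seconds of the newest handshake across all peers,
# or -1 if no peer has ever handshaken.
handshake_age() {
    printf '%s\n' "$1" | awk -v now="$2" '
        BEGIN { best = 0 }
        NF >= 2 && $2 > best { best = $2 }
        END { if (best > 0) print now - best; else print -1 }'
}

# tunnel_healthy <latest-handshakes text> <now-epoch>
# Returns 0 when the newest handshake is within STALE_AFTER seconds, 1 otherwise.
tunnel_healthy() {
    _age=$(handshake_age "$1" "$2")
    if [ "$_age" -ge 0 ] && [ "$_age" -le "$STALE_AFTER" ]; then
        return 0
    fi
    return 1
}

# Constructed sample: the page's cloud peer (key truncated, as on the page)
# last completed a handshake 12 seconds before "now".
SAMPLE_NOW=1700000000
SAMPLE_OUTPUT=$(printf 'mBYgadDa8w/EXAMPLE-TRUNCATED=\t%s\n' $((SAMPLE_NOW - 12)))

if tunnel_healthy "$SAMPLE_OUTPUT" "$SAMPLE_NOW"; then
    echo "sample: tunnel up (handshake $(handshake_age "$SAMPLE_OUTPUT" "$SAMPLE_NOW")s ago)"
else
    echo "sample: tunnel stale"
fi

# Against the real interface (needs root, like "sudo wg show"):
#   sudo sh check-wg0.sh --live
if [ "${1:-}" = "--live" ]; then
    live=$(wg show wg0 latest-handshakes) || exit 2
    if tunnel_healthy "$live" "$(date +%s)"; then
        echo "wg0: tunnel up"
    else
        echo "wg0: no recent handshake, tunnel likely down"
        exit 1
    fi
fi
```

Run with `--live` from cron or a systemd timer on the NUC to get an exit status a monitoring hook can act on; the never-handshaken case (epoch 0) is reported as age -1 rather than as a huge number so it is not confused with a stale-but-once-working tunnel.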

Ping Test

# From NUC, ping the cloud
ping 10.10.10.1

# From cloud, ping the NUC
ping 10.10.10.2

Common Issues

| Symptom               | Likely Cause                      | Fix                                              |
|-----------------------|-----------------------------------|--------------------------------------------------|
| No handshake at all   | Cloud firewall blocking UDP 51820 | Open port 51820/udp on the cloud server          |
| Handshake but no ping | AllowedIPs misconfigured          | Verify AllowedIPs on both sides                  |
| Intermittent drops    | NAT timeout                       | Ensure PersistentKeepalive is set on the NUC side |
| Service won't start   | Config syntax error               | Run sudo wg-quick up wg0 manually to see the error |

Adding a New Gateway

To add another NUC or gateway to the WireGuard network:

  1. Generate a keypair on the new machine:

    wg genkey | tee privatekey | wg pubkey > publickey
    
  2. Add a peer on the cloud by editing /etc/wireguard/wg0.conf:

    [Peer]
    PublicKey = <new-gateway-public-key>
    AllowedIPs = 10.10.10.3/32
    
  3. Create the config on the new gateway at /etc/wireguard/wg0.conf:

    [Interface]
    Address = 10.10.10.3/24
    PrivateKey = <new-gateway-private-key>
    
    [Peer]
    PublicKey = mBYgadDa8w/...
    Endpoint = 89.116.31.109:51820
    AllowedIPs = 10.10.10.0/24
    PersistentKeepalive = 25
    
  4. Restart WireGuard on both the cloud and the new gateway:

    sudo systemctl restart wg-quick@wg0
    
  5. Verify with sudo wg show and a ping test.
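Steps 2 and 3 above are where the "AllowedIPs misconfigured" row of the troubleshooting table usually originates, so here is the cloud-side half of the procedure as a shell script that picks the next free tunnel address, lints every existing [Peer] block, and appends the new peer. This is an added example, not code from the original page or the project; it assumes one CIDR per AllowedIPs line, the 10.10.10.0/24 subnet used throughout this page, and that the cloud's [Interface] Address plus every peer's AllowedIPs are the addresses in use. The demo config it writes is a constructed copy of this page's cloud configuration in a temporary file.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for adding a gateway on
# the cloud side. Assumes one CIDR per AllowedIPs line and the 10.10.10.0/24
# tunnel subnet from this page.

# next_free_tunnel_ip <wg0.conf>
# Prints the lowest unused host address in 10.10.10.0/24 (the cloud's own
# Address, 10.10.10.1, and every peer's AllowedIPs count as used).
next_free_tunnel_ip() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^(Address|AllowedIPs)[ \t]*=/ {
            split(line, a, /[ \t=\/]+/)      # a[1]=key, a[2]=ip, a[3]=prefix length
            if (a[2] ~ /^10\.10\.10\.[0-9]+$/) { split(a[2], o, "."); used[o[4] + 0] = 1 }
        }
        END { for (i = 2; i <= 254; i++) if (!(i in used)) { print "10.10.10." i; exit } }' "$1"
}

# lint_cloud_conf <wg0.conf>
# Checks every [Peer]: AllowedIPs must be a single /32 inside 10.10.10.0/24 and
# no address may be assigned to two peers. Prints each finding; exit 0 when clean.
lint_cloud_conf() {
    awk '
        BEGIN { bad = 0 }
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^\[Peer\]/ { inpeer = 1; next }
        line ~ /^\[/       { inpeer = 0; next }
        inpeer && line ~ /^AllowedIPs[ \t]*=/ {
            split(line, a, /[ \t=\/]+/)
            if (a[3] == "") a[3] = "32"        # WireGuard treats a bare address as a host route
            if (a[3] != "32") {
                print "line " NR ": peer AllowedIPs " a[2] "/" a[3] " is not a /32; this peer could source traffic as other tunnel addresses"
                bad = 1
            }
            if (a[2] !~ /^10\.10\.10\.[0-9]+$/) {
                print "line " NR ": " a[2] " is outside 10.10.10.0/24"
                bad = 1
            }
            if (a[2] in seen) {
                print "line " NR ": " a[2] " already assigned to the peer at line " seen[a[2]]
                bad = 1
            }
            seen[a[2]] = NR
        }
        END { exit bad }' "$1"
}

# render_peer_block <public-key> <tunnel-ip>
render_peer_block() {
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# add_gateway_peer <wg0.conf> <new-gateway-public-key>
# Refuses to touch a config that fails lint; otherwise appends a [Peer] block for
# the next free address and prints that address (step 2 of the procedure).
add_gateway_peer() {
    lint_cloud_conf "$1" || return 1
    _ip=$(next_free_tunnel_ip "$1")
    [ -n "$_ip" ] || { echo "no free address left in 10.10.10.0/24" >&2; return 1; }
    render_peer_block "$2" "$_ip" >> "$1"
    echo "$_ip"
}

# Constructed copy of this page's cloud-side wg0.conf in a temp file, so the demo
# never touches /etc/wireguard.
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = <cloud-private-key>

[Peer]
PublicKey = oRoJ+EEsYGF...
AllowedIPs = 10.10.10.2/32
EOF

# On the new gateway the real value comes from step 1: wg genkey | tee privatekey | wg pubkey
NEW_PUBKEY='<new-gateway-public-key>'
added=$(add_gateway_peer "$DEMO_CONF" "$NEW_PUBKEY") && echo "assigned $added to the new peer"
cat "$DEMO_CONF"
rm -f "$DEMO_CONF"
```

Run `add_gateway_peer /etc/wireguard/wg0.conf "$(cat publickey)"` as root on the cloud, put the printed address into the new gateway's Address line (step 3), then restart as in step 4; because the lint runs first, a stray /24 or a duplicated address from an earlier copy-and-paste is caught before wg-quick loads it.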