Running your own VPN can feel like one of those projects you build for yourself, but nobody else in the house will ever touch it. I originally started this because I wanted my family to have a simple way to browse securely on public Wi-Fi, connect back to my home network, and avoid handing their data to a commercial VPN provider.
Unfortunately, self-hosted VPNs and their functionality are difficult to explain to non-technical people, and even if you can set one up, convincing them to install configuration files and troubleshoot connection errors is a fool's errand. A very simple web interface called wg-easy, which is the WireGuard we all know and love, combined with a very intuitive and easy-to-use web UI, is the perfect solution.
Why WireGuard?
It has everything I want
WireGuard has earned a reputation, and it's a bloody good one. Its codebase is a fraction of the size of older protocols like OpenVPN or IPSec, which means there are fewer things to go wrong and fewer potential vulnerabilities to exploit. It also prioritizes speed, which I really like. Handshakes happen almost instantly, latency is minimal, and mobile devices tend to perform a lot better in my experience.
Security is also top-notch with WireGuard. Not that OpenVPN or IPSec are necessarily insecure VPNs, but the fact that WireGuard has been baked into the Linux kernel and directly praised by Linus Torvalds himself definitely enhances the trust I have in it. Rather unfortunately, however, WireGuard isn't simple to get setup for those who aren't technically inclined.
wg-easy makes WireGuard usable for non-tech enthusiasts
It's just the easiest way to set up WireGuard
The way you normally configure WireGuard looks intimidating to anyone who isn’t used to text editors and command lines. You have to generate key pairs, create configuration files by hand, and then distribute those files carefully to each device. If you get one value wrong, nothing connects, and there’s little feedback as to why. It’s fine for hobbyists and home-lab tinkerers, but it’s not something your non-techie family will ever want to spend time troubleshooting.
This is where wg-easy comes in. It wraps all of WireGuard’s complexity in a clean, browser-based dashboard. Instead of typing commands to add peers, you click a button, which makes setup on my end super trivial, but the real game-changer is how configurations are created.
Instead of pasting configuration values into text files, the app generates them for you. For mobile users, the killer feature is the automatic QR code that can be scanned directly into the WireGuard app. In practice, that means my family doesn’t even need to know what a configuration file is. They open the app, scan the code, and tap connect.
Setting up wg-easy
With Caddy for the reverse proxy
I run wg-easy inside a Docker container on a Proxmox LXC, though the same steps work on a VM or bare metal if that’s your preference. That's how I ran it in the past, but switching over to an LXC where I have other Docker containers running just made it easy to manage. I also personally use Nginx for reverse proxying my services, but I've also found using Caddy is extremely easy. It actually takes care of all the TLS certificate stuff for you. It requests and renews them automatically, without you needing to actually do anything.
Using Docker Compose is the recommended way to get up and running, and after creating a directory, pulling the compose file and starting it, you're really close to having everything up and running already. I'm using root here to set things up for demonstration purposes, but if you plan to do this yourself, do so using another user using sudo. The sample Caddy composition file is just a few small changes from what you'll actually be using to host the web UI. Simply change the Caddyfile to point to the correct subdomain and ensure that it can communicate properly with the wg-easy container, and you're good to go.
The important part is that you map WireGuard’s UDP traffic on port 51820 directly to the host, so that outside devices can reach it, while keeping the web dashboard tucked away behind Caddy or another reverse proxy of your choosing. By default, wg-easy’s web UI lives on port 51821. Instead of exposing that directly, which is a poor idea for security reasons, I only bound it to localhost and let Caddy handle the public side.
After pointing my subdomain to the LXC container with the correct port, going through setup on the web UI itself was very easy. In the past, I had done all the initial configuration through editing the configuration files manually, and I actually had no idea that wg-easy would actually hold your hand through the entire initial process.
Sharing configurations with family
The easiest thing we've done as a family
This setup ensures that the VPN traffic itself is secured end-to-end with WireGuard, and the web UI is accessible on the web, which is almost perfect. The only additional measure I would add is further authentication through something like Authentik, so that bad actors that find your subdomain can't brute force the login page.
Once the server is running, though, adding peers for family members is as simple as clicking “Add” in the dashboard. I gave each one a clear name, like “Mom-iPhone” or “Dad-Laptop,” which keeps things organized. For desktops and laptops, wg-easy provides a configuration file that can be imported directly into the official WireGuard client. On Windows, it’s just a matter of downloading the file, opening the app, and clicking “Activate.” On macOS, the process is similar, and AirDrop makes moving the config over seamless if you generate it from another machine. For mobile devices, they can simply scan a QR code displayed right on the dashboard, which adds the configuration straight into the WireGuard app, available on iOS and Android. If both of these methods fail, I can also just send them a one-time link to get connected.
wg-easy is a no-brainer for a family VPN
WireGuard is one of the most secure and performant VPN protocols available today, but its setup has always been a barrier for everyday people. By pairing it with wg-easy and putting the web interface behind a simple Caddy reverse proxy, I ended up with a VPN my entire family can use without friction. They don’t need to know anything besides scanning a QR code, AirDropping a file, or even clicking a one-time link.