WireGuard VPN with Wstunnel and Nginx
11 Oct 2025

I like to have as much choice as possible in what is censored from me, and I am abroad a lot. I don't trust VPN providers and like hosting my own services for full control. Personal VPNs are also harder to block. For these reasons, I set up my own VPN with Wstunnel, WireGuard and Nginx.
You can find my setup here. Below is a schematic overview. You can pan and zoom this.
My reasoning for this architecture was:
- Security is important, so WireGuard is a logical choice and easy to set up.
- However, WireGuard by itself is easy to block for an ISP because of patterns in the protocol, so we tunnel over an HTTPS WebSocket connection with Wstunnel. This by itself makes it look a lot like normal internet traffic.
- Even then, by default, Wstunnel uses self-signed TLS certificates. To really blend in, you should use a regular CA-issued TLS certificate, e.g. from Let's Encrypt.
- Although it’s possible to use such a certificate with Wstunnel, I decided to use Nginx for this. This makes it IMO a bit easier to reuse your server for other use cases.
- On the server we configure WireGuard with iptables to NAT IPv4 and IPv6 traffic from the tunnel and forward it to the internet.
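As an added example (not the author's published configuration), an Nginx server block that terminates TLS with a Let's Encrypt certificate and forwards only the WebSocket upgrade on one path prefix to a local Wstunnel server, serving an ordinary site on every other path. The hostname vpn.example.com, the Wstunnel listen address 127.0.0.1:8080 and the path prefix /ws-secret-prefix/ are assumptions.

```nginx
# Added example, not the author's config. Assumes: Wstunnel server listens on
# 127.0.0.1:8080 with plain ws:// (TLS is terminated here by Nginx), the
# Let's Encrypt certificate for vpn.example.com already exists, and the client
# connects with the same (hypothetical) path prefix as below.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name vpn.example.com;

    ssl_certificate     /etc/letsencrypt/live/vpn.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vpn.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Every path except the tunnel prefix gets a normal web page, so a
    # scan of the host sees an ordinary HTTPS site, not a bare tunnel.
    root /var/www/html;
    location / {
        try_files $uri $uri/ =404;
    }

    # Only this prefix is proxied to Wstunnel. Keep it non-guessable and use
    # the same prefix on the client; proxy_pass without a URI keeps the path.
    location /ws-secret-prefix/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        # WireGuard keepalives can be sparse; don't let idle tunnels time out.
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_buffering off;
    }
}

# Plain HTTP only redirects, so the tunnel is never reachable unencrypted.
server {
    listen 80;
    listen [::]:80;
    server_name vpn.example.com;
    return 301 https://$host$request_uri;
}
```

Check the result with `nginx -t` before reloading; a missing `Upgrade`/`Connection` pair is the usual reason the WebSocket handshake fails behind a reverse proxy.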