This guide details an advanced "Road Warrior" setup where a cloud server acts as a secure and stable middleman between you and your home network. This is the perfect solution if you can't or don't want to open ports on your home router, or if you want a more reliable connection than what a home dynamic IP can provide.

The Concept

Instead of connecting directly to your home, all your devices will connect to a central WireGuard server in the cloud. The cloud server will then intelligently route traffic between your "Road Warrior" device (your laptop or phone) and a client device on your home network (like a Raspberry Pi).

You will have three configured devices:

  1. The Cloud Server: A VPS running WireGuard (like in our other guides).
  2. The Home Client: An always-on device at your home (like a Raspberry Pi) that maintains a constant connection to the cloud server.
  3. The Road Warrior Client: Your laptop, phone, or tablet that you travel with.

Prerequisites

Configuration Steps

For this setup, we'll imagine the following IP addresses:

Step 1: Configure the Cloud Server

Your cloud server's configuration needs to know about both clients and, crucially, needs to know that the home network is accessible via the Home Client.

Edit your cloud server's /etc/wireguard/wg0.conf:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = YOUR_CLOUD_SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Peer 1: The Home Client (Raspberry Pi)
[Peer]
PublicKey = YOUR_HOME_CLIENT_PUBLIC_KEY
# This peer is allowed to send traffic from its VPN IP AND your entire home network
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24

# Peer 2: The Road Warrior Client (Your Laptop)
[Peer]
PublicKey = YOUR_ROAD_WARRIOR_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32

After adding this, restart the WireGuard service on your cloud server: sudo wg-quick down wg0 && sudo wg-quick up wg0.

Step 2: Configure the Home Client (Raspberry Pi)

This client's job is to connect to the cloud server and stay connected. It does not need to route all its internet traffic through the VPN.

Create the /etc/wireguard/wg0.conf on your Raspberry Pi:

[Interface]
Address = 10.0.0.2/32
PrivateKey = YOUR_HOME_CLIENT_PRIVATE_KEY
DNS = 1.1.1.1 # Or your router's IP

[Peer]
PublicKey = YOUR_CLOUD_SERVER_PUBLIC_KEY
Endpoint = YOUR_CLOUD_SERVER_PUBLIC_IP:51820
# This is the key: only send traffic destined for other VPN clients through the tunnel.
# All other traffic (e.g., browsing the web) will go out through your normal home internet.
AllowedIPs = 10.0.0.0/24

# This is essential for keeping the connection alive from behind your home router.
PersistentKeepalive = 25

Enable and start this service on your Pi so it's always running:

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Step 3: Configure the Road Warrior Client (Your Laptop)

This is the final piece. Your traveling device needs to know that both the internet and your home network are accessible through the cloud server.

Create the configuration on your laptop/phone:

[Interface]
Address = 10.0.0.3/32
PrivateKey = YOUR_ROAD_WARRIOR_PRIVATE_KEY
DNS = 1.1.1.1

[Peer]
PublicKey = YOUR_CLOUD_SERVER_PUBLIC_KEY
Endpoint = YOUR_CLOUD_SERVER_PUBLIC_IP:51820

# This tells your laptop to send ALL internet traffic (0.0.0.0/0 and ::/0) through the VPN.
# 0.0.0.0/0 already includes your home network (192.168.1.0/24), so it needs no separate entry here;
# listing 192.168.1.0/24 explicitly as well can help in some cases.
AllowedIPs = 0.0.0.0/0, ::/0

How It Works & Conclusion

  1. Connect your Road Warrior client to the VPN.
  2. When you try to access a device on your home network (e.g., 192.168.1.50), your laptop sends the traffic to the cloud server.
  3. The cloud server sees that 192.168.1.0/24 is handled by the Home Client peer (10.0.0.2) and forwards the traffic there.
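  4. Your Raspberry Pi receives the traffic and sends it to the correct device on your home network. This works only if IP forwarding is enabled on the Pi and home devices have a return path to 10.0.0.0/24 (NAT on the Pi or a static route on the home router).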
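
The path described in these steps can be checked with a small model of how WireGuard uses AllowedIPs: on send, the destination address selects the peer; on receive, the source address must map back to the peer the packet came from. The Python below is an added example, not part of the original guide. It models only AllowedIPs, not kernel forwarding or iptables, and the labels cloud, home and laptop are made up here.

```python
import ipaddress

# AllowedIPs as seen by each device, copied from the three configs in this guide.
# The labels "cloud", "home" and "laptop" are names made up for this example.
CONFIGS = {
    "cloud": {"home": ["10.0.0.2/32", "192.168.1.0/24"], "laptop": ["10.0.0.3/32"]},
    "home": {"cloud": ["10.0.0.0/24"]},
    "laptop": {"cloud": ["0.0.0.0/0", "::/0"]},
}

def lookup(device, ip, configs=CONFIGS):
    """Return the peer holding the longest AllowedIPs prefix that covers ip."""
    addr = ipaddress.ip_address(ip)
    best_peer, best_len = None, -1
    for peer, cidrs in configs[device].items():
        for net in map(ipaddress.ip_network, cidrs):
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best_peer, best_len = peer, net.prefixlen
    return best_peer

def accept(device, from_peer, src, configs=CONFIGS):
    """Inbound rule: keep a decrypted packet only if its source address maps
    back to the peer that sent it. Anything else is dropped."""
    return lookup(device, src, configs) == from_peer

def trace(hops, src, dst, configs=CONFIGS):
    """Walk a packet along hops, applying the outbound and inbound rule per tunnel."""
    for here, nxt in zip(hops, hops[1:]):
        if lookup(here, dst, configs) != nxt:  # outbound: dst selects the peer
            return f"{here}: {dst} is not routed to {nxt}"
        if not accept(nxt, here, src, configs):
            return f"{nxt}: drops source {src} arriving from {here}"
    return "delivered"

if __name__ == "__main__":
    # Request from the laptop to a home device, then the reply.
    print(trace(["laptop", "cloud", "home"], "10.0.0.3", "192.168.1.50"))
    print(trace(["home", "cloud", "laptop"], "192.168.1.50", "10.0.0.3"))
    # The home peer cannot impersonate the laptop's VPN address.
    print(accept("cloud", "home", "10.0.0.3"))
    # Split tunnel: the Pi has no peer for ordinary internet destinations.
    print(lookup("home", "1.1.1.1"))
```

Removing 192.168.1.0/24 from the Home Client's entry on the cloud server makes the first trace stop at the cloud hop, which is why that entry in Step 1 matters.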

You have now successfully created a robust and secure way to access your home network from anywhere in the world, without the hassles of port forwarding or dynamic DNS!