10/15/2025

unRAID Reverse Proxy with WireGuard and Nginx

If you want to expose self‑hosted apps on unRAID to the internet without revealing your home IP address, WireGuard and Nginx are a great combination.

You'll create a server‑to‑server WireGuard connection between a cheap VPS and your unRAID box, then route traffic from the VPS’s public IP to unRAID.

This keeps your home IP private, bypasses ISP double NAT, and the setup takes less than 60 minutes.

WireGuard

Step 1: Get a VPS

Get a VPS from a provider of your choosing. I'm using OVHcloud as they're affordable and don't limit your bandwidth, but any VPS provider will work just fine here.

Step 2: Set up your VPS

Install WireGuard

# Update your server's package list
apt update

# Install WireGuard and its tools
apt install wireguard -y

Generate server keys

# Switch to the root user
sudo -i

# Go to the WireGuard directory
cd /etc/wireguard/

# Generate a private key and a public key
wg genkey | tee vps_private.key | wg pubkey | tee vps_public.key

To see and copy your keys:

  • cat vps_private.key (Keep this secret, only for the VPS)
  • cat vps_public.key (You will need this for the unRAID setup)

Create the WireGuard configuration

vim /etc/wireguard/wg0.conf

[Interface]
# This server's private tunnel IP
Address = 10.10.0.1/24

# The port WireGuard will listen on
ListenPort = 51820

# Paste the contents of your vps_private.key here
PrivateKey = [PASTE-VPS-PRIVATE-KEY-HERE]

# Peer (Your unRAID Server)
[Peer]
# This public key will come from your unRAID setup in the next section
PublicKey = [PASTE-UNRAID-PUBLIC-KEY-LATER]

# This is the private tunnel IP we will give to unRAID
AllowedIPs = 10.10.0.2/32

10.10.0.0/24 is the network we're setting up for WireGuard. 10.10.0.1 is the IP address we're giving to your VPS. 10.10.0.2 will be the IP assigned to your unRAID server. You can use a different private IP range if you'd prefer.

Open your firewall

If you're using ufw, make sure you open up port 51820:

ufw allow 51820/udp

Set up unRAID

Open unRAID's VPN manager

  • In unRAID's GUI, go to Settings > Network Services > VPN Manager

Open Advanced Settings

Toggle "Advanced" in the top right. A few new options will pop up.

Configure the tunnel

  1. Local name: vps-tunnel (or anything you want)
  2. Click "Generate keypair" - this will generate both the local public and private keys for unRAID
  3. Network protocol: keep as IPv4 only
  4. Local tunnel network pool: 10.10.0.0/24
  5. Local tunnel address: 10.10.0.2
  6. Local endpoint: LEAVE THIS BLANK - this is a critical step that makes unRAID run as a WireGuard client, not a server

Add a peer (your VPS)

  1. Click "Add peer"
  2. Peer name: vps-server (or anything you want)
  3. Peer type of access: "Server to server access"
  4. Peer private key: Leave blank
  5. Peer public key: Paste in the VPS public key you generated earlier (run sudo cat /etc/wireguard/vps_public.key in your server)
  6. Peer endpoint: Your server's public IP, and port 51820
  7. Peer allowed IPs: 10.10.0.1/32
  8. Persistent keepalive: 25 seconds

Finalize connection on your VPS

Update the VPS config

  1. Go back to your VPS SSH terminal.
  2. Edit the config file again:
sudo vim /etc/wireguard/wg0.conf
  • Go to the [Peer] section and replace [PASTE-UNRAID-PUBLIC-KEY-LATER] with the unRAID-generated public key.

Start the tunnel

sudo wg-quick up wg0

sudo systemctl enable wg-quick@wg0

Enable the unRAID tunnel

In the VPN Manager in unRAID, toggle "Active" and "Autostart". You should see "Data received", "Data sent" and "Last handshake" update immediately.

Testing the connection

  1. In unRAID's VPN Manager, click "Ping" next to "Peer tunnel address: 10.10.0.1". You should see the "Ping" button show "Replied" once you click it.
  2. In your VPS, ping your unRAID server through WireGuard and see the response:
ping 10.10.0.2

Nginx

I use Nginx Proxy Manager to manage all my reverse proxies. It gives you a nice, simple UI to manage hosts, SSL certificates and basic access control.

Install Nginx Proxy Manager

In your VPS, install Nginx Proxy Manager: Nginx Proxy Manager: Quick Setup

Create an SSL certificate

If you're using a domain, point it to your VPS's public IP.

Then go into "Certificates" in Nginx Proxy Manager, and create a wildcard SSL certificate.

Alternatively, you can do this later when adding Proxy Hosts.

Adding hosts

  1. Open Nginx Proxy Manager's admin UI at your-server-ip:81
  2. Go into "Hosts" > "Proxy Hosts"
  3. Add Proxy Host
  4. In "Domain names" choose the subdomain you want to use, i.e. nextcloud.yourdomain.com
  5. In "Scheme", choose whatever you configured your self-hosted app to accept when accessed locally.
  6. In "Forwarded Hostname / IP", enter 10.10.0.2
  7. In "Forwarded Port", choose the port of your service
[back to articles]