WireGuard setup for PocketNOC
Last updated: 2026-05-24
Self-hosted WireGuard VPN to reach your SolarWinds Orion server from PocketNOC without relying on a third-party coordination plane.
Overview
WireGuard is a modern VPN protocol built into the Linux kernel and shipped as native clients for every major OS. Unlike Tailscale or ZeroTier (which run WireGuard / their own protocol plus a SaaS coordination plane), self-hosted WireGuard is just you, two peers, and a UDP port. This guide sets up WireGuard so PocketNOC on your phone can reach a SolarWinds Orion server inside your network.
Pick self-hosted WireGuard when you cannot tolerate any third-party between your phone and Orion — financial services, government, classified-environment-adjacent work. For everyone else, Tailscale and ZeroTier save real operational effort and have the same security model at the data plane.
Prerequisites
- A SolarWinds Orion server inside your network.
- A Linux host (any modern distro) on the same network as Orion, with a public IP and one inbound UDP port (default 51820) reachable from the internet. This is the WireGuard endpoint. A small VPS, a router that supports WireGuard, a Raspberry Pi inside the DMZ — anything works.
- Admin access to the Linux host.
- PocketNOC installed on iOS or Android.
This setup uses the server endpoint pattern: the phone connects to the Linux host's public WireGuard endpoint, then routes traffic destined for the Orion subnet through the tunnel.
Setup
1. Install WireGuard on the Linux endpoint
On Debian/Ubuntu:
apt update && apt install -y wireguard wireguard-tools qrencode
On RHEL/Rocky:
dnf install -y epel-release && dnf install -y wireguard-tools qrencode
2. Generate the server keypair
cd /etc/wireguard
umask 077
wg genkey | tee server.key | wg pubkey > server.pub
3. Generate the phone's keypair
The phone's keypair can be generated on the phone (WireGuard app → Add tunnel → Create from scratch), but generating on the server first lets you build a complete config + QR code for one-tap import. Either works; do whichever feels cleaner.
On the server:
wg genkey | tee phone.key | wg pubkey > phone.pub
4. Write /etc/wireguard/wg0.conf on the server
Replace SERVER_PUBLIC_IP with the endpoint's reachable IP, ORION_SUBNET with the CIDR your Orion server lives in (e.g. 10.0.5.0/24), and <server-key> / <phone-pub> with the contents of the matching files.
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <server-key>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# Phone
PublicKey = <phone-pub>
AllowedIPs = 10.99.0.2/32
Enable IP forwarding:
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-wireguard.conf
sysctl -p /etc/sysctl.d/99-wireguard.conf
Bring the interface up:
wg-quick up wg0
systemctl enable wg-quick@wg0
5. Build the phone's config
Create phone.conf (do not deploy this file anywhere — it's just for QR generation):
[Interface]
PrivateKey = <phone-key>
Address = 10.99.0.2/24
DNS = 10.0.5.10 # optional: your internal DNS
[Peer]
PublicKey = <server-pub>
Endpoint = SERVER_PUBLIC_IP:51820
AllowedIPs = ORION_SUBNET # e.g. 10.0.5.0/24 — only route Orion traffic, leave the rest of the phone's connectivity alone
PersistentKeepalive = 25
Generate a QR code:
qrencode -t ansiutf8 < phone.conf
6. Import on the phone
Install the WireGuard app from the App Store or Google Play. Tap Add tunnel → Create from QR code, scan the QR you printed above, give the tunnel a name like orion-vpn, and toggle it on.
7. Confirm reachability
With the tunnel active on the phone, open Safari/Chrome and visit https://<orion-internal-ip>:17778. You should see the expected TLS warning for a self-signed cert.
8. Point PocketNOC at the Orion server's internal IP
Open PocketNOC, choose Connect to your Orion server, and enter:
- Host: the Orion server's internal IP (e.g. 10.0.5.10)
- Port: 17778
- Username / password: a dedicated read-only Orion account
On first connect, PocketNOC shows the cert fingerprint via TOFU. Verify and accept.
Firewall requirements
On the Linux endpoint
- Inbound 51820/udp from anywhere (or your phone's known IPs if you have them).
- Outbound to the Orion subnet on 17778/tcp.
Between the Linux endpoint and Orion
- The endpoint's WireGuard interface (wg0) routes through eth0 to reach Orion. The Orion subnet must accept traffic from the endpoint's eth0 IP.
SolarWinds account recommendations
Same as for all transports: dedicated read-only Orion account, scoped group membership, never reuse the admin account. See the Tailscale setup guide.
Troubleshooting
Handshake never completes. Phone shows "0 bytes received." Almost always 51820/udp is blocked somewhere between the phone and the endpoint. Test with another network (cellular vs Wi-Fi) to confirm.
Handshake works but Orion is unreachable. Check IP forwarding (cat /proc/sys/net/ipv4/ip_forward should be 1) and iptables -L FORWARD for the accept rule. The Orion subnet may also have a host firewall that drops traffic from the endpoint's IP.
Tunnel disconnects when the phone sleeps. Add PersistentKeepalive = 25 to the phone's peer config (already in the example above). For battery-conscious operation, set the keepalive higher (e.g. 60) — handshakes are cheap.
Multiple devices. Each device needs its own keypair and its own [Peer] block on the server. Don't share a keypair across devices; if one is lost you have to rotate everywhere.
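The multi-device case above, as an added helper script that is not part of the original guide: it assumes the 10.99.0.0/24 tunnel subnet and wg0.conf layout used in this setup, allocates the next free tunnel address, appends the device's own [Peer] block, and renders the device-side config for QR generation. Key material is passed in as arguments (generate it with wg genkey / wg pubkey as in step 3).

```shell
#!/bin/sh
# Added example, not from the original guide: provision an extra device the
# way the "Multiple devices" note describes (own keypair, own [Peer] block).
# Assumes the 10.99.0.0/24 tunnel subnet and wg0.conf layout used above.
# Keys are passed in as arguments so the logic runs without wireguard-tools;
# in real use generate them with `wg genkey | tee tablet.key | wg pubkey`.
set -eu

# Print the next unused 10.99.0.x host address by scanning AllowedIPs lines
# of the server config. 10.99.0.1 is the server, so allocation starts at .2.
next_peer_addr() {
    last=$(awk -F'[ =/.]+' 'BEGIN { m = 1 }
        /^AllowedIPs *= *10\.99\.0\./ { if ($5 + 0 > m) m = $5 + 0 }
        END { print m }' "$1")
    next=$((last + 1))
    [ "$next" -le 254 ] || { echo "10.99.0.0/24 exhausted" >&2; return 1; }
    echo "10.99.0.$next"
}

# Append a [Peer] block for the device to the server config and print the
# address that was allocated. Args: server_conf device_name device_pubkey
add_peer_block() {
    addr=$(next_peer_addr "$1")
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$2" "$3" "$addr" >> "$1"
    echo "$addr"
}

# Render the device-side config (the phone.conf shape from step 5).
# Args: device_privkey server_pubkey server_public_ip orion_subnet tunnel_addr
device_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\n\n' "$1" "$5"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s:51820\nAllowedIPs = %s\nPersistentKeepalive = 25\n' "$2" "$3" "$4"
}

# Typical use on the endpoint (bash, not run here):
#   addr=$(add_peer_block /etc/wireguard/wg0.conf tablet "$(cat tablet.pub)")
#   device_conf "$(cat tablet.key)" "$(cat server.pub)" SERVER_PUBLIC_IP 10.0.5.0/24 "$addr" | qrencode -t ansiutf8
#   wg syncconf wg0 <(wg-quick strip wg0)   # load the new peer without dropping the tunnel
```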
Security considerations
- Rotate keys at least annually. WireGuard has no key-rotation protocol built in — you do it by replacing the config.
- The server's PrivateKey and each phone's PrivateKey are root credentials. Anyone with the key is the device. Treat them like SSH keys.
- WireGuard does not log by default. If you need to know which phone was connected when, run a tool like wg-monitor or use systemd journal entries from wg-quick.
- For multi-engineer rotations, consider Tailscale — its ACL and user-identity model are better suited to teams than raw WireGuard.
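Added example, not part of the original guide, serving both the troubleshooting section (telling "handshake never completes" from "handshake works but Orion is unreachable") and the note that WireGuard does not log: it classifies each peer from the output of wg show wg0 dump, and run from cron with a timestamp it gives a rudimentary record of which device was connected when. The dump file path and the 180 s staleness threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: classify each peer from
# `wg show wg0 dump` output as active, stale or never-handshaken. A WireGuard
# session rekeys every ~2 minutes while traffic flows, so a last handshake
# older than 180 s (assumed threshold) means the peer is not connected now.
set -eu

# Args: dump_file now_epoch [stale_seconds]. Peer lines in the dump are
# tab-separated: pubkey psk endpoint allowed-ips latest-handshake rx tx keepalive;
# the first line describes the interface and is skipped.
peer_report() {
    awk -F'\t' -v now="$2" -v stale="${3:-180}" 'NR > 1 {
        if ($5 == 0)                state = "never"
        else if (now - $5 > stale)  state = "stale"
        else                        state = "active"
        age = ($5 == 0) ? "-" : (now - $5) "s"
        printf "%-6s %s endpoint=%s allowed=%s last=%s rx=%s tx=%s\n",
               state, substr($1, 1, 8) "...", $3, $4, age, $6, $7
    }' "$1"
}

# Count peers in a given state, for alerting or for a cron job that appends a
# timestamped report to a log file. Args: dump_file now_epoch state
count_state() {
    peer_report "$1" "$2" | awk -v s="$3" '$1 == s' | wc -l | tr -d ' '
}

# Live use on the endpoint (needs root to read the dump):
#   wg show wg0 dump > /tmp/wg.dump && peer_report /tmp/wg.dump "$(date +%s)"
```

A "never" peer with endpoint=(none) has sent nothing that reached the server, which points at 51820/udp being blocked; an "active" peer that still cannot reach Orion points at forwarding or the Orion-side firewall.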
Further reading
- Tailscale setup — managed coordination plane on top of WireGuard.
- ZeroTier setup — alternative mesh approach.
- Cloudflare Tunnel setup — outbound-only model with Access policies.