Wireguarding my home (How to put your entire network through a VPN using just a laptop, modem, and access point)

Amir Omidi
Sep 2, 2018 · 4 min read

I recently decided to visit my home country, Iran. One thing I immediately noticed was that the internet was a lot less accessible. Some services based in the United States, such as Google Cloud Platform, had blocked Iranians from accessing services hosted there. What am I supposed to do without my Spotify?

Unfortunately, bypassing these limitations isn’t easy for the average Iranian. VPN services are extremely slow, and DPI by the Iranian government makes maintaining a connection extremely difficult.

I had learned about Wireguard before and decided to give it a go. Maybe it’s more resilient to getting blocked by the Iranian government? I decided to try Mullvad’s commercial Wireguard service (I am not affiliated with Mullvad). I followed their guide to set up the VPN on my Mac laptop. Guess what? It worked extremely well! No more random disconnects, no more random throttling issues, no more annoying limitations from the Iranian and United States governments. Internet in Iran was how it was supposed to be: fast and accessible.

Unfortunately, Wireguard doesn’t have an official Windows or iOS client. This made it extremely difficult to use Wireguard on my phone and other devices. Eventually I decided to try to make Wireguard tunnel my entire network. I have Chromecast devices, multiple phones, and laptops on the network. All of them were suffering from this issue.

Unfortunately, the sanctions have made it essentially impossible to purchase any proper networking equipment, so I had to work with what I had: a terrible 4G modem & router combo, my MacBook Pro, and a Ubiquiti access point (AP). I decided to turn my laptop into a router to share my VPN connection with the rest of the house. Fortunately, I had brought two Ethernet -> USB-C dongles with me.

[Image: Dongles and Ethernet]

I connected the 4G modem to one of the dongles and the AP to the other one, turned off the Wi-Fi, and confirmed that my internet was working. The 4G router was running on the 192.168.1.0/24 subnet, so to avoid any conflicts I decided to set up the AP’s interface on 192.168.2.0/24. I also confirmed the names of the interfaces with ifconfig: en5 is the interface between my laptop and the AP, and en6 is the interface between my laptop and the 4G router.

[Image: Internet settings for en5 (the AP interface)]

So what does a modern “router” need in this day and age? DHCP and NAT! Fortunately, OSX handles both of these for us with its built-in utilities. For DHCP we have bootpd. This utility is configured in /etc/bootpd.plist, and is actually what OSX uses when you turn your laptop into a hotspot with Internet Sharing. After reading the man page, and with a ton of help from friends, I finally arrived at the configuration file that sets it up as a DHCP server:

[Image: bootpd.plist file]

In this file, I set up the network on 192.168.2.1 with an IP range of 192.168.2.5 to 192.168.2.254, and decided to use Cloudflare’s privacy-oriented DNS server. Once this was done, running the DHCP server as a foreground process (for debugging purposes) was extremely simple. All that had to be done was to run it:

cd /usr/libexec
sudo ./bootpd -i en5 -d

After connecting a device to that interface, I was able to confirm that the DHCP server was successfully handing out IPs:

Amirs-MacBook-Pro:libexec amir$ sudo ./bootpd -i en5 -d
Sep  2 19:48:25  bootpd[32682] <Notice>: can't open /etc/bootptab
Sep  2 19:48:25  bootpd[32682] <Notice>: server name Amirs-MacBook-Pro.local
Sep  2 19:48:25  bootpd[32682] <Notice>: interface en5: ip 192.168.2.1 mask 255.255.255.0
0/1 ==> link 16
0.0.0.0 ==> 192.168.1.1
127 ==> 127.0.0.1
128/1 ==> link 16
169.254 ==> link 19
169.254 ==> link 18
192.168.1 ==> link 19
192.168.1.1 ==> link 19
192.168.1.180 ==> link 19
192.168.2 ==> link 18
192.168.2.1 ==> link 18
224/4 ==> link 19
224/4 ==> link 18
255.255.255.255 ==> link 19
255.255.255.255 ==> link 18
There are 1 entries
1. Subnet 'macdhcp'
Network: 192.168.2.0/255.255.255.0
Range: 192.168.2.5..192.168.2.254
Allocate: yes
Lease Min: 86400   Lease Max: 86400
Options:
Code Length   Data
3      4   c0 a8 02 01
6      4   01 01 01 01
DNS servers: 193.138.219.228
DNS domain: lan
DNS search: lan
destination address 255.255.255.255
Sep  2 19:48:25  bootpd[32682] <Notice>: DHCP REQUEST [en5]: 1,MAC-ADDRESS <iPhone>
init-reboot
state=INIT/REBOOT
Sending: DHCP ACK (size 300)
Sep  2 19:48:25  bootpd[32682] <Notice>: ACK sent iPhone 192.168.2.8 pktsize 300

So far, I had the LAN working, but there was no sign of an internet connection on that interface. The next step was to set up NAT. Fortunately, OSX was kind enough to provide this for us too, via pfctl, the control utility for the pf packet filter firewall. I decided to make a simple script called vpn.sh to handle this:

[Image: vpn.sh script. The utun2 interface was created by Wireguard.]
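Neither the bootpd.plist file nor the vpn.sh script survived as text on this page, so the following is an added example, not the author's files, that reconstructs both steps (the DHCP server configuration above and the pf NAT script) in one POSIX shell script. It assumes the interface names from the post (en5 toward the AP, en6 toward the 4G router, utun2 created by Wireguard), the 192.168.2.0/24 subnet with 192.168.2.1 as the router, and the bootpd.plist keys documented in bootpd(8). The `block drop out quick on en6` rule is an addition that turns the accidental kill switch described below into a deliberate one: if the tunnel goes away, LAN traffic is dropped rather than forwarded un-NATed to the 4G router.

```shell
#!/bin/sh
# Added example (not the author's vpn.sh / bootpd.plist). Assumed names:
# LAN interface en5, 4G WAN interface en6, Wireguard tunnel utun2.
# The generator functions are pure; only "apply" touches the system
# and that requires macOS and root.

LAN_IF="${LAN_IF:-en5}"
WAN_IF="${WAN_IF:-en6}"
VPN_IF="${VPN_IF:-utun2}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"

# Emit a pf ruleset: NAT LAN clients out through the tunnel only, and
# explicitly drop LAN-sourced packets that would otherwise leave on the
# raw 4G interface (deliberate kill switch). macOS pf requires the nat
# translation rule to precede the filter rules.
gen_pf_rules() {
    pf_lan_net="$1"; pf_vpn_if="$2"; pf_wan_if="$3"
    cat <<EOF
nat on $pf_vpn_if from $pf_lan_net to any -> ($pf_vpn_if)
block drop out quick on $pf_wan_if from $pf_lan_net to any
pass out on $pf_vpn_if from $pf_lan_net to any
EOF
}

# Emit a bootpd.plist (keys as documented in bootpd(8), assumed here):
# serve DHCP on one interface, one subnet with a fixed lease and a
# router/DNS option. Subnet name "macdhcp" matches the post's log output.
gen_bootpd_plist() {
    bp_if="$1"; bp_net="$2"; bp_mask="$3"; bp_router="$4"
    bp_start="$5"; bp_end="$6"; bp_dns="$7"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>bootp_enabled</key><false/>
  <key>dhcp_enabled</key>
  <array><string>$bp_if</string></array>
  <key>Subnets</key>
  <array>
    <dict>
      <key>name</key><string>macdhcp</string>
      <key>net_address</key><string>$bp_net</string>
      <key>net_mask</key><string>$bp_mask</string>
      <key>net_range</key>
      <array><string>$bp_start</string><string>$bp_end</string></array>
      <key>allocate</key><true/>
      <key>lease_min</key><integer>86400</integer>
      <key>lease_max</key><integer>86400</integer>
      <key>dhcp_router</key><string>$bp_router</string>
      <key>dhcp_domain_name_server</key>
      <array><string>$bp_dns</string></array>
      <key>dhcp_domain_name</key><string>lan</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Apply everything on the laptop (root on macOS). Loading with "pfctl -f -"
# replaces the main ruleset, including Apple's default anchors.
apply_router() {
    # Without forwarding the kernel silently drops packets arriving on en5
    # that are destined for the tunnel.
    sysctl -w net.inet.ip.forwarding=1
    gen_pf_rules "$LAN_NET" "$VPN_IF" "$WAN_IF" | pfctl -f -
    pfctl -e || true   # non-zero if pf was already enabled; harmless
    gen_bootpd_plist "$LAN_IF" 192.168.2.0 255.255.255.0 192.168.2.1 \
        192.168.2.5 192.168.2.254 1.1.1.1 > /etc/bootpd.plist
    # Foreground with -d so lease activity is visible, as in the post.
    exec /usr/libexec/bootpd -i "$LAN_IF" -d
}

# Default invocation only prints the pf rules; "apply" changes the system.
case "${1:-}" in
    apply) apply_router ;;
    *) gen_pf_rules "$LAN_NET" "$VPN_IF" "$WAN_IF" ;;
esac
```

Run it without arguments to review the generated rules, then `sudo ./vpn.sh apply` once the Wireguard tunnel is up and utun2 exists. To confirm the kill switch works, bring the tunnel down and check with `pfctl -s state` that no state entries appear on en6 with a 192.168.2.x source address.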


After executing this script and ensuring the DHCP server is running, any client that connects to the AP now goes through Wireguard. And guess what? I can finally work on all my devices without interruption and bypass all the limitations imposed on me by the American and Iranian governments.

Now, if Wireguard disconnects for whatever reason, the whole network loses internet access, since clients only ever reach the outside through the tunnel. So this network setup accidentally became a kill switch too!


If you believe the internet has to be free and accessible for everyone in the world, no matter where they are, do everyone a favor and avoid using Google Cloud Platform. It is one of the only American cloud providers that simply bans Iranians from accessing services hosted there. Neither AWS nor Azure has this ridiculous limitation.
