wg0..conf, turn the tunnel ON.10.8.0.30 (Ally) or 10.8.0.20 (laptop).You must install WireGuard on every device and import that device's config once. There is no way around that for split subnets without merging the LANs.
Once the tunnels are up, RustDesk runs from Windows to 10.8.0.30 / 10.8.0.20, and SSH runs from anywhere to pihole@10.8.0.1. Domains like voidgate.top are only used as the away-from-home WireGuard endpoint.
| Client config | Device | VPN IP |
|---|---|---|
| windows-pc.conf | Windows desktop | 10.8.0.10 |
| arch-laptop.conf | Omarchy Arch laptop | 10.8.0.20 |
| rog-ally.conf | ROG Ally (SteamOS) | 10.8.0.30 |
| oneplus-phone.conf | OnePlus Android | 10.8.0.40 |
Pi server stays 10.8.0.1. Each device imports only its own config.
NAT hairpin to the public IP does not work from inside the house, so a home config must point at a same-subnet Pi LAN IP. Away configs use the public hostname. The home and away variants share the same key and VPN IP; only the Endpoint line differs. Import both tunnels and activate whichever matches your location.
| Device | At home (Endpoint) | Away (Endpoint) |
|---|---|---|
| Windows PC (ethernet) | 192.168.3.100:51820 windows-pc.conf | voidgate.top:51820 windows-pc-away.conf |
| ROG Ally / Arch laptop (Eero Wi-Fi) | 192.168.7.251:51820 rog-ally.conf / arch-laptop.conf | voidgate.top:51820 *-away.conf |
| OnePlus phone | 192.168.7.251:51820 oneplus-phone-home.conf | voidgate.top:51820 oneplus-phone.conf |
Do not use 104.8.0.42 as a home endpoint. HTTPS / WireGuard to the public IP from inside the LAN gets no response (hairpin is broken). Home configs must use the Pi LAN IP on your own subnet; never target 192.168.3.100 from the 192.168.7.x Wi-Fi (separate routers, no route between them).
Pre-flight (one per portable device, on home Wi-Fi, before importing): ping 192.168.7.251 from the Ally/laptop, or ping 192.168.3.100 from Windows, should succeed. If the Eero 192.168.7.251 ping fails, the Eero has client isolation enabled; turn it off or place the Pi and clients on the same Eero profile.
No DNS line is set, so each device keeps its own resolver: Pi-hole at home (so *.voidgate.top web stays reachable while the tunnel is up), cellular DNS away.
| App | Where |
|---|---|
| WireGuard | wireguard.com/install (Windows, Android Play Store, Linux wireguard-tools) |
| RustDesk | rustdesk.com (Windows, Linux Flatpak/pacman, Android) |
You do not download WireGuard from voidgate. Install the WireGuard app, then import the .conf file for that device.
10.8.0.x and must use the public RustDesk ID.10.8.0.0/24 while the tunnel is up.10.8.0.30 (Ally) or 10.8.0.20 (laptop) into Remote ID.ssh user@10.8.0.30 in PowerShell (run whoami on the host to learn the user).Wayland caveat (SteamOS / KDE / Omarchy): if the remote screen is black or input is ignored, the host is on a Wayland session. Use an X11 / Xorg login session, or grant RustDesk the PipeWire screen-capture portal per the RustDesk Wayland notes. SteamOS Game Mode is a poor RustDesk host; use Desktop Mode for setup and when you expect remote control.
The repo github.com/aringadre76/selfhosted is private, so cloning or a raw download on the Ally needs authentication: a GitHub personal access token (PAT) or an SSH key added to your GitHub account.
git clone over SSH, or HTTPS with a PAT, then copy wireguard/clients/rog-ally.conf..conf from Windows by USB stick or scp. It is the same file; no GitHub auth needed on the Ally.Take only that device's file. Do not copy another device's .conf onto the Ally.
On cellular or hotel Wi-Fi, turn on WireGuard with the away config (voidgate.top:51820). You join the same 10.8.0.0/24 network as home. Then:
| Target | Tool | Works away? |
|---|---|---|
Raspberry Pi (homelab, Cursor CLI, docker compose) | SSH to pihole@10.8.0.1 | Yes, if the Pi is on and UDP 51820 is forwarded |
| Laptop / Ally (full desktop) | RustDesk to 10.8.0.20 / 10.8.0.30 | Only if that device is powered on with its tunnel active |
| Pi via Cursor cloud | cursor.com/agents → raspberry-pi-homelab | Yes, no VPN required (outbound worker) |
Phone to Pi for Cursor CLI:
cd ~/selfhosted
docker compose ps
docker compose logs --tail=50 caddy
~/.local/bin/agent --helpTyping long commands on a phone is awkward but valid. For serious work, Cursor Cloud Agents are usually easier and need no VPN (the Pi worker cursor-worker.service must be running).
| Symptom | Check |
|---|---|
| RustDesk times out | WireGuard off on Windows or on the host; ping 10.8.0.30 first. |
| Ping fails | Host tunnel not active, or peer missing on the Pi (sudo wg show). |
| Connects then black screen | Host in Game Mode or display asleep; wake it in Desktop Mode. |
| Black screen / no input | Wayland session: switch to X11 or set up the RustDesk Wayland portal. |
| Ping OK but RustDesk refuses | Host firewall: allow RustDesk (21114-21119) and Direct IP Access; allow incoming from 10.8.0.0/24 while WG is up. |
| Works at home but not away | Activate the -away.conf (Endpoint = voidgate.top:51820). Away needs the public A record pointing at the live home IP (dig voidgate.top @1.1.1.1) and UDP 51820 forwarded to 192.168.3.100. |
| WG works away but not at home (Windows, 3.x) | Use the home config Endpoint = 192.168.3.100:51820 (Pi eth0). The public IP / hostname fails at home because hairpin is broken. |
| WG fails on Ally / laptop at home | Use Endpoint = 192.168.7.251:51820 (Pi wlan0, same Eero subnet). Not 104.8.0.42, not 192.168.3.100. If ping 192.168.7.251 fails, Eero client isolation is on. |
v1 uses RustDesk public rendezvous servers. The Pi is SSH / Cursor CLI only (no RustDesk host). A self-hosted RustDesk relay on the Pi is a possible later phase.