LightNVR Cloud
← All How-To Guides
Networking

How to Setup WireGuard with Home Routers and LightNVR Cloud

Connect your home security cameras to LightNVR Cloud through a secure WireGuard VPN tunnel — no port forwarding needed, no exposing your home network to the internet.

10 min read Difficulty: Intermediate

1. What is WireGuard and why use it?

WireGuard is a modern, lightweight VPN protocol that creates an encrypted tunnel between your home network and your LightNVR Cloud instance. It’s the recommended way to connect your cameras because:

  • No port forwarding needed — your router initiates the connection outbound, so you don’t need to open any ports on your firewall
  • Encrypted end-to-end — all camera traffic is encrypted between your home and the cloud using state-of-the-art cryptography
  • Low overhead — WireGuard adds minimal latency (~1-2ms) and uses very little CPU, even on small devices like a Raspberry Pi
  • Always-on — the tunnel reconnects automatically after network interruptions

2. Prerequisites

Before you begin, make sure you have:

  • A LightNVR Cloud account with an active instance (create one here)
  • A home router that supports WireGuard — most modern routers do:
    • ASUS routers (Merlin firmware or stock RT-AX series) — built-in WireGuard client
    • GL.iNet routers (e.g., GL-MT3000 Beryl AX) — built-in WireGuard in the admin panel
    • pfSense / OPNsense — WireGuard package available
    • UniFi Dream Machine — WireGuard support in recent firmware
    • MikroTik — WireGuard support in RouterOS 7+
    • OpenWrt routers — WireGuard package available via opkg
  • One or more IP cameras on your local network that support RTSP or ONVIF
  • Know your cameras’ local IP addresses (e.g., 192.168.1.100)
If your router doesn’t support WireGuard, you can use a Raspberry Pi as a WireGuard gateway instead. See Section 5.

3. Create a WireGuard tunnel in LightNVR

Log in to your LightNVR Cloud dashboard and navigate to your instance detail page.

  1. Click the “WireGuard Tunnels” section on your instance page
  2. Click “+ New Tunnel”
  3. Give the tunnel a name (e.g., “Home Router” or “Office Network”)
  4. Enter the local camera subnet you want to route through the tunnel (e.g., 192.168.1.0/24)
  5. Click Create
  6. LightNVR will generate a WireGuard configuration file — download it or copy the configuration
Keep the WireGuard configuration file private. It contains your private key and should be treated like a password.

The generated configuration will look something like this:

[Interface]
PrivateKey = <your-private-key>
Address = 10.8.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <lightnvr-server-public-key>
Endpoint = <your-instance>.lightnvr.com:51820
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25

4. Configure your home router

The exact steps vary by router, but the general process is the same:

ASUS Routers (Merlin firmware)

  1. Go to VPN → VPN Client
  2. Select the WireGuard tab
  3. Click Import and paste the configuration from Step 3
  4. Under Policy Rules, add your camera IPs so only camera traffic goes through the tunnel
  5. Click Apply and enable the connection

GL.iNet Routers

  1. Go to VPN → WireGuard Client
  2. Click “Set Up WireGuard Manually”
  3. Paste the configuration from Step 3
  4. Click Connect

OpenWrt

  1. Install WireGuard: opkg update && opkg install wireguard-tools luci-proto-wireguard
  2. Go to Network → Interfaces → Add New Interface
  3. Protocol: WireGuard VPN
  4. Enter the private key, address, and peer information from your config
  5. Under Firewall Settings, assign the interface to its own zone or the WAN zone
  6. Save and apply

pfSense / OPNsense

  1. Go to VPN → WireGuard
  2. Add a new Tunnel with your private key and address
  3. Add a Peer with the LightNVR server’s public key, endpoint, and allowed IPs
  4. Create a firewall rule allowing traffic from your camera subnet to the WireGuard interface
  5. Add a static route for 10.8.0.0/24 via the WireGuard gateway

5. Alternative: Raspberry Pi as WireGuard gateway

If your router doesn’t support WireGuard natively, a Raspberry Pi (any model with ethernet) makes an excellent dedicated WireGuard gateway. It sits on your local network alongside your cameras and handles the VPN tunnel.

  1. Install WireGuard on the Pi: 
    sudo apt update && sudo apt install wireguard
  2. Save the config from Step 3 to /etc/wireguard/wg0.conf: 
    sudo nano /etc/wireguard/wg0.conf
# Paste your config here
  3. Enable IP forwarding so the Pi can route camera traffic: 
    echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
  4. Start the tunnel: 
    sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
  5. Set a static route on your main router: route 10.8.0.0/24 via the Pi’s IP address (e.g., 192.168.1.50). This tells your cameras’ traffic destined for the VPN to go through the Pi.
A Raspberry Pi Zero 2 W ($15) or Pi 3B+ is more than sufficient for handling WireGuard for 10+ cameras.

6. Verify the connection

Once the tunnel is up, verify it’s working:

  1. Check tunnel status — on your router or Pi, check that the handshake is recent: 
    sudo wg show
# Look for "latest handshake" — should be within the last 2 minutes
  2. Ping the LightNVR server through the tunnel: 
    ping 10.8.0.1
# You should get responses with low latency
  3. Check in the LightNVR dashboard — your tunnel should show a green “Connected” status on the instance detail page

7. Add cameras to LightNVR

With the tunnel active, your cameras’ local IPs are now reachable from your LightNVR Cloud instance. Add them using their local IP addresses — the VPN handles the rest.

  1. Open your LightNVR instance at https://your-instance.lightnvr.com
  2. Go to Settings → Streams
  3. Add a new stream with your camera’s RTSP URL, e.g.: 
    rtsp://192.168.1.100:554/stream1
rtsp://admin:password@192.168.1.101:554/h264Preview_01_main
  4. Click Save — you should see the live view appear within seconds
Don’t know your camera’s RTSP URL? Check our How to Connect RTSP Cameras guide.

8. Troubleshooting

Tunnel won’t connect

  • Make sure your router/Pi can reach the internet (outbound UDP port 51820 must not be blocked)
  • Double-check the endpoint address matches your LightNVR instance
  • Verify the private key and public key are correct (no extra whitespace)

Tunnel is connected but cameras aren’t visible

  • Verify the AllowedIPs in the config includes your camera subnet
  • If using a Pi, make sure IP forwarding is enabled and your main router has a static route to the Pi
  • Try pinging a camera IP from the LightNVR side (contact support if needed)

High latency or dropped frames

  • Check your upload speed — each 1080p camera needs roughly 4-8 Mbps of upstream bandwidth
  • Consider reducing camera resolution or frame rate if bandwidth is limited
  • If your ISP uses CGNAT, WireGuard should still work (it’s outbound-initiated), but latency may be slightly higher

Need more help?

Email support@lightnvr.com with your instance name and we’ll help you troubleshoot.

Related guides

📹

How to Connect RTSP Cameras to LightNVR Cloud

8 min read

 🏢

How to Setup LightNVR Cloud for Multiple Client Sites (MSP Guide)

12 min read