- A different device from your home server?
- On the same home server as the services but directly on the host?
- On the same home server as the services but inside some VM or container?
Do you configure it manually or do you use some helper/interface like WGEasy?
I have been personally using wgeasy but recently started locking down and hardening my containers and this node app running as root is kinda…
Wireguard normally runs with higher than root privileges as part of the kernel, outside of any container namespaces. If you’re running some sort of Wireguard administration service you might be able to restrict its capabilities, but that isn’t Wireguard. Most of my devices are running Wireguard managed by tailscaled running as root, and some are running additional, fixed Wireguard tunnels without a persistent management service.