WireGuard over QUIC using Caddy
A Complete Deployment Guide
1. Overview
This guide details how to deploy WireGuard over QUIC using Caddy as a QUIC-capable reverse proxy. This configuration encapsulates WireGuard traffic within HTTP/3 (QUIC) sessions, allowing VPN communication to blend in with standard HTTPS/3 traffic — an effective method for circumventing restrictive firewalls and improving mobility.
Benefits
QUIC-based tunneling over port 443 (looks like normal HTTPS/3)
Improved resilience to packet loss and network switching
Simplified NAT traversal
Strong encryption via WireGuard and TLS
2. Architecture Diagram
+----------------------+      +----------------------+      +----------------------+
|   WireGuard Client   | <--> |  QUIC Proxy (Caddy)  | <--> |   WireGuard Server   |
|   wg0 (UDP 51820)    |      |  Port 443 (HTTP/3)   |      |   wg0 (UDP 51820)    |
+----------------------+      +----------------------+      +----------------------+
       Local VPN                HTTPS/3 QUIC Tunnel            Remote VPN Backend
3. Prerequisites
Ubuntu 22.04+ or Debian 12+ on both client and server
Public domain name (e.g., vpn.example.com)
Valid TLS certificates (Let’s Encrypt or self-signed)
Root or sudo privileges
4. Server Configuration
Step 1: Install Required Packages
apt update && apt install -y wireguard caddy ufw
Step 2: Configure WireGuard
File: /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32
Generate keys:
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
Enable and start:
systemctl enable wg-quick@wg0 --now
Step 3: Configure Firewall
ufw allow 443/tcp
ufw allow 443/udp
ufw enable
Step 4: Configure Caddy as QUIC Proxy
Edit /etc/caddy/Caddyfile:
vpn.example.com {
reverse_proxy 127.0.0.1:51820 {
transport http {
versions h3
}
}
}
Caddy automatically enables QUIC and HTTP/3. Restart:
systemctl restart caddy
Step 5: Verify QUIC Support
Use curl with HTTP/3:
curl -I --http3 https://vpn.example.com
Expected response: HTTP/3 502 (or similar proxy message). This confirms QUIC is working.
5. Client Configuration
Step 1: Install WireGuard and Caddy
apt update && apt install -y wireguard caddy
Step 2: Run Local Caddy QUIC Proxy
File: /etc/caddy/Caddyfile
:51820 {
reverse_proxy vpn.example.com:443 {
transport http {
versions h3
}
}
}
Start Caddy:
systemctl restart caddy
Step 3: Configure WireGuard Client
File: /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = 127.0.0.1:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Generate keys:
wg genkey | tee /etc/wireguard/client_private.key | wg pubkey > /etc/wireguard/client_public.key
Bring up interface:
wg-quick up wg0
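An added example, not part of the guide: after the two wg genkey lines above have been run on each host, this script confirms that the key pasted into wg0.conf is the one in the key file, that it has the shape of a WireGuard key (44 base64 characters ending in "="), and that the key file and the config are readable only by their owner. It runs against constructed files in a temp directory with a fake key-shaped value; on a real host pass /etc/wireguard/server_private.key and /etc/wireguard/wg0.conf (or the client equivalents) instead.

```shell
#!/bin/sh
# Added example (not from the guide): consistency and permission checks on
# WireGuard key material. Everything below runs on constructed files.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed key-shaped string (43 base64 chars + "="), not a real key.
FAKE_PRIV="$(head -c 43 /dev/zero | tr '\0' 'A')="
( umask 077; printf '%s\n' "$FAKE_PRIV" > "$WORK/server_private.key" )

# Constructed wg0.conf: the PrivateKey line still carries the guide's
# placeholder, which is exactly the mistake this check is meant to catch.
# The mode is forced to 644 so the permission check has something to flag.
cat > "$WORK/wg0.conf" <<'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32
EOF
chmod 644 "$WORK/wg0.conf"

# key_is_wellformed KEY: 0 if KEY is 43 base64 characters followed by "="
key_is_wellformed() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# conf_private_key WGCONF: prints the first PrivateKey value in the config
conf_private_key() {
    sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# key_matches_conf KEYFILE WGCONF: 0 if the key file content equals the config value
key_matches_conf() {
    [ "$(cat "$1")" = "$(conf_private_key "$2")" ]
}

# owner_only FILE: 0 if group and other have no permission bits at all
owner_only() {
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_keys KEYFILE WGCONF: runs all checks, returns the number of failures
check_keys() {
    fails=0
    key=$(cat "$1")
    key_is_wellformed "$key" && echo "ok    key file holds a well-formed key" \
        || { echo "FAIL  key file does not look like a WireGuard key"; fails=$((fails + 1)); }
    key_matches_conf "$1" "$2" && echo "ok    PrivateKey in config matches key file" \
        || { echo "FAIL  PrivateKey in config differs from key file (placeholder left in?)"; fails=$((fails + 1)); }
    for f in "$1" "$2"; do
        owner_only "$f" && echo "ok    $f is owner-only" \
            || { echo "FAIL  $f is readable by group/other; chmod 600 it"; fails=$((fails + 1)); }
    done
    return $fails
}

# Stand-alone run on the constructed files: expect two failures (placeholder
# left in the config, and the config file readable by group/other).
check_keys "$WORK/server_private.key" "$WORK/wg0.conf" || echo "$? check(s) failed"
```

The same check applies unchanged to the client side with client_private.key and the client's wg0.conf.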
6. Testing & Verification
Step 1: Ping the Server
ping 10.0.0.1
Should respond.
Step 2: Check WireGuard Status
wg show
Look for increasing data counters under transfer:.
Step 3: Verify QUIC Transport
Use tcpdump or ss:
ss -u -n | grep 443
You should see UDP traffic on port 443.
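An added example, not part of the guide, that scripts the checks from Step 5 of the server setup and Steps 2 and 3 of this section. The first function reads the header output of curl -I --http3 and passes only when the status line really is HTTP/3 (curl's --http3 falls back to HTTP/2 or HTTP/1.1 when the QUIC handshake fails, so a 502 on its own does not prove QUIC is in use). The other two parse the raw output of wg show wg0 transfer and wg show wg0 latest-handshakes, which print one tab-separated line per peer, and flag peers whose counters did not move or whose last handshake is too old. The header block, peer keys, byte counters and timestamps are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the guide): scripted verification of the QUIC
# front door and of WireGuard peer activity. Sample inputs are constructed.

# Constructed header output as printed by `curl -I --http3 https://vpn.example.com`
# when the proxy answers over QUIC; the guide's expected result is a 502,
# since the backend speaks WireGuard rather than HTTP.
CURL_HEADERS='HTTP/3 502
server: Caddy
alt-svc: h3=":443"; ma=2592000
content-length: 0'

# Constructed `wg show wg0 transfer` snapshots (fake keys, fake byte counters)
# taken a few seconds apart; peer 2 moved no data in between.
SNAP_BEFORE="$(printf 'PEER1KEY=\t10240\t20480\nPEER2KEY=\t500\t700')"
SNAP_AFTER="$(printf 'PEER1KEY=\t14000\t26000\nPEER2KEY=\t500\t700')"
# Constructed `wg show wg0 latest-handshakes` snapshot; 0 means never.
SNAP_HANDSHAKES="$(printf 'PEER1KEY=\t1700000100\nPEER2KEY=\t0')"

# http3_status HEADERS
# Prints the status code and returns 0 only if the first line is an HTTP/3
# response line; anything else means curl fell back to an older version.
http3_status() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        if ($1 == "HTTP/3") { print $2; exit 0 }
        exit 1
    }'
}

# transfer_delta BEFORE AFTER
# Prints "<peer> rx=<delta> tx=<delta> OK|STALE" per peer in AFTER and returns
# 0 only if every peer moved bytes in both directions between the snapshots.
transfer_delta() {
    { printf '%s\n' "$1"; echo '---'; printf '%s\n' "$2"; } | awk -F'\t' '
        $1 == "---"         { after = 1; next }
        !after && NF >= 3   { rx0[$1] = $2; tx0[$1] = $3; next }
        after && NF >= 3 {
            drx = $2 - rx0[$1]; dtx = $3 - tx0[$1]
            status = (drx > 0 && dtx > 0) ? "OK" : "STALE"
            if (status == "STALE") bad = 1
            printf "%s rx=%d tx=%d %s\n", $1, drx, dtx, status
        }
        END { exit bad ? 1 : 0 }'
}

# handshake_age SNAPSHOT NOW MAX_AGE
# Prints "<peer> age=<seconds> OK|STALE" per peer and returns 0 only if every
# peer handshook within MAX_AGE seconds of NOW. WireGuard rekeys at most every
# 120 s while traffic flows, so with PersistentKeepalive = 25 an age beyond
# about 180 s means packets are not getting through the tunnel.
handshake_age() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="$3" '
        NF >= 2 {
            if ($2 == 0) { printf "%s age=never STALE\n", $1; bad = 1; next }
            age = now - $2
            status = (age <= max) ? "OK" : "STALE"
            if (status == "STALE") bad = 1
            printf "%s age=%d %s\n", $1, age, status
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run on the constructed samples. Against a live host use:
#   http3_status "$(curl -sI --http3 https://vpn.example.com)"
#   b=$(wg show wg0 transfer); sleep 5; transfer_delta "$b" "$(wg show wg0 transfer)"
#   handshake_age "$(wg show wg0 latest-handshakes)" "$(date +%s)" 180
code=$(http3_status "$CURL_HEADERS") && echo "QUIC ok, proxy returned $code" || echo "not HTTP/3"
transfer_delta "$SNAP_BEFORE" "$SNAP_AFTER" || echo "some peers moved no data"
handshake_age "$SNAP_HANDSHAKES" 1700000130 180 || echo "some handshakes stale"
```

The byte counters from wg show wg0 transfer are raw numbers, so the delta is computed without having to parse the "KiB received" wording shown by plain wg show.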
7. Illustration – Packet Flow
[Client App]
↓ (IP packet)
[WireGuard (UDP 51820)]
↓
[Caddy QUIC Proxy :51820]
↓ encapsulated in QUIC (HTTP/3)
⇢ Internet ⇢
↓
[Caddy QUIC Proxy :443]
↓ (decoded UDP packet)
[WireGuard Server :51820]
↓
[Remote Network]
8. Troubleshooting
Problem            Cause                        Solution
No connection      QUIC not enabled in Caddy    Ensure versions h3 in Caddyfile
Connection drops   MTU too high                 Set MTU = 1350 in WireGuard config
No data transfer   Firewall blocking UDP 443    Allow UDP/443 on both ends
TLS errors         Certificate mismatch         Confirm correct domain in Caddy config
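An added example, not part of the guide: a pre-flight check for the configuration-level rows of the troubleshooting table (versions h3 missing, MTU too high, domain mismatch). It reads a Caddyfile and a wg0.conf from disk; the firewall row is not visible in files and is left to ufw status. The two sample files are constructed in a temp directory with the faults present on purpose, so the run shows what failing checks look like; on a real host point it at /etc/caddy/Caddyfile and /etc/wireguard/wg0.conf.

```shell
#!/bin/sh
# Added example (not from the guide): lint the Caddyfile and wg0.conf for
# the causes listed in the troubleshooting table. Sample files are constructed.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed Caddyfile in the guide's shape, but with the h3 line commented out.
cat > "$WORK/Caddyfile" <<'EOF'
vpn.example.com {
    reverse_proxy 127.0.0.1:51820 {
        transport http {
            # versions h3
        }
    }
}
EOF

# Constructed wg0.conf with placeholder keys and no MTU line.
cat > "$WORK/wg0.conf" <<'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = PLACEHOLDER_SERVER_PRIVATE_KEY
[Peer]
PublicKey = PLACEHOLDER_CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
EOF

# check_h3 CADDYFILE: 0 if an uncommented "versions ... h3" line exists.
check_h3() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eq '^[[:space:]]*versions[[:space:]].*h3'
}

# check_mtu WGCONF MAX: 0 if an MTU line exists and its value is <= MAX.
check_mtu() {
    mtu=$(sed -n 's/^[[:space:]]*MTU[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$mtu" ] && [ "$mtu" -le "$2" ]
}

# check_domain CADDYFILE DOMAIN: 0 if a site block for exactly DOMAIN exists;
# the site name is what Caddy uses to pick the certificate it serves.
check_domain() {
    dom=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*$dom[[:space:]]*\{" "$1"
}

# preflight CADDYFILE WGCONF DOMAIN
# Prints one line per table row and returns the number of failed checks.
preflight() {
    fails=0
    if check_h3 "$1"; then
        echo "ok    versions h3 present"
    else
        echo "FAIL  versions h3 missing -> QUIC not enabled in Caddy"; fails=$((fails + 1))
    fi
    if check_mtu "$2" 1350; then
        echo "ok    MTU set and <= 1350"
    else
        echo "FAIL  MTU missing or above 1350 -> set MTU = 1350"; fails=$((fails + 1))
    fi
    if check_domain "$1" "$3"; then
        echo "ok    site block for $3 present"
    else
        echo "FAIL  no site block for $3 -> certificate will not match"; fails=$((fails + 1))
    fi
    return $fails
}

# Stand-alone run against the constructed files (expect two failures).
preflight "$WORK/Caddyfile" "$WORK/wg0.conf" vpn.example.com || echo "$? check(s) failed"
```

Run it on both hosts: the client-side Caddyfile has no domain site block (it listens on :51820), so there only the h3 and MTU checks apply.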
9. Performance Tuning
MTU Optimization: Set MTU = 1350 on both WireGuard interfaces.
Keepalive: Set PersistentKeepalive = 25 to maintain NAT mappings.
Congestion Control: QUIC natively handles congestion using BBR or CUBIC.
10. Security Considerations
Use strong TLS (ECDHE + AES-GCM) for QUIC.
Enable automatic certificate renewal in Caddy (default).
Restrict access to Caddy logs and WireGuard keys.
11. Summary
Component    Function
WireGuard    Provides VPN encryption and routing
Caddy        Implements QUIC/HTTP3 proxy layer
QUIC         Provides UDP-based transport with encryption
Result: A fast, stealthy, and resilient VPN tunnel disguised as HTTPS/3 traffic.