The Reality of Hybrid Work in Australian SMBs
Hybrid work is not a temporary adjustment — it is the settled operating model for most Australian small and medium businesses. Staff connect from home NBN connections in the morning, switch to 4G when they visit a client, and dial in from a co-working space desk in the afternoon. The office network does not change; the location of the people who need to reach it does.
A remote access VPN is the bridge between those workers and the internal resources they depend on: file servers, accounting software, on-premises applications, and IP phone systems. Without it, staff either cannot access what they need or — worse — they find workarounds that your IT policy never anticipated.
The problem is that most Australian SMBs are running one of three things: outdated VPN software that was configured years ago and never properly maintained, a consumer-grade VPN that was never designed for business remote access, or nothing at all.
WireGuard is worth knowing about because it solves the specific problems that make traditional remote access VPNs painful for hybrid teams — without requiring specialist network engineering skills to operate.
Why WireGuard for Remote Access
WireGuard is a modern VPN protocol that has been part of the Linux kernel since version 5.6 and is available as an official client on Windows, macOS, iOS, and Android. Its entire codebase is roughly 4,000 lines — compared to approximately 200,000 for OpenVPN — which means it is simpler to audit, faster to load, and has a smaller attack surface.
For remote access specifically, three properties make WireGuard a strong fit for Australian SMBs.
Seamless Roaming Between Networks
When a laptop moves from home Wi-Fi to a 4G mobile connection, the device's IP address changes. OpenVPN treats this as a disconnection and requires the tunnel to be re-established — users see a dropped connection and have to wait for it to come back up, sometimes requiring manual intervention.
WireGuard handles this differently. It updates the peer endpoint automatically as soon as it receives authenticated traffic from a new IP address. From the worker's perspective, the tunnel simply keeps working. For staff who move between networks multiple times a day, this is a meaningful difference in experience.
Performance Over Australian Connections
WireGuard uses UDP exclusively. UDP has lower overhead than the TCP used by many traditional VPN configurations, which reduces latency. In a country where physical distance from international data centres already adds latency, and where NBN connections can have asymmetric upload speeds that constrain tunnelled traffic, lower protocol overhead matters. The difference is most noticeable in real-time applications like VoIP calls over the VPN and remote desktop sessions.
Simple Peer Management
WireGuard authenticates entirely through cryptographic keypairs. There is no certificate authority to maintain, no expiry dates to track, and no complex revocation infrastructure. Adding a new remote worker involves generating a keypair and adding their public key to the server configuration. Revoking access when someone leaves the business takes approximately 30 seconds: remove their public key from the server config and the tunnel stops working immediately.
For businesses without a dedicated IT team, this operational simplicity is significant.
For a direct protocol comparison, see WireGuard vs OpenVPN for Australian Businesses.
What the Remote Worker Actually Gets
Once WireGuard is running on a device, the worker is on the office network. That statement is not marketing language — it is a description of what the tunnel actually does. Traffic that is routed through the VPN arrives at its destination as though it originated from inside the office.
In practice, this means access to:
- Internal file servers and NAS devices — mapped network drives work as normal
- Accounting software — MYOB and Xero have cloud versions, but many businesses still run server-hosted versions of industry-specific accounting tools that require a local network connection; WireGuard restores that access
- On-premises applications — any software that requires a local network connection or a specific internal IP address works without modification
- Network printers — workers can print to office printers as though they are sitting at a desk
- IP phone system extensions — where a business runs an on-premises PBX or SIP server, staff can register their softphone or desk phone extension over the VPN and receive calls on their office extension from anywhere
No changes are required to the applications or the server-side configuration. The VPN makes the network boundary transparent.
Split Tunnelling: What It Is and When to Use It
How Split Tunnelling Works
A VPN can be configured to send all traffic from the remote device through the tunnel, including general web browsing, video streaming, and everything else. Split tunnelling changes this: only traffic destined for the office network (specific IP ranges) is sent through the VPN. Everything else goes directly to the internet from the worker's local connection.
In WireGuard, this is controlled by the AllowedIPs field in the client configuration. Setting AllowedIPs = 0.0.0.0/0 routes all traffic through the tunnel. Setting specific internal subnets — for example, AllowedIPs = 192.168.1.0/24 — routes only office-bound traffic.
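As an added example (not part of the original article), the following Python audit reads a client configuration and reports whether its AllowedIPs make it full-tunnel or split-tunnel. It also flags a default route set for only one address family, for example 0.0.0.0/0 without ::/0, which leaves IPv6 outside the tunnel. The sample configs, the 10.8.0.0/24 tunnel range, the keys and the hostname vpn.example.com are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample client config; keys and endpoint are placeholders.
FULL_V4_ONLY = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
"""
# Variants of the same constructed config with different AllowedIPs values.
FULL_DUAL = FULL_V4_ONLY.replace("0.0.0.0/0", "0.0.0.0/0, ::/0")
SPLIT = FULL_V4_ONLY.replace("0.0.0.0/0", "192.168.1.0/24, 10.8.0.0/24")


def allowed_networks(config_text):
    """Return every network listed on the config's AllowedIPs lines."""
    nets = []
    for match in re.finditer(r"(?im)^\s*AllowedIPs\s*=\s*(.+)$", config_text):
        value = match.group(1).split("#")[0]  # drop a trailing comment
        for item in value.split(","):
            if item.strip():
                nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets


def classify(config_text):
    """Return (mode, findings) describing how the client routes traffic."""
    nets = allowed_networks(config_text)
    v4_default = any(n.version == 4 and n.prefixlen == 0 for n in nets)
    v6_default = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    findings = []
    if v4_default and v6_default:
        mode = "full-tunnel"
    elif v4_default or v6_default:
        # A default route for one family leaves the other outside the tunnel.
        missing = "IPv6" if v4_default else "IPv4"
        mode = "full-tunnel (one address family)"
        findings.append(f"{missing} is not covered by the tunnel")
    else:
        mode = "split-tunnel"
        # Public ranges in a split tunnel send that traffic via the office.
        findings += [f"{n} is public address space routed via the office"
                     for n in nets if not n.is_private]
    return mode, findings


if __name__ == "__main__":
    for name, cfg in [("split", SPLIT), ("full v4", FULL_V4_ONLY),
                      ("full dual", FULL_DUAL)]:
        print(name, classify(cfg))
```

Where a compliance requirement calls for full-tunnel routing, any result other than plain "full-tunnel" is worth reviewing before the configuration is distributed.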
Benefits of Split Tunnelling
The advantages are practical. Workers browsing the web or streaming a video are not consuming the office internet connection's upload bandwidth. Their general internet performance is not constrained by the VPN tunnel. The office firewall is not processing traffic that has nothing to do with the business.
For businesses where the office internet connection has limited upload capacity — common on NBN plans with asymmetric speeds — split tunnelling can make a meaningful difference to VPN performance for workers who need frequent access to internal resources.
When Not to Use Split Tunnelling
If your business operates under a compliance framework that requires all staff internet traffic to exit from a known, auditable IP address, split tunnelling is not appropriate. This applies to businesses aligning with the Australian Signals Directorate's Essential Eight framework at higher maturity levels, and to regulated industries where traffic logging requirements extend to general browsing.
If you are unsure whether your compliance obligations require full-tunnel routing, that is a question to resolve with your IT provider before configuring the VPN.
Platform Support
WireGuard has official clients for every platform your staff are likely to be using. All are free.
| Platform | Client | Where to Get It |
|---|---|---|
| Windows | WireGuard for Windows | wireguard.com — installs as a system tray application with a straightforward configuration interface |
| macOS | WireGuard | Mac App Store — integrates with macOS system preferences as a standard VPN connection |
| macOS (alternative) | WireGuard via Homebrew | brew install wireguard-tools — command-line option for those who prefer it |
| iOS | WireGuard | Apple App Store — supports QR code import for simple configuration distribution |
| Android | WireGuard | Google Play Store — supports QR code and file import |
The QR code import feature on iOS and Android is practically useful for businesses distributing configurations to staff devices: generate the client config, display the QR code, and the worker scans it with the app. The configuration is imported in seconds without the worker needing to understand what is in the file.
What the Office Needs
Setting up WireGuard for remote access requires two things on the office side. Both are worth understanding before you start planning.
A WireGuard-Capable Server or Router
WireGuard needs somewhere to run at the office end. The options include:
- pfSense or OPNsense — open-source firewall/router distributions that both support WireGuard natively. OPNsense in particular has a straightforward WireGuard configuration interface. These run on dedicated hardware or a virtual machine.
- OpenWRT — Linux-based firmware for embedded routers, suitable for businesses comfortable with more hands-on configuration.
- A Linux server — WireGuard is built into the Linux kernel. Any Linux server already on the network can serve as the WireGuard endpoint with minimal setup.
- Modern commercial routers — a growing number of business-grade routers include native WireGuard support.
If your business already has a capable firewall or router from your IT provider, there is a reasonable chance it either supports WireGuard already or can be updated to do so.
A Publicly Reachable IP Address
This is where many businesses run into a problem they did not know they had.
For a remote worker to connect to the WireGuard server at the office, their device needs to be able to reach the office IP address from the internet. If the office internet connection does not have a publicly reachable IP address, inbound connections cannot be established and the VPN cannot work.
The problem is CGNAT — Carrier Grade Network Address Translation. When an ISP runs out of public IPv4 addresses, it may assign multiple customers to share a single public IP using a private address range in the 100.64.x.x block. Your router's WAN IP looks like an internet address, but it is actually a private address behind the ISP's own NAT layer. No inbound connections can reach you through it.
CGNAT is common in Australia. It appears on many consumer NBN plans and, depending on the provider, on some plans marketed as business-grade. If your router's WAN IP address starts with 100.x.x.x, you are behind CGNAT.
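An added example (not from the original article) of checking a router's WAN address in Python. The address space reserved for carrier-grade NAT is 100.64.0.0/10 (100.64.0.0 to 100.127.255.255, RFC 6598), so the check tests that range rather than the first octet alone; the function name and the sample addresses are constructed for illustration.

```python
import ipaddress

# Shared address space reserved for carrier-grade NAT (RFC 6598).
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# Private ranges (RFC 1918): a WAN address here means another NAT sits upstream.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def assess_wan(wan_ip, observed_ip=None):
    """Classify the router's WAN address for inbound WireGuard reachability.

    wan_ip: address shown on the router's WAN/status page.
    observed_ip: optional address an external "what is my IP" check reports.
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan.version != 4:
        return "ipv6: not covered by this IPv4 check"
    if wan in CGNAT:
        return "cgnat: inbound connections cannot reach this router"
    if any(wan in net for net in RFC1918):
        return "private: router is behind another NAT device"
    if observed_ip is not None and ipaddress.ip_address(observed_ip) != wan:
        return "mismatch: traffic is translated upstream of the router"
    return "public: reachable once the WireGuard UDP port is allowed"


if __name__ == "__main__":
    # Constructed sample addresses, including both edges of 100.64.0.0/10.
    for wan, seen in [("100.72.14.9", None), ("100.63.255.255", None),
                      ("100.128.0.1", None), ("192.168.0.2", None),
                      ("203.0.113.10", "198.51.100.7"),
                      ("203.0.113.10", "203.0.113.10")]:
        print(wan, seen, "->", assess_wan(wan, seen))
```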
For more on static IP requirements for business internet, see Business NBN Static IP Addresses in Australia.
How Pickle's Internet Removes the CGNAT Problem
Pickle's business internet products are built around the assumption that businesses need reliable inbound connectivity — for remote access, for hosted services, and for VoIP. CGNAT is not part of any Pickle service.
Business Broadband (NBN)
Pickle's Business Broadband includes a static IP address as standard. The WireGuard server configuration uses this IP as the endpoint, and it never changes. Remote workers configure their clients once and connect without needing to know or track the office IP address. Static IP also allows port forwarding rules and firewall policies to be set up once and maintained reliably over time.
Enterprise Ethernet
Enterprise Ethernet provides dedicated fibre with symmetrical speeds and includes static IP addressing. For businesses with more complex requirements — multiple server endpoints, segmented staff groups with separate VPN tunnels for different departments, or hosted services alongside remote access — Pickle can provide routed IP subnets. This allows multiple public IP addresses to be assigned to different services or servers at the same site.
Fixed Wireless Gen 3
Fixed Wireless Gen 3 connections include a public IP address rather than a CGNAT address, combined with Pickle's own DDNS (Dynamic DNS) service. Unlike a wired connection, the public IP on a fixed wireless service may change periodically. The DDNS service handles this automatically: the office's WireGuard endpoint is configured using a hostname rather than a raw IP address. When the IP changes, Pickle's DDNS updates the hostname record within minutes. Remote workers connecting to the hostname always resolve to the current IP, and the tunnel continues working without any manual intervention.
View all Pickle business internet products at thinkpickle.com.au/products/business-internet.
For businesses that need a separate 4G backup connection alongside their primary internet service, see 4G Failover and Backup Internet in Australia.
MFA Alongside WireGuard
WireGuard authenticates using cryptographic keypairs. The private key stays on the worker's device; the public key is registered on the server. Possession of the private key is the credential. This is cryptographically strong authentication — a compromised password does not grant access to the tunnel.
WireGuard does not natively support multi-factor authentication, and this is a deliberate design decision. The keypair exchange itself functions as the authentication mechanism.
For businesses working toward Essential Eight compliance or operating in regulated industries, the appropriate approach is to layer MFA at the application level rather than at the VPN protocol:
- Remote Desktop connections requiring MFA before a session is established
- Microsoft 365 and other cloud applications requiring MFA for every sign-in
- Any on-premises application with an MFA-capable login
The VPN provides network access; MFA on the applications controls what a worker can do once they have that access. For guidance on the broader compliance picture, see Essential Eight Cybersecurity for Small Business in Australia.
Who Manages the Setup
WireGuard configuration is not especially complex, but it requires someone who understands network addressing, firewall rules, and key management. For most Australian SMBs, this falls into one of two categories.
Your existing IT provider can configure and maintain the WireGuard setup if they have experience with the router or firewall platform already in use at the office. The core tasks are:
- Generating the server keypair and configuring the WireGuard interface on the office router or server
- Defining the internal IP ranges that remote workers should be able to reach
- Generating individual client keypairs for each remote worker
- Creating and distributing client configuration files to staff devices (or providing QR codes for mobile devices)
- Testing roaming behaviour and split tunnel configuration
- Documenting the process for ongoing management
Pickle's managed IT team can handle the complete setup, including the network-side configuration, client distribution, and ongoing key management. This is particularly relevant for businesses that are adopting Pickle internet services at the same time as setting up remote access, since the static IP or DDNS configuration and the WireGuard setup can be handled together.
Ongoing management is straightforward. Adding a new remote worker takes a few minutes. Revoking access for a leaver requires removing their public key from the server configuration — the next connection attempt from that device fails immediately. There are no accounts to disable, no passwords to change, and no certificate revocations to process.
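The revocation step described above, as an added example that is not part of the original article. It assumes a Linux server with a wg-quick style config file and an interface named wg0, and it uses constructed placeholder keys. Besides the edited file, it returns the arguments for `wg set ... peer ... remove`, because editing the file alone does not drop the peer from an interface that is already running.

```python
import re

# Constructed placeholder keys (right length and alphabet, not real keys).
ALICE = "A" * 43 + "="
BOB = "B" * 43 + "="

# Constructed wg-quick style server config.
SERVER_CONF = f"""\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

[Peer]
# alice-laptop
PublicKey = {ALICE}
AllowedIPs = 10.8.0.2/32

[Peer]
# bob-phone
PublicKey = {BOB}
AllowedIPs = 10.8.0.3/32
"""


def split_sections(conf_text):
    """Split config text into sections, each starting at a [Header] line."""
    sections, current = [], []
    for line in conf_text.splitlines(keepends=True):
        if line.lstrip().startswith("[") and current:
            sections.append("".join(current))
            current = []
        current.append(line)
    if current:
        sections.append("".join(current))
    return sections


def revoke_peer(conf_text, public_key, interface="wg0"):
    """Drop the [Peer] section for public_key.

    Returns (new_conf_text, argv). argv removes the peer from the running
    interface; the edited file only takes effect when the tunnel next starts.
    """
    if not re.fullmatch(r"[A-Za-z0-9+/]{43}=", public_key):
        raise ValueError("not a WireGuard public key")
    kept, removed = [], 0
    for section in split_sections(conf_text):
        key = re.search(r"(?im)^\s*PublicKey\s*=\s*(\S+)", section)
        is_peer = section.lstrip().lower().startswith("[peer]")
        if is_peer and key and key.group(1) == public_key:
            removed += 1
        else:
            kept.append(section)
    if not removed:
        raise KeyError("no peer with that public key")
    return "".join(kept), ["wg", "set", interface, "peer", public_key, "remove"]
```

The returned argument list can be passed to `subprocess.run` on the server, and `wg show wg0 peers` afterwards confirms the key is no longer listed.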
For more on what a managed IT relationship covers, see Managed IT Services for Small Business in Australia.
Is WireGuard Right for Your Remote Workforce?
The following comparison covers the scenarios where WireGuard is and is not a strong fit.
| Situation | WireGuard fit |
|---|---|
| 2 or more staff working remotely or in hybrid arrangements | Strong fit |
| Staff frequently moving between Wi-Fi and 4G during the day | Strong fit |
| Currently running OpenVPN with regular reconnection problems | Strong fit |
| Business internet with a static IP (e.g. Pickle Business Broadband) | Strong fit |
| Business internet with CGNAT and no DDNS alternative | Not viable without changing internet service |
| Compliance framework mandating a specific VPN protocol | Verify compatibility before proceeding |
| On-premises UTM or firewall hardware with no WireGuard support | Requires hardware assessment first |
WireGuard is not a universal answer. If your existing firewall platform does not support it and cannot be updated, or if a specific compliance framework in your industry mandates a different protocol, those constraints need to be assessed first. But for most Australian SMBs with hybrid or remote staff and a business internet connection that includes a static or publicly reachable IP, WireGuard delivers reliable, low-maintenance remote access that performs better than the alternatives most businesses are currently using.
For a broader introduction to WireGuard in the Australian business context, see WireGuard VPN: An Australian Business Guide.
Frequently Asked Questions
Q: Does WireGuard work on NBN connections?
A: Yes. WireGuard works on any internet connection where the office has a publicly reachable IP address. On NBN, the critical requirement is that your business internet plan includes a static IP or is not behind CGNAT. Pickle's Business Broadband on NBN includes a static IP as standard.
Q: How many remote workers can connect simultaneously?
A: WireGuard supports multiple concurrent peers. The practical limit depends on the hardware running the WireGuard server and the available upload bandwidth on the office internet connection. For most SMBs with up to 20 remote workers, a standard business NBN connection and a capable router or firewall are sufficient.
Q: What happens to the VPN connection when a staff member's laptop goes to sleep?
A: WireGuard is stateless by design — it does not maintain a persistent session that needs to be actively kept alive. When the laptop wakes up and the worker is on a different network, WireGuard re-establishes the tunnel automatically without requiring the worker to reconnect manually.
Q: Can WireGuard replace a site-to-site VPN between two office locations?
A: Yes. WireGuard supports site-to-site configurations where two office routers create a permanent tunnel between locations. This is a separate use case from remote worker access but uses the same protocol and client software.
Q: Is WireGuard free?
A: The WireGuard protocol and all official clients are open source and free to use. There is no licensing cost for the software itself. Costs associated with WireGuard are the time to configure and manage it, and the internet service requirements (static IP or DDNS).
Q: Our current VPN requires a username and password to connect. Is WireGuard less secure without that?
A: No. Keypair authentication is cryptographically stronger than username and password authentication. The private key never leaves the worker's device and cannot be guessed or phished the way a password can. The security trade-off is in key management: if a device is lost or stolen, the keypair should be revoked promptly, which takes approximately 30 seconds.
Q: Does WireGuard work with Windows Hello or Touch ID for device authentication?
A: WireGuard itself does not integrate with biometric device authentication. However, the WireGuard client application on Windows and macOS can be configured to require the user to be logged in, which indirectly ties VPN access to the device's authentication. For stricter device controls, this is a topic for your IT provider.
Talk to Pickle
If you are ready to set up WireGuard remote access for your team, or if you want to understand what internet service your current setup requires, Pickle's team can walk you through it.
Call 1300 688 588 or email [email protected]