- A different device from your home server?
- On the same home server as the services but directly on the host?
- On the same home server as the services but inside some VM or container?
Do you configure it manually or do you use some helper/interface like WGEasy?
I have been personally using wg-easy, but recently started locking down and hardening my containers, and this Node app running as root is kinda…
I'm mostly using a self-hosted Headscale on a remote VPS and then Tailscale on my clients.
Having the coordination server outside of my network helps quite a bit, and things still communicate over the local LAN when possible.
For just WireGuard itself, I do have a few site-to-site connections set up at the router level (OPNsense).
On my router
On my OPNsense router
I have a VPS (Hetzner dedicated server auction) as well as my home servers. The VPS has a fixed IP, so I've set up the WireGuard endpoints to all point to it with forwarding on, so I can access every device indirectly through the VPS. It allows them to work across DDNS or remotely.
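The hub-and-spoke layout this comment describes, written out as an added example (not the commenter's own configuration): the VPS with the fixed IP is the only peer with a `ListenPort` and an address the others need to know, every spoke dials out to it, and IP forwarding plus one FORWARD rule on the hub lets spokes reach each other and the LAN behind the home router. The interface name `wg0`, the 10.8.0.0/24 tunnel range, the home LAN 192.168.1.0/24, the hostname `vps.example.net` and the `<...>` key placeholders are assumptions.

```ini
# --- Hub: /etc/wireguard/wg0.conf on the VPS (fixed public IP) ---
# Assumed addressing: tunnel 10.8.0.0/24, hub is .1, home router .2, laptop .3.
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <hub-private-key>   # placeholder, generate with: wg genkey
# Forwarding between spokes happens on the hub, so it needs both the sysctl
# and a FORWARD rule; without these, spokes can reach the hub but not each other.
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT

# Home router: AllowedIPs includes the LAN behind it, so the hub routes
# 192.168.1.0/24 into this tunnel. No Endpoint here: the home side is on DDNS,
# so it must be the one that initiates; the hub learns its address from the handshake.
[Peer]
PublicKey  = <home-router-public-key>
AllowedIPs = 10.8.0.2/32, 192.168.1.0/24

# Roaming laptop: only its own tunnel address.
[Peer]
PublicKey  = <laptop-public-key>
AllowedIPs = 10.8.0.3/32

# --- Spoke: /etc/wireguard/wg0.conf on the home router ---
[Interface]
Address    = 10.8.0.2/24
PrivateKey = <home-router-private-key>

[Peer]
PublicKey  = <hub-public-key>
Endpoint   = vps.example.net:51820     # assumed hostname for the VPS
AllowedIPs = 10.8.0.0/24               # everything in the tunnel range goes via the hub
# Keepalive is what keeps the NAT/DDNS side reachable: the hub cannot dial in,
# so the spoke must keep the mapping open from its side.
PersistentKeepalive = 25

# --- Spoke: /etc/wireguard/wg0.conf on the laptop ---
[Interface]
Address    = 10.8.0.3/24
PrivateKey = <laptop-private-key>

[Peer]
PublicKey  = <hub-public-key>
Endpoint   = vps.example.net:51820
# The home LAN is reachable only through the hub, so it is listed here even
# though the laptop never talks to the home router's WireGuard directly.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

Two checks worth running on the hub after `wg-quick up wg0`: `wg show wg0` should list a recent `latest handshake` for each spoke that is online, and `sysctl net.ipv4.ip_forward` must read `1`, otherwise spoke-to-spoke packets are silently dropped. For the home LAN to answer traffic from the laptop, the device running WireGuard at home must be the LAN's gateway (as with a router) or the LAN needs a route for 10.8.0.0/24 pointing at it; if it is just a server on the LAN, add a MASQUERADE rule on its LAN interface instead of routing.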
I used this guide (https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04). Tried different tools, GUIs and other methods, but always came back to this as working the best.
On my (OpenWrt) router, configured using the OpenWrt interface
On my router, my FritzBox came with WG support built in.
Always in the router if it supports it. If it does not support WireGuard, I would rather (if you are able and allowed to) replace the router instead of using something else.
Can you elaborate on why?
Maybe easier to set up, because routers that support VPNs come with nice-ish web UIs.
That said, if you have a server (PC, Pi, etc.), setting up WireGuard with wg-easy is mostly painless (comes with a nice web UI), so there is no reason to replace your router in this case!
Instead of replacing a router, I'd prefer buying a Pi anyway.
Unless you want to route all outbound traffic through a VPN with zero config on devices, I can't see why you'd replace a router.
Final note: most people prefer hosting a VPN on a server, even if their router supports it, as far as I'm aware at least (edit: this might be wrong, judging from the rest of the comments saying they use their router).
It's my outside device; it allows things into my network, so I might as well terminate the VPN there. I mean, if my router is down I'm not getting to the VPN endpoint inside my network.
For me, similar tasks should be handled by the same device. Network routing and VPN are similar things to me, therefore they are handled by the router.
It also handles VPN connections to other remote locations. So again, the same things in the same device.
Another benefit (which you can also have on the server with some additional effort): the router boots up without interaction after a power outage. The server does not. Then I can connect and unlock (LUKS password) the servers.
I have a Raspberry Pi that runs Pi-hole and WireGuard exclusively. My home server is a Kubernetes cluster running on an old desktop PC and 2 Intel NUCs.
The reason for the separate Pi was essentially because I only had the desktop PC initially, and for a while I had a faulty CPU, making the desktop PC crash or become unresponsive, so it helped a lot having DNS and VPN access separated from the instability.
I run the server on an old Pi. That’s its only job.
Runs in an extra locked-down container on one of my servers.
WireGuard normally runs with higher-than-root privileges as part of the kernel, outside of any container namespaces. If you're running some sort of WireGuard administration service you might be able to restrict its capabilities, but that isn't WireGuard. Most of my devices are running WireGuard managed by tailscaled running as root, and some are running additional, fixed WireGuard tunnels without a persistent management service.
Mine runs on my router, which is running OpenWrt.
I run one on my firewall, but it's IPv6-only because of CGNAT. The other one is running on a VPS in case I need IPv4 access. I just configured them manually.
One end is a local VPS with insanely good peering pretty much round the damn world; the other end is my OPNsense router. I actually pass a block of IPv6 through the VPN, and my router hands it out to devices, which is a nice little bonus.
Who is your VPS provider, if you don’t mind telling?
https://spartanhost.org/ The owner is super chill, will make custom-spec deployments, and they actually have a really nice management panel with nice, easy custom ISO support.
Thanks!
OPNsense
This is the way.
This is the way.
If the router works, you've got access to your lab. If it doesn't, well, redundancy was not a requirement / too much hassle to set up.