- A different device from your home server?
- On the same home server as the services but directly on the host?
- On the same home server as the services but inside some VM or container?
Do you configure it manually or do you use some helper/interface like WGEasy?
I have been personally using wgeasy but recently started locking down and hardening my containers and this node app running as root is kinda…
You must log in or register to comment.
On my router
On my (OpenWrt) router, configured using the OpenWrt interface
A virtual machine on my LAN that runs Fedora Server
I run a wireguard container on my old desktop server and wgeasy in a pi2 as backup.
Im mostly using a self hosted headscale on a remote vps and then tailscale on my clients.
Having the coordination server outside of my network helps quite a bit and things still communicate over the local lan when possible.
For just wireguard itself, I do have a few site to site connections set up at the router level (opnsense).
I have a Raspberry Pi that runs pihole and Wireguard exclusively. My home server is a Kubernetes cluster running on an old desktop PC and 2 Intel NUCs.
The reason for the separate Pi was essentially because I only had the desktop PC initially, and for a while I had a faulty CPU, making the desktop PC crash or become unresponsive, so it helped a lot having DNS and VPN access separated from the instability.
OPNsense
This is the way.
This is the way.
If router works, you got access to your lab. If it doesn’t, well redundancy was not a requirement / too much hassle to set up.
On my opnsense router
deleted by creator
I don’t get the mesh if everything is behind your router or firewall what is the point.
deleted by creator
One instance runs on the router (Unifi USG) and the other on a Pi3 (as a backup) using PiVPN.
Usually, if I need to set it up, I’ll use PiVPN and either a Pi or Debian/Ubuntu host.
If your router is down how do you get to your pi backup?
My concern is that the WireGuard portion of the router fails for some reason but still routes.
It also allows me to choose another port
Always in the router if it supports it. If it does not support wireguard I would rather (if you are able and allowed to) replace the router instead of using something else.
Can you elaborate on why?
It’s my outside device it allows things into my network might as well terminate the VPN there. I mean if my router is down I’m not getting to the VPN endpoint inside my network.
For me a similar tasks should be handled by the same device. Network routing and VPN are similar things for me, therefor they are handled by the router.
It also handles VPN connections to other remote locations. So again same things in the same device.
Another benefit (which you can also have on the Server with some additional effort): the router boots up without interaction after a power outage. The Server does not. Them I can connect and unlock (LUKS password) the servers.
Why would you run a WG Client and WG Server on the same host? Am I reading that second mark wrong?
There’s no such thing as a client or server with Wireguard. All systems with Wireguard installed are “nodes”. Wireguard is peer-to-peer, not client-server.
You can configure nftables rules to route through a particular node, but that doesn’t really make it a server. You could configure all nodes to allow routing traffic through them if you wanted to.
If you run Wireguard on every device, you can configure a mesh VPN, where every device can directly reach any other device, without needing to route through an intermediary node. This is essentially what Tailscale does.
Uhhh, nooooo. Why are all these new kids all in these threads saying this crazy uninformed stuff lately? 🤣
https://www.wireguard.com/protocol/ https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/configuring_and_managing_networking/setting-up-a-wireguard-vpn
And, in fact, for those of us that have been doing this a long time, anything with a control point or protocol always refers to said control point as the server in a PTP connection sense.
In this case, a centralized VPN routing node that connects like a Hub and Spoke is the server. Everything else is a client of that server because they can’t independently do much else in this configuration.
Both of those documents agree with me? RedHat are just using the terms “client” and “server” to make it easier for people to understand, but they explicitly say that all hosts are “peers”.
Note that all hosts that participate in a WireGuard VPN are peers. This documentation uses the terms client to describe hosts that establish a connection and server to describe the host with the fixed hostname or IP address that the clients connect to and, optionally, route all traffic through this server.
–
Everything else is a client of that server because they can’t independently do much else in this configuration.
All you need to do is add an extra peer to the WireGuard config on any one of the “clients”, and it’s no longer just a client, and can connect directly to that peer without using the “server”.
They do no such thing.
The first link explains the protocol.
The second explains WHY one would refer to client and server with regards to Wireguard.
My point ties both together to explain why people would use client and server with regards to the protocol itself, and a common configuration where this would be necessary for clarification. Ties both of them together, and makes my point from my original comment, which also refers to OP’s comment.
I’m not digging you, just illustrating a correction so you’re not running around misinformed.
It wasn’t clear where OP was trying to make a point, just that the same host would be running running Wireguard for some reason, which one would assume means virtualization of some sort, meaning the host machine is the primary hub/server.
You are, second point means running WG on say, a proxmox root, and using it to access the containers.
Uhhhh…that is…not how you do that. Especially if you’re describing routing out from a container to an edge device and back into your host machine instead of using bridged network or another virtual router on the host.
Like if you absolutely had to have a segmented network between hosts a la datacenter/cloud, you’d still create a virtual fabric or SDLAN/WAN to connect them, and that’s like going WAY out of your way.
Wireguard for this purpose makes even less sense.
