How I Learned to Stop Worrying and Love the VPN (wireguard)


binhex


So a long, long time ago in a galaxy far, far away I started using port forwarding on my router. After a while I heard about reverse proxying and thought I would give the then very active LSIO Let's Encrypt docker image a go. After fiddling with it and finding it rather hard to wrap my head around due to the number of moving parts (no offence meant, LSIO), I settled on Nginx Proxy Manager, which, although missing some of the features that the Let's Encrypt docker image and the later (and current) SWAG image have, worked for me and I was relatively happy. It worked well enough and it was secure enough to let me sleep at night, although it did make me a little uncomfortable that I was relying on a single docker container for most of my incoming connections, and the lack of fail2ban was a disappointment (something SWAG does have).

 

So now, in the present day, I decided to finally update my trusty pfSense router from the battle-hardened version 2.4.5-p1 up to the current release 2.5.2. I had been holding out, watching the noise of people upgrading to 2.5.0 and then 2.5.1 (better, but still had nasty bugs) and having their routers' services crashing and doing all manner of bad things, so yes, I did have a smug face on at that time :-).

 

I was also aware of the pfSense FreeBSD WireGuard kernel shenanigans and the later removal of WireGuard from the kernel, so I was a little nervous about installing the WireGuard package on my router, especially as it's marked as EXPERIMENTAL, but I pressed the button and..... well..... it just worked! I configured my phone via the WireGuard app, connected it and voila, I now have access to my LAN whilst out and about: no need for port forwarding, no need for tricky reverse proxy nginx configurations for each app, no need for Let's Encrypt renewal of certs, it simply worked! I had reservations about this initially, thinking it would be clunky and difficult to do, imagining me having to click a button to activate the VPN whenever I want to do stuff, but no, it runs completely silently. If the data signal drops then it re-establishes the VPN when the data connection reconnects, if I switch to Wi-Fi it switches efficiently over, I can even control which apps use the VPN tunnel to reduce latency. In short, for me this is hands down the fastest, least hassle and most secure experience I have had to date.

 

So there ya have it. I wanted to post this to see if anybody else is doing this also and are reverse proxy/port forward converts over to WireGuard. If anybody wants the steps I went through to get this running on pfSense then let me know. I haven't tried the Unraid implementation of WireGuard, simply because for me I feel running WireGuard on Unraid is the wrong place, but I get why some people may want to do this and kudos to the Unraid team for including it.

 

  • Like 1
  • Thanks 1
Link to comment
5 minutes ago, wgstarks said:

Do you think wireguard is better (easier) than OpenVPN? I’m using OpenVPN now but that means I’m usually having to enable it on my iPhone every time I want to connect to my home network.

This is a tricky one as I haven't really played with setting up OpenVPN server side (plenty of experience on the client side as you know ;-) ), but what I can say is I can pretty much ignore WireGuard (Android app) and it takes care of itself, reconnecting and switching when required, so it's been completely hands off for me. It's been running like this for a week so far with zero issues.

Link to comment
2 hours ago, wgstarks said:

Ok, I might give it a shot then. What are the steps?

 

Wireguard client setup (assuming wireguard android app)

 

Interface

1. download the WireGuard app

2. start the app and click on +

3. name = give it a name

4. private key = click on the arrows to generate a private and public key

5. address = put in the IP for the WireGuard interface; this should NOT be in your LAN range, so something else, e.g. assuming the LAN is 192.168.1.0/24 then use something like 192.168.10.2/32

6. listen port = 51820

 

Peer

1. Public Key = this is the key from your pfSense router in WireGuard/Tunnels/Edit/Interface keys/public keys (leave for now)

2. endpoint = <public ip address of your connection>:51820

3. allowed ips = 0.0.0.0/0 (this allows all traffic to flow to the VPN; restrict it if you don't want this).

 

WireGuard pfSense setup (assuming 2.5.2 with the pfSense package)

 

1. follow these steps starting from 'tunnel configuration':- https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html 

2. copy the key generated on your phone to WireGuard/Peers/Edit/Public key

3. copy the key generated on pfSense at WireGuard/Tunnels/Edit/Interface keys/public keys to the phone app's peer/public key (see above 'Peer' step 1.)

4. check Status/Show Peers on pfSense; if everything goes to plan then the 'handshake' symbol should go green once your phone and pfSense exchange keys.

 

Bonus:- if you want to route internet traffic from your phone over the VPN then you will need to go to Firewall/NAT/Outbound:-

1. add and select interface WAN

2. select source as network and type in the VPN network range, e.g. 192.168.10.0/24

3. click on save

 

Link to comment
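The phone-side fields and the pfSense peer entry from the walkthrough above map onto a plain WireGuard config. The following is an added example, not code from the post or from the pfSense package: it renders the client config and the matching pfSense peer entry from the values used in the steps, checks the one mistake the post warns about (a tunnel address that falls inside the LAN range), and shows both the 0.0.0.0/0 full-tunnel AllowedIPs and the restricted LAN-only alternative the post mentions. Key strings are placeholders you would paste from the app and from pfSense; the public endpoint 203.0.113.5 is a constructed documentation address.

```python
import ipaddress
from typing import List

# Constructed sample values for this example (not taken from the thread):
LAN_NET = "192.168.1.0/24"         # the home LAN behind pfSense
TUNNEL_NET = "192.168.10.0/24"     # WireGuard tunnel network, deliberately outside the LAN
CLIENT_TUNNEL_IP = "192.168.10.2"  # the phone's end of the tunnel
WAN_ENDPOINT = "203.0.113.5"       # placeholder public IP (RFC 5737 documentation range)
LISTEN_PORT = 51820


def tunnel_address_ok(client_addr: str, lan_net: str) -> bool:
    """True when the phone's tunnel address is NOT inside the LAN range."""
    client = ipaddress.ip_interface(client_addr)
    return client.ip not in ipaddress.ip_network(lan_net, strict=False)


def allowed_ips(lan_net: str, tunnel_net: str, full_tunnel: bool) -> List[str]:
    """AllowedIPs for the phone's [Peer] section.

    full_tunnel=True is the post's 0.0.0.0/0 (all phone traffic goes via the
    VPN, which is why the outbound NAT rule on pfSense is needed).
    full_tunnel=False is the restricted form: only the LAN and the tunnel
    network itself are routed over WireGuard.
    """
    if full_tunnel:
        return ["0.0.0.0/0"]
    return [
        str(ipaddress.ip_network(lan_net, strict=False)),
        str(ipaddress.ip_network(tunnel_net, strict=False)),
    ]


def render_client_config(client_priv: str, server_pub: str, full_tunnel: bool) -> str:
    """wg-quick style config equivalent to the app fields in the post."""
    client_addr = f"{CLIENT_TUNNEL_IP}/32"
    if not tunnel_address_ok(client_addr, LAN_NET):
        raise ValueError("tunnel address overlaps the LAN range; pick another subnet")
    lines = [
        "[Interface]",
        f"PrivateKey = {client_priv}",       # generated in the app, never leaves the phone
        f"Address = {client_addr}",
        f"ListenPort = {LISTEN_PORT}",
        "",
        "[Peer]",
        f"PublicKey = {server_pub}",         # pfSense tunnel public key
        f"Endpoint = {WAN_ENDPOINT}:{LISTEN_PORT}",
        f"AllowedIPs = {', '.join(allowed_ips(LAN_NET, TUNNEL_NET, full_tunnel))}",
    ]
    return "\n".join(lines) + "\n"


def render_server_peer(client_pub: str) -> str:
    """The peer entry pfSense needs for this phone: its public key and its /32."""
    return (
        "[Peer]\n"
        f"PublicKey = {client_pub}\n"
        f"AllowedIPs = {CLIENT_TUNNEL_IP}/32\n"
    )


if __name__ == "__main__":
    # Placeholder keys: paste the real ones from the app and from pfSense.
    print(render_client_config("<CLIENT_PRIVATE_KEY_FROM_APP>", "<PFSENSE_PUBLIC_KEY>", True))
    print(render_server_peer("<PHONE_PUBLIC_KEY>"))
```

Running it prints the two sides of the pairing; swapping `True` for `False` in the client call gives the split-tunnel variant, in which case the outbound NAT rule from the bonus step is not required because only LAN-bound traffic enters the tunnel.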

Pretty sure my UnRAID server would suck as a firewall device.😁

 

I know UnRAID can run pfsense. I did it that way for a while just to try it out. I’m really not big on the all-in-one philosophy though. All it takes is one bad power supply and you lose everything. I think I’ll keep my pfsense box.

Link to comment
4 minutes ago, wgstarks said:

Pretty sure my UnRAID server would suck as a firewall device.😁

 

I know UnRAID can run pfsense. I did it that way for a while just to try it out. I’m really not big on the all-in-one philosophy though. All it takes is one bad power supply and you lose everything. I think I’ll keep my pfsense box.

I'm with you on this one. I understand most people don't want the expense and hassle of pfSense, but for me I would not be comfortable running core home infrastructure on my server. If I'm out and about and my Unraid server goes down I want to know why, or at least be able to recover the server; if I'm using Unraid for VPN access then I'm scuppered. 

Link to comment
On 8/9/2021 at 11:26 AM, trurl said:

And, of course, with Wireguard builtin to Unraid, you don't even need pfsense

 

While this is true, I don't feel as safe letting my Unraid box be a firewall.

I'd rather let my pfSense box handle the incoming connections since that's what it's for.

 

I'd rather wait until it moves from experimental to a fully supported add-on package.

 

But it's nice to see people like binhex, who created dockers with privacy in mind, give it a good review.

 

 

  • Like 1
Link to comment
17 hours ago, binhex said:

Quick update, the guy who developed the pfsense wireguard package has done a video detailing how to set it up, well worth a watch if you get stuck:-

 


Sent from my iPlay_40 using Tapatalk
 

 

 

 

That's so great to see that he made such an impact that netgate hired him and I hope he got paid.

Link to comment
53 minutes ago, ijuarez said:

That's so great to see that he made such an impact that netgate hired him and I hope he got paid.

Yeah, impressive, huh. He obviously knows what he's doing. Well, I'm going away for a week as of tomorrow and I'm going to be completely relying on WireGuard running on pfSense for remote access to my server and apps, so this will be a good test. I shall let you know how I get on 🙂

  • Like 1
Link to comment
  • 2 weeks later...
On 8/12/2021 at 4:11 PM, binhex said:

Well, I'm going away for a week as of tomorrow and I'm going to be completely relying on WireGuard running on pfSense for remote access to my server and apps, so this will be a good test. I shall let you know how I get on

I'm going to make this short and sweet: the week-long test went extremely well, no dropouts whatsoever. It simply worked and allowed me full access to my LAN whilst hundreds of miles away. Love it!

  • Like 4
Link to comment
  • 4 months later...

I read this a while back and a few weeks ago finally decided to give it a try. I’m the main user of my server and don’t plan on sharing Dockers to people outside of my home (except for Plex). I used reverse proxy for my own convenience. So it did make me wonder why am I opening more ports and adding more steps, more points of failure, and an increased security risk for convenience? How convenient is reverse proxy, really?

 

After over a month of ditching reverse proxy and using exclusively WireGuard outside of network to access my server I can confidently say its been barely a thought. I would definitely recommend others consider giving it a try if your situation is similar. It’s not at all annoying the few times I need to right click > activate on an icon in my taskbar or open up the WireGuard app > toggle on.

 

Hopefully one day I can add a pfSense router to my home network to add another level of convenience, but for now I'm very happy simplifying my set up. I've even ditched Nextcloud and use SyncThing because of it and have been very happy. So much less maintenance between ditching the two. I remember I used to waste entire afternoons debugging reverse proxy on a few especially difficult Dockers and never succeeding.

 

Thanks for this post!

  • Like 2
Link to comment
2 hours ago, s449 said:

I read this a while back and a few weeks ago finally decided to give it a try. I’m the main user of my server and don’t plan on sharing Dockers to people outside of my home (except for Plex). I used reverse proxy for my own convenience. So it did make me wonder why am I opening more ports and adding more steps, more points of failure, and an increased security risk for convenience? How convenient is reverse proxy, really?

 

After over a month of ditching reverse proxy and using exclusively WireGuard outside of network to access my server I can confidently say its been barely a thought. I would definitely recommend others consider giving it a try if your situation is similar. It’s not at all annoying the few times I need to right click > activate on an icon in my taskbar or open up the WireGuard app > toggle on.

 

Hopefully one day I can add a pfSense router to my home network to add another level of convenience, but for now I'm very happy simplifying my set up. I've even ditched Nextcloud and use SyncThing because of it and have been very happy. So much less maintenance between ditching the two. I remember I used to waste entire afternoons debugging reverse proxy on a few especially difficult Dockers and never succeeding.

 

Thanks for this post!

Thanks for posting this! I'm glad you are enjoying the experience of WireGuard. I do hope more people join the revolution and free themselves from the hassle of reverse proxies - viva la revolution! 🙂 

Link to comment
  • 2 weeks later...

I've been using Tailscale for a few weeks. Love it. I can access my server and containers from any of my devices, use Pi-hole via my phone anywhere.... etc.

Why do most use reverse proxies with all the trimmings like f2b, Authelia etc.? Am I missing something in regards to security or is it just a case of preference?

 

Link to comment
