Differences

This shows you the differences between two versions of the page.

--- guides:wireguard_multilan_tunnels [2024/12/12 15:59] – techiem2
+++ guides:wireguard_multilan_tunnels [2024/12/17 08:20] (current) – [Route Services using NPM] techiem2
@@ Line 6: / Line 6: @@
 Why use a centralized server for connecting LANs rather than a site to site VPN?\\
-.  Not all routers/modems support site to site VPNs.\\
+  - Not all routers/modems support site to site VPNs.\\
-.  If your router is behind an ISP modem/router that does not support bridge mode, site to site will likely not work due to double NAT.  (This is my initial reason for setting this up - my ISP updated the modems and broke bridge mode and is taking a long time to figure out what's actually wrong.)\\
+  - If your router is behind an ISP modem/router that does not support bridge mode, site to site will likely not work due to double NAT.  (This is my initial reason for setting this up - my ISP updated the modems and broke bridge mode and is taking a long time to figure out what's actually wrong.)\\
 Why use a centralized VPS to expose LAN services to the internet?\\
-.  As above, you may not have the ability to directly expose the ports on your home modem/router.\\
+  - As above, you may not have the ability to directly expose the ports on your home modem/router.\\
-.  Even if you can directly expose the ports, this adds a layer of security by not needing to publish the public IP of your LAN.\\
+  - Even if you can directly expose the ports, this adds a layer of security by not needing to publish the public IP of your LAN.\\
-.  Your ISP may block ports on their side so even if you can expose on your modem/router, you can't use them anyway.\\
+  - Your ISP may block ports on their side so even if you can expose on your modem/router, you can't use them anyway.\\
 ===== Basic Overview of Sample Setup =====
@@ Line 59: / Line 59: @@
 ==== Generate Key Pair ====
 Generate the public and private key for the machine:\\
-wg genkey | tee privatekey | wg pubkey > publickey\\
+<code>
+wg genkey | tee privatekey | wg pubkey > publickey
+</code>
 ==== Enable IP Forwarding ====
@@ Line 65: / Line 67: @@
 Edit /etc/sysctl.conf\\
 Uncomment or add:\\
-net.ipv4.ip_forward=1\\
+<code>
+net.ipv4.ip_forward=1
+</code>
 Reload the config:\\
-sysctl --system\\
+<code>
+sysctl --system
+</code>
 ==== Create Config Files ====
 Create /etc/wireguard/wg0.conf on each machine:\\
 === VPS1 (Server) ===
+<code>
+[Interface]
+Address = 10.0.0.1/32
+ListenPort = 51820
+PrivateKey = <server private key>
-[Interface]\\
+# LAN1 WG PC (home)
-Address = 10.0.0.1/32\\
+[Peer]
-ListenPort = 51820\\
+PublicKey = <LAN1 WG PC Public Key>
-PrivateKey = <server private key>\\
+AllowedIPs = 10.0.0.2/32, 192.168.100.0/24
-# LAN1 WG PC (home)\\
+# LAN2 WG PC (work)
-[Peer]\\
+[Peer]
-PublicKey = <LAN1 WG PC Public Key>\\
+PublicKey = <LAN2 WG PC Public Key>
-AllowedIPs = 10.0.0.2/32, 192.168.100.0/24\\
+AllowedIPs = 10.0.0.3/32, 192.168.150.0/24
-# LAN2 WG PC (work)\\
+# VPS2
-[Peer]\\
+[Peer]
-PublicKey = <LAN2 WG PC Public Key>\\
+PublicKey = <VPS2 Public Key>
-AllowedIPs = 10.0.0.3/32, 192.168.150.0/24\\
+AllowedIPs = 10.0.0.10/32
-# VPS2\\
-[Peer]\\
-PublicKey = <VPS2 Public Key>\\
-AllowedIPs = 10.0.0.10/32\\
-# VPS3\\
-[Peer]\\
-PublicKey = <VPS3 Public Key>\\
-AllowedIPs = 10.0.0.11/32\\
+# VPS3
+[Peer]
+PublicKey = <VPS3 Public Key>
+AllowedIPs = 10.0.0.11/32
+</code>
 === LAN1 WG PC ===
-[Interface]\\
+<code>
-Address = 10.0.0.2/32\\
+[Interface]
-PrivateKey = <LAN1 WG PC Private Key>\\
+Address = 10.0.0.2/32
-PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE\\
+PrivateKey = <LAN1 WG PC Private Key>
-PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE\\
+PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE
+PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE
-# Server\\
+# Server
-[Peer]\\
+[Peer]
-PublicKey = <VPS1 Public Key>\\
+PublicKey = <VPS1 Public Key>
-Endpoint = <VPS1 Public IP>:51820\\
+Endpoint = <VPS1 Public IP>:51820
-AllowedIPs = 10.0.0.0/24, 192.168.150.0/24\\
+AllowedIPs = 10.0.0.0/24, 192.168.150.0/24
-PersistentKeepalive = 25\\
+PersistentKeepalive = 25
+</code>
 === LAN2 WG PC ===
-[Interface]\\
+<code>
-Address = 10.0.0.3/32\\
+[Interface]
-PrivateKey = <LAN2 WG PC Private Key>\\
+Address = 10.0.0.3/32
-PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE\\
+PrivateKey = <LAN2 WG PC Private Key>
-PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE\\
+PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE
+PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE
-# Server\\
-[Peer]\\
-PublicKey = <VPS1 Public Key>\\
-Endpoint = <VPS1 Public IP>:51820\\
-AllowedIPs = 10.0.0.0/24, 192.168.100.0/24\\
-PersistentKeepalive = 25\\
+# Server
+[Peer]
+PublicKey = <VPS1 Public Key>
+Endpoint = <VPS1 Public IP>:51820
+AllowedIPs = 10.0.0.0/24, 192.168.100.0/24
+PersistentKeepalive = 25
+</code>
 === VPS2 ===
-[Interface]\\
+<code>
-Address = 10.0.0.10/32\\
+[Interface]
-PrivateKey = <VPS2 Private Key>\\
+Address = 10.0.0.10/32
+PrivateKey = <VPS2 Private Key>
-# Server\\
-[Peer]\\
-PublicKey = <VPS1 Public Key>\\
-Endpoint = <VPS1 Public IP>:51820\\
-AllowedIPs = 10.0.0.0/24, 192.168.100.0/24, 192.168.150.0/24\\
-PersistentKeepalive = 25\\
+# Server
+[Peer]
+PublicKey = <VPS1 Public Key>
+Endpoint = <VPS1 Public IP>:51820
+AllowedIPs = 10.0.0.0/24, 192.168.100.0/24, 192.168.150.0/24
+PersistentKeepalive = 25
+</code>
 === VPS3 ===
-[Interface]\\
+<code>
-Address = 10.0.0.11/32\\
+[Interface]
-PrivateKey = <VPS3 Private Key>\\
+Address = 10.0.0.11/32
+PrivateKey = <VPS3 Private Key>
-# Server\\
-[Peer]\\
-PublicKey = <VPS1 Public Key>\\
-Endpoint = <VPS1 Public IP>:51820\\
-AllowedIPs = 10.0.0.0/24, 192.168.100.0/24, 192.168.150.0/24\\
-PersistentKeepalive = 25\\
+# Server
+[Peer]
+PublicKey = <VPS1 Public Key>
+Endpoint = <VPS1 Public IP>:51820
+AllowedIPs = 10.0.0.0/24, 192.168.100.0/24, 192.168.150.0/24
+PersistentKeepalive = 25
+</code>
 === A Note on AllowedIPs ===
 The AllowedIPs directive specifies what networks the machine will allow to enter the Wireguard interface.\\
@@ Line 155: / Line 166: @@
 For SERVERS you want the Wireguard IP of the client (So 10.0.0.2/32 for LAN1 WG PC) and any networks that will route THROUGH that client (So 192.168.100.0/24 for LAN1 WG PC).\\
-==== Configure VPS1 (Server) Firewall ====
+==== Configure VPS Firewalls ====
 The basic principle here is to allow the Wireguard network and local server to communicate with each other so traffic will actually flow and so you can forward services to the Wireguard network.\\
-I use the Shorewall firewall on my VPS, so that's the examples I'll have here.  You should be able to accomplish the same thing with the appropriate UFW or IPTABLES commands.
+I use the Shorewall firewall on my VPS, so that's the examples I'll have here.  You should be able to accomplish the same thing with the appropriate UFW or IPTABLES commands.\\
+You should only need to do this on the VPSs, unless you run local firewalls on the LAN WG PCs as well.\\
 === /etc/shorewall/interfaces ===
-net  eth0  dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0\\
+<code>
-vpn  wg0   routeback\\
+net  eth0  dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
+vpn  wg0   routeback
+</code>
 === /etc/shorewall/zones ===
-fw    firewall\\
+<code>
-net   ipv4\\
+fw    firewall
-vpn   ipv4\\
+net   ipv4
+vpn   ipv4
+</code>
 === /etc/shorewall/policy ===
-$FW   net   ACCEPT\\
+<code>
-$FW   vpn   ACCEPT\\
+$FW   net   ACCEPT
-vpn   all   ACCEPT\\
+$FW   vpn   ACCEPT
-net   all   DROP     info\\
+vpn   all   ACCEPT
-all   all   REJECT   info\\
+net   all   DROP     info
-=== /etc/shorewall/rules ===
+all   all   REJECT   info
-?SECTION NEW\\
+</code>
-# Wireguard\\
+=== /etc/shorewall/rules (Only needed on VPS1 - Server)===
-ACCEPT  net  fw  udp  51820\\
+<code>
+?SECTION NEW
+# Wireguard
+ACCEPT  net  fw  udp  51820
+</code>
+==== Test the Setup ====
+Make sure you've restarted the firewall services if necessary, then start Wireguard:\\
+<code>wg-quick up wg0</code>
+You should see it bring up the interface and add routes and whatnot.\\
+To view the status run:\\
+<code>wg show</code>
+On clients this should show the connection information and stats.\\
+On the server it should have a section for each client.  It will show configured clients that aren't connected as well, but with minimal information.\\
+Make sure you can ping the Wireguard IPs back and forth from clients to server and clients to other clients.\\
+Once you have verified, you can configure the system to automatically start the connection on boot"\\
+<code>systemctl enable wg-quick@wg0</code>
+==== Enable Cross LAN Routing ====
+To enable proper cross LAN routing, and access to the Wireguard network from machines other than the gateway PCs, you need to add the appropriate static routes.\\
+I'm using UniFi USG Pro's on my home and work LANs, so I just added the routes there.\\
+You need a route for each remote network (including the Wireguard network) that the machines on your LAN will be accessing.\\
+In our case, LAN1 needs access to Wireguard Network and LAN2, and LAN2 needs access to Wireguard network and LAN1.\\
+=== LAN1 Routes ===
+<code>
+.0.0.0/24 GW 192.168.100.4
+.168.150.0/24 GW 192.168.100.4
+</code>
+=== LAN2 Routes ===
+<code>
+.0.0.0/24 GW 192.168.150.4
+.168.100.0/24 GW 192.168.150.4
+</code>
+If everything is correct, machines on each LAN should be able to access all machines on the Wireguard network as well as all machines on the other LAN.
+===== Exposing External Services =====
+Now that we have a nice hub and spoke Wireguard network, we want to expose some services on LAN1 to the outside world.\\
+We will do this using Nginx Proxy Manager (NPM).\\
+This is a relatively easy to setup and use reverse proxy program.\\
+Side Note:  If all you want to expose are http/https services, you may want to explore Cloudflare Tunnels.  They are fairly simple to setup and in my small amount of testing seem to work well.  However, they do not support non-http/https services - to do that you apparently need their WARP client on every machine exposing a non-http/https service, so I didn't explore that option much due to the number of servers I needed to expose, some of which I can't install anything on anyway.\\
+==== Install NPM, but with a twist ====
+Pull up the [[https://nginxproxymanager.com/guide/|Official Guide]] to follow, but with a couple key changes to the docker-compoose.yml file:\\
+  - Remove the ports: section.\\
+  - In it's place add: network_mode: "host"\\
+This will cause the docker container to use the host network instead of the docker bridge network.\\
+If you use the docker bridge network, you'll have to:\\
+  - Figure out how to get it working properly with your firewall.\\
+  - Stop the container, edit the configuration.yml file, and recompose every time you want to add a new port.\\
+==== Route Services using NPM ====
+NPM is fairly straightforward to use, but there's a few things to be aware of in this use case.\\
+.  Each port you want NPM to handle needs to be open on the firewall, so you need to add the appropriate rules.\\
+Web hosting is the obvious example (and primary focus of NPM)\\
+Another would be opening an OpenVPN server on your LAN for remote connections by your phone/laptop/etc.\\
+Shorewall example rules:\\
+<code>
+ACCEPT net fw tcp 80
+ACCEPT net fw tcp 443
+ACCEPT net fw udp 1194
+</code>
+.  Web services (Proxy Hosts) need a hostname and ideally an SSL Certificate.\\
+In my case I have a specific domain that I use for external access services, but you could just use subdomains of any domain you control.\\
+The general process is to point a subdomain to the IP of the VPS, create the forwarding host in NPM, and have NPM use LetsEncrypt to generate an SSL certificate for it.\\
+The LetsEncrypt client supports a number of verification methods, including DNS based verification.  If you are using a supported DNS manager this makes things fairly easy.\\
+Since I use a dedicated domain for my public access hosts, I moved the DNS management of that domain to Cloudflare and had NPM use DNS verification with LetsEncrypt via the Cloudflare API plugin to generate a wildcard cert for my domain so I don't have to generate a new cert for each subdomain - I just add the DNS entry for the new subdomain then configure the host in NPM using the existing certificate.\\
+.  For non-http/https services, you configure Streams - these are tied only to the port, not to a specific hostname, so any hostname pointing at the VPS will work (or just use the public IP).\\
+So for our example lets create a Proxy host using the domain home.mydomain.com, that points to our home web on LAN1 at IP 192.168.100.10.\\
+  - Login to the NPM web interface.  In our example that would be http://10.0.0.1:81/\\
+  - Click Proxy Hosts\\
+  - Click Add Proxy Host\\
+  - Domain Name: home.mydomain.com\\
+  - Scheme: http or https, whichever your internal server is running on.\\
+  - Forward Hostname/IP: 192.168.100.10\\
+  - Forward Port:  Port your server listens on, so likely 80 (http) or 443 (https)\\
+  - Turn on Block Common Exploits, and if needed, Websockets Support\\
+  - Switch to the SSL Tab\\
+  - Select an existing certificate that covers that hostname or Request a new SSL Certificate.\\
+  - Check Force SSL and HSTS Enabled.\\
+  - If requesting a new cert, select Use DNS Challenge if you are using that, otherwise it will use the http verification method.\\
+  - If requesting a new cert, agree to the LetsEncrypt terms.\\
+  - Hit Save.\\
+You can also manage and request certs from the SSL Certificates section.\\
+If everything worked correctly and is configured correctly, you should be able to browse to home.mydomain.com from outside your LAN.\\
+Now for the OpenVPN connection:\\
+Let's say our OpenVPN server is on Lan1 at 192.168.100.15.\\
+  - Go to Hosts -> Streams (or Dashboard -> Streams).\\
+  - Click Add Stream.\\
+  - Incoming Port: 1194\\
+  - Forward Host: 192.168.100.15\\
+  - Forward Port: 1194\\
+  - Uncheck TCP and check UDP.\\
+  - Click Save.\\
+If everything is configured correctly, your OpenVPN client should now be able to connect from outside your network by pointing it to the VPS IP address (or an associated hostname).\\
+===== Wrapup =====
+So that's a general guide to how I set this up for myself.  Most of it is fairly straightforward once you figure it out.\\
+It took me a few days and lots of searching and testing and pestering friends to get it all working how I wanted, so I thought a write up would be helpful.

TechieM2net Wiki

User Tools

Site Tools

Differences

Page Tools