guides:wireguard_multilan_tunnels

guides:wireguard_multilan_tunnels [2024/12/12 21:08] techiem2
guides:wireguard_multilan_tunnels [2024/12/17 08:20] (current) – [Route Services using NPM] techiem2
Line 6: Line 6:
  
 Why use a centralized server for connecting LANs rather than a site to site VPN?\\ Why use a centralized server for connecting LANs rather than a site to site VPN?\\
-1.  Not all routers/modems support site to site VPNs.\\ +  - Not all routers/modems support site to site VPNs.\\ 
-2.  If your router is behind an ISP modem/router that does not support bridge mode, site to site will likely not work due to double NAT.  (This is my initial reason for setting this up - my ISP updated the modems and broke bridge mode and is taking a long time to figure out what's actually wrong.)\\+  If your router is behind an ISP modem/router that does not support bridge mode, site to site will likely not work due to double NAT.  (This is my initial reason for setting this up - my ISP updated the modems and broke bridge mode and is taking a long time to figure out what's actually wrong.)\\
  
 Why use a centralized VPS to expose LAN services to the internet?\\ Why use a centralized VPS to expose LAN services to the internet?\\
-1.  As above, you may not have the ability to directly expose the ports on your home modem/router.\\ +  - As above, you may not have the ability to directly expose the ports on your home modem/router.\\ 
-2.  Even if you can directly expose the ports, this adds a layer of security by not needing to publish the public IP of your LAN.\\ +  Even if you can directly expose the ports, this adds a layer of security by not needing to publish the public IP of your LAN.\\ 
-3.  Your ISP may block ports on their side so even if you can expose on your modem/router, you can't use them anyway.\\+  Your ISP may block ports on their side so even if you can expose on your modem/router, you can't use them anyway.\\
  
 ===== Basic Overview of Sample Setup ===== ===== Basic Overview of Sample Setup =====
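Review bot: on the `+` side of this hunk only the first item of each list carries the DokuWiki ordered-list marker; the second and third items as shown (`  If your router is behind an ISP modem/router...`, `  Even if you can directly expose the ports...`, `  Your ISP may block ports...`) begin with two spaces and no `- `, and DokuWiki renders a line indented by two spaces without a marker as a preformatted block, not as the next list item. Confirm each item is written as `  - ...` so the list numbers itself; if the comparison view merely dropped the marker, nothing needs to change.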
Line 59: Line 59:
 ==== Generate Key Pair ==== ==== Generate Key Pair ====
 Generate the public and private key for the machine:\\ Generate the public and private key for the machine:\\
-wg genkey | tee privatekey | wg pubkey > publickey\\+<code> 
 +wg genkey | tee privatekey | wg pubkey > publickey 
 +</code>
  
 ==== Enable IP Forwarding ==== ==== Enable IP Forwarding ====
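Review bot: `wg genkey | tee privatekey | wg pubkey > publickey` writes the private key with the shell's default umask, so `privatekey` usually ends up world-readable. Suggest having the reader run `umask 077` first (as the WireGuard quick-start does) or write it as `wg genkey | (umask 077; tee privatekey) | wg pubkey > publickey`, and add a sentence saying the private key is only ever pasted into the WireGuard config and the file should be removed or left at mode 0600 afterwards.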
Line 65: Line 67:
 Edit /etc/sysctl.conf\\ Edit /etc/sysctl.conf\\
 Uncomment or add:\\ Uncomment or add:\\
-net.ipv4.ip_forward=1\\+<code> 
 +net.ipv4.ip_forward=1 
 +</code>
  
 Reload the config:\\ Reload the config:\\
-sysctl --system\\+<code> 
 +sysctl --system 
 +</code>
  
 ==== Create Config Files ====  ==== Create Config Files ==== 
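Review bot: after `sysctl --system` the text should have the reader confirm the setting actually took effect, e.g. `sysctl net.ipv4.ip_forward` printing `net.ipv4.ip_forward = 1`, since every cross-LAN routing step later in the guide depends on forwarding and a mistyped key in sysctl.conf is easy to miss in the reload output. Wrapping the command and the sysctl line in `<code>` is a good change.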
Line 79: Line 85:
 PrivateKey = <server private key> PrivateKey = <server private key>
  
-# LAN1 WG PC (home)\\ +# LAN1 WG PC (home) 
-[Peer]\\ +[Peer] 
-PublicKey = <LAN1 WG PC Public Key>\\ +PublicKey = <LAN1 WG PC Public Key> 
-AllowedIPs = 10.0.0.2/32, 192.168.100.0/24\\+AllowedIPs = 10.0.0.2/32, 192.168.100.0/24
  
-# LAN2 WG PC (work)\\ +# LAN2 WG PC (work) 
-[Peer]\\ +[Peer] 
-PublicKey = <LAN2 WG PC Public Key>\\ +PublicKey = <LAN2 WG PC Public Key> 
-AllowedIPs = 10.0.0.3/32, 192.168.150.0/24\\+AllowedIPs = 10.0.0.3/32, 192.168.150.0/24
  
-# VPS2\\ +# VPS2 
-[Peer]\\ +[Peer] 
-PublicKey = <VPS2 Public Key>\\ +PublicKey = <VPS2 Public Key> 
-AllowedIPs = 10.0.0.10/32\\+AllowedIPs = 10.0.0.10/32
  
-# VPS3\\ +# VPS3 
-[Peer]\\ +[Peer] 
-PublicKey = <VPS3 Public Key>\\ +PublicKey = <VPS3 Public Key> 
-AllowedIPs = 10.0.0.11/32\\+AllowedIPs = 10.0.0.11/32
 </code> </code>
 === LAN1 WG PC === === LAN1 WG PC ===
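Review bot: the context line `PrivateKey = <server private key>` means this whole file is a secret; the text should state that `/etc/wireguard/wg0.conf` must be owned by root with mode 0600 (`wg-quick` prints a warning when the file is readable by others). It would also help to add a comment inside the block explaining that `AllowedIPs = 10.0.0.2/32, 192.168.100.0/24` and `AllowedIPs = 10.0.0.3/32, 192.168.150.0/24` do double duty: besides filtering which source addresses a peer may send, WireGuard uses them as the routing table, so listing each LAN's subnet on its own peer is what makes the server forward that LAN's traffic to the right WG PC, and the ranges must not overlap between peers.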
Line 165: Line 171:
 You should only need to do this on the VPSs, unless you run local firewalls on the LAN WG PCs as well.\\ You should only need to do this on the VPSs, unless you run local firewalls on the LAN WG PCs as well.\\
 === /etc/shorewall/interfaces === === /etc/shorewall/interfaces ===
-net  eth0  dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0\\ +<code> 
-vpn  wg0   routeback\\+net  eth0  dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0 
 +vpn  wg0   routeback 
 +</code>
 === /etc/shorewall/zones === === /etc/shorewall/zones ===
 <code> <code>
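Review bot: `vpn  wg0   routeback` is the option that lets traffic leave wg0 on the same interface it arrived on, which the client-to-client and LAN-to-LAN reachability tested later in the guide depends on; a one-line comment in the block (or a sentence above it) saying so would spare readers who drop it. Also worth a note that this three-column ZONE/INTERFACE/OPTIONS layout assumes the file starts with `?FORMAT 2`; in the older format shorewall-interfaces(5) expects a BROADCAST column before OPTIONS, so the `net` line would be misparsed.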
Line 190: Line 198:
 ==== Test the Setup ==== ==== Test the Setup ====
 Make sure you've restarted the firewall services if necessary, then start Wireguard:\\ Make sure you've restarted the firewall services if necessary, then start Wireguard:\\
-wg-quick up wg0\\+<code>wg-quick up wg0</code>
  
 You should see it bring up the interface and add routes and whatnot.\\ You should see it bring up the interface and add routes and whatnot.\\
 To view the status run:\\ To view the status run:\\
-wg show\\+<code>wg show</code>
 On clients this should show the connection information and stats.\\ On clients this should show the connection information and stats.\\
 On the server it should have a section for each client.  It will show configured clients that aren't connected as well, but with minimal information.\\ On the server it should have a section for each client.  It will show configured clients that aren't connected as well, but with minimal information.\\
Line 200: Line 208:
 Make sure you can ping the Wireguard IPs back and forth from clients to server and clients to other clients.\\ Make sure you can ping the Wireguard IPs back and forth from clients to server and clients to other clients.\\
 Once you have verified, you can configure the system to automatically start the connection on boot"\\ Once you have verified, you can configure the system to automatically start the connection on boot"\\
-systemctl enable wg-quick@wg0\\+<code>systemctl enable wg-quick@wg0</code>
  
 ==== Enable Cross LAN Routing ==== ==== Enable Cross LAN Routing ====
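Review bot: the context line `...automatically start the connection on boot"\\` has a stray `"` where a colon belongs. On the `+` line, `systemctl enable wg-quick@wg0` is correct here because the reader has just run `wg-quick up wg0` by hand; it may be worth adding that from this point on the tunnel should be stopped and started through `systemctl restart wg-quick@wg0` rather than `wg-quick` directly, so systemd's idea of the interface state matches reality.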
Line 208: Line 216:
 In our case, LAN1 needs access to Wireguard Network and LAN2, and LAN2 needs access to Wireguard network and LAN1.\\ In our case, LAN1 needs access to Wireguard Network and LAN2, and LAN2 needs access to Wireguard network and LAN1.\\
 === LAN1 Routes === === LAN1 Routes ===
-10.0.0.0/24 GW 192.168.100.4\\ +<code> 
-192.168.150.0/24 GW 192.168.100.4\\+10.0.0.0/24 GW 192.168.100.4 
 +192.168.150.0/24 GW 192.168.100.4 
 +</code>
 === LAN2 Routes === === LAN2 Routes ===
-10.0.0.0/24 GW 192.168.150.4\\ +<code> 
-192.168.100.0/24 GW 192.168.150.4\\+10.0.0.0/24 GW 192.168.150.4 
 +192.168.100.0/24 GW 192.168.150.4 
 +</code>
  
 If everything is correct, machines on each LAN should be able to access all machines on the Wireguard network as well as all machines on the other LAN. If everything is correct, machines on each LAN should be able to access all machines on the Wireguard network as well as all machines on the other LAN.
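Review bot: `GW 192.168.100.4` and `GW 192.168.150.4` use router-style notation, but the hunk never says where the routes go or what those gateway addresses are; the text should state that these are static routes added on each LAN's default router (so every LAN host picks them up) and that the gateway is that LAN's WG PC, whose LAN IP is otherwise not mentioned in this section. For readers doing it on a Linux box the equivalent is `ip route add 10.0.0.0/24 via 192.168.100.4`. It should also remind the reader that the WG PC must have IP forwarding enabled (the earlier sysctl step), otherwise hosts have a route but never get replies.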
Line 222: Line 234:
 Side Note:  If all you want to expose are http/https services, you may want to explore Cloudflare Tunnels.  They are fairly simple to setup and in my small amount of testing seem to work well.  However, they do not support non-http/https services - to do that you apparently need their WARP client on every machine exposing a non-http/https service, so I didn't explore that option much due to the number of servers I needed to expose, some of which I can't install anything on anyway.\\ Side Note:  If all you want to expose are http/https services, you may want to explore Cloudflare Tunnels.  They are fairly simple to setup and in my small amount of testing seem to work well.  However, they do not support non-http/https services - to do that you apparently need their WARP client on every machine exposing a non-http/https service, so I didn't explore that option much due to the number of servers I needed to expose, some of which I can't install anything on anyway.\\
 ==== Install NPM, but with a twist ==== ==== Install NPM, but with a twist ====
-Pull up the [[Official Instructions|https://nginxproxymanager.com/guide/]] to follow, but with a couple key changes to the docker-compoose.yml file:\\ +Pull up the [[https://nginxproxymanager.com/guide/|Official Guide]] to follow, but with a couple key changes to the docker-compoose.yml file:\\ 
-1.  Remove the ports: section.\\ +  Remove the ports: section.\\ 
-2.  In it's place add: network_mode: "host"\\+  In it's place add: network_mode: "host"\\
 This will cause the docker container to use the host network instead of the docker bridge network.\\ This will cause the docker container to use the host network instead of the docker bridge network.\\
 If you use the docker bridge network, you'll have to:\\ If you use the docker bridge network, you'll have to:\\
-1.  Figure out how to get it working properly with your firewall.\\ +  - Figure out how to get it working properly with your firewall.\\ 
-2.  Stop the container, edit the configuration.yml file, and recompose every time you want to add a new port.\\+  Stop the container, edit the configuration.yml file, and recompose every time you want to add a new port.\\
  
 ==== Route Services using NPM ==== ==== Route Services using NPM ====
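Review bot: two typos survive on the `+` side: `docker-compoose.yml` should be `docker-compose.yml`, and `In it's place` should be `In its place`. As in the earlier list hunk, the second item of each list (`  In it's place add: network_mode: "host"`, `  Stop the container, edit...`) is shown without the `  - ` marker. On substance, `network_mode: "host"` puts the NPM admin UI (port 81) and every port NPM listens on directly on the VPS's interfaces, so the Shorewall policy becomes the only thing restricting them; the text should say explicitly that only the ports listed in the rules file are reachable from `net` and that the admin UI is reached over the WireGuard address, as the later `http://10.0.0.1:81/` step assumes.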
Line 236: Line 248:
 Another would be opening an OpenVPN server on your LAN for remote connections by your phone/laptop/etc.\\ Another would be opening an OpenVPN server on your LAN for remote connections by your phone/laptop/etc.\\
 Shorewall example rules:\\ Shorewall example rules:\\
-ACCEPT net fw tcp 80\\ +<code> 
-ACCEPT net fw tcp 443\\ +ACCEPT net fw tcp 80 
-ACCEPT net fw udp 1194\\+ACCEPT net fw tcp 443 
 +ACCEPT net fw udp 1194 
 +</code>
 2.  Web services (Proxy Hosts) need a hostname and ideally an SSL Certificate.\\ 2.  Web services (Proxy Hosts) need a hostname and ideally an SSL Certificate.\\
 In my case I have a specific domain that I use for external access services, but you could just use subdomains of any domain you control.\\ In my case I have a specific domain that I use for external access services, but you could just use subdomains of any domain you control.\\
-The general process is to point a subdomain to the IP of the VPS, create the forwarding host in NPM, and have NPM use LetsEncrypt to generate and SSL certificate for it.\\+The general process is to point a subdomain to the IP of the VPS, create the forwarding host in NPM, and have NPM use LetsEncrypt to generate an SSL certificate for it.\\
 The LetsEncrypt client supports a number of verification methods, including DNS based verification.  If you are using a supported DNS manager this makes things fairly easy.\\ The LetsEncrypt client supports a number of verification methods, including DNS based verification.  If you are using a supported DNS manager this makes things fairly easy.\\
 Since I use a dedicated domain for my public access hosts, I moved the DNS management of that domain to Cloudflare and had NPM use DNS verification with LetsEncrypt via the Cloudflare API plugin to generate a wildcard cert for my domain so I don't have to generate a new cert for each subdomain - I just add the DNS entry for the new subdomain then configure the host in NPM using the existing certificate.\\ Since I use a dedicated domain for my public access hosts, I moved the DNS management of that domain to Cloudflare and had NPM use DNS verification with LetsEncrypt via the Cloudflare API plugin to generate a wildcard cert for my domain so I don't have to generate a new cert for each subdomain - I just add the DNS entry for the new subdomain then configure the host in NPM using the existing certificate.\\
 3.  For non-http/https services, you configure Streams - these are tied only to the port, not to a specific hostname, so any hostname pointing at the VPS will work (or just use the public IP).\\ 3.  For non-http/https services, you configure Streams - these are tied only to the port, not to a specific hostname, so any hostname pointing at the VPS will work (or just use the public IP).\\
 So for our example lets create a Proxy host using the domain home.mydomain.com, that points to our home web on LAN1 at IP 192.168.100.10.\\ So for our example lets create a Proxy host using the domain home.mydomain.com, that points to our home web on LAN1 at IP 192.168.100.10.\\
-1.  Login to the NPM web interface.  In our example that would be http://10.0.0.1:81/\\ +  - Login to the NPM web interface.  In our example that would be http://10.0.0.1:81/\\ 
-2.  Click Proxy Hosts\\ +  Click Proxy Hosts\\ 
-3.  Click Add Proxy Host\\ +  Click Add Proxy Host\\ 
-4.  Domain Name: home.mydomain.com\\ +  Domain Name: home.mydomain.com\\ 
-5:  Scheme: http or https, whichever your internal server is running on.\\ +  Scheme: http or https, whichever your internal server is running on.\\ 
-6.  Forward Hostname/IP: 192.168.100.10\\ +  Forward Hostname/IP: 192.168.100.10\\ 
-7.  Forward Port:  Port your server listens on, so likely 80 (http) or 443 (https)\\ +  Forward Port:  Port your server listens on, so likely 80 (http) or 443 (https)\\ 
-8.  Turn on Block Common Exploits, and if needed, Websockets Support\\ +  Turn on Block Common Exploits, and if needed, Websockets Support\\ 
-9.  Switch to the SSL Tab\\ +  Switch to the SSL Tab\\ 
-10.  Select an existing certificate that covers that hostname or Request a new SSL Certificate.\\ +  Select an existing certificate that covers that hostname or Request a new SSL Certificate.\\ 
-11.  Check Force SSL and HSTS Enabled.\\ +  Check Force SSL and HSTS Enabled.\\ 
-12.  If requesting a new cert, select Use DNS Challenge if you are using that, otherwise it will use the http verification method.\\ +  If requesting a new cert, select Use DNS Challenge if you are using that, otherwise it will use the http verification method.\\ 
-13.  If requesting a new cert, agree to the LetsEncrypt terms.\\ +  If requesting a new cert, agree to the LetsEncrypt terms.\\ 
-14.  Hit Save.\\+  Hit Save.\\
 You can also manage and request certs from the SSL Certificates section.\\ You can also manage and request certs from the SSL Certificates section.\\
 If everything worked correctly and is configured correctly, you should be able to browse to home.mydomain.com from outside your LAN.\\ If everything worked correctly and is configured correctly, you should be able to browse to home.mydomain.com from outside your LAN.\\
 Now for the OpenVPN connection:\\ Now for the OpenVPN connection:\\
 Let's say our OpenVPN server is on Lan1 at 192.168.100.15.\\ Let's say our OpenVPN server is on Lan1 at 192.168.100.15.\\
-1.  Go to Hosts -> Streams (or Dashboard -> Streams).\\ +  - Go to Hosts -> Streams (or Dashboard -> Streams).\\ 
-2.  Click Add Stream.\\ +  Click Add Stream.\\ 
-3.  Incoming Port: 1194\\ +  Incoming Port: 1194\\ 
-4.  Forward Host: 192.168.100.15\\ +  Forward Host: 192.168.100.15\\ 
-5.  Forward Port: 1194\\ +  Forward Port: 1194\\ 
-6.  Uncheck TCP and check UDP.\\ +  Uncheck TCP and check UDP.\\ 
-7.  Click Save.\\+  Click Save.\\
 If everything is configured correctly, your OpenVPN client should now be able to connect from outside your network by pointing it to the VPS IP address (or an associated hostname).\\ If everything is configured correctly, your OpenVPN client should now be able to connect from outside your network by pointing it to the VPS IP address (or an associated hostname).\\
 ===== Wrapup ===== ===== Wrapup =====
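Review bot: the `ACCEPT net fw tcp 80` / `ACCEPT net fw tcp 443` / `ACCEPT net fw udp 1194` rules match what NPM forwards later in this hunk (proxy hosts on 80/443, the UDP 1194 stream with TCP unchecked and UDP checked), and the admin port 81 is correctly absent from them; a sentence tying the two together, that every new Stream needs a matching `ACCEPT net fw` rule and nothing else should be opened, would make the intent clear. As in the earlier hunks, every list item after the first (`  Click Proxy Hosts`, `  Click Add Stream`, and so on) is shown without the `  - ` marker and should be checked. Minor wording on context lines: `lets create a Proxy host` should be `let's`, and `Lan1` should be `LAN1` to match the rest of the page.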
guides/wireguard_multilan_tunnels.1734055704.txt.gz · Last modified: 2024/12/12 21:08 by techiem2