This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
guides:wireguard_multilan_tunnels [2024/12/12 21:11] – [Route Services using NPM] techiem2 | guides:wireguard_multilan_tunnels [2024/12/17 08:20] (current) – [Route Services using NPM] techiem2 | ||
---|---|---|---|
Line 6: | Line 6: | ||
Why use a centralized server for connecting LANs rather than a site to site VPN?\\ | Why use a centralized server for connecting LANs rather than a site to site VPN?\\ | ||
- | 1. | + | - Not all routers/ |
- | 2. If your router is behind an ISP modem/ | + | |
Why use a centralized VPS to expose LAN services to the internet?\\ | Why use a centralized VPS to expose LAN services to the internet?\\ | ||
- | 1. | + | - As above, you may not have the ability to directly expose the ports on your home modem/ |
- | 2. Even if you can directly expose the ports, this adds a layer of security by not needing to publish the public IP of your LAN.\\ | + | |
- | 3. Your ISP may block ports on their side so even if you can expose on your modem/ | + | |
===== Basic Overview of Sample Setup ===== | ===== Basic Overview of Sample Setup ===== | ||
Line 59: | Line 59: | ||
==== Generate Key Pair ==== | ==== Generate Key Pair ==== | ||
Generate the public and private key for the machine:\\ | Generate the public and private key for the machine:\\ | ||
- | wg genkey | tee privatekey | wg pubkey > publickey\\ | + | < |
+ | wg genkey | tee privatekey | wg pubkey > publickey | ||
+ | </ | ||
==== Enable IP Forwarding ==== | ==== Enable IP Forwarding ==== | ||
Line 65: | Line 67: | ||
Edit / | Edit / | ||
Uncomment or add:\\ | Uncomment or add:\\ | ||
- | net.ipv4.ip_forward=1\\ | + | < |
+ | net.ipv4.ip_forward=1 | ||
+ | </ | ||
Reload the config:\\ | Reload the config:\\ | ||
- | sysctl --system\\ | + | < |
+ | sysctl --system | ||
+ | </ | ||
==== Create Config Files ==== | ==== Create Config Files ==== | ||
Line 165: | Line 171: | ||
You should only need to do this on the VPSs, unless you run local firewalls on the LAN WG PCs as well.\\ | You should only need to do this on the VPSs, unless you run local firewalls on the LAN WG PCs as well.\\ | ||
=== / | === / | ||
- | net eth0 dhcp, | + | < |
- | vpn wg0 | + | net eth0 dhcp, |
+ | vpn wg0 | ||
+ | </ | ||
=== / | === / | ||
< | < | ||
Line 190: | Line 198: | ||
==== Test the Setup ==== | ==== Test the Setup ==== | ||
Make sure you've restarted the firewall services if necessary, then start Wireguard: | Make sure you've restarted the firewall services if necessary, then start Wireguard: | ||
- | wg-quick up wg0\\ | + | < |
You should see it bring up the interface and add routes and whatnot.\\ | You should see it bring up the interface and add routes and whatnot.\\ | ||
To view the status run:\\ | To view the status run:\\ | ||
- | wg show\\ | + | < |
On clients this should show the connection information and stats.\\ | On clients this should show the connection information and stats.\\ | ||
On the server it should have a section for each client. | On the server it should have a section for each client. | ||
Line 200: | Line 208: | ||
Make sure you can ping the Wireguard IPs back and forth from clients to server and clients to other clients.\\ | Make sure you can ping the Wireguard IPs back and forth from clients to server and clients to other clients.\\ | ||
Once you have verified, you can configure the system to automatically start the connection on boot" | Once you have verified, you can configure the system to automatically start the connection on boot" | ||
- | systemctl enable wg-quick@wg0\\ | + | < |
==== Enable Cross LAN Routing ==== | ==== Enable Cross LAN Routing ==== | ||
Line 208: | Line 216: | ||
In our case, LAN1 needs access to Wireguard Network and LAN2, and LAN2 needs access to Wireguard network and LAN1.\\ | In our case, LAN1 needs access to Wireguard Network and LAN2, and LAN2 needs access to Wireguard network and LAN1.\\ | ||
=== LAN1 Routes === | === LAN1 Routes === | ||
- | 10.0.0.0/24 GW 192.168.100.4\\ | + | < |
- | 192.168.150.0/ | + | 10.0.0.0/24 GW 192.168.100.4 |
+ | 192.168.150.0/ | ||
+ | </ | ||
=== LAN2 Routes === | === LAN2 Routes === | ||
- | 10.0.0.0/24 GW 192.168.150.4\\ | + | < |
- | 192.168.100.0/ | + | 10.0.0.0/24 GW 192.168.150.4 |
+ | 192.168.100.0/ | ||
+ | </ | ||
If everything is correct, machines on each LAN should be able to access all machines on the Wireguard network as well as all machines on the other LAN. | If everything is correct, machines on each LAN should be able to access all machines on the Wireguard network as well as all machines on the other LAN. | ||
Line 222: | Line 234: | ||
Side Note: If all you want to expose are http/https services, you may want to explore Cloudflare Tunnels. | Side Note: If all you want to expose are http/https services, you may want to explore Cloudflare Tunnels. | ||
==== Install NPM, but with a twist ==== | ==== Install NPM, but with a twist ==== | ||
- | Pull up the [[Official Instructions|https:// | + | Pull up the [[https:// |
- | 1. | + | |
- | 2. In it's place add: network_mode: | + | |
This will cause the docker container to use the host network instead of the docker bridge network.\\ | This will cause the docker container to use the host network instead of the docker bridge network.\\ | ||
If you use the docker bridge network, you'll have to:\\ | If you use the docker bridge network, you'll have to:\\ | ||
- | 1. | + | - Figure out how to get it working properly with your firewall.\\ |
- | 2. Stop the container, edit the configuration.yml file, and recompose every time you want to add a new port.\\ | + | |
==== Route Services using NPM ==== | ==== Route Services using NPM ==== | ||
Line 243: | Line 255: | ||
2. Web services (Proxy Hosts) need a hostname and ideally an SSL Certificate.\\ | 2. Web services (Proxy Hosts) need a hostname and ideally an SSL Certificate.\\ | ||
In my case I have a specific domain that I use for external access services, but you could just use subdomains of any domain you control.\\ | In my case I have a specific domain that I use for external access services, but you could just use subdomains of any domain you control.\\ | ||
- | The general process is to point a subdomain to the IP of the VPS, create the forwarding host in NPM, and have NPM use LetsEncrypt to generate | + | The general process is to point a subdomain to the IP of the VPS, create the forwarding host in NPM, and have NPM use LetsEncrypt to generate |
The LetsEncrypt client supports a number of verification methods, including DNS based verification. | The LetsEncrypt client supports a number of verification methods, including DNS based verification. | ||
Since I use a dedicated domain for my public access hosts, I moved the DNS management of that domain to Cloudflare and had NPM use DNS verification with LetsEncrypt via the Cloudflare API plugin to generate a wildcard cert for my domain so I don't have to generate a new cert for each subdomain - I just add the DNS entry for the new subdomain then configure the host in NPM using the existing certificate.\\ | Since I use a dedicated domain for my public access hosts, I moved the DNS management of that domain to Cloudflare and had NPM use DNS verification with LetsEncrypt via the Cloudflare API plugin to generate a wildcard cert for my domain so I don't have to generate a new cert for each subdomain - I just add the DNS entry for the new subdomain then configure the host in NPM using the existing certificate.\\ | ||
3. For non-http/ | 3. For non-http/ | ||
So for our example lets create a Proxy host using the domain home.mydomain.com, | So for our example lets create a Proxy host using the domain home.mydomain.com, | ||
- | 1. | + | - Login to the NPM web interface. |
- | 2. Click Proxy Hosts\\ | + | |
- | 3. Click Add Proxy Host\\ | + | |
- | 4. | + | |
- | 5: | + | |
- | 6. | + | |
- | 7. | + | |
- | 8. Turn on Block Common Exploits, and if needed, Websockets Support\\ | + | |
- | 9. | + | |
- | 10. | + | |
- | 11. Check Force SSL and HSTS Enabled.\\ | + | |
- | 12. If requesting a new cert, select Use DNS Challenge if you are using that, otherwise it will use the http verification method.\\ | + | |
- | 13. If requesting a new cert, agree to the LetsEncrypt terms.\\ | + | |
- | 14. Hit Save.\\ | + | |
You can also manage and request certs from the SSL Certificates section.\\ | You can also manage and request certs from the SSL Certificates section.\\ | ||
If everything worked correctly and is configured correctly, you should be able to browse to home.mydomain.com from outside your LAN.\\ | If everything worked correctly and is configured correctly, you should be able to browse to home.mydomain.com from outside your LAN.\\ | ||
Now for the OpenVPN connection: | Now for the OpenVPN connection: | ||
Let's say our OpenVPN server is on Lan1 at 192.168.100.15.\\ | Let's say our OpenVPN server is on Lan1 at 192.168.100.15.\\ | ||
- | 1. | + | - Go to Hosts -> Streams (or Dashboard -> Streams).\\ |
- | 2. Click Add Stream.\\ | + | |
- | 3. | + | |
- | 4. | + | |
- | 5. | + | |
- | 6. | + | |
- | 7. Click Save.\\ | + | |
If everything is configured correctly, your OpenVPN client should now be able to connect from outside your network by pointing it to the VPS IP address (or an associated hostname).\\ | If everything is configured correctly, your OpenVPN client should now be able to connect from outside your network by pointing it to the VPS IP address (or an associated hostname).\\ | ||
===== Wrapup ===== | ===== Wrapup ===== |