This shows you the differences between two versions of the page.
guides:wireguard_multilan_tunnels [2024/12/12 21:21] – [Route Services using NPM] techiem2 | guides:wireguard_multilan_tunnels [2024/12/17 08:20] (current) – [Route Services using NPM] techiem2 | ||
Line 6: | Line 6: | ||
Why use a centralized server for connecting LANs rather than a site to site VPN?\\ | Why use a centralized server for connecting LANs rather than a site to site VPN?\\ | ||
- | 1. | + | - Not all routers/ |
- | 2. If your router is behind an ISP modem/ | + | |
Why use a centralized VPS to expose LAN services to the internet?\\ | Why use a centralized VPS to expose LAN services to the internet?\\ | ||
- | 1. | + | - As above, you may not have the ability to directly expose the ports on your home modem/ |
- | 2. Even if you can directly expose the ports, this adds a layer of security by not needing to publish the public IP of your LAN.\\ | + | |
- | 3. Your ISP may block ports on their side so even if you can expose on your modem/ | + | |
===== Basic Overview of Sample Setup ===== | ===== Basic Overview of Sample Setup ===== | ||
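Review bot: item 2 of the VPS list ("this adds a layer of security by not needing to publish the public IP of your LAN") overstates the benefit and should be qualified. The VPS becomes the internet-facing endpoint in place of the home router, so the exposure is relocated rather than removed, and the VPS (its WireGuard listener and every service proxied through it) now needs the hardening the home modem would otherwise need. Suggest wording it as keeping the home IP out of public DNS while stating plainly that the VPS is now the surface to protect.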
Line 198: | Line 198: | ||
==== Test the Setup ==== | ==== Test the Setup ==== | ||
Make sure you've restarted the firewall services if necessary, then start Wireguard: | Make sure you've restarted the firewall services if necessary, then start Wireguard: | ||
- | wg-quick up wg0\\ | + | < |
You should see it bring up the interface and add routes and whatnot.\\ | You should see it bring up the interface and add routes and whatnot.\\ | ||
To view the status run:\\ | To view the status run:\\ | ||
- | wg show\\ | + | < |
On clients this should show the connection information and stats.\\ | On clients this should show the connection information and stats.\\ | ||
On the server it should have a section for each client. | On the server it should have a section for each client. | ||
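Review bot: "this should show the connection information and stats" gives the reader no success criterion for the `wg show` step. Suggest naming what to look for: a recent "latest handshake" time and non-zero "transfer" counters for each peer. A peer entry with no handshake line means packets are not getting through (typically a firewall rule or a key/endpoint mismatch) even though `wg-quick up wg0` reported no error, so this is the check that distinguishes "interface is up" from "tunnel works".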
Line 208: | Line 208: | ||
Make sure you can ping the Wireguard IPs back and forth from clients to server and clients to other clients.\\ | Make sure you can ping the Wireguard IPs back and forth from clients to server and clients to other clients.\\ | ||
Once you have verified, you can configure the system to automatically start the connection on boot" | Once you have verified, you can configure the system to automatically start the connection on boot" | ||
- | systemctl enable wg-quick@wg0\\ | + | < |
==== Enable Cross LAN Routing ==== | ==== Enable Cross LAN Routing ==== | ||
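Review bot: the stray double quote at the end of "automatically start the connection on boot"" should be a colon. It is present on both sides of the hunk, so the `<code>` conversion carries it over unchanged; worth fixing in the same edit.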
Line 234: | Line 234: | ||
Side Note: If all you want to expose are http/https services, you may want to explore Cloudflare Tunnels. | Side Note: If all you want to expose are http/https services, you may want to explore Cloudflare Tunnels. | ||
==== Install NPM, but with a twist ==== | ==== Install NPM, but with a twist ==== | ||
- | Pull up the [[Official Instructions|https:// | + | Pull up the [[https:// |
- Remove the ports: section.\\ | - Remove the ports: section.\\ | ||
- In it's place add: network_mode: | - In it's place add: network_mode: | ||
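Review bot: "In it's place add:" should read "In its place add:"; the typo is unchanged across both revisions. The link correction itself is right: DokuWiki's syntax is [[target|label]], so the old [[Official Instructions|https://...]] had label and URL swapped and would not have rendered as a working link.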
Line 255: | Line 255: | ||
2. Web services (Proxy Hosts) need a hostname and ideally an SSL Certificate.\\ | 2. Web services (Proxy Hosts) need a hostname and ideally an SSL Certificate.\\ | ||
In my case I have a specific domain that I use for external access services, but you could just use subdomains of any domain you control.\\ | In my case I have a specific domain that I use for external access services, but you could just use subdomains of any domain you control.\\ | ||
- | The general process is to point a subdomain to the IP of the VPS, create the forwarding host in NPM, and have NPM use LetsEncrypt to generate | + | The general process is to point a subdomain to the IP of the VPS, create the forwarding host in NPM, and have NPM use LetsEncrypt to generate |
The LetsEncrypt client supports a number of verification methods, including DNS based verification. | The LetsEncrypt client supports a number of verification methods, including DNS based verification. | ||
Since I use a dedicated domain for my public access hosts, I moved the DNS management of that domain to Cloudflare and had NPM use DNS verification with LetsEncrypt via the Cloudflare API plugin to generate a wildcard cert for my domain so I don't have to generate a new cert for each subdomain - I just add the DNS entry for the new subdomain then configure the host in NPM using the existing certificate.\\ | Since I use a dedicated domain for my public access hosts, I moved the DNS management of that domain to Cloudflare and had NPM use DNS verification with LetsEncrypt via the Cloudflare API plugin to generate a wildcard cert for my domain so I don't have to generate a new cert for each subdomain - I just add the DNS entry for the new subdomain then configure the host in NPM using the existing certificate.\\ | ||
3. For non-http/ | 3. For non-http/ | ||
So for our example lets create a Proxy host using the domain home.mydomain.com, | So for our example lets create a Proxy host using the domain home.mydomain.com, | ||
- | 1. | + | - Login to the NPM web interface. |
- | 2. Click Proxy Hosts\\ | + | |
- | 3. Click Add Proxy Host\\ | + | |
- | 4. | + | |
- | 5: | + | |
- | 6. | + | |
- | 7. | + | |
- | 8. Turn on Block Common Exploits, and if needed, Websockets Support\\ | + | |
- | 9. | + | |
- | 10. | + | |
- | 11. Check Force SSL and HSTS Enabled.\\ | + | |
- | 12. If requesting a new cert, select Use DNS Challenge if you are using that, otherwise it will use the http verification method.\\ | + | |
- | 13. If requesting a new cert, agree to the LetsEncrypt terms.\\ | + | |
- | 14. Hit Save.\\ | + | |
You can also manage and request certs from the SSL Certificates section.\\ | You can also manage and request certs from the SSL Certificates section.\\ | ||
If everything worked correctly and is configured correctly, you should be able to browse to home.mydomain.com from outside your LAN.\\ | If everything worked correctly and is configured correctly, you should be able to browse to home.mydomain.com from outside your LAN.\\ |
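Review bot: step 12 ("select Use DNS Challenge") and the Cloudflare API plugin paragraph do not say what credential NPM needs for the DNS challenge. Suggest adding that it should be a Cloudflare API token scoped to DNS edit on that one zone, not the account's Global API Key: the credential is stored on the internet-facing VPS, and a zone-scoped token limits what a compromise of that host could change in DNS. Two smaller points in the same hunk: the outer "2." and "3." stay hand-numbered while the inner 14 steps become wiki list items, leaving the numbering style mixed, and "lets create" should read "let's create".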