guides:wireguard_multilan_tunnels

Differences

This shows you the differences between two versions of the page.

guides:wireguard_multilan_tunnels [2024/12/12 21:22] – [Route Services using NPM] techiem2
guides:wireguard_multilan_tunnels [2024/12/17 08:20] (current) – [Route Services using NPM] techiem2
Line 6: Line 6:
  
 Why use a centralized server for connecting LANs rather than a site to site VPN?\\ Why use a centralized server for connecting LANs rather than a site to site VPN?\\
-1.  Not all routers/modems support site to site VPNs.\\ +  - Not all routers/modems support site to site VPNs.\\ 
-2.  If your router is behind an ISP modem/router that does not support bridge mode, site to site will likely not work due to double NAT.  (This is my initial reason for setting this up - my ISP updated the modems and broke bridge mode and is taking a long time to figure out what's actually wrong.)\\+  If your router is behind an ISP modem/router that does not support bridge mode, site to site will likely not work due to double NAT.  (This is my initial reason for setting this up - my ISP updated the modems and broke bridge mode and is taking a long time to figure out what's actually wrong.)\\
  
 Why use a centralized VPS to expose LAN services to the internet?\\ Why use a centralized VPS to expose LAN services to the internet?\\
-1.  As above, you may not have the ability to directly expose the ports on your home modem/router.\\ +  - As above, you may not have the ability to directly expose the ports on your home modem/router.\\ 
-2.  Even if you can directly expose the ports, this adds a layer of security by not needing to publish the public IP of your LAN.\\ +  Even if you can directly expose the ports, this adds a layer of security by not needing to publish the public IP of your LAN.\\ 
-3.  Your ISP may block ports on their side so even if you can expose on your modem/router, you can't use them anyway.\\+  Your ISP may block ports on their side so even if you can expose on your modem/router, you can't use them anyway.\\
  
 ===== Basic Overview of Sample Setup ===== ===== Basic Overview of Sample Setup =====
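Review bot: in both lists the new revision drops the `2.`/`3.` prefixes from the second and third items but does not give them the `  - ` marker the first item now uses, so in DokuWiki the lines `If your router is behind...`, `Even if you can directly expose...` and `Your ISP may block ports...` render as indented plain text instead of list entries; prefix each with `  - ` exactly like the first item. Separately, the claim that not publishing the LAN's public IP "adds a layer of security" should be stated precisely, since the address is still discoverable: the actual gain is that the home router exposes no listening port at all and every inbound connection has to arrive through the VPS and the WireGuard tunnel, where it can be filtered.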
Line 198: Line 198:
 ==== Test the Setup ==== ==== Test the Setup ====
 Make sure you've restarted the firewall services if necessary, then start Wireguard:\\ Make sure you've restarted the firewall services if necessary, then start Wireguard:\\
-wg-quick up wg0\\+<code>wg-quick up wg0</code>
  
 You should see it bring up the interface and add routes and whatnot.\\ You should see it bring up the interface and add routes and whatnot.\\
 To view the status run:\\ To view the status run:\\
-wg show\\+<code>wg show</code>
 On clients this should show the connection information and stats.\\ On clients this should show the connection information and stats.\\
 On the server it should have a section for each client.  It will show configured clients that aren't connected as well, but with minimal information.\\ On the server it should have a section for each client.  It will show configured clients that aren't connected as well, but with minimal information.\\
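Review bot: the description of the server-side `wg show` output should tell the reader what distinguishes a connected peer from a merely configured one, because a peer section is printed for every configured public key; the `latest handshake` timestamp and non-zero `transfer` counters are the evidence that the tunnel is actually up, and a peer with no handshake line has never completed a handshake, which usually points to a wrong key, wrong endpoint, or a firewall dropping the UDP listen port. Also `wg-quick up wg0` needs root, so the code block should read `sudo wg-quick up wg0` unless the guide assumes a root shell.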
Line 208: Line 208:
 Make sure you can ping the Wireguard IPs back and forth from clients to server and clients to other clients.\\ Make sure you can ping the Wireguard IPs back and forth from clients to server and clients to other clients.\\
 Once you have verified, you can configure the system to automatically start the connection on boot"\\ Once you have verified, you can configure the system to automatically start the connection on boot"\\
-systemctl enable wg-quick@wg0\\+<code>systemctl enable wg-quick@wg0</code>
  
 ==== Enable Cross LAN Routing ==== ==== Enable Cross LAN Routing ====
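Review bot: `systemctl enable wg-quick@wg0` only registers the unit for the next boot, and because `wg0` was brought up by hand in the previous step, `systemctl enable --now wg-quick@wg0` would fail with the interface already existing; either say that the manually started tunnel stays up until reboot, or tell the reader to run `wg-quick down wg0` first and then `systemctl enable --now wg-quick@wg0`. There is also a stray `"` at the end of `on boot"` in the unchanged line above the code block.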
Line 234: Line 234:
 Side Note:  If all you want to expose are http/https services, you may want to explore Cloudflare Tunnels.  They are fairly simple to setup and in my small amount of testing seem to work well.  However, they do not support non-http/https services - to do that you apparently need their WARP client on every machine exposing a non-http/https service, so I didn't explore that option much due to the number of servers I needed to expose, some of which I can't install anything on anyway.\\ Side Note:  If all you want to expose are http/https services, you may want to explore Cloudflare Tunnels.  They are fairly simple to setup and in my small amount of testing seem to work well.  However, they do not support non-http/https services - to do that you apparently need their WARP client on every machine exposing a non-http/https service, so I didn't explore that option much due to the number of servers I needed to expose, some of which I can't install anything on anyway.\\
 ==== Install NPM, but with a twist ==== ==== Install NPM, but with a twist ====
-Pull up the [[Official Instructions|https://nginxproxymanager.com/guide/]] to follow, but with a couple key changes to the docker-compoose.yml file:\\+Pull up the [[https://nginxproxymanager.com/guide/|Official Guide]] to follow, but with a couple key changes to the docker-compoose.yml file:\\
   - Remove the ports: section.\\   - Remove the ports: section.\\
   - In it's place add: network_mode: "host"\\   - In it's place add: network_mode: "host"\\
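Review bot: removing the `ports:` section and switching to `network_mode: "host"` does not reduce what is exposed, it increases it: every port the NPM container listens on, the admin UI on 81 as well as 80 and 443, is now bound directly on all of the VPS's interfaces, public one included. This step should say how the admin UI is protected before the container is brought up, for example by firewalling 81 on the VPS so it is reachable only from the WireGuard address or localhost. Minor: `docker-compoose.yml` should be `docker-compose.yml` and `In it's place` should be `In its place`.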
Line 255: Line 255:
 2.  Web services (Proxy Hosts) need a hostname and ideally an SSL Certificate.\\ 2.  Web services (Proxy Hosts) need a hostname and ideally an SSL Certificate.\\
 In my case I have a specific domain that I use for external access services, but you could just use subdomains of any domain you control.\\ In my case I have a specific domain that I use for external access services, but you could just use subdomains of any domain you control.\\
-The general process is to point a subdomain to the IP of the VPS, create the forwarding host in NPM, and have NPM use LetsEncrypt to generate and SSL certificate for it.\\+The general process is to point a subdomain to the IP of the VPS, create the forwarding host in NPM, and have NPM use LetsEncrypt to generate an SSL certificate for it.\\
 The LetsEncrypt client supports a number of verification methods, including DNS based verification.  If you are using a supported DNS manager this makes things fairly easy.\\ The LetsEncrypt client supports a number of verification methods, including DNS based verification.  If you are using a supported DNS manager this makes things fairly easy.\\
 Since I use a dedicated domain for my public access hosts, I moved the DNS management of that domain to Cloudflare and had NPM use DNS verification with LetsEncrypt via the Cloudflare API plugin to generate a wildcard cert for my domain so I don't have to generate a new cert for each subdomain - I just add the DNS entry for the new subdomain then configure the host in NPM using the existing certificate.\\ Since I use a dedicated domain for my public access hosts, I moved the DNS management of that domain to Cloudflare and had NPM use DNS verification with LetsEncrypt via the Cloudflare API plugin to generate a wildcard cert for my domain so I don't have to generate a new cert for each subdomain - I just add the DNS entry for the new subdomain then configure the host in NPM using the existing certificate.\\
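Review bot: the article fix (`an SSL certificate`) is correct, but what this step is missing is the scope of the Cloudflare credential that NPM stores for DNS validation. It lives on the internet-facing VPS, so it should be an API token limited to Zone DNS Edit on that single zone rather than the account's Global API Key, and the reader should be told that a wildcard certificate means one private key on the VPS covers every public host, which is acceptable here only because the VPS is already the single TLS termination point for all of them. Spelling: `LetsEncrypt` is `Let's Encrypt`.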
guides/wireguard_multilan_tunnels.1734056566.txt.gz · Last modified: 2024/12/12 21:22 by techiem2