Is WireGuard a service you pay for? Otherwise how does WireGuard on your home machine not need your router to forward ports to it? And then the remote client needs to be pointed at your home’s external IP?
Comment on What are your VPN recommendations for accessing self-hosted applications from the outside?
friend_of_satan@lemmy.world 2 days ago
Run WireGuard on some home machine.
Run WireGuard on your road warrior system.
There is no step 3.
I’m doing this right now from halfway around the world from my house and it’s been great.
jaybone@lemmy.zip 2 days ago
friend_of_satan@lemmy.world 2 days ago
WireGuard is free. Obviously my instructions didn’t go into detail about specifically how to set everything up. Port forwarding is required. Knowing your server’s external IP address is required. You also need electricity, an ISP subscription, a home server (preferably running Linux), so on and so forth. This is /c/selfhosted after all.
jaybone@lemmy.zip 1 day ago
Yeah that’s fine. The steps were so simple I figured they could work without router config changes if they made some kind of connection handshake in a third-party service’s server.
But given all that, I wonder if it makes sense to look into if your router has its own vpn server (or flash the firmware with one that does.)
friend_of_satan@lemmy.world 1 day ago
Some servers even run WireGuard :) like for instance Ubiquiti. Personally I’d rather run it on my own server though because Ubiquiti doesn’t have easy IaC features.
jobbies@lemmy.zip 1 day ago
Apologies for the dumb noob question, but if your iOS device is VPNed to your home server, how does it access the internet? Does it do this via the VPN to the home server?
eszidiszi@lemmy.world 1 day ago
Depends on the client configuration. If you route all the traffic through the VPN (so, simplified, 0.0.0.0/0) then all their client device network traffic would go through their VPN server at home and is seen as coming from there; otherwise, if you only route specific addresses (like your home network private addresses only) then only those go to their home network and everything else works like it would without a VPN.
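The two routing modes described in the comment above, shown as a pair of wg-quick style configuration files. This is an added example and not part of any post in the thread; the 10.8.0.0/24 tunnel subnet, UDP port 51820, the home.example.net name and the key placeholders are assumptions, and 192.168.0.0/24 is the example home subnet used elsewhere in this thread.

```ini
# ---- Home server: /etc/wireguard/wg0.conf (constructed example) ----
[Interface]
# Address of the server inside the tunnel (assumed subnet)
Address = 10.8.0.1/24
# The router must forward this one UDP port to this host
ListenPort = 51820
PrivateKey = <server-private-key>

[Peer]
# The road-warrior device. On the server side, AllowedIPs is the only
# source address accepted from this peer, so keep it to a single /32.
PublicKey = <client-public-key>
AllowedIPs = 10.8.0.2/32

# Reaching other LAN hosts (or the internet) through this server also
# needs IP forwarding, and usually NAT, enabled on this host (not shown).

# ---- Client (phone or laptop) (constructed example) ----
[Interface]
Address = 10.8.0.2/32
PrivateKey = <client-private-key>

[Peer]
PublicKey = <server-public-key>
# Public IP address or dynamic DNS name of the home connection (placeholder)
Endpoint = home.example.net:51820
# Split tunnel: only the home LAN and the tunnel subnet go through the house;
# all other traffic leaves the device as it would without a VPN.
AllowedIPs = 192.168.0.0/24, 10.8.0.0/24
# Full tunnel alternative: send all IPv4 and IPv6 traffic through the house.
# AllowedIPs = 0.0.0.0/0, ::/0
# Keeps the NAT mapping alive when the client sits behind NAT
PersistentKeepalive = 25
```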
friend_of_satan@lemmy.world 1 day ago
WireGuard routes certain traffic from the client (your iPhone) through the server (the computer at your house). If you route all traffic, then when your iPhone accesses the internet, it’s as if you were at home. Since that WireGuard server is sitting on the 192.168.0.0/24 subnet, it is able to route your phone’s traffic to anything else on that subnet.
WireGuard clients have a setting called AllowedIPs that tells the client what IP subnets to route through the server. By default this is 0.0.0.0/0, ::/0, which means “all ipv4 and all ipv6 traffic”. Now, if all you want is to access your home network services, but some want all your traffic to go through your house, then you change that to 192.168.0.0/24 or whatever your home subnet is, and only that network will be routed to the server at your house.
jobbies@lemmy.zip 1 day ago
Ahh. But what if you already used a VPN on the client for normal browsing etc - can you have two VPNs configured?
SpikesOtherDog@ani.social 1 day ago
No, think of a VPN as a network cable. You can only send out of one or the other.
Now, if you are connected to a device that has another VPN to somewhere you want to go, then technically yes you would be using 2 VPN connections.
friend_of_satan@lemmy.world 1 day ago
I don’t think iOS allows multiple VPNs to be enabled simultaneously. There appears to be only one VPN on/off toggle switch. From what I’ve seen you can have different vpn profiles but only enable one at a time. I could be wrong though.
Desktop operating systems like macOS, Linux (did I mention yet that I use arch Linux?), BSD, and um… that other one… oh yeah, Windows do allow this. I’m sure there are a variety of compatibility problems, but in general, multiple VPNs with the same or even different technologies can work together.
waterproof@sh.itjust.works 1 day ago
Okay, so that’s pretty much the setup I had in mind. Good to know there is not much need for an extra step for security, thanks for the answer!
Well, I guess that would still be vulnerable to DDOS attacks, but that would just prevent me from accessing my cinnamon apple-pie recipe from my self hosted recipe manager for some time. A bit mean, but not catastrophic.
I wondered if there would be some other attacks that could compromise my machine with only a wireguard setup, but that’s a good sign if there is nothing obvious.
non_burglar@lemmy.world 1 day ago
You wouldn’t be any more vulnerable to ddos attacks than without WG.
0_o7@lemmy.dbzer0.com 1 day ago
Doesn’t that need like a static IP address, port forwarding and dealing with all kinds of network annoyances?
Recommending wireguard to people feels like recommending Arch to first time Linux users.
cmnybo@discuss.tchncs.de 1 day ago
You don’t need a static IP address, but you do need a public IP address. You can use dynamic DNS to avoid having to keep track of your IP address. FreeDNS will work fine for a basic setup.
Wireguard is one of the easiest VPN servers to use. If you’re not using your ISP’s router, it may even have Wireguard built in.
dantheclamman@lemmy.world 11 hours ago
I use WireGuard via PiVPN and it’s pretty much foolproof. I don’t bother with Dynamic DNS but have in the past.