My primary scare is wg being another potential single point of software failure, preventing remote access
Comment on Using Fail2ban to protect exposed services
redlemace@lemmy.world 19 hours ago
Exposing services to the internet is a whole other game. Try wireguard first, i never had issues and use it mostly from my tablet.
30p87@feddit.org 17 hours ago
TBi@lemmy.world 16 hours ago
You can run it on two servers at once. I have WireGuard running on my router (which can’t give full speed) and my server (which can run at full speed). Also running on another machine for fun.
paequ2@lemmy.today 19 hours ago
I am kinda interested in WireGuard, but how does it work with multiple non-PC devices on different home networks? Tailscale runs seamlessly on my Arch laptop, but Android, TVs, and streaming sticks have hiccups from time to time.
I have services that I want to share with my non-techie family. If a service stops working, they suck at debugging and fixing the issue on their own.
Creat@discuss.tchncs.de 17 hours ago
Tailscale is WireGuard under the hood, if you didn’t know. It’s an overlay network that uses WireGuard to make the actual connections, and has some very clever “stuff” to get the clients actually to connect, even if behind firewalls without needing port forwarding.
Using WireGuard directly basically just changes the app you use, which may or may not help with your issues. But the connecting technology is the exact same.
null_dot@lemmy.dbzer0.com 18 hours ago
I’ve never used tailscale but use wireguard extensively.
There’s not much of a learning curve for you as the administrator. You have to discard some misconceptions you might bring from other VPNs but really after 30 minutes of looking at configs you’ll get it.
I use wireguard for my small team of 5 people to access self hosted services. You install wireguard, load the config, and then it just works.
The trick, if it can be called that, is using public dns for private services.
On your server, suppose you have service-a service-b and service-c in containers with ip addresses in the 10.0.2.0/24 range. Then you’d have a reverse proxy like traefik at 10.0.2.1. You’d also create a wireguard container with an IP in that same 10.0.2.0/24 range, and configure it’s wireguard adapter to be 10.0.12.1 or soomething so you have “2” for the containers and “12” for the wireguard clients.
Then in wireguard configurations you direct all traffic for 10.0.2.0/24 through the tunnel but everything else just uses their devices normal internet connection.
Finally create a public dns record pointing to the reverse proxy like *.mydomain.com > 10.0.12.1
now whatever.mydomain.com will resolve to your reverse proxy but is still only available to devices connected to the wireguard container on your server.
watson387@sopuli.xyz 16 hours ago
DuckDNS is great for this. Been using it for years.
Fedegenerate@lemmynsfw.com 18 hours ago
I use tailscale for my non-tech family.
I run a rPi with tailscale, pihole and nginx on it in their house. They connect to the their WiFi, get adblocking for free. They go to “homarr.sever” pihole captures this sends it to nginx and gets reverse proxies to a homarr LXC on my server. From their they can click links to the services which are at on “service/.######.xyz”. Again pihole captures the request, sends it to nginx which reverse proxies it over tailscale to the appropriate LXC.
CocaineShrimp@sh.itjust.works 18 hours ago
Bookmarked this to try this setup next weekend!
Fedegenerate@lemmynsfw.com 18 hours ago
Honestly, I wouldn’t.
I only run it this way because a VPS had 0 WAF, and I’m terrified of opening ports. VPS is the well trodden ground, there’s tonnes of guides. Mines a hack job borne of necessity, it works though, and I am proud of what I cobbled together.
It was my first time solving my own problems. I had my meager skill set, a basic idea of what I wanted, some vague notion of how I was going to achieve it, and a thick forehead to smash against the problem till it gave way for me.