Wireguard - Perfect Remote Access

What’s the hook?

You can self-host everything! You can self-host your own Spotify. That’s part of our Ultimate Home Server series.

But will you have enough bandwidth? It takes a vanishingly small amount of bandwidth to stream music. If your upload is as little as 2 megabit you can do it!

But how can you safely connect back to your home Spotify server? A VPN! With Wireguard.

What is Wireguard?

Wireguard is a fast, modern and secure VPN tunnel. As you build your Ultimate Home Server with Level1Techs resources, it is only natural to want access to everything on that server from everywhere.

In the past we’ve covered running a proxy on your router or on a hosted provider like Linode to manage access to your home server, but this is not for the Level1 Techs among us :slight_smile:

Opening up services on the public internet is convenient, but over the longer term it isn’t secure unless you really keep up with the security updates of all the underlying software.

The alternative? A VPN. A VPN setup gives you a virtual and private network from specific devices back to your home network. Your home network, and the services on it, are not on the public internet.

VPN software is generally pretty hardened against attackers and the “security lifetime” is generally much longer. You should still apply security updates to the software you’re using, but the chances of a remotely exploitable flaw in Wireguard are much lower than for other things.

The good news is that Wireguard IS one of the newest AND easiest to setup options for self-hosting your own VPN.

What are the scenarios for setting this up?

  • Wireguard as a server or client on your Home Router (pfSense)
  • Wireguard, as a server or client, on your NAS (TrueNAS Scale or Core)

If you have done other Level1Techs tutorials going back to the beginning of time, you know we’re big fans of building your own router because of the flexibility and experience that gives you. It is a good learning exercise.

Tom at Lawrence systems did a more recent video on setting up pfSense with Wireguard and you should check that out:

The part we need is up to about the 10 minute mark.

The Networking End of Things for TrueNAS

If you don’t have pfSense, that can be OK. If your ISP requires you to use their router, or you have carrier-grade NAT (meaning your IP is not a public IP), it can still work.

If you have a public IP, this guide does require you to reconfigure your firewall or router to forward a port for Wireguard to an internal machine.

Your ISP probably gives you a public IP address only on your router and then translates all your internal devices to just that one IP when they need to make outbound requests.

Generally you don’t want your internal network “naked” on the public internet with public unfirewalled IPs, either.

Some ISPs don’t even hand out public IP addresses! These address ranges are private or shared space, not public, and are what you see behind NAT:

  • 10.0.0.0 to 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
  • 100.64.0.0 to 100.127.0.0 (100.64/10 prefix)

This is called Network Address Translation (NAT). When your ISP doesn’t even give you a public IP and there are multiple layers of NAT, that is called carrier-grade NAT (CGNAT).

A remote device on the internet cannot address your home server by its internal IP address (such as 192.168.1.5), so you must forward a port on your home router to this internal address.

If you’re in the unfortunate position of not having a public IP on your router then you can still use a VPN from your home server out to a small Virtual Private Server (VPS) on a provider like Linode.

Ryan covered that eventuality here:

In this scenario, you would set up TrueNAS as a Wireguard client to Linode, same as everything else, and other clients, like your mobile phone, also connect to Linode as clients.

We’ll cover more about this in the context of a home server in a sec.

Dynamic DNS?

If your ISP gives you a real IP address, but one that changes periodically, you can use a dynamic DNS service that automatically updates a hostname to point to

This one seems pretty decent? I don’t use dynamic DNS personally – perhaps some other L1 community members can chime in with non-scammy ones? Dynamic DNS should be very-near-to-free (if not free). On the order of $5/year (or less).

The DuckDNS page explains it but, in a nutshell, you get a name from duckdns such as myhomeserver.duckdns.org. As your ISP changes your IP address, there is a little program that runs on your home server periodically and pings DuckDNS with your security key from DuckDNS.

Wherever that ping comes from, it updates the name myhomeserver.duckdns.org to point to the new IP.

That’s the address you use, rather than your IP address, with Wireguard when the time comes.

Our Setup

If it seems like we’re jumping right in, the good news is that we’ve covered the step-by-step in other videos and posts here up until now.

The setup we’re using for the server is TrueNAS Scale for our home server (covered in past videos). It’ll work just fine on anything from a potato-class castoff PC from a business to high-end servers (and everything in between).

TrueNAS Scale is great because it is based on Linux under the hood (which has excellent Wireguard support) and because we can run all sorts of containers and appliances on it to do things for us like manage media and the like.

It is important to understand that TrueNAS Core is built on FreeBSD under the hood, and so it works differently than TrueNAS Scale. Core also has “native” Wireguard support in the GUI, and there is good documentation:

… but TrueNAS Scale doesn’t have the same UI Options

Crowbaring Wireguard into TrueNAS Scale

Go to System > Shell and run:

apt update
apt install wireguard wireguard-tools

Verify that you have an /etc/wireguard folder:

ls -l /etc/wireguard 

This directory is where we store our Wireguard configuration.

Next we’ll generate our keypairs for wireguard:

wg genkey | tee /etc/wireguard/private.key
chmod go= /etc/wireguard/private.key
cat /etc/wireguard/private.key | wg pubkey | tee /etc/wireguard/public.key

Next we need to decide what IPs to give Wireguard clients that connect here.

I’ve selected 172.16.16.1 - 172.16.16.254. This is a subnet mask of 255.255.255.0 and is sometimes written as 172.16.16.0/24.

I picked this because it is different than anything I’m already running locally. You can’t re-use the same IP range for different networks in different contexts without a lot of headache.

Configure the Wireguard Client

In the video, we set up a phone to connect to the Wireguard server. It’s a little tricky because, to set up the server, we should “at least” have the details we need for the first client, called [Peer] in the configuration.

Ryan covered this really well; we don’t need to rehash setting up wireguard. We’re essentially doing the same thing here, but with the phone as the client.

Next we configure the interface wg0:

/etc/wireguard/wg0.conf

[Interface]
# contents of /etc/wireguard/private.key generated above
PrivateKey = base64_encoded_private_key_goes_here
Address = 172.16.16.1/24
ListenPort = 51820
SaveConfig = true

[Peer]
# public key of the first client (the phone)
PublicKey = NtriTSUtGSXXk4JUkE35savYY72x9HSw8GUeSCI2fn4=
AllowedIPs = 172.16.16.0/24, 192.168.1.0/24

The one difference is that we don’t have an endpoint. Phones and client devices could come from anywhere.

Also note the ListenPort: that’s the port you need to forward from your router, and you can make it any arbitrary port you want. It may make things slightly more secure to pick a random port between 2000 and 65000.

AllowedIPs controls what IPs are accessible to that Peer. We have allowed the Wireguard network (potentially you could have multiple peers!) as well as our internal/LAN network.
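As an added check that is not part of the original post, here is a small Python script that parses a wg0.conf like the one above and flags two things that bite people with this setup: wg expects AllowedIPs as a comma-separated list, and on the server side a peer’s AllowedIPs is also WireGuard’s cryptokey routing table, so listing the LAN there makes the server send its LAN-bound packets into that peer’s tunnel (the peer’s own /32 is what belongs on the server). The sample config is the post’s own; the LAN 192.168.1.0/24 and the function names are assumptions.

```python
import ipaddress
# Constructed sample: the server-side wg0.conf from this post, as first written.
SAMPLE_CONF = """\
[Interface]
PrivateKey = base64_encoded_private_key_goes_here
Address = 172.16.16.1/24
ListenPort = 51820
SaveConfig = true

[Peer]
PublicKey = NtriTSUtGSXXk4JUkE35savYY72x9HSw8GUeSCI2fn4=
AllowedIPs = 172.16.16.0/24 192.168.1.0/24
"""


def parse_wg_conf(text):
    """Parse wg0.conf by hand: configparser rejects repeated [Peer] sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))  # base64 values end in '='
            sections[-1][1][key] = value
    return sections


def check_server_conf(text, lan_cidr):
    """Return warnings for a hub/server config that fronts the LAN lan_cidr."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    warnings = []
    for name, kv in parse_wg_conf(text):
        if name == "Interface":
            vpn = ipaddress.ip_network(kv["Address"], strict=False)
            if vpn.overlaps(lan):  # the post's rule: never reuse a range in two places
                warnings.append(f"VPN subnet {vpn} overlaps LAN {lan}")
        elif name == "Peer":
            allowed = kv.get("AllowedIPs", "")
            if " " in allowed and "," not in allowed:
                warnings.append(f"AllowedIPs must be comma-separated: {allowed!r}")
            for item in filter(None, allowed.replace(" ", ",").split(",")):
                net = ipaddress.ip_network(item, strict=False)
                # Cryptokey routing: on the server, a peer's AllowedIPs also decides which
                # outbound destinations go to that peer, so the LAN must not appear here.
                if net.overlaps(lan):
                    warnings.append(f"peer AllowedIPs {net} covers the LAN; use the peer's own /32")
    return warnings
```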

Wait, there’s a big concept here that’s important

If you want to do something like use this Wireguard connection to connect to an internal computer, for example for remote control or Steam streaming, it won’t work right away.

What is happening is that your default gateway (your router) doesn’t know about this new 172.16.16.0/24 network. You must add a route on your router to reach 172.16.16.0/24 via 192.168.1.5 (the IP of your TrueNAS).

If you can’t add routes on your router, you can add the route on each Windows machine instead, from an elevated command prompt, with a command like:

route -p add 172.16.16.0 mask 255.255.255.0 192.168.1.5

The -p makes it persist across reboots. I trust the rest is self-explanatory?

The Rest of Networking

TrueNAS Scale comes set up for IP forwarding (basically, the machine will route traffic), but double check:

sysctl -a | grep ip_for
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0

The output should include net.ipv4.ip_forward = 1, meaning that the system will permit IP forwarding.

What about Carrier Grade NAT??

In this case, we’ve got a bit of a 3-way relationship.

TrueNAS Scale connects to our Linode VPS and gets the IP 172.16.16.2

Our phone connects to our Linode VPS and gets the IP 172.16.16.3

From there, we can access services on the TrueNAS machine via the IP 172.16.16.2

It is possible to also access your home LAN via this 3-way wireguard, but that is a little more complicated. You have to setup the route on the wireguard box and allow the traffic.

Okay, now what?

Now we have a connection to our home server on our phone. We can connect to our internal self-hosted Spotify clone. No more subscriptions for me!

Not just Spotify – all our home server stuff. Anything running in our home lab!

8 Likes

4bRigger tells me to tell you: “dope”

1 Like

A post was split to a new topic: Wireguard – Doable with IPV6?

For the first time I had some WireGuard interfaces setup with OPNsense yesterday.
https://docs.opnsense.org/manual/how-tos/wireguard-client.html

  • ^ I had to reboot to see/get each interface auto-listed for hybrid outbound NAT.
  • Regenerating/reapplying new ‘remote’ keys on initial setup seemed to help me twice to get the first handshake (on both WireGuard interfaces); I want to validate if this is bad luck, the case for every added endpoint, or just when adding a new local peer.

For WireGuard setups, the procustodibus website has some wonderful blogs for various variants of setups with WireGuard that helped me to understand more of its capabilities and troubleshoot my own connection setup* (Point to Point/Site to Site/Point to Site/Hub and Spoke, and an AllowedIPs calculator to be found in these blogs.)
*one of my WireGuard interfaces is providing upstream for an Nginx reverse-proxy at the VPS (for both tcp/udp)
/
I still have to figure out how/if it is possible to blend the ngx_http_realip_module in, to obtain client IP info using the ngx_http_proxy_module, so instead of just seeing the WireGuard IP making port/fw filtered requests to the LAN, my OPNsense can provide more detailed LAN resource access control from the VPS WireGuard source interface for publicly available services (that may also require knowing the client IP).

2 Likes

lol @PhaseLockedLoop BTFO

2 Likes

nah I’m glad there are a number of different posts on the forum. AFAICT Wendell is using the WireGuard as a requirement to access stuff, avoiding the public service issue. He is also making a series of posts dedicated to making a central solution (Ultimate Home Server) to sort one’s digital world. As far as I know that’s his goal from his videos. Mine was more notes and a path that I took and a perspective I left for others. :smiley: or at the very least me mini-ranting about slight annoyances.

3 Likes

Yeah, I’d rather let Wendell take care of the slight noobies and rant myself to death about how good the CLI is. I don’t know, I think I should rename my series from Easy to Follow to something else, since I always go very verbose on those.

2 Likes

Nothing wrong with verbose… it helps me… LOL I’m a noob… lol I also like to learn CLI as well as GUI. :slight_smile: I might try setting this up through my OPNsense firewall. Be nice to have, and it might cut off commercials from my wife’s streaming services I HATE… still ads from California because that’s where she set up the account lol.

2 Likes

so as I understand TrueNAS actually bricked the apt commands now so I don’t think you can do it? I can’t have an application for it either

1 Like

Yep. Sigh. You can put it back but it’s kinda like… c’mon… don’t make it any harder than on FreeBSD where you can convert it to a stand-alone FreeBSD install

2 Likes

guess I’m going the Linode way then :crying_cat_face:

1 Like