Firewalled Dashboards using Wireguard

Over the weekend I spent some time messing around with Wireguard you can find their official site here I had wanted to look into this previously but never found the time until now. I wanted to configure this on a standalone RPi for the time being so I could learn and not break other things within my environment also I had a few spare laying around :stuck_out_tongue:. My intent was to replace/upgrade from my existing USG L2TP VPN. After spending some time reading many articles online including trial n error I found this which worked well.

I have since decommissioned my Unifi L2TP VPN and replaced with this Wireguard system. What I have found is it’s significantly faster, offers me both a full or split tunnel VPN options, uses significantly less battery when run as always on VPN, simple to use and only requires a single black hole (UDP) port to be opened through my firewall.

Anyways I figured I would pass it on for anyone that is looking to truly isolate everything like cloud platform dashboards, IP cameras and anything else that they would prefer to communicate with locally.

Note, for anyone that doesn’t know what a split tunnel VPN offers. It offers a way for you to be on your mobile phone’s cellular or even work network e.g your away from your home but when for example you load your local HE IP http://192.168.1.1 it will split only that specific traffic over to your local network via the VPN tunnel but all other browsing etc will be handled on your cellular or work network so for example YouTube, Facebook, O365 and whatever else you do etc.

btw, DrZzs talked about it sometime ago here as well.

4 Likes

Been using Wireguard for about a year now. I found this website to be very useful in setting it up.

I should also mention that Wireguard is a peer-to-peer Level 2 VPN. So if you set it up from work to home (as an example), it makes it very easy to securely access your work computer from home, which is useful in this covid-19 work-from-home era.

Being level 2, multicast traffic is not passed over the VPN. Although, Avahi can be used as a multicast-reflector to get some multicast traffic through the VPN. This seems to work for some things (eg. Airprint), but not others (eg. Sonos).

3 Likes

I actually went one step further with this and put Tasker back on my android phone and configured NodeRed to send me silent (low priority) Pushover notifications as to enable or disable the VPN on my phone if I’m home (present) or away (not present). It wasn’t necessary to operate when at home (somewhere I am a lot these days) so it just turns it off which is neat :slight_smile:

1 Like

Thats a neat idea!
I have wire guard setup on my unraid server but as of late I have been using nginx proxy manager with duckdns to resolve back to a handful of internal addresses!

1 Like

Thanks man. Yes I really like it. What’s impressive is the performance of my dashboard while I am away from the house or when I access my Reolink cameras it’s insanely fast… way quicker than when I used to use cloud dashboards or the Reolink app via their cloud portal and way more secure now too :slight_smile:

1 Like

Update. I ended up pushing Wireguard into Docker and it works a treat. Anyways if anyone is interested the Docker container I used is this one.

2 Likes

Interesting use of tasker, I use a similar setup to activate various things via silent notification according to hubitat’s current mode but I hadn’t considered integrating my VPN.

Good call.

1 Like

Great write up on VPN and explanation of ‘split’ vs ‘full’ VPN tunnels. For anyone looking for a GUI based firewall I run Untangle at several locations. The basic version is free, and they have a VERY affordable “home” version. The free version includes OpenVPN which has a mobile app with split/full tunneling options as well. It also includes the firewall and IPS (intrusion protection service) modules at no cost (just need to install them). For the Linux CLI challenged, like myself, it’s another good solution.

It also supports multiple VLAN’s. I highly recommend everyone segment their network using VLAN’s for security. Plus the amount of traffic I cut down was staggering (6000 session per minute to 200-300), from not allow devices to “chatter” among themselves.

With great reporting and other some other added functions I think Untangle is a great firewall solution for both home and small businesses. And of course it does play nice with Unifi as long as you know how to work with Unifi’s version of VLANs (switch profiles) I’m currently running 5 VLANs via Untangle/Unifi for both wired and wireless devices. Happy to help if any try that route.

4 Likes

Been doing some additional research on this and found this link quite useful: How to easily configure WireGuard - Stavros' Stuff - similar information to what has already been shared but goes into a bit more detail in some areas. Thought I’d share…

3 Likes

Hi Guys, I have pfsense running my network and saw wireguard is now available as a plugin.
Anyone using it like this? what’s the performance like?

Since everyone is WFH, when I mess with the network I have 4 people complaining, so I have to carefully plan my implementation

I’ve been using wireguard for a while. I haven’t had any troubles with it. You can set up split tunneling, so to think that it would interfere with things would be tough. Set up the firewall port for it and you’re off and running. My stuff is blazing fast when I connect up to see what’s happening at home when I’m away.

1 Like

Yeah, I also have had a Wireguard personal VPN for remote access setup via PiVPN for about 6 months now with little to no issue. Only issues have been with the RPi hosting it not the software itself. Recently I also upgraded my VPN I use for privacy to Mullvad, which supports Wireguard as well and it has been great. I do not see any great degradation in speed and loading up and initializing the VPN takes less than a second which is amazing compared to prior experiences using OpenVPN.

2 Likes