Over the weekend I spent some time messing around with Wireguard (you can find their official site here). I had wanted to look into this previously but never found the time until now. I wanted to configure this on a standalone RPi for the time being so I could learn and not break other things within my environment; also I had a few spare laying around. My intent was to replace/upgrade from my existing USG L2TP VPN. After spending some time reading many articles online, including trial and error, I found this, which worked well.
I have since decommissioned my Unifi L2TP VPN and replaced it with this Wireguard system. What I have found is it's significantly faster, offers me both full and split tunnel VPN options, uses significantly less battery when run as an always-on VPN, is simple to use and only requires a single black hole (UDP) port to be opened through my firewall.
Anyways I figured I would pass it on for anyone that is looking to truly isolate everything like cloud platform dashboards, IP cameras and anything else that they would prefer to communicate with locally.
Note, for anyone that doesn't know what a split tunnel VPN offers: it offers a way for you to be on your mobile phone's cellular or even work network (e.g. you're away from your home), but when, for example, you load your local HE IP http://192.168.1.1 it will split only that specific traffic over to your local network via the VPN tunnel, while all other browsing etc. will be handled on your cellular or work network, so for example YouTube, Facebook, O365 and whatever else you do.
btw, DrZzs talked about it sometime ago here as well.
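Added example, not taken from this thread or from WireGuard/PiVPN's own documentation: a minimal server config for the RPi plus one phone config, showing that the split versus full tunnel choice described above is just the client's AllowedIPs line. Assumed values: home LAN 192.168.1.0/24, tunnel subnet 10.6.0.0/24, LAN interface eth0, public endpoint vpn.example.home:51820; all keys are placeholders.

```ini
# ---- wg0.conf on the RPi (server side), assumed values ----
[Interface]
Address = 10.6.0.1/24
ListenPort = 51820                     # the single UDP port opened on the firewall
PrivateKey = <RPI_PRIVATE_KEY_PLACEHOLDER>
# Forward tunnel traffic onto the LAN and NAT it out of eth0.
# Also requires net.ipv4.ip_forward=1 in /etc/sysctl.conf.
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# The phone. On the server, AllowedIPs is an ingress filter: packets arriving
# from this peer with any other source address are dropped.
PublicKey = <PHONE_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.6.0.2/32

# ---- phone.conf (client side, split tunnel) ----
[Interface]
PrivateKey = <PHONE_PRIVATE_KEY_PLACEHOLDER>
Address = 10.6.0.2/24
DNS = 192.168.1.1                      # optional: resolve local names via the home router

[Peer]
PublicKey = <RPI_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.home:51820
# Split tunnel: only the home LAN and the tunnel subnet are routed through
# WireGuard; everything else (YouTube, O365, ...) stays on cellular/work.
AllowedIPs = 192.168.1.0/24, 10.6.0.0/24
# Full tunnel instead: replace the line above with
#   AllowedIPs = 0.0.0.0/0, ::/0
# so every destination, including general browsing, is routed via home.
PersistentKeepalive = 25               # keeps the NAT mapping alive for an always-on tunnel
```

Generate real key pairs with `wg genkey | tee privatekey | wg pubkey > publickey` and never reuse one private key across devices.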
Been using Wireguard for about a year now. I found this website to be very useful in setting it up.
I should also mention that Wireguard is a peer-to-peer Level 2 VPN. So if you set it up from work to home (as an example), it makes it very easy to securely access your work computer from home, which is useful in this covid-19 work-from-home era.
Being level 2, multicast traffic is not passed over the VPN. Although Avahi can be used as a multicast reflector to get some multicast traffic through the VPN. This seems to work for some things (e.g. AirPrint), but not others (e.g. Sonos).
I actually went one step further with this and put Tasker back on my Android phone and configured NodeRed to send me silent (low priority) Pushover notifications to enable or disable the VPN on my phone if I'm home (present) or away (not present). It wasn't necessary to operate when at home (somewhere I am a lot these days) so it just turns it off, which is neat.
That's a neat idea!
I have WireGuard set up on my unraid server, but as of late I have been using nginx proxy manager with duckdns to resolve back to a handful of internal addresses!
Thanks man. Yes, I really like it. What's impressive is the performance of my dashboard while I am away from the house, or when I access my Reolink cameras it's insanely fast… way quicker than when I used to use cloud dashboards or the Reolink app via their cloud portal, and way more secure now too.
Interesting use of Tasker. I use a similar setup to activate various things via silent notification according to Hubitat's current mode, but I hadn't considered integrating my VPN.
Great write-up on VPN and explanation of 'split' vs 'full' VPN tunnels. For anyone looking for a GUI based firewall, I run Untangle at several locations. The basic version is free, and they have a VERY affordable 'home' version. The free version includes OpenVPN, which has a mobile app with split/full tunneling options as well. It also includes the firewall and IPS (intrusion protection service) modules at no cost (just need to install them). For the Linux CLI challenged, like myself, it's another good solution.
It also supports multiple VLANs. I highly recommend everyone segment their network using VLANs for security. Plus the amount of traffic I cut down was staggering (6000 sessions per minute to 200-300), from not allowing devices to 'chatter' among themselves.
With great reporting and some other added functions, I think Untangle is a great firewall solution for both home and small businesses. And of course it does play nice with Unifi as long as you know how to work with Unifi's version of VLANs (switch profiles). I'm currently running 5 VLANs via Untangle/Unifi for both wired and wireless devices. Happy to help if any try that route.
Been doing some additional research on this and found this link quite useful: How to easily configure WireGuard - Stavros' Stuff - similar information to what has already been shared, but goes into a bit more detail in some areas. Thought I'd share…
I've been using wireguard for a while. I haven't had any troubles with it. You can set up split tunneling, so to think that it would interfere with things would be tough. Set up the firewall port for it and you're off and running. My stuff is blazing fast when I connect up to see what's happening at home when I'm away.
Yeah, I also have had a Wireguard personal VPN for remote access set up via PiVPN for about 6 months now with little to no issue. Only issues have been with the RPi hosting it, not the software itself. Recently I also upgraded my VPN I use for privacy to Mullvad, which supports Wireguard as well, and it has been great. I do not see any great degradation in speed, and loading up and initializing the VPN takes less than a second, which is amazing compared to prior experiences using OpenVPN.