- A different device from your home server?
- On the same home server as the services but directly on the host?
- On the same home server as the services but inside some VM or container?
Do you configure it manually or do you use some helper/interface like WGEasy?
I have been personally using wgeasy but recently started locking down and hardening my containers and this node app running as root is kinda…
You must log in or register to comment.
On my (OpenWrt) router, configured using the OpenWrt interface
I run one on my firewall, but it’s IPv6 only because of CGNAT. The other one is running on a VPS in case I need IPv4 access. I just configured them manually.
On my router
I run the server on an old Pi. That’s its only job.
Wireguard normally runs with higher than root privileges as part of the kernel, outside of any container namespaces. If you’re running some sort of Wireguard administration service you might be able to restrict its capabilities, but that isn’t Wireguard. Most of my devices are running Wireguard managed by tailscaled running as root, and some are running additional, fixed Wireguard tunnels without a persistent management service.
Mine runs on my router which is running openwrt
Why would you run a WG Client and WG Server on the same host? Am I reading that second mark wrong?
There’s no such thing as a client or server with Wireguard. All systems with Wireguard installed are “nodes”. Wireguard is peer-to-peer, not client-server.
You can configure nftables rules to route through a particular node, but that doesn’t really make it a server. You could configure all nodes to allow routing traffic through them if you wanted to.
If you run Wireguard on every device, you can configure a mesh VPN, where every device can directly reach any other device, without needing to route through an intermediary node. This is essentially what Tailscale does.
Uhhh, nooooo. Why are all these new kids all in these threads saying this crazy uninformed stuff lately? 🤣
https://www.wireguard.com/protocol/ https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/configuring_and_managing_networking/setting-up-a-wireguard-vpn
And, in fact, for those of us that have been doing this a long time, anything with a control point or protocol always refers to said control point as the server in a PTP connection sense.
In this case, a centralized VPN routing node that connects like a Hub and Spoke is the server. Everything else is a client of that server because they can’t independently do much else in this configuration.
You are, second point means running WG on say, a proxmox root, and using it to access the containers.
Uhhhh…that is…not how you do that. Especially if you’re describing routing out from a container to an edge device and back into your host machine instead of using bridged network or another virtual router on the host.
Like if you absolutely had to have a segmented network between hosts a la datacenter/cloud, you’d still create a virtual fabric or SDLAN/WAN to connect them, and that’s like going WAY out of your way.
Wireguard for this purpose makes even less sense.
I have a vps (hetzner dedicated server auction) as well as my home servers. The vps has a fixed IP so ive setup wireguard endpoints to all point to it with forwarding on so can access every device indirectly through the vps. It allows them to work across DDNS or remotely.
I used this guide (https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04). Tried different tools gui’s and other methods but always came back to this to work the best
Runs in an extra locked-down container on one of my servers.
On the home server on the host. I couldn’t figure out how to make it work in a container and still have ssh access to the host, which was my goal…
