blog/content/posts/using-wireguard-host-services-home.md

103 lines
3.4 KiB
Markdown
Raw Normal View History

+++
title = "Using WireGuard to host services at home"
author = ["Sergio Durigan Junior"]
date = 2023-05-23T00:56:00-04:00
tags = ["english", "howto", "selfhost", "wireguard", "debian"]
draft = false
+++
It's been a while since I had this idea to leverage the power of
[WireGuard](https://wireguard.org) to self-host stuff at home. Even though I pay for a proper
server somewhere in the world, there are some services that I don't
consider critical to put there, or that I consider **too** critical to
host outside my home.
## It's only NATural {#it-s-only-natural}
With today's ISP packages for end users, I find it very annoying the
amount of trouble they create when you try to host anything at home.
Dynamic IPs, NAT/CGNAT, port-blocking, traffic shapping are only a few
examples of methods or limitations that prevent users from making
local services reachable in a reliable way from outside.
## WireGuard comes to help {#wireguard-comes-to-help}
If you already pay for a VPS or a dedicated server somewhere, why not
use its existing infrastructure (and public availability) in your
favour? That's what I thought when I started this journey.
My initial idea was to use a reverse proxy to redirect external
requests to the service running at my home. But how could I make sure
that these requests reach my
dynamic-IP-behind-a-NAT-behind-another-NAT? Well, let's create a
tunnel! WireGuard is the perfect tool for that because of many
things: it's stateless, very performant, secure, and requires very
little configuration.
## Setting up on the server {#setting-up-on-the-server}
On the server side (i.e., VPS or dedicated server), you will create
the first endpoint. Something like the following should do:
2024-02-25 21:07:05 +00:00
```ini
[Interface]
PrivateKey = PRIVATE_KEY_HERE
Address = 10.0.0.1/32
ListenPort = 51821
[Peer]
PublicKey = PUBLIC_KEY_HERE
AllowedIps = 10.0.0.2/32
PersistentKeepalive = 10
```
A few interesting points to note:
- The `Peer` section contains information about the home service that
will be configured below.
- I'm using `PersistentKeepalive` because I have a dynamic IP at my
home. If you have a static IP, you could get rid of
`PersistentKeepalive` and specify an `Endpoint` here (don't forget
to set a `ListenPort` **below**, in the `Interface` section).
- Now you have an IP where you can forward requests to. If we're
talking about HTTP traffic, Apache and nginx are absolutely capable
of doing it. If we're talking about other kind of traffic, you
might want to look into other utilities, like [HAProxy](https://www.haproxy.org/), [Traefik](https://traefik.io/traefik/) and
others.
## Setting up at your home {#setting-up-at-your-home}
At your home, you will configure the peer:
2024-02-25 21:07:05 +00:00
```ini
[Interface]
PrivateKey = PRIVATE_KEY_HERE
Address = 10.0.0.2/32
[Peer]
PublicKey = PUBLIC_KEY_HERE
AllowedIps = 10.0.0.1/32
Endpoint = YOUR_SERVER:51821
PersistentKeepalive = 10
```
## A few notes about security {#a-few-notes-about-security}
I would be remiss if I didn't say anything about security, especially
because we're talking about hosting services at home. So, here are a
few recommendations:
- Make sure to put your services in a separate local network. Using
VLANs is also a good option.
- Don't run services on your personal (or work!) computer, even if
they'll be running inside a VM.
- Run a firewall on the WireGuard interface and make sure that you
only allow traffic over the required ports.
Have fun!