+++
title = "Using WireGuard to host services at home"
author = ["Sergio Durigan Junior"]
date = 2023-05-23T00:56:00-04:00
tags = ["english", "howto", "selfhost", "wireguard", "debian"]
draft = false
+++

It's been a while since I had this idea to leverage the power of
[WireGuard](https://wireguard.org) to self-host stuff at home. Even though I pay for a proper
server somewhere in the world, there are some services that I don't
consider critical enough to put there, or that I consider **too** critical to
host outside my home.

## It's only NATural {#it-s-only-natural}

With today's ISP packages for end users, I find it very annoying how much
trouble they create when you try to host anything at home. Dynamic IPs,
NAT/CGNAT, port blocking and traffic shaping are only a few examples of
the methods or limitations that prevent users from making local services
reachable in a reliable way from outside.

## WireGuard comes to help {#wireguard-comes-to-help}

If you already pay for a VPS or a dedicated server somewhere, why not
use its existing infrastructure (and public availability) in your
favour? That's what I thought when I started this journey.

My initial idea was to use a reverse proxy to redirect external
requests to the service running at my home. But how could I make sure
that these requests reach my
dynamic-IP-behind-a-NAT-behind-another-NAT? Well, let's create a
tunnel! WireGuard is the perfect tool for that for several reasons:
it's stateless, very performant, secure, and requires very little
configuration.

## Setting up on the server {#setting-up-on-the-server}

On the server side (i.e., the VPS or dedicated server), you will create
the first endpoint. Something like the following should do:

```ini
[Interface]
PrivateKey = PRIVATE_KEY_HERE   # the server's own private key
Address = 10.0.0.1/32           # the server's address inside the tunnel
ListenPort = 51821              # UDP port the home peer will connect to

[Peer]
PublicKey = PUBLIC_KEY_HERE     # the home peer's public key
AllowedIPs = 10.0.0.2/32        # only the home peer's tunnel address is accepted from/routed to this peer
PersistentKeepalive = 10
```

A few interesting points to note:

- The `Peer` section contains information about the home service that
  will be configured below.
- I'm using `PersistentKeepalive` because I have a dynamic IP at my
  home. If you have a static IP, you could get rid of
  `PersistentKeepalive` and specify an `Endpoint` here (don't forget
  to set a `ListenPort` **below**, in the `Interface` section).
- Now you have an IP that you can forward requests to. If we're
  talking about HTTP traffic, Apache and nginx are absolutely capable
  of doing it. If we're talking about other kinds of traffic, you
  might want to look into other utilities, like [HAProxy](https://www.haproxy.org/), [Traefik](https://traefik.io/traefik/) and
  others.

## Setting up at your home {#setting-up-at-your-home}

At your home, you will configure the peer:

```ini
[Interface]
PrivateKey = PRIVATE_KEY_HERE   # the home peer's own private key
Address = 10.0.0.2/32           # the home peer's address inside the tunnel

[Peer]
PublicKey = PUBLIC_KEY_HERE     # the server's public key
AllowedIPs = 10.0.0.1/32        # only the server's tunnel address is sent through the tunnel
Endpoint = YOUR_SERVER:51821    # the server's public address and its ListenPort
PersistentKeepalive = 10        # keeps the NAT mapping open so the server can reach us
```
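The two configs above have to agree with each other: each side's `AllowedIPs` must cover the other side's `Address`, the `Endpoint` port must match the server's `ListenPort`, and the NAT side needs the keepalive so the server always knows where it is. The following checker is an added example, not part of the original post; `parse_wg`, `check_pair` and the `SERVER_CONF`/`HOME_CONF` samples (placeholder keys, the post's `YOUR_SERVER` hostname) are constructed here, and keys are normalised so `AllowedIps` and `AllowedIPs` are treated alike, as wg(8) does.

```python
"""Cross-check a server/home WireGuard pair like the one in this post (added example)."""
import ipaddress

CANON = {k.lower(): k for k in ("PrivateKey", "PublicKey", "Address", "ListenPort",
                                 "AllowedIPs", "Endpoint", "PersistentKeepalive")}

def parse_wg(text):
    """wg-quick INI text -> {'Interface': {...}, 'Peer': [{...}, ...]}; keys are canonicalised."""
    cfg, cur = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            name = line.strip("[]")
            cur = {} if name == "Peer" else cfg.setdefault(name, {})
            if name == "Peer":
                cfg["Peer"].append(cur)
            continue
        key, _, val = line.partition("=")
        cur[CANON.get(key.strip().lower(), key.strip())] = val.strip()
    return cfg

def check_pair(server_text, home_text):
    """Return a list of problems; empty means the two configs agree with each other."""
    sides = {"server": parse_wg(server_text), "home": parse_wg(home_text)}
    addr = {n: ipaddress.ip_interface(c["Interface"]["Address"]).ip for n, c in sides.items()}
    problems = []
    for me, other in (("server", "home"), ("home", "server")):
        peer, iface = sides[me]["Peer"][0], sides[other]["Interface"]
        nets = [ipaddress.ip_network(n.strip()) for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
        if not any(addr[other] in n for n in nets):  # peer's AllowedIPs must cover the other tunnel address
            problems.append(f"{me}: AllowedIPs does not cover {addr[other]}")
        if "Endpoint" in peer:  # dialling out only works if the other side listens on that port
            port = peer["Endpoint"].rsplit(":", 1)[-1]
            if iface.get("ListenPort") != port:
                problems.append(f"{me}: Endpoint port {port} != {other} ListenPort {iface.get('ListenPort')}")
        elif "PersistentKeepalive" not in sides[other]["Peer"][0]:
            # With no Endpoint, this side learns the peer's address only from incoming packets.
            problems.append(f"{other}: needs PersistentKeepalive because {me} has no Endpoint")
    if not any("Endpoint" in s["Peer"][0] for s in sides.values()):
        problems.append("neither side has an Endpoint, so the tunnel can never start")
    return problems

# Constructed sample pair mirroring the post's two configs (placeholder keys and hostname).
SERVER_CONF = ("[Interface]\nPrivateKey = SERVER_PRIV\nAddress = 10.0.0.1/32\nListenPort = 51821\n"
               "[Peer]\nPublicKey = HOME_PUB\nAllowedIps = 10.0.0.2/32\nPersistentKeepalive = 10\n")
HOME_CONF = ("[Interface]\nPrivateKey = HOME_PRIV\nAddress = 10.0.0.2/32\n"
             "[Peer]\nPublicKey = SERVER_PUB\nAllowedIPs = 10.0.0.1/32\n"
             "Endpoint = YOUR_SERVER:51821\nPersistentKeepalive = 10\n")
```

`check_pair(SERVER_CONF, HOME_CONF)` returns an empty list for the pair above; edit one side (a different subnet, the wrong port, no keepalive at home) and it names the side and the mismatch.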

## A few notes about security {#a-few-notes-about-security}

I would be remiss if I didn't say anything about security, especially
because we're talking about hosting services at home. So, here are a
few recommendations:

- Make sure to put your services in a separate local network. Using
  VLANs is also a good option.
- Don't run services on your personal (or work!) computer, even if
  they'll be running inside a VM.
- Run a firewall on the WireGuard interface and make sure that you
  only allow traffic over the required ports.

Have fun!