exposing home network through wireguard

exposing home network with wireguard

home network:

  • opnsense router
  • lan subnet: 192.168.101.0/24
  • wireguard subnet: 192.168.102.0/24

vps:

  • 1 public ip

steps

vps

sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install -y wireguard openresolv
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf > /dev/null
sudo sysctl -p
# umask 077 so the generated private key files are readable by the owner only
umask 077
wg genkey | tee wg0.privatekey | wg pubkey > wg0.publickey
wg genkey | tee wg1.privatekey | wg pubkey > wg1.publickey
wg genkey | tee opnsense.privatekey | wg pubkey > opnsense.publickey

file: /etc/wireguard/wg0.conf

[Interface]
PrivateKey = <server private key from file wg0.privatekey>
Address = 192.168.102.2/24
ListenPort = 51820

# ADJUST THE NETWORK INTERFACE ens3 WITH YOUR VPS NETWORK INTERFACE
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

# opnsense router: its tunnel address plus the home lan it routes for
[Peer]
PublicKey = <client public key from file opnsense.publickey>
AllowedIPs = 192.168.102.1/32, 192.168.101.0/24
PersistentKeepalive = 10

# local wg1 client on this vps
[Peer]
PublicKey = <client public key from file wg1.publickey>
# AllowedIPs is required: without it wireguard drops every packet to or from this peer
AllowedIPs = 192.168.102.3/32
PersistentKeepalive = 10

file: /etc/wireguard/wg1.conf

[Interface]
Address = 192.168.102.3/32
PrivateKey = <client private key from file wg1.privatekey>
DNS = 192.168.101.1
# wg0 on this host already routes 192.168.102.0/24 and 192.168.101.0/24;
# Table = off keeps wg-quick from adding duplicate routes for wg1 (it would fail with "File exists")
Table = off

[Peer]
PublicKey = <server public key from file wg0.publickey>
Endpoint = 127.0.0.1:51820
# AllowedIPs is required; it is also the cryptokey routing table for packets accepted from the server
AllowedIPs = 192.168.102.0/24, 192.168.101.0/24
PersistentKeepalive = 10

sudo systemctl enable wg-quick@wg0
sudo systemctl enable wg-quick@wg1
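Before bringing the tunnels up it is worth linting the two config files: a [Peer] without AllowedIPs silently drops all traffic, a config readable by other users leaks the PrivateKey, and a forgotten ip_forward leaves the vps unable to route wg0 traffic into the lan. The script below is an added example, not part of the original gist; the function names and the sample paths in its usage line are its own choices.

```shell
#!/bin/sh
# Added example, not part of the original gist: a lint for wg-quick config
# files that catches what most often leaves this setup broken or over-exposed:
#   - a [Peer] without AllowedIPs (wireguard then drops all traffic for it),
#   - AllowedIPs of 0.0.0.0/0 or ::/0 (routes the whole host through the peer),
#   - a config file readable by group/others (it holds PrivateKey),
#   - ip_forward left at 0 (the vps cannot route between wg0 and the lan).
# Function names and the sample paths are this example's own choices.

# check_wg_conf FILE -> prints one line per finding; returns 0 when clean, 1 otherwise
check_wg_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "ERR  $conf: cannot read file"; return 2; }

    # file mode: only the owner may read a file that contains a private key
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf" 2>/dev/null)
    case "$mode" in
        *00) ;;
        *) echo "ERR  $conf: mode $mode exposes PrivateKey, use chmod 600"; rc=1 ;;
    esac

    section=""; peer_no=0; has_allowed=0
    while read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                       # drop comments
        line=$(printf '%s' "$line" | sed 's/[[:space:]]*$//')  # drop trailing blanks
        [ -z "$line" ] && continue
        case "$line" in
            "["*"]")
                # leaving a [Peer] section: did it declare AllowedIPs?
                if [ "$section" = "Peer" ] && [ "$has_allowed" -eq 0 ]; then
                    echo "ERR  $conf: [Peer] #$peer_no has no AllowedIPs"; rc=1
                fi
                section=${line#\[}; section=${section%\]}
                has_allowed=0
                [ "$section" = "Peer" ] && peer_no=$((peer_no + 1))
                ;;
            AllowedIPs*=*)
                has_allowed=1
                case "${line#*=}" in
                    *0.0.0.0/0*|*::/0*)
                        echo "WARN $conf: [Peer] #$peer_no routes all traffic (AllowedIPs 0/0)"; rc=1 ;;
                esac
                ;;
        esac
    done < "$conf"
    # the last section has no following header to trigger the check above
    if [ "$section" = "Peer" ] && [ "$has_allowed" -eq 0 ]; then
        echo "ERR  $conf: [Peer] #$peer_no has no AllowedIPs"; rc=1
    fi
    return "$rc"
}

# check_ip_forward [FILE] -> 0 when forwarding is enabled; FILE defaults to the sysctl node
check_ip_forward() {
    node=${1:-/proc/sys/net/ipv4/ip_forward}
    if [ -r "$node" ] && [ "$(cat "$node")" = "1" ]; then
        return 0
    fi
    echo "ERR  net.ipv4.ip_forward is not 1 ($node): wg0 traffic will not be routed"
    return 1
}

# usage: sh wg-lint.sh /etc/wireguard/wg0.conf /etc/wireguard/wg1.conf
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do check_wg_conf "$f" || status=1; done
    check_ip_forward || status=1
    [ "$status" -eq 0 ] && echo "OK: no findings"
fi
```

Run it as root on the vps against both files after writing them; a non-zero exit means at least one finding was printed. The AllowedIPs check matters twice: on the server side it is what admits a peer's packets, and on the client side it is what decides which destinations are sent into the tunnel, so a missing line is never "allow everything", it is "allow nothing".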

opnsense router

  • install wireguard plugin
  • go to vpn > wireguard
  • go to endpoints tab, then create new endpoint
    • name:
    • public key: <server public key from file wg0.publickey>
    • allowed IPs: 192.168.102.0/24
    • endpoint address: vps public ip
    • endpoint port: 51820
    • keepalive: 10
  • go to local tab, then create new local
    • name:
    • private key: <client private key from file opnsense.privatekey>
    • tunnel address: 192.168.102.1/24
    • peers: the endpoint created above
  • go to interfaces > assignments
    • create new assignment for interface wg0 with name wg0
    • ipv4 = none, ipv6 = none
    • save
  • go to system > gateways > single
    • create new gateway
    • name: wan_gw0
    • interface: wg0
    • ip address: 192.168.102.2
  • go to vpn > wireguard
    • go to general tab
    • enable wireguard
  • go to services > unbound dns, then restart the service
  • go to firewall > rules > wg0
    • add new rule
      • action: pass
      • protocol: tcp/udp
      • destination: this firewall
      • destination port: 53
    • add new rule
      • action: pass
      • protocol: icmp
      • source: wg0 net
      • destination: this firewall
    • add new rule
      • action: pass
      • source: wg0 net
      • destination: lan net
  • go to firewall > rules > lan
    • add new rule (place it above the default lan allow rule, since rules are matched top to bottom)
      • action: pass
      • source: lan net
      • destination: wg0 net
      • gateway: wan_gw0

final steps

  • vps
    • sudo systemctl restart wg-quick@wg0
    • sudo systemctl restart wg-quick@wg1
    • test ping to 192.168.101.1
    • test ping to other lan devices
    • nc -zv 192.168.101.1 80
  • lan devices
    • test ping to 192.168.102.1
    • test ping to 192.168.102.2
    • test ping to 192.168.102.3
    • nc -zv 192.168.102.2 22