This might help you: https://iliasa.eu/wireguard-how-to-access-a-peers-local-network/
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
Thanks, that did the trick!
Cheers! 😉
Looks perfect, thanks!
Save yourself some trouble and use Ngnix proxy manger.
Another option is Netbird or Tailscale.
I am using NPM, that doesn't help with my issue.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
Fewer Letters | More Letters |
---|---|
DNS | Domain Name Service/System |
IP | Internet Protocol |
NAT | Network Address Translation |
VPN | Virtual Private Network |
VPS | Virtual Private Server (opposed to shared hosting) |
5 acronyms in this thread; the most compressed thread commented on today has 30 acronyms.
[Thread #544 for this sub, first seen 25th Feb 2024, 20:25] [FAQ] [Full list] [Contact] [Source code]
The allowed IP ranges on the server indicate what private addresses the clients can use, so you should have a separate one for each client. They can be /32 addresses as each client only needs one address and, I'm assuming, doesn't route traffic for anything else.
The allowed IP range on each client indicates what private address the server can use, but as the server is also routing traffic for other machines (the other client for example) it should cover those too.
Apologies that this isn't better formatted, but I'm away from my machine. For example, on your setup you might use:
On home server: AllowedIPs 192.168.178.0/24 Address 192.168.178.2
On phone: AllowedIPs 192.168.178.0/24 Address 192.168.178.3
On VPS: Address 192.168.178.1 Home server peer: AllowedIPs 192.168.178.2/32
Phone peer: AllowedIPs 192.168.178.3/32
Thanks, but I have configured a dedicated IP range for my Wireguard network, so the devices have IPs like 10.0.0.1. But I still want to access services in my home network in the IP range 192.168.178.0/24.
And in your example the AllowedIP = 192.168.178.2/32 of the VPS would still make it possible to route traffic from my smartphone via the VPS to my home server?
Ah, ok. You'll want to specify two allowedip ranges on the clients, 192.168.178.0/24 for your network, and 10.0.0.0/24 for the other clients. Then your going to need to add a couple of routes:
- On the phone, a route to 192.168.178.0/24 via the wireguard address of your home server
- On your home network router, a route to 10.0.0.0/24 via the local address of the machine that is connected to the wireguard vpn. (Unless it's your router/gateway that is connected)
You'll also need to ensure IP forwarding is enabled on both the VPS and your home machine.
I actually don't know. All I want to achieve is having access from my smartphone to my local network via the VPS, which is the only device with a public IP. So it's basically a point-to-site connection from my smartphone to my home server with the VPS in between.
And I just followed a tutorial and that's why I set up the 10.0.0.0/24 IP range.
The allowed IP range on each client indicates what private address the server can use
I really dislike this description - yet I see it everywhere. It caused me a ton of confusion initially.
It's the IP addresses that will be routed over the VPN. So if you wanted, say, all traffic to go through the VPN then you would use "0.0.0.0/0". Which is what I do for my phone.
Sort of. If you're using wg-quick then it serves two purposes, one, as you say, is to indicate what is routed over the link, and the second (and only if you're setting up the connection directly) is to limit what incoming packets are accepted.
It definitely can be a bit confusing as most people are using the wg-quick script to manage their connections and so the terminology isn't obvious, but it makes more sense if you're configuring the connection directly with wg.
I've always understood it as the x.x.x.0/x being the gateway designator and network identifier, followed by the range of allowable IP addresses
This doesn’t address your issue specifically because I haven’t tried personally to use wireguard on my home server. Personally however I’ve been using Tailscale to connect to my home network remotely for DNS redirects through Pihole and to connect to my self-hosted services. I found Tailscale pretty easy to setup. If you can’t get Wireguard figured out you might give it a look as an alternative.
Tailscale is WireGuard. Just a fancy one.
Tailscale does NAT hole punching which really helps when dealing with systems behind NAT or restrictive firewalls. Your phone can connect directly to your home network without having to go through a VPS if you use Tailscale, even if your home internet connection doesn't have a static IP.