Create a FREE, PRIVATE, VPN with WireGuard - How To

  • Published 7 Feb 2025

COMMENTS • 60

  • @berniesutton7277
    @berniesutton7277 7 months ago +1

    Very handy. Thanks for putting me onto this. Cheers, Bernie

  • @tightning
    @tightning 1 year ago +2

    Great video, good breakdown on the choice of VPN. Very handy toolset and nice setup guide

  • @drreality1
    @drreality1 1 year ago +3

    Thanks Jim, I found Tailscale, which uses WireGuard as its backbone, works more seamlessly. It can bypass blocked UDP firewalls, doesn't require port forwarding (UDP hole punching), easier ACL and user management.
    Granted, you're handing the handshaking to Tailscale, but you can run the server locally

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      Thanks. Yep, Tailscale (or Headscale, the open-source alternative) is on my to-do list. Wanted to start with the basics for people first.

    • @drreality1
      @drreality1 1 year ago +2

      @@Jims-Garage thanks a lot, that'd be interesting to watch. I'd be grateful if part of the video is on ACLs please, I don't know how to restrict a user of the network to a single internal IP

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      @@drreality1 sure, I'll cover that. One way you could do it using traditional methods is to put the container on a macvlan and then set granular rules based on IP in your firewall (there's like a better approach with code though, let me investigate).

    • @drreality1
      @drreality1 1 year ago +1

      @@Jims-Garage I’ve not thought of this actually, firewalling the container to certain ips only, brilliant idea that’s brilliant
      The only drawback is that everyone on the mesh network will be restrained by these rules

    • @Jims-Garage
      @Jims-Garage 1 year ago

      @@drreality1 it's a lot easier in Kubernetes with networkPolicy but Docker doesn't have those advanced features.

  • @BrianPhillipsSKS
    @BrianPhillipsSKS 1 year ago +4

    I love WireGuard, I use it literally every day to remotely connect to my network for admin/tinkering. And it's 100% self hosted, unlike some other solutions

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Totally agree, it's an awesome tool. I'd struggle without it!

    • @chrisumali9841
      @chrisumali9841 1 year ago +1

      @@Jims-Garage I agree, but do you feel secure port forwarding, since you are using the Sophos XG? Just wondering from your security point of view.

    • @Jims-Garage
      @Jims-Garage 1 year ago

      @@chrisumali9841 yes, WireGuard is fundamentally different to OpenVPN. It won't even respond unless you're authenticated, so the attack surface is pretty much non-existent.

    • @chrisumali9841
      @chrisumali9841 1 year ago +1

      @@Jims-Garage yeah, you are right, the cryptographic key and trust are solid. Thanks for your thought and insight.

  • @SteveH-TN
    @SteveH-TN 5 months ago +1

    Thanks for sharing this video and your experiences!

  • @chrisumali9841
    @chrisumali9841 1 year ago +1

    Thanks for the demo and info, have a great day

  • @alexplane3279
    @alexplane3279 1 year ago +1

    Thanks again Jim ..works like a charm ...

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Good to hear, glad it's still up to date.

  • @rab8347
    @rab8347 5 months ago +1

    Well explained, thank you.

  • @kevinhughes9801
    @kevinhughes9801 1 year ago +1

    Just found your channel and subbed, thanks, love the content

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      Thanks, Kevin. I appreciate the feedback.

  • @simpoz-8760
    @simpoz-8760 8 months ago

    But what about the fact that several different devices can use one QR code? Is it possible to somehow limit this, so that once a device has connected using the QR code, it ceases to be valid?

  • @fahadusman3538
    @fahadusman3538 3 months ago

    Hi Jim, what traefik labels did you use if any? Cheers

  • @BenSmithuk
    @BenSmithuk 1 month ago

    Hi Jim, bit of an odd request, but is it possible to run NPM in parallel with WG-Easy? I was really struggling to get NPM to have visibility of the WG network interface and because it's all dockerised I couldn't get the npm container to play ball. I've tried bridging networks with each container but still no luck and sadly the wg-easy is tied into docker so a bit stuck! Any advice would be appreciated.

  • @FilipeNeto616
    @FilipeNeto616 10 months ago +2

    Hi, I've deployed WireGuard and I'm able to access my internal network over my mobile (5G network). However I can only access it directly by IP. If I try to connect through DNS I'm getting DNS_PROBE_FINISHED_NO_INTERNET or DNS_PROBE_FINISHED_BAD_CONFIG, either for the DNS configured at Cloudflare or the ones configured locally in my PiHole. In the wireguard docker-compose file I've set WG_ALLOWED_IP to my entire local /24, and WG_DEFAULT_DNS to my internal PiHole IP. At Sophos I have configured a DNAT between WAN and my docker-proxy IP, port 51820 udp. Any clue?

    • @Jims-Garage
      @Jims-Garage 10 months ago

      Edit the config on the mobile app and set your DNS IP to your internal DNS resolver.

    • @FilipeNeto616
      @FilipeNeto616 10 months ago +1

      @@Jims-Garage I've done that and the problem persists. I'm missing something. I'll post an update as soon as I've sorted it out. Thank you and keep posting videos. Very helpful.

    • @Jims-Garage
      @Jims-Garage 10 months ago

      @@FilipeNeto616 thanks for the feedback. Keep going, you must be close.

    • @FilipeNeto616
      @FilipeNeto616 10 months ago +1

      @@Jims-Garage One thing I found out, my Chinese OPPO doesn't like custom DNS servers. It tends to prefer its own kind of hardcoded DNS servers... guess why... Nevertheless I'm now testing it with another laptop and something is still not OK, but for sure I'll sort it out. It's a matter of time and persistence.

    • @andrei5230
      @andrei5230 6 months ago

      @@FilipeNeto616 I have the same issue, did you manage to get it to work?

  • @bitferret-rx5rn
    @bitferret-rx5rn 1 month ago +1

    How do I allow users to use the internet of where the server is hosted?

    • @Jims-Garage
      @Jims-Garage 1 month ago

      Set allowedIP to 0.0.0.0/0 on the client and make sure that the server has access to the internet.

    • @bitferret-rx5rn
      @bitferret-rx5rn 1 month ago +1

      @Jims-Garage cool... Do you have any pointers on how to secure the login page on the open internet? Like, let's say you're hosting it on a cloud server.

    • @Jims-Garage
      @Jims-Garage 1 month ago

      @bitferret-rx5rn don't port forward the UI port. Only allow access once you're on the VPN.

  • @redpurple1035
    @redpurple1035 1 year ago

    Hey Jim, love your work. Could you please go into depth about MTU... I am so scratching my head around this part. A few days ago, my VPN tunnel was doing 320 ish Mbps download and 50 ish upload while the WG tunnel is active... but recently it drops for no reason to 100 ish download and upload is still the same around 50 ish upload speed. I already did the fragment test using cmd and it is always 1392 as the last biggest MTU with zero loss.
    My router is behind an ONU and the router is connected to the WAN with PPPoE at 1492 MTU.
    Note :
    My router is Asus RT-AX82u
    My ISP Based package is 300 d / 50 u

  • @xyzzyx-g3x
    @xyzzyx-g3x 3 months ago +1

    How do you port forward it to a proxy? That's something I am trying to do and can't really find.

    • @Jims-Garage
      @Jims-Garage 3 months ago

      I port forward mine through Traefik albeit it's not necessary. You need to add an entrypoint on Traefik on the correct port and protocol. Then it should be the same process as normal (UDP in this case).

  • @cicievie
    @cicievie 1 year ago +1

    How about IPv6? That WireGuard is only for IPv4, can you please help make one for IPv6 please..

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      Thanks, I know IPv6 is becoming increasingly common. I'll look into it and do an update later.

  • @hugotorres9863
    @hugotorres9863 1 year ago +2

    Hi Jim, thank you so much for this video, once again! I have an issue currently that you might be able to help me with. I can connect successfully to my local network but I can only access my services via their IP. I have Nginx set up with domain names and certificates, but when I try to access them via their domain name when connected via WireGuard I just can't. Could it be a DNS issue or something? Thanks in advance

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Thanks! Have you set your DNS IP in the WireGuard config? Make sure it points to the IP address of your internal DNS server.

    • @hugotorres9863
      @hugotorres9863 1 year ago +1

      @@Jims-Garage at the moment I don't have a local DNS server set up. Basically what I did was set up a record in duckdns pointing to the internal IP of my pi running nginx, then proxy the hosts. Would I need a pihole for it to work with wireguard?

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      @@hugotorres9863 ahh okay. No, you don't need an internal one if you're doing it that way. You should just need to make sure that "Allowed IPs" includes the services you want to access, and that your docker host has access to them (i.e., there isn't a firewall rule blocking it).

  • @JGNiDK
    @JGNiDK 1 year ago +1

    Do you think either this, or a Tailscale video, could show how you could use your Pi-hole on the run also? I'm very tired of ads when I'm away from home.

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Make sure you set DNS to the PiHole IP and don't split tunnel (set allowed IP to 0.0.0.0/0).

    • @JGNiDK
      @JGNiDK 1 year ago +1

      @@Jims-Garage that should be enough?

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      @@JGNiDK That's how I have it.

    • @JGNiDK
      @JGNiDK 1 year ago

      @@Jims-Garage so follow your video, and set the DNS IP to my PiHoles?
      Then accessible outside of your network?
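    As an added example that is not part of the video or Jim's own setup, this WireGuard client config shows the settings discussed in this thread and in the replies to @bitferret-rx5rn and @hugotorres9863 above: AllowedIPs set to 0.0.0.0/0 for a full tunnel, DNS pointed at the Pi-hole, and the split-tunnel alternative commented out beside it; the comment on the private key is the reason one config, and the QR code generated from it, belongs to exactly one device (the point @simpoz-8760 asks about). The key values, tunnel and LAN addresses and the endpoint hostname are constructed placeholders.

```ini
# Constructed example client config (wg0.conf), not taken from the video.
# A client QR code is this whole file, PrivateKey included, so every device
# that scans it becomes the same peer. Generate one key pair and one config
# per device, and remove the peer on the server when the device is retired.
[Interface]
# This client's address on the VPN subnet (placeholder)
Address = 10.8.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
# All DNS queries go to the Pi-hole on the home LAN, so ad-blocking works
# away from home. The Pi-hole must be reachable via AllowedIPs below.
DNS = 192.168.1.53

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
# Public name/IP of the home router, with UDP 51820 forwarded to the server
Endpoint = vpn.example.com:51820
# Full tunnel: every route, internet traffic included, goes through home,
# which is what "use the internet of where the server is hosted" needs.
# For IPv6 traffic as well, add ::/0 (the video covers IPv4 only).
AllowedIPs = 0.0.0.0/0
# Split-tunnel alternative: only the home LAN and the VPN subnet are routed
# through the tunnel; the Pi-hole and any service you want to reach by name
# must fall inside one of these ranges.
# AllowedIPs = 192.168.1.0/24, 10.8.0.0/24
# Keeps the NAT mapping open on the router while the client is behind NAT
PersistentKeepalive = 25
```

    Whichever AllowedIPs form is used, the wg-easy web UI should only be reachable from inside the tunnel, as Jim notes above: leave its TCP port unforwarded on the router and bind or firewall it to the LAN.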

  • @jesusmadeflipp9298
    @jesusmadeflipp9298 4 months ago +1

    Once created, do I need to do any type of maintenance on my VPN?

  • @Robertjaymercer
    @Robertjaymercer 1 year ago

    Hey there Jim, thank you again for your video. I have a question, is it possible to configure a tunnel to access only certain ports? (I'd like to access only certain app and not the entire server) thank you :)

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      Putting WireGuard on its own VLAN and controlling it with firewall rules would be one option. It's the same process I follow in my Cloudflare Tunnels video.

    • @Robertjaymercer
      @Robertjaymercer 1 year ago

      @@Jims-Garage thank you! I'll need to build a firewall then lol

    • @redpurple1035
      @redpurple1035 1 year ago +1

      for the android-wireguard-app ... you can specifically choose which apps can go through the wg tunnel ... (it is exactly like a split tunnel situation but on the software/app level 🙂)

    • @Robertjaymercer
      @Robertjaymercer 1 year ago

      @@redpurple1035 thank you sir! :)