WireGuard suggested config?

Joined: May 1, 2020 | Messages: 9
Ok so when it comes to VPNs and networking, I can't get it. I just can't. I especially don't want some isolated VPN network because it defeats the purpose of what I'm trying to do. I want my VPN clients on the same network as the NAS. It's to be able to access my home network when I'm away.

My router's address is 192.168.86.1, the subnet mask is 255.255.255.0, DHCP pool is from .20 to .250. My FreeNAS IP is 192.168.86.115 and that's where I'm going to be running WireGuard. I want the VPN clients on this network, honestly I would rather they get assigned IPs by my router's DHCP.

So this is what I threw together so far in the wg0.conf file. It's the only config that actually came online so far, I thought the address would be the FreeNAS IP? It wouldn't work with that so I made it some random .168 IP. I also don't know if I should specify 24? I guess that explains the subnet, I hope that's the right one? Do I forward the listen port to the FreeNAS IP or this IP I'm putting here?

I also don't get what AllowedIPs is doing? And the tutorial had a 32, I don't know what that line is there for. Is AllowedIPs literally the only IP a client can get assigned or what their WAN IP can be? I don't know what the client's WAN IP is if they are on an LTE network.

[Interface]
PrivateKey = privatekey
Address = 192.168.86.168/24
ListenPort = 51820
SaveConfig = true
[Peer]
PublicKey = publickey
AllowedIPs = 192.168.86.170/32

Kcaj

Contributor
Joined: Jan 2, 2020 | Messages: 100
I have not used WireGuard, though while it's of course possible to run your VPN server on your FreeNAS, to do it properly you really should have it on a separated network, e.g. a DMZ, and use a device like a firewall to allow traffic between the VPN network and the internal network IMO.

I always default to having my VPNs terminated on my firewall, as it seems like a logical barrier to me. Most decent firewall solutions would have the ability to do this. Then it's easy to set up granular rules to allow traffic inside your private network.

/32 is CIDR notation, basically saying it's only a single host.

sretalla

Powered by Neutrality
Moderator
Joined: Jan 1, 2016 | Messages: 9,703
Since WireGuard is layer 3 only, you need to route, so it's not as simple as ZeroTier's layer 2 where you could just bridge the ZeroTier interface and use the same subnet at both ends.

In order to route, you need to manage a route (probably on your router) to point all traffic for the WireGuard subnet back to the WireGuard server (FreeNAS). If you don't do this, packets from your other jails or local machines on the LAN won't find the gateway and will never go through the tunnel.

Make sure you change the AllowedIPs to add (like this: 192.168.87.0/24) the additional subnet you will use on the remote side and likewise on the other side define the allowed subnet for your LAN (192.168.86.0/24).
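As an added example (not posted by anyone in this thread), here is what the two sides could look like with a dedicated tunnel subnet 192.168.87.0/24 and the routes the reply above describes; the key, endpoint and route syntax are placeholders/assumptions to adapt to your own router.

```ini
# ---- Server side: wg0.conf on FreeNAS (LAN address 192.168.86.115) ----
[Interface]
# Tunnel address lives on its own subnet, not on the 192.168.86.0/24 LAN
Address = 192.168.87.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
# FreeNAS must forward packets between wg0 and the LAN (FreeBSD):
#   sysctl net.inet.ip.forwarding=1

[Peer]
# Road-warrior client (phone/laptop): only its single tunnel address is
# accepted as a source from this peer. If the peer routes a whole remote
# LAN, list that subnet here too, e.g. 192.168.87.0/24 or 10.x.x.0/24.
PublicKey = <client-public-key>
AllowedIPs = 192.168.87.2/32

# ---- Client side: wg0.conf on the phone/laptop ----
[Interface]
Address = 192.168.87.2/24
PrivateKey = <client-private-key>

[Peer]
PublicKey = <server-public-key>
# Router forwards UDP 51820 to 192.168.86.115 (the FreeNAS LAN IP)
Endpoint = <home-public-ip-or-ddns-name>:51820
# Send traffic for the home LAN and the tunnel subnet through the tunnel
AllowedIPs = 192.168.86.0/24, 192.168.87.0/24
# Keeps the NAT mapping alive from behind LTE/carrier NAT
PersistentKeepalive = 25

# ---- On the home router (syntax varies by vendor; assumed form) ----
#   static route: 192.168.87.0/24 via 192.168.86.115
# Without it, LAN hosts replying to 192.168.87.x send to the router,
# which has no path back into the tunnel.
```

AllowedIPs is not a DHCP pool: on each side it is both the list of source addresses accepted from that peer and the set of destinations routed to it, so the clients keep their fixed 192.168.87.x tunnel addresses rather than taking one from the router's DHCP.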