What I do is have the wireguard clients be on a different subnet than my other hosts, all behind the firewall. Then, in pfSense I made wireguard an interface like any other, and that allows me to make firewall policies, such as letting wireguard clients reach only my DNS servers on port 53, or my web servers on 443. Also, since each wireguard client has a static IP reserved, I can make my phone access more than my cloud server, since I trust the security of my phone a tad more (but only a tad).
For routing, I have the config for the clients either as 0.0.0.0/0 to send all traffic over the tunnel, or my private networks only for the split tunnel, and let the firewall policy handle it from there.
So, you could certainly make it so that your VPS connects to your wireguard endpoint, and then send your backup traffic to its client IP if you are going outbound to the VPS, and block the VPS from your internal network; or, vice versa, just open up the port you need to the host you need from the VPS to internal.
Hope this helps
On Thu, Dec 14, 2023, at 12:42, John Stoffel wrote:
>>>>>> "Althea" == Althea Shaheen via WLUG <wlug@lists.wlug.org> writes:
>
>> I run it on my pfSense firewall, but pivpn is also a great option if
>> you'd rather port forward to a different device.
>
> Do you have it so that if you have multiple internal devices behind
> your firewall, your external client can reach all those devices?
>
> I've been playing, but I'm sure I'm missing something. For example:
>
> Internal network: 192.168.1.0/24
> host A 192.168.1.10/32
> host B 192.168.1.20/32
>
> Firewall: 192.168.1.254
> WG: 192.168.200.0/24
>
> Client: 200.150.100.50 (made up)
>
>
> Ideally I'd like my client to be able to access host A or B from the
> road using the WG tunnel. Would I need to assign WG addresses to
> these hosts? Or would I just route 192.168.1.0/24 via wg0 on the
> client?
>
> That's the trouble I'm having.
>
> I also want to setup a Wireguard tunnel between home and my VPS in the
> cloud to make backups easier and simple. I could just do an SSH
> tunnel, but I'd prefer not since it's a pain for this one application
> to setup.
>
> So my VPS has both its public IP, and then I have a WireGuard IP and
> route setup so that I can reach into the home network. And possibly
> also allow connections to the VPS from other clients as well. Very
> mesh like.
>
> John
>
>> On Wed, Dec 13, 2023, at 16:30, John Stoffel wrote:
>>>>>>>> "Althea" == Althea Shaheen via WLUG <wlug@lists.wlug.org> writes:
>>>
>>> I've been busy, so I'm coming back to this late...
>>>
>>>> I use a wireguard VPN on my phone anytime I leave my house, mainly
>>>> for ad blocking. I run pi-hole at home to block ads network wide,
>>>> and when I leave wifi, my phone automatically joins the VPN at home
>>>> and uses the same pi-hole servers for DNS. Internet traffic is still
>>>> directly through my carrier (so split tunnel) but my DNS is hidden
>>>> from them and ad free!
>>>
>>> Do you run wireguard on your firewall or do you pass it inside into a
>>> base host?
>>>
>>>> -thea
>>>
>>>> On Sat, Dec 9, 2023, at 03:54, Jon "maddog" Hall via WLUG wrote:
>>>
>>>>> However, they still rely on the trust in the ownership/VPN service country's laws and
>>>> policies.
>>>>> A VPN service is effectively a 'man in the middle'.
>>>> This is why everyone should train their mother to offer a secure ISP/VPN service.
>>>> "Mom's VPN: Do you trust your Mom?"
>>>> md
>>>
>>>> On Fri, Dec 8, 2023 at 11:44 AM Kevin Stratton via WLUG <wlug@lists.wlug.org> wrote:
>>>
>>>> VPN services are a good tool for privacy. However, they still rely
>>>> on the trust in the ownership/VPN service country's laws and policies.
>>>> A VPN service is effectively a 'man in the middle'.
>>>
>>>> On 12/8/2023 3:13 AM, Robert Schwein via WLUG wrote:
>>>>>
>>>>> You've pretty much hit the high points Chuck. From my own experience
>>>>> when going overseas if I'm able to VPN to the country I'm going to,
>>>>> the rental car reservation is considerably less in cost to reserve
>>>>> that car than if I reserved it from state side. I'm assuming there is
>>>>> a difference between a poor native and a rich American.
>>>>>
>>>>> Bob
>>>>>
>>>>> On 12/8/2023 12:56 AM, Chuck Anderson via WLUG wrote:
>>>>>> On Thu, Dec 07, 2023 at 09:08:00PM -0500, Doug Mildram via WLUG wrote:
>>>>>>> So, maybe or maybe not, that's the kind of VPN I suspect they're selling,
>>>>>>> but I don't see the value for normal folks....or maybe anyone. (educate
>>>>>>> me!)
>>>>>>> Unless their hosted-server-world-route network security is a win.
>>>>>>> Thanks for listening, and my Thursdays look better than usual this month,
>>>>>>> so hoping for WLUG virtually dec 14. -doug
>>>>>> Yes. Those "modern" VPNs are used for many reasons. Here are a couple:
>>>>>>
>>>>>> - To appear to servers/services that you are physically located in a
>>>>>> different geographical area. This can help you bypass
>>>>>> geographically restricted content, such as watching sports programs
>>>>>> that content owners don't want you to see based on where you live
>>>>>> (local sports broadcast blackouts). Or trick hotels into giving you
>>>>>> a better price--yes, hotels can hike the rates they present to you
>>>>>> if they think you are nearby--assuming you need last-minute
>>>>>> accommodations while you are away on vacation.
>>>>>>
>>>>>> - To hide your real IP address from servers and/or hide your browsing
>>>>>> from intermediaries (your ISP for example) for privacy. This could
>>>>>> be so you can avoid being tracked and having your browsing habits
>>>>>> sold to advertisers (something your ISP can easily do--SSL does not
>>>>>> hide DNS queries although that is changing with the availability of
>>>>>> DNS-over-HTTPS and similar), to hide from authorities/copyright
>>>>>> enforcers, or for life-and-death reasons (hide from unfriendly
>>>>>> governments.)
>>>>>> _______________________________________________
>>>>>> WLUG mailing list -- wlug@lists.wlug.org
>>>>>> To unsubscribe send an email to wlug-leave@lists.wlug.org
>>>>>> Create Account: https://wlug.mailman3.com/accounts/signup/
>>>>>> Change Settings: https://wlug.mailman3.com/postorius/lists/wlug.lists.wlug.org/
>>>>>> Web Forum/Archive: https://wlug.mailman3.com/hyperkitty/list/wlug@lists.wlug.org/message/ZC4W3CWJBFFI2EFO24RKDX4RQ4RQQUUU/
_______________________________________________
WLUG mailing list -- wlug@lists.wlug.org
To unsubscribe send an email to wlug-leave@lists.wlug.org
Create Account: https://wlug.mailman3.com/accounts/signup/
Change Settings: https://wlug.mailman3.com/postorius/lists/wlug.lists.wlug.org/
Web Forum/Archive: https://wlug.mailman3.com/hyperkitty/list/wlug@lists.wlug.org/message/7MG6IRD4DTYC2LWZRGXZAU74JJVLGAH2/
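As an added worked example (not code from this thread or from any of its authors), the setup Althea describes, run against John's addresses: one [Peer] per client on the home firewall, each pinned to a single /32; split-tunnel or full-tunnel AllowedIPs on the client; and a per-peer policy on the WireGuard interface. The key strings are placeholders, the pi-hole address 192.168.1.53, the endpoint name home.example.net and the rule table are assumptions, and the rule table is a plain first-match list standing in for pfSense rules, not pfSense syntax. The trace() function follows one packet through the three checks that decide whether host A or B is reachable.

```python
"""Model of WireGuard cryptokey routing plus a per-peer policy on the tunnel
interface.  Constructed example: LAN 192.168.1.0/24 and tunnel 192.168.200.0/24
are the thread's addresses; keys, the DNS host, the endpoint name and the rule
table are placeholders/assumptions (a first-match list, not pfSense syntax)."""
import ipaddress

# Home firewall side: one [Peer] per client, each pinned to a single /32.
SERVER_CONF = """
[Interface]
Address = 192.168.200.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
[Peer]
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.200.2/32   # decrypted packets from the phone must use this source
[Peer]
PublicKey = VPS_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.200.3/32
"""

# Client side: AllowedIPs here decides which destinations are routed into the tunnel.
CLIENT_TEMPLATE = """
[Interface]
Address = {address}/32
PrivateKey = {key}
DNS = 192.168.1.53                  # hypothetical pi-hole address
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = home.example.net:51820   # hypothetical endpoint
AllowedIPs = {allowed}
PersistentKeepalive = 25
"""
SPLIT = "192.168.1.0/24, 192.168.200.0/24"   # home prefixes only; Internet stays on the carrier
PHONE_CONF = CLIENT_TEMPLATE.format(address="192.168.200.2", key="PHONE_PRIVATE_KEY_PLACEHOLDER", allowed=SPLIT)
PHONE_FULL_CONF = CLIENT_TEMPLATE.format(address="192.168.200.2", key="PHONE_PRIVATE_KEY_PLACEHOLDER", allowed="0.0.0.0/0")
VPS_CONF = CLIENT_TEMPLATE.format(address="192.168.200.3", key="VPS_PRIVATE_KEY_PLACEHOLDER", allowed=SPLIT)

# Hypothetical policy on the tunnel interface, first match wins, default block:
# (source, destination, proto, dport, action)
WG_RULES = [
    ("192.168.200.2/32", "192.168.1.53/32", "udp", 53, "pass"),   # phone -> DNS
    ("192.168.200.2/32", "192.168.1.10/32", "tcp", 443, "pass"),  # phone -> host A web
    ("192.168.200.3/32", "192.168.1.20/32", "tcp", 22, "pass"),   # VPS -> host B backups
    ("192.168.200.0/24", "0.0.0.0/0", "any", None, "block"),      # nothing else from the tunnel
]

def parse_wg(text):
    """Minimal wg-quick parser: ([Interface] dict, list of [Peer] dicts).
    Repeated [Peer] sections stay separate (configparser would merge them)."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if line == "[Interface]":
            section = interface
        elif line == "[Peer]":
            section = {}
            peers.append(section)
        elif line:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return interface, peers

def networks(field):
    return [ipaddress.ip_network(n.strip()) for n in field.split(",")]

def routed_via_tunnel(client_conf, dst):
    """wg-quick adds a route into the tunnel for every AllowedIPs prefix of every peer."""
    _, peers = parse_wg(client_conf)
    dst = ipaddress.ip_address(dst)
    return any(dst in net for p in peers for net in networks(p["AllowedIPs"]))

def cryptokey_accepts(server_conf, peer_pubkey, src):
    """Cryptokey routing: the server keeps a decrypted packet only if its source
    address lies inside the AllowedIPs of the peer whose key decrypted it."""
    _, peers = parse_wg(server_conf)
    src = ipaddress.ip_address(src)
    for p in peers:
        if p["PublicKey"] == peer_pubkey:
            return any(src in net for net in networks(p["AllowedIPs"]))
    return False

def firewall_verdict(rules, src, dst, proto, dport):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (src in ipaddress.ip_network(r_src) and dst in ipaddress.ip_network(r_dst)
                and r_proto in ("any", proto) and r_port in (None, dport)):
            return action
    return "block"

def trace(client_conf, client_pubkey, src, dst, proto, dport):
    """Follow one packet: client routing, then the server's cryptokey check, then policy."""
    if not routed_via_tunnel(client_conf, dst):
        return "not routed via tunnel"
    if not cryptokey_accepts(SERVER_CONF, client_pubkey, src):
        return "dropped by cryptokey routing"
    if firewall_verdict(WG_RULES, src, dst, proto, dport) != "pass":
        return "blocked by firewall"
    return "pass"
```

Calling trace(PHONE_CONF, "PHONE_PUBLIC_KEY_PLACEHOLDER", "192.168.200.2", "192.168.1.10", "tcp", 443) returns "pass": host A needs no WireGuard address of its own, because the phone's AllowedIPs already routes 192.168.1.0/24 into the tunnel and the firewall forwards it. The same phone sending to 8.8.8.8 gets "not routed via tunnel" under the split-tunnel config and "blocked by firewall" under PHONE_FULL_CONF, so switching to 0.0.0.0/0 also needs a pass rule for Internet-bound traffic on the tunnel interface. The VPS reaching host B on port 22 passes while host A on 443 is blocked, and a packet from the VPS that carries the phone's source address is dropped by cryptokey routing before any firewall rule is consulted; that per-peer /32 on the server is what lets the policy trust tunnel source addresses at all.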