Private LAN VPN Access

The scope here concerns use of VPN (Virtual Private Network) to gain secure access from the public network to a local private network. It relates to private secure access and use from the public network. It does not consider public VPNs setup for public use.

There have been considered 3 different levels of access as described by the applications used:

• Wireguard - A VPN server
• Tailscale
• Headscale
• OpenVPN (Old)

These applications and their scope are described further below.

I previously successfully setup KPTree wireguard on my router. This was installed on “bare metal” as was the nftable based router firewall. I later installed Bind9 DNS and Kea DHCP programs in Docker containers. I always run Docker in a VM to prevent Docker's packet filtering from affecting the bare metal firewall rules. Until recently I did not move Wireguard to a Docker container as I did not have the need or time.

Using Docker wireguard from linuxserver.io is much easier than the manual “bare-metal” setup on my router. The docker setup is below:

docker-compose.yml

---
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Australia/Perth
      - SERVERURL=kptree.net #optional
      - SERVERPORT=51820 #optional
      - PEERS=2 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
      - PERSISTENTKEEPALIVE_PEERS=all #optional
      - LOG_CONFS=true #optional
    volumes:
      - ./config:/config
      #- /lib/modules:/lib/modules #optional
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

The Wireguard container Server Mode documentation give some key points on usage:

• Variables SERVERURL, SERVERPORT, INTERNAL_SUBNET, PEERDNS, INTERFACE, ALLOWEDIPS and PERSISTENTKEEPALIVE_PEERS are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
• To add more peers/clients later on, you increment the PEERS environment variable or add more elements to the list and recreate the container.
• To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: docker exec -it wireguard /app/show-peer 1 4 5 or docker exec -it wireguard /app/show-peer myPC myPhone myTablet (Keep in mind that the QR codes are also stored as PNGs in the config folder).

• Wireguard
• xdeb.org Setting up a server firewall with nftables that support WireGuard VPN
• How To Set Up a WireGuard VPN Server on Ubuntu Linux
• Some Unofficial WireGuard Documentation
• How to setup your own VPN server using WireGuard on Ubuntu
• Archlinux Wireguard
• Wireguard VPN: Typical Setup
• OpenVPN FAQ
• A Tutorial for Controlling Network Traffic with iptables
• How To Set Up WireGuard Firewall Rules in Linux
• Gain flexibility & increase privacy with WireGuard VPN

See Headscale.

• Tailscale:
  • Tailscale quickstart
  • Using Tailscale with Docker
  • github Tailscale Community
    • tailscale-dev / docker-guide-code-examples

For my use case Headscale was too complicated to setup. I am also concerned about the effort to maintain. So I have decided not to use at this time.

https://github.com/juanfont/headscale/releases

• headscale
  • Running headscale in a container
• github headscale
• JimsGarage Headscale2
• Dockerhub headscale

—-