Private LAN VPN Access
The scope here is the use of a VPN (Virtual Private Network) to gain secure access from the public network to a local private network. It concerns private, secure access to and use of that network from the public network. It does not consider public VPNs set up for public use.
Three different levels of access have been considered, described by the applications used:
- Wireguard - A VPN server
- Tailscale
- Headscale
- OpenVPN (Old)
These applications and their scope are described further below.
Wireguard
I previously successfully set up KPTree Wireguard on my router. This was installed on "bare metal", as was the nftables-based router firewall. I later installed the Bind9 DNS and Kea DHCP programs in Docker containers. I always run Docker in a VM to prevent Docker's packet filtering from affecting the bare-metal firewall rules. Until recently I had not moved Wireguard to a Docker container, as I did not have the need or the time.
Using Docker wireguard from linuxserver.io is much easier than the manual “bare-metal” setup on my router. The docker setup is below:
The Wireguard container Server Mode documentation gives some key points on usage:
- Variables SERVERURL, SERVERPORT, INTERNAL_SUBNET, PEERDNS, INTERFACE, ALLOWEDIPS and PERSISTENTKEEPALIVE_PEERS are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
- To add more peers/clients later on, you increment the PEERS environment variable or add more elements to the list and recreate the container.
- To display the QR codes of active peers again, you can use the following command and list the peer numbers (or names) as arguments:
  docker exec -it wireguard /app/show-peer 1 4 5
  or
  docker exec -it wireguard /app/show-peer myPC myPhone myTablet
  (Keep in mind that the QR codes are also stored as PNGs in the config folder.)
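As an added illustration of the server-mode variables described above (this is not the author's own compose file, which this page does not include), the following docker-compose.yml runs the linuxserver.io Wireguard image with named peers, a LAN resolver and a split-tunnel ALLOWEDIPS; the hostname, subnets and peer names are placeholders.

```yaml
# Added example: linuxserver.io wireguard image in server mode.
# Not the author's file; hostname, subnets and peer names are placeholders.
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE                       # only needed if the host must load the wireguard module
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL=vpn.example.com        # placeholder: public DNS name or IP of the router
      - SERVERPORT=51820
      - PEERS=myPC,myPhone,myTablet      # named peers; add a name and recreate the container to add a client
      - PEERDNS=192.168.1.2              # placeholder: LAN resolver (e.g. the Bind9 container) handed to peers
      - INTERNAL_SUBNET=10.13.13.0       # tunnel subnet handed to peers
      - ALLOWEDIPS=192.168.1.0/24,10.13.13.0/24   # placeholder: route only LAN + tunnel, not 0.0.0.0/0
      - PERSISTENTKEEPALIVE_PEERS=all    # keep NAT mappings alive for roaming peers
      - LOG_CONFS=true                   # print peer QR codes to the container log on creation
    volumes:
      - ./config:/config                 # peer_* folders with keys, confs and QR PNGs live here
      - /lib/modules:/lib/modules:ro
    ports:
      - 51820:51820/udp                  # the only port that needs forwarding on the router
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
```

Restricting ALLOWEDIPS to the LAN and tunnel subnets keeps a client from sending all of its traffic through the router; use 0.0.0.0/0 only if a full tunnel is intended. Changing any of the server-mode variables regenerates the confs on the next start while keeping existing keys, so delete a peer's folder under ./config first if its keys should be rotated.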
References
Tailscale
See Headscale.
Reference
Headscale
For my use case Headscale was too complicated to set up. I am also concerned about the effort needed to maintain it. So I have decided not to use it at this time.