I’m just starting out with self-hosting, so I’m unfamiliar with a lot of wireguard things.
I want to create my own wireguard server for family clients to connect to so we can access all of the LAN services easily, but also access the internet through a mullvad connection so there’s privacy.
I don’t want to just put the wg client/mullvad on the host, because one of the things I want to host is a web server, so my public ip needs to be available to some containers (but not my family vpn).
So ideally I’d have everything on my 192 network available within my private vpn, but any www traffic is through a client to mullvad.
What’s the best approach? I was trying two containers with a docker network, but traffic keeps ‘leaking’ via the public ip.
Any advice on the best direction is welcome, I’m not really sure of the terminology to be searching for to get started. Do I need two containers, or just one? Do I need to set up custom routing rules? Are there any tools or resources to understand this side of things?
So there is a container image called gluetun that sounds like it will do most of the heavy lifting for you https://github.com/qdm12/gluetun
To do internal routing in your network though is a little extra work. Assuming you’re hosting private services you want to use in a docker compose, you can run wireguard in front of a traefik server or something akin to that.
As some have mentioned here, tailscale/headscale or similar products can be an option, but you need to spend a little time researching those to understand what they do and don’t do.
Sounds like you’ll need to be playing with routers. Ideally you’d set up a site-to-site link. But to do that you’ll need to admin your router and your extended family member’s router. Doing this will allow all devices on the family member’s LAN access to your service - like giving a simple device like a chromecast or TV access to your jellyfin server. Otherwise, just the laptop with the wireguard (or tailscale) client will have access.
To further extend the ideal scenario, you wouldn’t run the wireguard servers on the routers, so you would stand them up in a container or vm, then build the routes accordingly. But that is an extra step almost nobody does.
Doing any of the above is a lot of work. If you want to get this job done in minutes instead of hours or days, I’d just selectively allow the public IP addresses of your family/friends through your firewall. This isn’t ideal, but it gets the job done with very infrequent intervention. And the risks are far smaller than most people assume.
So gluetun and wg-easy on your vps, with gluetun connecting to mullvad and exposing the outbound traffic via that. wg-easy will use your public ip and a high udp port for wg tunnels and another tcp port for the management interface. I recommend using dockge or portainer to manage these.
Alternatively tailscale on all devices, set the vps as exit node and use wg mullvad for the vps outbound traffic.
I don’t follow why the container/vms are ideal? I pay for a static residential ip and use an asus router at that location and another asus portable router wired to my work laptop off a cell hotspot or off starlink. Goal is work not flagging my ip and a friend suggested a cloud VM but I don’t follow why? Thanks
Regarding the containers/vms, I was just making the point that running services like this is always better with some layer of separation from the host os. Most people click a few buttons on their router’s web GUI to stand up a wg server. This is easy, but far from ideal. I imagine the reasons are obvious.
For your situation, if you have a wg server at home that you connect to remotely, then this should do you fine. Not sure why you would need a cloud vm. It’s nice to have a static IP at home, but I have found it isn’t as necessary as you might think. I don’t have a static IP and my IP changes maybe once every year or so. Changing that in the config (or DNS entry) isn’t a big deal, but to each his own.