Share single service via WireGuard
from syaochan@feddit.it to selfhosted@lemmy.world on 15 Sep 21:29
https://feddit.it/post/21750924

I wanted to share a service I’m hosting, but didn’t feel comfortable just leaving it publicly accessible, even behind a reverse proxy. In the meantime I did not want to give access to my whole LAN with a VPN, or redirect all internet traffic from a client through my network. So the idea is to run a WireGuard instance on my OpenWRT router in a completely isolated zone (input, output and forward set to reject on the firewall) and then forward a single port from the service host. The client is Android, so using WG Tunnel and split tunnelling just for the relevant app should not impair the client’s network access. Initial tests seem to be OK; is there anything I may have overlooked? Please feel free to comment.

#selfhosted


frankhe78@feddit.it on 15 Sep 21:48

Seems fine to me. I have been playing around with some MikroTik devices doing exactly this. It should also be possible to achieve the same using OpenWRT. You do indeed have to isolate things using different subnets and route certain IP addresses between those IPv4 subnets. Nothing too complicated.

litchralee@sh.itjust.works on 15 Sep 21:59

Let me make sure I understand everything correctly. You have an OpenWRT router which terminates a WireGuard tunnel, which your phone will connect to from somewhere on the Internet. When the WireGuard tunnel lands within the router in the new subnet 192.168.2.0/24, you have iptables rules that will:

  • Reject all packets on the INPUT chain (from subnet to OpenWRT)
  • Reject all packets on the OUTPUT chain (from OpenWRT to subnet)
  • Route packets from phone to service on TCP port 8080, on the FORWARD chain
  • Allow established connections, on the FORWARD chain
  • Reject all other packets on the FORWARD chain

So far, this seems alright. But where does the service run? Is it on your LAN subnet or the isolated 192.168.2.0/24 subnet? The diagram you included suggests that the service runs on an existing machine on your LAN, so that would imply that the router must also do address translation from the isolated subnet to your LAN subnet.

That’s doable, but ideally the service would be homed onto the isolated subnet. But perhaps I misunderstood part of the configuration.

syaochan@feddit.it on 16 Sep 18:09

The service runs on another machine with address 192.168.1.10, so a different subnet than the WireGuard one, hence the port forward. I confirmed that this works, I can reach the service from the phone on mobile data connected to the WireGuard endpoint.

[image: https://feddit.it/pictrs/image/bea88178-c033-4a75-a22e-49c068ba7944.png] wg1 is in zone dmz

[image: https://feddit.it/pictrs/image/045ff80f-7c67-40a6-a781-5b13e2e71a97.png] this is the port forward
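The OpenWRT side of the setup described in the post and in the rule list above, as an added example rather than the OP’s actual configuration: UCI commands that create the isolated zone and the single redirect. Names taken from the thread are wg1, zone dmz, 192.168.1.10 and TCP 8080; the router’s tunnel address 192.168.2.1 and the listen port 51820 are assumptions.

```shell
#!/bin/sh
# Added example, not the OP's config: OpenWRT UCI batch for an isolated WireGuard
# zone that forwards exactly one TCP port to a LAN host. Values are assumptions
# (wg1/dmz/192.168.1.10/8080 follow the thread; 192.168.2.1 and 51820 are guesses).
WG_IF=wg1                  # WireGuard interface already defined in /etc/config/network
WG_ZONE=dmz                # firewall zone that contains only the tunnel
WG_ROUTER_IP=192.168.2.1   # router's tunnel address; the phone only needs AllowedIPs = this /32
SVC_IP=192.168.1.10        # LAN host running the shared service
SVC_PORT=8080              # the one TCP port being exposed
WG_LISTEN=51820            # UDP port the tunnel listens on towards the WAN
# Emit the commands in `uci batch` syntax so they can be reviewed (or tested)
# before touching the router; `uci` itself only exists on OpenWRT.
wg_dmz_uci_commands() {
  cat <<EOF
set firewall.${WG_ZONE}=zone
set firewall.${WG_ZONE}.name='${WG_ZONE}'
add_list firewall.${WG_ZONE}.network='${WG_IF}'
set firewall.${WG_ZONE}.input='REJECT'
set firewall.${WG_ZONE}.output='REJECT'
set firewall.${WG_ZONE}.forward='REJECT'
set firewall.wg_in=rule
set firewall.wg_in.name='wg-listen'
set firewall.wg_in.src='wan'
set firewall.wg_in.proto='udp'
set firewall.wg_in.dest_port='${WG_LISTEN}'
set firewall.wg_in.target='ACCEPT'
set firewall.wg_svc=redirect
set firewall.wg_svc.name='wg-to-service'
set firewall.wg_svc.src='${WG_ZONE}'
set firewall.wg_svc.src_dip='${WG_ROUTER_IP}'
set firewall.wg_svc.src_dport='${SVC_PORT}'
set firewall.wg_svc.dest='lan'
set firewall.wg_svc.dest_ip='${SVC_IP}'
set firewall.wg_svc.dest_port='${SVC_PORT}'
set firewall.wg_svc.proto='tcp'
set firewall.wg_svc.target='DNAT'
EOF
}
# Apply on the router: a redirect also installs the matching dmz->lan accept rule,
# so no separate forwarding entry is needed; everything else arriving from the
# tunnel stays rejected by the zone defaults (input, output and forward).
apply_on_router() {
  command -v uci >/dev/null 2>&1 || { echo "run this on the OpenWRT router" >&2; return 1; }
  wg_dmz_uci_commands | uci batch && uci commit firewall && /etc/init.d/firewall reload
}
# Without arguments just print the batch for review; pass 'apply' on the router.
if [ "${1:-}" = apply ]; then apply_on_router; else wg_dmz_uci_commands; fi
```

The reply path from 192.168.1.10 back to 192.168.2.x works without extra NAT only when the router is that host’s default gateway; otherwise add a static route for the tunnel subnet on the host.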

Lemmchen@feddit.org on 16 Sep 08:11

OpenZiti allows you to expose only predefined ports/services via VPN: netfoundry.io/docs/openziti

syaochan@feddit.it on 16 Sep 18:11

Thanks for the link, I did not know this service. I’m still a bit reluctant to use commercial solutions which may do a rug pull in the future.

signalsayge@infosec.pub on 16 Sep 10:30

Tailscale would probably be easier for this. Install Tailscale on the server and configure only that service as available in the Tailscale dashboard. I’ve used this method for SSH access to family members’ devices.

I’m sure you could run the same setup using Headscale (self-hosted Tailscale); it would require a bit more setup though, and dynamic DNS would probably have to be working.

syaochan@feddit.it on 16 Sep 18:17

I know about Tailscale, but since it’s a commercial service I’m not keen to adopt it and then maybe they stop having a free tier. I’ll look into Headscale instead, I did not know about that before.

stratself@lemdro.id on 16 Sep 11:07

Is there a way for a WireGuard peer to advertise AllowedIPs similar to Tailscale’s subnet routing? If that’s right, perhaps you can configure your host’s address as one of the AllowedIPs on the OpenWRT peer, and skip port forwarding too.

non_burglar@lemmy.world on 16 Sep 13:55

Yes, since Tailscale is based on WireGuard.

Probably not the best practice, though, since any device that connects will be allowed to use the service if there is no authentication on the cert.

syaochan@feddit.it on 16 Sep 19:06

I’m not sure if I understood, but on the host there are other services I do not want to share outside my LAN. My goal was to share a single service.

bmcgonag@lemmy.world on 16 Sep 19:56

I think this is exactly what Pangolin was designed for and does.

syaochan@feddit.it on 16 Sep 20:48

Isn’t Pangolin just a reverse proxy?

ChogChog@lemmy.world on 16 Sep 22:33

The connection between your Pangolin service (hosted outside your network) and your LAN is through a VPN. Essentially you’re creating a proxy that you can point your domain address at which isn’t your house’s IP address. Plus then everything inside your network is still secure behind your VPN.

So you connect to Pangolin, and Pangolin routes the traffic to your network.

foremanguy92_@lemmy.ml on 16 Sep 21:32

With a firewall you could do it pretty properly.