Wireguard, an update
Wed, Apr 1, 2020 · 3 minute read · linux, wireguard
I last wrote about Wireguard in May 2019.
At that time the author, Jason Donenfeld, described Wireguard as a work in progress.
Since then Jason has been very busy to the extent that Linux kernel 5.6 now includes Wireguard.
I too have been busy with Wireguard, using it for 3 quite different purposes.
Remote workers
Windows, Mac and Linux machines connecting back to the office.
Wireguard installs as a new network interface which is available before login.
On Windows this is very useful as it means domain login works even when the PC is out of the office.
Self hosted web server
The heading doesn’t quite do this justice.
I have several websites running on a Raspberry Pi, all of which are available on the internet; see The Bespoke engineer, which was our original POC.
That particular Pi sits behind two routers, both doing NAT.
This is simple to achieve:
- A cheap VPS from any hosting provider. Spec is unimportant; the cheapest available will work. Take great care to harden this VPS as much as possible.
- Wireguard installed on the VPS and the Pi.
- Caddy reverse proxy installed on the VPS, pointing to the Pi.
Caddy provides SSL from Letsencrypt so the website (running on the Pi) is secure.
As a bonus, some of our sites use static pages generated by Hugo.
These websites are connected by a webhook to a Git repository.
Sites are automatically updated after every git push courtesy of a git module for Caddy.
Self hosted email server
This is a very similar setup to the self hosted web server except this time the Pi is a Virtualbox VM running Modoboa mail server.
Mail sent from and received by this server is, as far as I can tell, indistinguishable from any other mail server, with all the benefits of Modoboa, including DMARC, DKIM, SSL-protected webmail and IMAP accounts (again courtesy of Caddy and Letsencrypt).
The self hosted web and mail servers are only accessible from the internet by the ports they need, e.g. 443, 25, 143 and 587. SSH to these servers from the internet is not possible as the local SSH server does not listen on the Wireguard interface.
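The VPS-plus-Pi setup described above, with the SSH restriction, written out as configuration. This is an added example, not the author's own configuration: the 10.0.0.0/24 tunnel addresses, UDP port 51820, the example hostnames, the Pi's LAN address 192.168.1.10 and the Caddy v2 syntax are all assumptions, and the key values are placeholders.

```ini
# /etc/wireguard/wg0.conf on the VPS (the public endpoint).
# Assumed values: tunnel subnet 10.0.0.0/24, VPS = 10.0.0.1, Pi = 10.0.0.2,
# listen port 51820. Replace the <...> placeholders with the output of
# `wg genkey` / `wg pubkey` run on each host.
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# The Pi. No Endpoint here: it sits behind two NATs, so it must initiate.
PublicKey = <PI_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32

# /etc/wireguard/wg0.conf on the Raspberry Pi (behind double NAT).
[Interface]
Address = 10.0.0.2/24
PrivateKey = <PI_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
# Only traffic for the VPS itself goes into the tunnel; the Pi's default
# route stays on the local network.
AllowedIPs = 10.0.0.1/32
# Keepalive keeps the NAT mappings open so the VPS can always reach the Pi.
PersistentKeepalive = 25

# /etc/caddy/Caddyfile on the VPS (Caddy v2 syntax assumed): Caddy obtains
# the Let's Encrypt certificate for the public hostname and forwards requests
# over the tunnel to the web server on the Pi.
www.example.com {
    reverse_proxy 10.0.0.2:80
}

# /etc/ssh/sshd_config on the Pi: bind sshd to the LAN address only, so it
# never listens on the Wireguard interface and is not reachable via the VPS.
ListenAddress 192.168.1.10
```

With this layout the only inbound ports the VPS needs open are UDP 51820 for Wireguard and the service ports it proxies (443 here; 25, 143 and 587 for the mail variant).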
If anyone is interested in the details or has questions, just send an email to alan@252.uk (hosted on the above VM).
Or, we can provide a Wireguard VPN to your server as a service (WVaaS):
- Point your domain to our Wireguard VPN server. Configure your Wireguard to point to our Peer (swap our public keys) and we will handle the routing for £2/month.
- Or, register (or transfer) your domain with us (https://252.uk) and we will provide the Wireguard routing for free.