this post was submitted on 25 Feb 2024
23 points (100.0% liked)

Selfhosted

40133 readers
500 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I got a bunch of self-hosted stuff and use a VPS that has a public IPv4 to access my services because my home network has only DS-Lite. My home server ist connected to the VPS using Wireguard.
Now I want to connect my Smartphone to my VPN to be able to access some local services remotely. I'm able to add a second peer to the Wireguard config on the VPS, but I'm struggeling to configure the AllowedIPs correctly.
The VPS apparently needs AllowedIPs 10.0.0.0/24 and 192.168.178.0/24, but the Smartphone as well for both to redirect request into my home network. But it's not possible to configure the same IP ranges for two peers. What do I do?

EDIT: Solved: https://iliasa.eu/wireguard-how-to-access-a-peers-local-network/

top 17 comments
sorted by: hot top controversial new old
[–] [email protected] 8 points 8 months ago (2 children)

The allowed IP ranges on the server indicate what private addresses the clients can use, so you should have a separate one for each client. They can be /32 addresses as each client only needs one address and, I'm assuming, doesn't route traffic for anything else.

The allowed IP range on each client indicates what private address the server can use, but as the server is also routing traffic for other machines (the other client for example) it should cover those too.

Apologies that this isn't better formatted, but I'm away from my machine. For example, on your setup you might use:

On home server: AllowedIPs 192.168.178.0/24 Address 192.168.178.2

On phone: AllowedIPs 192.168.178.0/24 Address 192.168.178.3

On VPS: Address 192.168.178.1 Home server peer: AllowedIPs 192.168.178.2/32

Phone peer: AllowedIPs 192.168.178.3/32

[–] [email protected] 7 points 8 months ago (2 children)

The allowed IP range on each client indicates what private address the server can use

I really dislike this description - yet I see it everywhere. It caused me a ton of confusion initially.

It's the IP addresses that will be routed over the VPN. So if you wanted, say, all traffic to go through the VPN then you would use "0.0.0.0/0". Which is what I do for my phone.

[–] [email protected] 4 points 8 months ago

Sort of. If you're using wg-quick then it serves two purposes, one, as you say, is to indicate what is routed over the link, and the second (and only if you're setting up the connection directly) is to limit what incoming packets are accepted.

It definitely can be a bit confusing as most people are using the wg-quick script to manage their connections and so the terminology isn't obvious, but it makes more sense if you're configuring the connection directly with wg.

[–] [email protected] 1 points 8 months ago

I've always understood it as the x.x.x.0/x being the gateway designator and network identifier, followed by the range of allowable IP addresses

[–] [email protected] 2 points 8 months ago (1 children)

Thanks, but I have configured a dedicated IP range for my Wireguard network, so the devices have IPs like 10.0.0.1. But I still want to access services in my home network in the IP range 192.168.178.0/24.

And in your example the AllowedIP = 192.168.178.2/32 of the VPS would still make it possible to route traffic from my smartphone via the VPS to my home server?

[–] [email protected] 4 points 8 months ago (1 children)

Ah, ok. You'll want to specify two allowedip ranges on the clients, 192.168.178.0/24 for your network, and 10.0.0.0/24 for the other clients. Then your going to need to add a couple of routes:

  • On the phone, a route to 192.168.178.0/24 via the wireguard address of your home server
  • On your home network router, a route to 10.0.0.0/24 via the local address of the machine that is connected to the wireguard vpn. (Unless it's your router/gateway that is connected)

You'll also need to ensure IP forwarding is enabled on both the VPS and your home machine.

[–] [email protected] 1 points 8 months ago

I actually don't know. All I want to achieve is having access from my smartphone to my local network via the VPS, which is the only device with a public IP. So it's basically a point-to-site connection from my smartphone to my home server with the VPS in between.

And I just followed a tutorial and that's why I set up the 10.0.0.0/24 IP range.

[–] [email protected] 4 points 8 months ago (2 children)
[–] [email protected] 2 points 8 months ago

Looks perfect, thanks!

[–] [email protected] 2 points 8 months ago (1 children)

Thanks, that did the trick!

[–] [email protected] 2 points 8 months ago

Cheers! 😉

[–] [email protected] 3 points 8 months ago (1 children)

This doesn’t address your issue specifically because I haven’t tried personally to use wireguard on my home server. Personally however I’ve been using Tailscale to connect to my home network remotely for DNS redirects through Pihole and to connect to my self-hosted services. I found Tailscale pretty easy to setup. If you can’t get Wireguard figured out you might give it a look as an alternative.

[–] [email protected] 6 points 8 months ago (1 children)

Tailscale is WireGuard. Just a fancy one.

[–] [email protected] 5 points 8 months ago* (last edited 8 months ago)

Tailscale does NAT hole punching which really helps when dealing with systems behind NAT or restrictive firewalls. Your phone can connect directly to your home network without having to go through a VPS if you use Tailscale, even if your home internet connection doesn't have a static IP.

[–] [email protected] 0 points 8 months ago* (last edited 8 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
IP Internet Protocol
NAT Network Address Translation
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

5 acronyms in this thread; the most compressed thread commented on today has 30 acronyms.

[Thread #544 for this sub, first seen 25th Feb 2024, 20:25] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] -3 points 8 months ago (1 children)

Save yourself some trouble and use Ngnix proxy manger.

Another option is Netbird or Tailscale.

[–] [email protected] 1 points 8 months ago

I am using NPM, that doesn't help with my issue.