MESSAGE
| DATE | 2025-12-08 |
| FROM | Ruben Safir |
| SUBJECT | [Hangout - NYLXS] wireguard |
On Mon, Dec 08, 2025 at 05:24:16AM -0500, Ruben Safir wrote:
> On Mon, Dec 08, 2025 at 09:45:15AM +0200, aqua wrote:
> > On 2025-12-08 04:33, Ruben Safir wrote:
> > > any experience with ANY VPN in artix?
> >
> > I self-host a wireguard instance to route traffic to/through my lan,
> > though my approach is to do it on the router level instead of the hosts as
> > it makes it easier when you have multiple hosts. Still, the same logic seems
> > to apply.
> >
>
> I need it to be specific to the client and I want the cryptography.
> So I need a VPN provider, I believe. As I understand it, a VPN client
> would create a new network device that you would set as the default gateway.
>
> The desktop is on the private internal space and the gateways currently
> use packet forwarding and MASQ. I don't want to disturb these systems.
>
> > Here are some notes I've written. It's mostly focused on the exact setup I
> > have (opnsense on x86, with some cheapo and some less cheapo mikrotiks). You
> > can also do this on openwrt, afaik it requires some additional packages to be
> > installed so beware if your router has an 8/16MB flash and not much ram.
> >
> > Hope this helps. ^_^
> >
> > ## How wireguard works on a high level
> > To use wireguard you create an interface and assign peers to it. Peers are
> > configurations for remote wireguard servers, and IP addresses and subnets that
> > are routed by them.
> >
>
> I'll look at wireguard but I don't see how that will help route packets
> in an anonymous way. I want to anonymize my public bound internet
> connection and that requires an off site network relay and encrypting
> the packet loads
>
> > ## wireguard point-to-point bridge
> > I mostly use wireguard on routers to create bridges between LANs. To give an
> > example, here are two LANs we want to route traffic between:
> >
> > - LAN1: 192.168.0.0/24
> > - LAN2: 192.168.1.0/24
> >
> > On router1, wg0 would listen on `$WAN1IP:$port`, and needs to have a config for
> > peer2 with `AllowedIPs=192.168.1.0/24`.
> >
> > On router2, wg0 needs to have a config for peer1 with `EndpointAddress=$WAN1IP`,
> > `EndpointPort=$port`, and `AllowedIPs=192.168.0.0/24`.
> >
OK - looking over wireguard, it might be more useful than I thought, but you still need an external server to connect wireguard to and to be a gateway for your traffic. Would it not be best to also randomize those external gateways if you want to really be anonymous?

Because of the recent court rulings against COX, which is going to the supreme court, I want to be anonymous and encrypted on the public internet outside of just using a tor browser.
> > Depending on router software, you might also need to set up static routes (ex:
> > mikrotik needs this, opnsense does it automatically for you), and also firewall
> > rules to allow traffic between subnets.
> >
> > note: it is useful to set a keepalive on the peers if only one of them has a
> > public IP, since the one behind NAT needs to initiate the connection.
> >
> > ### Rule notes
> > On mikrotik switches, you don't need anything because they don't seem to drop
> > packets by default. Firewall to them seems to mean "door in the field".
> >
> > Mikrotik routers do a little better, so you need to allow incoming packets from
> > LAN2 on router1 and from LAN1 on router2.
> >
> > OpnSense makes sense, and you need to do the same thing for your LAN on your
> > wireguard interface (`IPv4/6 $wireguard_net allow dest *`).
> >
> > ### performance notes
> > Latency-wise, there is little to no noticeable impact in my use case.
> >
> > Bandwidth-wise: wireguard does encrypt traffic, and does have a noticeable
> > impact on low-end hardware. A mikrotik hex poe lite (100mbps router) with a
> > single core mipsbe cpu at 650MHz can handle about 60mbps at most. Interestingly
> > enough, same cpu is also used on some of the 10g mikrotik switches, with the
> > same resulting bandwidth (since it's a cpu bottleneck). A dual core cpu at
> > about 700-800MHz can maintain 100mbps.
> >
> > Memory use: not much. I haven't really checked, but none of the machines I've
> > tested this on experienced memory issues.
> >
> > Software used for bandwidth: iperf3.
> >
> > ## roadwarrior setup
> > Basically just the same thing as the point-to-point tunnel, just one of the
> > endpoints is the actual device, and you route `0.0.0.0/0`, aka all the packets,
> > through it. The opnsense wireguard peer generator outputs a config for this:
> > ```
> > [Interface]
> > PrivateKey =
> > Address = 10.0.0.123/32
> > DNS = 192.168.0.1
> >
> > [Peer]
> > PublicKey =
> > Endpoint = $WAN1IP:$port
> > AllowedIPs = 0.0.0.0/0,::/0
> > ```
> >
> > ## Sources
> > -
> > -
> > -
--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013

_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout
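An added example, not from the thread or from aqua's notes: a small Python script that emits wg-quick configs for the two setups quoted above (the router1/router2 LAN bridge and the full-tunnel roadwarrior client) and then answers the question the `AllowedIPs` lines actually encode: which peer a given destination is routed through, and whether a packet arriving from a peer is accepted at all. The `Router` class, `build_site_config`, `peer_for_destination`, the `*_PLACEHOLDER` key strings and the 203.0.113.10 / 10.9.0.0/24 addresses are constructed for this example; real keys come from `wg genkey` / `wg pubkey` on the routers. It goes slightly beyond the quoted notes by also putting the remote tunnel address into `AllowedIPs`, refusing overlapping LANs, and adding the keepalive only on the side without a public IP.

```python
"""wg-quick config generator and cryptokey-routing lookup (constructed example).

Keys are placeholders and addresses are RFC 1918 / RFC 5737 test ranges.
Nothing here touches the network; it only emits config text and mirrors
the lookup WireGuard performs on AllowedIPs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Router:
    name: str
    lan: str                      # subnet behind this router, e.g. 192.168.0.0/24
    tunnel_addr: str              # wg0 address inside the tunnel, e.g. 10.9.0.1/24
    public_key: str               # placeholder string, not a real WireGuard key
    wan_ip: Optional[str] = None  # None when the router sits behind NAT
    listen_port: int = 51820


def check_site_pair(a: Router, b: Router) -> None:
    """Reject the two mistakes that silently break a LAN-to-LAN bridge."""
    lan_a, lan_b = ipaddress.ip_network(a.lan), ipaddress.ip_network(b.lan)
    if lan_a.overlaps(lan_b):
        raise ValueError(f"{a.lan} and {b.lan} overlap; the two sites cannot share a subnet")
    if a.wan_ip is None and b.wan_ip is None:
        raise ValueError("at least one router needs a public IP to receive the handshake")


def build_site_config(me: Router, other: Router, private_key_ref: str, keepalive: int = 25) -> str:
    """wg-quick text for `me`, with `other` as its single peer."""
    check_site_pair(me, other)
    lines = ["[Interface]", f"PrivateKey = {private_key_ref}", f"Address = {me.tunnel_addr}"]
    if me.wan_ip is not None:
        lines.append(f"ListenPort = {me.listen_port}")  # only the public side listens
    lines += ["", "[Peer]", f"PublicKey = {other.public_key}"]
    if other.wan_ip is not None:
        lines.append(f"Endpoint = {other.wan_ip}:{other.listen_port}")
    # AllowedIPs is both the route table and the ingress filter for this peer:
    # the remote tunnel address plus the remote LAN, and nothing wider.
    other_tunnel_ip = ipaddress.ip_interface(other.tunnel_addr).ip
    lines.append(f"AllowedIPs = {other_tunnel_ip}/32, {other.lan}")
    if me.wan_ip is None:
        # The NAT side must initiate and keep the mapping alive (the keepalive note above).
        lines.append(f"PersistentKeepalive = {keepalive}")
    return "\n".join(lines) + "\n"


def build_roadwarrior_config(client_addr: str, dns: str, server: Router, private_key_ref: str) -> str:
    """Full-tunnel client config in the shape of the quoted opnsense output."""
    if server.wan_ip is None:
        raise ValueError("a roadwarrior server must have a public endpoint")
    return "\n".join([
        "[Interface]", f"PrivateKey = {private_key_ref}", f"Address = {client_addr}", f"DNS = {dns}", "",
        "[Peer]", f"PublicKey = {server.public_key}",
        f"Endpoint = {server.wan_ip}:{server.listen_port}",
        "AllowedIPs = 0.0.0.0/0, ::/0",  # every v4 and v6 packet goes through the tunnel
        "PersistentKeepalive = 25",      # the client is normally behind NAT
    ]) + "\n"


def _peers(config_text: str) -> List[Dict[str, str]]:
    """Minimal INI-style parse of the [Peer] sections of a wg-quick config."""
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return peers


def peer_for_destination(config_text: str, dst: str) -> Optional[str]:
    """Longest-prefix match over all peers' AllowedIPs; None means 'not via the tunnel'."""
    addr = ipaddress.ip_address(dst)
    best: Optional[tuple] = None
    for peer in _peers(config_text):
        for cidr in peer.get("AllowedIPs", "").split(","):
            if not cidr.strip():
                continue
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, peer.get("PublicKey"))
    return None if best is None else best[1]


def source_accepted(config_text: str, peer_public_key: str, src: str) -> bool:
    """WireGuard drops a decrypted packet unless its source maps to the peer that
    sent it in the same AllowedIPs table; this mirrors that check."""
    return peer_for_destination(config_text, src) == peer_public_key


if __name__ == "__main__":
    router1 = Router("router1", "192.168.0.0/24", "10.9.0.1/24", "ROUTER1_PUBKEY_PLACEHOLDER", wan_ip="203.0.113.10")
    router2 = Router("router2", "192.168.1.0/24", "10.9.0.2/24", "ROUTER2_PUBKEY_PLACEHOLDER")  # behind NAT
    print(build_site_config(router1, router2, "ROUTER1_PRIVKEY_PLACEHOLDER"))
    print(build_site_config(router2, router1, "ROUTER2_PRIVKEY_PLACEHOLDER"))
    print(build_roadwarrior_config("10.0.0.123/32", "192.168.0.1", router1, "LAPTOP_PRIVKEY_PLACEHOLDER"))
```

The point `source_accepted` makes is the one worth remembering when widening `AllowedIPs`: the same list that decides where packets go also decides which source addresses a peer may present, so a peer given `0.0.0.0/0` on a router can originate traffic that appears to come from anywhere, while a peer limited to its own LAN cannot. The firewall rules aqua mentions sit on top of that, not instead of it.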