MESSAGE
| DATE | 2025-12-08 |
| FROM | aqua
|
| SUBJECT | Re: [Hangout - NYLXS] [artix-general] Proton VPN
|
On 2025-12-08 04:33, Ruben Safir wrote:
> any experience with ANY VPN in artix?
I self-host a wireguard instance to route traffic to/through my lan,
though my approach is to do it on the router level instead of the hosts
as
it makes it easier when you have multiple hosts. Still, the same logic
seems
to apply.
Here are some notes I've written. It's mostly focused on the exact setup
I
have (opnsense on x86, with some cheapo and some less cheapo mikrotiks).
You
can also do this on openwrt, afaik it requires some additional packages
to be
installed so beware if your router has an 8/16MB flash and not much ram.
Hope this helps. ^_^
## How wireguard works on a high level
To use wireguard you create an interface and assign peers to it. Peers
are
configurations for remote wireguard servers, and IP addresses and
subnets that
are routed by them.
## wireguard point-to-point bridge
I mostly use wireguard on routers to create bridges between LANs. To
give an
exmaple, here are two LANs we want to route traffic between:
- LAN1: 192.168.0.0/24
- LAN2: 192.168.1.0/24
On router1, wg0 would listen on `$WAN1IP:$port`, and needs to have a
config for
peer2 with `AllowedIPs=192.168.1.0/24`.
On router2, wg0 needs to have a config for peer1 with
`EndpointAddress=$WAN1IP`,
`EndpointPort=$port`, and `AllowedIPs=192.168.0.0/24`.
Depending on router software, you might also need to set up static
routes (ex:
mikrotik needs this, opnsense does it automatically for you), and also
firewall
rules to allow traffic between subnets.
note: it is useful to set a keepalive on the peers if only one of them
has a
public IP, since the one behind NAT needs to initiate the connection.
### Rule notes
On mikrotik switches, you don't need anything because they don't seem to
drop
packets by default. Firewall to them seems to mean "door in the field".
Mikrotik routers do a little better, so you need to allow incoming
packets from
LAN2 on router1 and from LAN1 on router2.
OpnSense makes sense, and you need to do the same thing for your LAN on
your
wireguard interface (`IPv4/6 $wireguard_net allow dest *`).
### performance notes
Latency-wise, there is little to no noticeable impact in my use case.
Bandwidth-wise: wireguard does encrypt traffic, and does have a
noticeable
impact on low-end hardware. A mikrotik hex poe lite (100mbps router)
with a
single core mipsbe cpu at 650MHz can handle about 60mbps at most.
Interestingly
enough, same cpu is also used on some of the 10g mikrotik switches, with
the
same resulting bandwidth (since it's a cpu bottleneck). A dual core cpu
at
about 700-800MHz can maintain 100mbps.
Memory use: not much. I haven't really checked, but none of the machines
I've
tested this on experienced memory issues.
Software used for bandwidth: iperf3.
## roadwarrior setup
Basically just the same thing as the point-to-point tunnel, just one of
the
endpoints is the actual device, and you route `0.0.0.0/0`, aka all the
packets,
through it. The opnsense wireguard peer generator outputs a config for
this:
```
[Interface]
PrivateKey =
Address = 10.0.0.123/32
DNS = 192.168.0.1
[Peer]
PublicKey =
Endpoint = $WAN1IP:$port
AllowedIPs = 0.0.0.0/0,::/0
```
## Sources
-
-
-
_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout
|
|
