MESSAGE
DATE: 2025-12-08
FROM: aqua
SUBJECT: Re: [Hangout - NYLXS] [artix-general] Proton VPN
On 2025-12-08 04:33, Ruben Safir wrote:
> any experience with ANY VPN in artix?
I self-host a wireguard instance to route traffic to/through my lan, though my approach is to do it on the router level instead of the hosts as it makes it easier when you have multiple hosts. Still, the same logic seems to apply.
Here are some notes I've written. It's mostly focused on the exact setup I have (opnsense on x86, with some cheapo and some less cheapo mikrotiks). You can also do this on openwrt, afaik it requires some additional packages to be installed so beware if your router has an 8/16MB flash and not much ram.
Hope this helps. ^_^
## How wireguard works on a high level

To use wireguard you create an interface and assign peers to it. Peers are configurations for remote wireguard servers, and IP addresses and subnets that are routed by them.
## wireguard point-to-point bridge

I mostly use wireguard on routers to create bridges between LANs. To give an example, here are two LANs we want to route traffic between:

- LAN1: 192.168.0.0/24
- LAN2: 192.168.1.0/24
On router1, wg0 would listen on `$WAN1IP:$port`, and needs to have a config for peer2 with `AllowedIPs=192.168.1.0/24`.
On router2, wg0 needs to have a config for peer1 with `EndpointAddress=$WAN1IP`, `EndpointPort=$port`, and `AllowedIPs=192.168.0.0/24`.
Depending on router software, you might also need to set up static routes (ex: mikrotik needs this, opnsense does it automatically for you), and also firewall rules to allow traffic between subnets.
note: it is useful to set a keepalive on the peers if only one of them has a public IP, since the one behind NAT needs to initiate the connection.
### Rule notes

On mikrotik switches, you don't need anything because they don't seem to drop packets by default. Firewall to them seems to mean "door in the field".
Mikrotik routers do a little better, so you need to allow incoming packets from LAN2 on router1 and from LAN1 on router2.
OpnSense makes sense, and you need to do the same thing for your LAN on your wireguard interface (`IPv4/6 $wireguard_net allow dest *`).
### performance notes

Latency-wise, there is little to no noticeable impact in my use case.

Bandwidth-wise: wireguard does encrypt traffic, and does have a noticeable impact on low-end hardware. A mikrotik hex poe lite (100mbps router) with a single core mipsbe cpu at 650MHz can handle about 60mbps at most. Interestingly enough, the same cpu is also used on some of the 10g mikrotik switches, with the same resulting bandwidth (since it's a cpu bottleneck). A dual core cpu at about 700-800MHz can maintain 100mbps.
Memory use: not much. I haven't really checked, but none of the machines I've tested this on experienced memory issues.
Software used for bandwidth: iperf3.
## roadwarrior setup

Basically just the same thing as the point-to-point tunnel, just one of the endpoints is the actual device, and you route `0.0.0.0/0`, aka all the packets, through it. The opnsense wireguard peer generator outputs a config for this:

```
[Interface]
PrivateKey = 
Address = 10.0.0.123/32
DNS = 192.168.0.1

[Peer]
PublicKey = 
Endpoint = $WAN1IP:$port
AllowedIPs = 0.0.0.0/0,::/0
```
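An added example, not part of the post above: it renders both sides of the two-LAN point-to-point bridge described there as wg-quick style configs (router1 reachable on a public address, router2 behind NAT with a keepalive) and checks the cryptokey-routing invariants that silently break such bridges. The public IP, port, tunnel addresses and key strings are constructed placeholders.

```python
import ipaddress

# Constructed example of the two-router bridge from the post: router1 has a public
# address, router2 sits behind NAT. Keys and the public IP are placeholders.
ROUTER1 = {"name": "router1", "lan": "192.168.0.0/24", "tunnel_ip": "10.10.0.1/32",
           "public_ip": "203.0.113.10", "port": 51820}
ROUTER2 = {"name": "router2", "lan": "192.168.1.0/24", "tunnel_ip": "10.10.0.2/32",
           "public_ip": None, "port": 51820}


def render_side(local, remote, private_key="<PRIVATE_KEY>", peer_pubkey="<PEER_PUBLIC_KEY>"):
    """wg-quick style config for `local`, with `remote` as its only peer."""
    lines = ["[Interface]", f"PrivateKey = {private_key}", f"Address = {local['tunnel_ip']}"]
    if local["public_ip"]:                      # only the reachable side needs a fixed port
        lines.append(f"ListenPort = {local['port']}")
    lines += ["", "[Peer]", f"PublicKey = {peer_pubkey}",
              # cryptokey routing: this peer may only carry these networks, nothing else
              f"AllowedIPs = {remote['tunnel_ip']}, {remote['lan']}"]
    if remote["public_ip"]:
        lines.append(f"Endpoint = {remote['public_ip']}:{remote['port']}")
    if not local["public_ip"]:                  # NAT side must initiate and keep the mapping alive
        lines.append("PersistentKeepalive = 25")
    return "\n".join(lines) + "\n"


def allowed_ips(config_text):
    """Collect every AllowedIPs entry of a rendered config as ip_network objects."""
    nets = []
    for line in config_text.splitlines():
        if line.startswith("AllowedIPs"):
            nets += [ipaddress.ip_network(x.strip()) for x in line.split("=", 1)[1].split(",")]
    return nets


def overlapping(nets):
    """Pairs of AllowedIPs that overlap. WireGuard gives each allowed IP to exactly one
    peer (a later peer silently takes it from an earlier one), so an overlap means
    traffic for one LAN quietly ends up at the wrong peer."""
    nets = [ipaddress.ip_network(n) for n in nets]
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def lan_clash(local, remote):
    """True if the remote LAN overlaps the local one: the tunnel route would then
    swallow local traffic, so the two LANs must be renumbered first."""
    return ipaddress.ip_network(local["lan"]).overlaps(ipaddress.ip_network(remote["lan"]))


if __name__ == "__main__":
    for local, remote in ((ROUTER1, ROUTER2), (ROUTER2, ROUTER1)):
        assert not lan_clash(local, remote) and not overlapping(allowed_ips(render_side(local, remote)))
        print(f"# {local['name']}\n{render_side(local, remote)}")
```

Static routes and firewall rules are still the router's job, as the post notes; this only produces the peer definitions and catches overlapping or clashing networks before they are loaded.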