WireGuard topologies for self-hosting at home
a day ago
- #VPN
- #Self-Hosting
- #WireGuard
- The author migrated self-hosted services from a VPS to a home server for better hardware and network control.
- WireGuard is used to establish a VPN for secure communication among devices at home, though it's not strictly necessary for self-hosting.
- First-order constraints include no external dependencies, Zero Trust principles, and optional external connectivity without compromising the core design.
- Second-order constraints favor native WireGuard use without a control plane, avoiding solutions like Tailscale or Netbird.
- Non-constraints include mesh networking and automatic discovery, as manual configuration is acceptable.
- A connection matrix defines which devices connect to each other, informing WireGuard peer configurations and firewall rules.
- The initial topology uses point-to-point networking, with each device listing peers it connects to directly.
- Static IP addresses are recommended so that peer endpoints do not silently change when DHCP hands a device a different address.
- For external access, a VPS with a public IP acts as a relay (hub-and-spoke topology) due to the home network being behind CGNAT.
- The home network later adopts a hub-and-spoke topology with the server (or router) as the hub, simplifying configurations and centralizing access control.
- The final design includes VLANs for traffic isolation, with the router as the WireGuard hub, ensuring seamless communication across VLANs.
- The author highlights WireGuard's simplicity and effectiveness but acknowledges the need for networking knowledge to deploy it properly.
- Future topics may include DNS configuration and detailed access control within the WireGuard setup.
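As an added illustration of the connection-matrix and topology points above (example code written for this summary, not taken from the article), the script below turns a small symmetric connection matrix into WireGuard `[Peer]` sections for both the point-to-point and the hub-and-spoke layout. Device names, tunnel addresses, the `server.lan:51820` endpoint and the placeholder public keys are all constructed sample values.

```python
# Constructed sample data (added example, not from the summarized article).
# Tunnel addresses are static, as the article recommends; public keys are
# placeholders to be replaced with real `wg pubkey` output.
DEVICES = {
    "server": {"ip": "10.0.0.1", "pubkey": "<server-pubkey>", "endpoint": "server.lan:51820"},
    "laptop": {"ip": "10.0.0.2", "pubkey": "<laptop-pubkey>"},
    "phone": {"ip": "10.0.0.3", "pubkey": "<phone-pubkey>"},
}
# Connection matrix: which devices may talk directly. A WireGuard tunnel only
# comes up when both ends list each other, so the matrix must be symmetric.
MATRIX = {
    "server": {"laptop", "phone"},
    "laptop": {"server", "phone"},
    "phone": {"server", "laptop"},
}

def asymmetric_links(matrix):
    """Return (a, b) pairs where a lists b but b does not list a."""
    return sorted((a, b) for a, peers in matrix.items()
                  for b in peers if a not in matrix.get(b, set()))

def peer_block(peer, allowed_ips):
    lines = ["[Peer]", f"PublicKey = {peer['pubkey']}", f"AllowedIPs = {allowed_ips}"]
    if "endpoint" in peer:  # only peers with a reachable address get an Endpoint
        lines.append(f"Endpoint = {peer['endpoint']}")
    return "\n".join(lines)

def point_to_point(device, matrix=MATRIX, devices=DEVICES):
    """Point-to-point: each device lists exactly the peers in its matrix row.
    A /32 AllowedIPs means the kernel routes to, and accepts from, only that
    peer's single tunnel address (cryptokey routing acts as the firewall)."""
    return "\n\n".join(peer_block(devices[n], f"{devices[n]['ip']}/32")
                       for n in sorted(matrix[device]))

def hub_and_spoke(device, hub="server", devices=DEVICES, subnet="10.0.0.0/24"):
    """Hub-and-spoke: spokes list only the hub and route the whole tunnel subnet
    through it; the hub lists every spoke. Spoke-to-spoke reachability is then
    decided centrally by forwarding rules on the hub, not by peer lists."""
    if device == hub:
        return "\n\n".join(peer_block(devices[n], f"{devices[n]['ip']}/32")
                           for n in sorted(devices) if n != hub)
    return peer_block(devices[hub], subnet)

if __name__ == "__main__":
    assert not asymmetric_links(MATRIX), asymmetric_links(MATRIX)
    print("# laptop, point-to-point\n" + point_to_point("laptop"))
    print("\n# phone, hub-and-spoke\n" + hub_and_spoke("phone"))
```

The hub variant still needs IP forwarding and firewall rules on the hub to decide which spokes may reach each other; the generated peer sections only establish who can bring a tunnel up.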