Here’s an example of what I use across multiple networks, with roaming and static devices. They all use a common /24 subnet (that doesn’t overlap with any of the common LAN subnets), and each gets its own /32 address in that subnet. That way each one accepts traffic from any other WG client in the same subnet as local traffic to the host device. Essentially each PC, server, or phone thinks it’s on the same local network as every other WG client.
```ini
[Interface]
PrivateKey = XXX
ListenPort = 51820
Address = 10.172.43.11/24
# Every client gets an address in the 10.172.43.x network

[Peer]
PublicKey = XXXX
AllowedIPs = 10.172.43.15/32
# This device is a roaming phone or laptop, so it will be able to talk to the server when it wants to, but must initiate all traffic.

[Peer]
PublicKey = XXXX
AllowedIPs = 10.172.43.1/32, 192.168.1.0/24
# This device is a router which is configured to NAT any traffic from WG to the LAN, so any WG device can talk to the LAN as if it's local.
# (The router's own overlay address is an assumed value; it must be the router's /32, not this host's own 10.172.43.11 from [Interface].)
Endpoint = my.dynamic.dns.addres:51820
# Use dynamic DNS for any device that has a semi-permanent public IP and hosts ANY amount of content, files, or needs to be accessible over SSH
```
WireGuard is **WAY** faster than any other VPN I’ve tested, and much more flexible, but at the cost of a little extra setup.
I’ve been using Caddy instead of nginx for years now. As long as your port forwarding is already set up, it’ll pull TLS certs for every domain in the config automatically and keep them up to date forever.
It’s also super easy to use as a reverse proxy, so you can run one Caddy server for all your sites on the same machine pretty easily.
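As an added example (not part of the original post), here is a small Python checker for the flat /24 overlay layout described above. It parses a wg-quick style config and reports any peer whose overlay entry is not a single /32 inside the shared /24, whose AllowedIPs include the host's own Interface address (which is what the router peer in the posted config does), whose LAN route swallows the overlay, or whose routes overlap another peer's. The sample config is constructed to mirror the post with placeholder keys; the router address 10.172.43.1 used in the fixed variant is an assumption, not a value from the post.

```python
"""Sanity-check a WireGuard config that follows the flat /24 overlay layout:
every peer's overlay entry must be a single /32 inside the overlay, must not be this
host's own address, must not overlap another peer, and LAN routes must not swallow
the overlay. Added example; not the original poster's tooling."""
import ipaddress

# Constructed sample mirroring the post's config (keys are placeholders, not real keys).
# It keeps the post's second peer, whose AllowedIPs repeats the Interface address.
SAMPLE_CONF = """\
[Interface]
PrivateKey = XXX
ListenPort = 51820
Address = 10.172.43.11/24

[Peer]
PublicKey = XXXX
AllowedIPs = 10.172.43.15/32     # roaming phone: no Endpoint, it must dial in

[Peer]
PublicKey = XXXX
AllowedIPs = 10.172.43.11/32, 192.168.1.0/24
Endpoint = my.dynamic.dns.addres:51820
"""

# Same layout with the router given its own overlay address (assumed value 10.172.43.1).
FIXED_CONF = SAMPLE_CONF.replace("10.172.43.11/32", "10.172.43.1/32")


def parse_wg(text):
    """Parse a wg-quick style config into (interface_dict, [peer_dict, ...]).
    Keys are lower-cased; '#' comments and blank lines are ignored."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            name = line[1:-1].strip().lower()
            if name == "interface":
                interface = current
            elif name == "peer":
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {line!r}")
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return interface, peers


def check_overlay(text):
    """Return a list of problem strings; an empty list means the layout is consistent."""
    iface, peers = parse_wg(text)
    host = ipaddress.ip_interface(iface["address"])
    overlay = host.network                 # e.g. 10.172.43.0/24
    problems, claimed = [], []             # claimed: (peer_no, network) already seen
    for no, peer in enumerate(peers, 1):
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in peer.get("allowedips", "").split(",") if n.strip()]
        if not nets:
            problems.append(f"peer {no}: no AllowedIPs, it can never send or receive")
        in_overlay = [n for n in nets if n.version == overlay.version and n.subnet_of(overlay)]
        if nets and not in_overlay:
            problems.append(f"peer {no}: has no address inside overlay {overlay}")
        for n in in_overlay:
            if n.prefixlen != overlay.max_prefixlen:
                problems.append(f"peer {no}: overlay entry {n} is not a single-host /32")
            if host.ip in n:
                problems.append(f"peer {no}: AllowedIPs {n} contains this host's own address {host.ip}")
        for n in nets:
            if n not in in_overlay and n.version == overlay.version and n.overlaps(overlay):
                problems.append(f"peer {no}: route {n} swallows the overlay {overlay}")
            if n not in in_overlay and "endpoint" not in peer:
                problems.append(f"peer {no}: advertises {n} but has no Endpoint, so this host cannot initiate to it")
            for other_no, other in claimed:
                if n.version == other.version and n.overlaps(other):
                    problems.append(f"peer {no}: {n} overlaps peer {other_no}'s {other}")
            claimed.append((no, n))
    return problems


if __name__ == "__main__":
    for name, conf in (("as posted", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {check_overlay(conf) or 'OK'}")
```

Run against the config as posted, the checker flags the router peer's `10.172.43.11/32` because it equals the host's own Interface address; with the router given its own /32 the list comes back empty. The Endpoint check is intentionally one-sided: a peer that only carries an overlay /32 may roam without an Endpoint, but a peer advertising a LAN route needs one if this host is ever to initiate traffic toward that LAN.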