this post was submitted on 31 Dec 2025
51 points (100.0% liked)

Selfhosted

  • A different device from your home server?
  • On the same home server as the services but directly on the host?
  • On the same home server as the services but inside some VM or container?

Do you configure it manually or do you use some helper/interface like WGEasy?

I have been personally using wg-easy but recently started locking down and hardening my containers, and this Node app running as root is kinda...

top 45 comments
[–] K3can@lemmy.radio 23 points 5 days ago

On my router

[–] ikidd@lemmy.world 3 points 3 days ago (1 children)
[–] antsu@discuss.tchncs.de 0 points 3 days ago (1 children)
[–] utjebe@reddthat.com 1 points 2 days ago

This is the way.

If the router works, you've got access to your lab. If it doesn't, well, redundancy was not a requirement / too much hassle to set up.

[–] ThunderLegend@sh.itjust.works 2 points 3 days ago

I run a WireGuard container on my old desktop server and wg-easy on a Pi 2 as backup.

[–] zueski@lemmy.zip 15 points 4 days ago

On my opnsense router

[–] Localhorst86@feddit.org 8 points 4 days ago

On my router, my FritzBox came with WG support built in.

[–] brewery@feddit.uk 10 points 5 days ago

I have a VPS (Hetzner dedicated server auction) as well as my home servers. The VPS has a fixed IP, so I've set up WireGuard endpoints to all point to it with forwarding on, so I can access every device indirectly through the VPS. It allows them to work across DDNS or remotely.

I used this guide (https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04). Tried different tools, GUIs and other methods but always came back to this as working the best.

[–] sakphul@discuss.tchncs.de 6 points 4 days ago (1 children)

Always in the router if it supports it. If it does not support wireguard I would rather (if you are able and allowed to) replace the router instead of using something else.

[–] piyuv@lemmy.world 7 points 4 days ago (3 children)
[–] Auli@lemmy.ca 1 points 3 days ago

It's my outside device; it allows things into my network, so I might as well terminate the VPN there. I mean, if my router is down I'm not getting to the VPN endpoint inside my network.

[–] dogs0n@sh.itjust.works 2 points 3 days ago* (last edited 3 days ago)

Maybe easier to set up because routers that support VPNs come with nice-ish web UIs.

That said, if you have a server (pc, pi, etc), setting up wireguard with wg-easy is mostly painless (comes with a nice web ui), so there is no reason to replace your router in this case!

Instead of replacing a router, I'd prefer buying a pi anyways.

Unless you want to route all outbound traffic through a vpn with zero config on devices, I can't see why you'd replace a router.

Final note: most people prefer hosting a VPN on a server, even if their router supports it, as far as I'm aware at least (edit: this might be wrong judging from the rest of the comments saying they use their router).

[–] sakphul@discuss.tchncs.de 1 points 3 days ago

For me, similar tasks should be handled by the same device. Network routing and VPN are similar things for me, therefore they are handled by the router.

It also handles VPN connections to other remote locations. So again same things in the same device.

Another benefit (which you can also have on the server with some additional effort): the router boots up without interaction after a power outage. The server does not. Then I can connect and unlock (LUKS password) the servers.

[–] AtariDump@lemmy.world 1 points 3 days ago (1 children)

One instance runs on the router (Unifi USG) and the other on a Pi3 (as a backup) using PiVPN.

Usually, if I need to set it up, I’ll use PiVPN and either a Pi or Debian/Ubuntu host.

[–] Auli@lemmy.ca 1 points 3 days ago (1 children)

If your router is down how do you get to your pi backup?

[–] AtariDump@lemmy.world 1 points 3 days ago

My concern is that the WireGuard portion of the router fails for some reason but still routes.

It also allows me to choose another port

[–] kalleboo@lemmy.world 8 points 5 days ago* (last edited 5 days ago)

On my (OpenWrt) router, configured using the OpenWrt interface

[–] FrederikNJS@sopuli.xyz 5 points 4 days ago

I have a Raspberry Pi that runs pihole and Wireguard exclusively. My home server is a Kubernetes cluster running on an old desktop PC and 2 Intel NUCs.

The reason for the separate Pi was essentially because I only had the desktop PC initially, and for a while I had a faulty CPU, making the desktop PC crash or become unresponsive, so it helped a lot having DNS and VPN access separated from the instability.

[–] Jaybird@lemmy.world 1 points 3 days ago (1 children)

That's the fun part. I'm creating a mesh where multiple things are server and client.

K8s, mikrotik, home assistant, frigate, pangolin, etc.

[–] Auli@lemmy.ca 1 points 3 days ago (1 children)

I don't get the mesh if everything is behind your router or firewall what is the point.

[–] Jaybird@lemmy.world 1 points 1 day ago

Ah yes, those things are not all in one "home network". I have multiple VLANs, multiple ISPs and multiple locations, including some rented VMs.

[–] possiblylinux127@lemmy.zip 2 points 4 days ago

What are you wanting to use Wireguard for?

[–] LordKitsuna@lemmy.world 3 points 4 days ago (1 children)

One end is a local VPS with insanely good peering pretty much round the damn world, other end is my opnsense router. I actually pass a block of ipv6 through the vpn and my router hands it out to devices which is a nice little bonus

[–] eleitl@lemmy.zip 1 points 4 days ago (1 children)

Who is your VPS provider, if you don't mind telling?

[–] LordKitsuna@lemmy.world 2 points 4 days ago (1 children)

https://spartanhost.org/ The owner is super chill, will make custom spec deployments, and they actually have really nice management panels with nice, easy custom ISO support.

[–] eleitl@lemmy.zip 1 points 4 days ago
[–] prenatal_confusion@feddit.org 2 points 4 days ago

VPS with public IPv4/v6. Avoids all the DynDNS mess.

[–] cmnybo@discuss.tchncs.de 3 points 5 days ago

I run one on my firewall, but it's IPv6 only because of CGNAT. The other one is running on a VPS in case I need IPv4 access. I just configured them manually.

[–] watson387@sopuli.xyz 3 points 5 days ago

I run the server on an old Pi. That's its only job.

Wireguard normally runs with higher than root privileges as part of the kernel, outside of any container namespaces. If you're running some sort of Wireguard administration service you might be able to restrict its capabilities, but that isn't Wireguard. Most of my devices are running Wireguard managed by tailscaled running as root, and some are running additional, fixed Wireguard tunnels without a persistent management service.
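Taking the point above about restricting the management service rather than WireGuard itself: the kernel does the tunnel crypto and packet handling, so a web-UI/admin container only needs enough privilege to create and configure the interface. The compose fragment below is an added illustration of that split, not from any commenter or from the wg-easy project; the image name, tag, ports and volume path are placeholders to be replaced with the values from whichever admin tool you actually run.

```yaml
# Added example (not from the thread or any project): a minimal-privilege
# deployment of a WireGuard admin/web-UI container. Assumptions are marked.
services:
  wg-admin:
    image: example.invalid/wg-admin:placeholder   # ASSUMPTION: substitute the real image
    restart: unless-stopped
    # Drop every capability, then add back only what creating and configuring
    # a wg interface requires. NET_ADMIN covers `ip link add ... type wireguard`,
    # `wg setconf` and routing changes inside the container's network namespace.
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN
      # SYS_MODULE is NOT added: load the module on the host instead
      # (`modprobe wireguard`, or a kernel >= 5.6 with it built in), so the
      # container never needs to load kernel code.
    security_opt:
      - no-new-privileges:true
    # Forwarding between tunnel peers is a namespaced sysctl, so it can be set
    # here without touching the host's global setting.
    sysctls:
      net.ipv4.ip_forward: "1"
    ports:
      - "51820:51820/udp"           # WireGuard transport, reachable from the internet
      - "127.0.0.1:51821:51821"     # ASSUMPTION: admin UI port; bound to loopback
                                    # so it is reachable only via SSH forward or the tunnel
    volumes:
      - ./wg-config:/etc/wireguard  # peer keys and config persist here (host path is a placeholder)
```

The two checks worth doing after bringing this up are `docker inspect --format '{{.HostConfig.CapAdd}}' wg-admin` (expect only NET_ADMIN) and confirming from outside the host that the UI port is not listening on the public address. If the tool insists on running its process as root inside the container, the capability set above still bounds what that root can do, which is the concern the original poster raised.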

[–] superglue@lemmy.dbzer0.com 3 points 5 days ago

Mine runs on my router which is running openwrt

[–] non_burglar@lemmy.world 3 points 5 days ago

Runs in an extra locked-down container on one of my servers.

[–] 30p87@feddit.org 2 points 4 days ago* (last edited 4 days ago) (1 children)

Home 1's Routers, Home 2's Router, public IPv4/v6 VPS. All as the native arch package.

[–] Cyber@feddit.uk 2 points 4 days ago (1 children)

The routers are running Arch? What hardware are they?

I'm running pfSense as edge firewalls with a Fritzbox router as a bridge - no issues there, but would be interesting to replace that part too, if possible.

[–] 30p87@feddit.org 1 points 4 days ago

Old small desktop towers. Powerful, very open (so I can run my NS infra and WG server and bridge on there, and easily have them redundant), very extendable (need a 10G NIC or SFP+? Plug in a PCIe card!), and easily replaceable. I now have some old Cisco APs, which will be for my 2nd home, so I can use my FritzBox as only a modem. In my 1st home, I'll hopefully soon actually have fibre in addition to using my dad's FritzBox as uplink. And I could add a mobile modem too. There, I don't need a wireless network, as in contrast to my 2nd home, that infra is only for servers, to which I can just connect from my dad's network/FB.

[–] bananabread@lemmy.zip 1 points 4 days ago

wg-easy on a nuc

Started with it on a server but moved it to my Openwrt router. If the router's up the tunnel's up.

[–] jol@discuss.tchncs.de 1 points 5 days ago

On the home server on the host. I couldn't figure out how to make it work in a container and still have ssh access to the host, which was my goal...

[–] just_another_person@lemmy.world 0 points 5 days ago (2 children)

Why would you run a WG Client and WG Server on the same host? Am I reading that second mark wrong?

[–] aBundleOfFerrets@sh.itjust.works 5 points 5 days ago* (last edited 5 days ago) (1 children)

You are, second point means running WG on say, a proxmox root, and using it to access the containers.

Uhhhh...that is...not how you do that. Especially if you're describing routing out from a container to an edge device and back into your host machine instead of using bridged network or another virtual router on the host.

Like if you absolutely had to have a segmented network between hosts a la datacenter/cloud, you'd still create a virtual fabric or SDLAN/WAN to connect them, and that's like going WAY out of your way.

Wireguard for this purpose makes even less sense.

[–] dan@upvote.au 3 points 5 days ago* (last edited 5 days ago) (1 children)

There's no such thing as a client or server with Wireguard. All systems with Wireguard installed are "nodes". Wireguard is peer-to-peer, not client-server.

You can configure nftables rules to route through a particular node, but that doesn't really make it a server. You could configure all nodes to allow routing traffic through them if you wanted to.

If you run Wireguard on every device, you can configure a mesh VPN, where every device can directly reach any other device, without needing to route through an intermediary node. This is essentially what Tailscale does.

[–] just_another_person@lemmy.world -5 points 5 days ago* (last edited 5 days ago) (1 children)

Uhhh, nooooo. Why are all these new kids all in these threads saying this crazy uninformed stuff lately? 🤣

https://www.wireguard.com/protocol/ https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/configuring_and_managing_networking/setting-up-a-wireguard-vpn

And, in fact, for those of us that have been doing this a long time, anything with a control point or protocol always refers to said control point as the server in a PTP connection sense.

In this case, a centralized VPN routing node that connects like a Hub and Spoke is the server. Everything else is a client of that server because they can't independently do much else in this configuration.

[–] dan@upvote.au 5 points 5 days ago* (last edited 5 days ago) (1 children)

Both of those documents agree with me? RedHat are just using the terms "client" and "server" to make it easier for people to understand, but they explicitly say that all hosts are "peers".

Note that all hosts that participate in a WireGuard VPN are peers. This documentation uses the terms client to describe hosts that establish a connection and server to describe the host with the fixed hostname or IP address that the clients connect to and, optionally, route all traffic through this server.

--

Everything else is a client of that server because they can't independently do much else in this configuration.

All you need to do is add an extra peer to the WireGuard config on any one of the "clients", and it's no longer just a client, and can connect directly to that peer without using the "server".
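The exchange above (peer-to-peer with a fixed-IP "hub", versus adding a direct peer) is easy to see in the config files themselves. The three files below are an added example, not from either commenter; the 10.0.0.0/24 addresses, the host names and the `<...>` key placeholders are all constructed. In the hub-and-spoke form the laptop knows only the VPS; adding one `[Peer]` block to the laptop and one to the home server lets them talk directly, because WireGuard picks the peer whose `AllowedIPs` has the longest matching prefix (the /32 beats the /24), with the VPS still carrying everything else.

```ini
# --- vps.conf (the "hub": fixed public IP, forwards between peers) ---
# Added example; every address and key is a placeholder.
[Interface]
Address    = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <vps-private-key>
# Forwarding on the hub is what makes "route everything through the VPS" work.
PostUp   = sysctl -w net.ipv4.ip_forward=1

[Peer]                      # laptop
PublicKey  = <laptop-public-key>
AllowedIPs = 10.0.0.2/32

[Peer]                      # home server
PublicKey  = <homeserver-public-key>
AllowedIPs = 10.0.0.3/32

# --- laptop.conf, hub-and-spoke only: one peer, the VPS ---
[Interface]
Address    = 10.0.0.2/24
PrivateKey = <laptop-private-key>

[Peer]                      # VPS; the whole /24 is reached through it
PublicKey           = <vps-public-key>
Endpoint            = vps.example.invalid:51820
AllowedIPs          = 10.0.0.0/24
PersistentKeepalive = 25

# --- laptop.conf, with a direct peer added (the "no longer just a client" case) ---
[Interface]
Address    = 10.0.0.2/24
PrivateKey = <laptop-private-key>

[Peer]                      # VPS still handles anything not matched more specifically
PublicKey           = <vps-public-key>
Endpoint            = vps.example.invalid:51820
AllowedIPs          = 10.0.0.0/24
PersistentKeepalive = 25

[Peer]                      # home server directly: 10.0.0.3/32 is more specific than /24,
PublicKey  = <homeserver-public-key>       # so traffic for it bypasses the VPS
Endpoint   = home.example.invalid:51820    # needs a reachable endpoint on at least one side
AllowedIPs = 10.0.0.3/32

# --- homeserver.conf must list the laptop as a peer too, or the direct handshake is refused ---
[Interface]
Address    = 10.0.0.3/24
ListenPort = 51820
PrivateKey = <homeserver-private-key>

[Peer]                      # VPS
PublicKey           = <vps-public-key>
Endpoint            = vps.example.invalid:51820
AllowedIPs          = 10.0.0.0/24
PersistentKeepalive = 25

[Peer]                      # laptop, direct
PublicKey  = <laptop-public-key>
AllowedIPs = 10.0.0.2/32
```

Two things to verify after applying the second laptop config: `wg show` on the laptop should list a recent handshake and transfer counters against the home server's key (not only the VPS's) when you reach 10.0.0.3, and the home server's `AllowedIPs` for the laptop must be present, since WireGuard silently drops packets from a public key it has not been told about. If neither the laptop nor the home server has a reachable endpoint (both behind CGNAT, as one commenter above describes), the direct peer cannot complete a handshake and traffic keeps flowing through the VPS, which is the fallback the overlapping /24 provides.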

[–] just_another_person@lemmy.world -4 points 5 days ago* (last edited 5 days ago)

They do no such thing.

The first link explains the protocol.

The second explains WHY one would refer to client and server with regards to Wireguard.

My point ties both together to explain why people would use client and server with regards to the protocol itself, and a common configuration where this would be necessary for clarification. Ties both of them together, and makes my point from my original comment, which also refers to OP's comment.

I'm not digging you, just illustrating a correction so you're not running around misinformed.

It wasn't clear where OP was trying to make a point, just that the same host would be running WireGuard for some reason, which one would assume means virtualization of some sort, meaning the host machine is the primary hub/server.