PiVPN and Wireguard Questions

I decided to dive into a new area of networking for me, a VPN. Here is the situation.

I have my home network, and my work network, both of which I administer to the best of my limited abilities. At work, I have a Debian server running a web based CMS that I don’t want to have on the open web because of the personal information in it. I would like to access this CMS from my home network when I’m working from home. I would also like to have a git server that I self host at work where I can have a versioned backup of all of my configuration files or dotfiles instead of hosting those on Github so that I avoid having those out on a public server, just in case I make a mistake one day and git commit a config file with a secret that shouldn’t be out on the Internet. I could easily run that on this Debian server at work as well.

I have a RPi that I have set up PiVPN on as my Wireguard server. All of this is working great, and using this article WireGuard in NetworkManager – Thomas Haller's Blog I got my wireguard profile for my home computer running Fedora 35 connected to the VPN using the nmcli connection import type wireguard file "$CONF_FILE" command that he highlighted. From home I can ssh into the RPi using its DHCP reserved IP address (which is a different subnet than my home network) so I should be able to access the web app CMS in my browser by just going to its DHCP reserved IP address in the address bar.

Here are my questions:

  1. After running the above command my VPN tunnel was active and I could ssh into the RPi back at work that was running the Wireguard server using PiVPN. Does that mean that all of my internet surfing was going through the tunnel, so that if I wanted to surf to hulu.com it would go through my VPN tunnel and use the work internet connection so I could stream a show?

  2. I only need the VPN to securely access the Debian server at work and the RPi (the only two computers that are running after work hours on that network anyway), can I configure my VPN connection on the Fedora 35 home computer (which is really just a client) to send only my ssh or use of the web app CMS through the tunnel and everything else through my home internet connection?

  3. Is it best to just have the VPN tunnel active when I want to access those work computers and then shut it down afterwards? If so what is the command that I would use, to start and stop that connection? Something like nmcli connection down "$NameofVPNConnection" and then nmcli connection up "$NameofVPNConnection"?

If anyone has some articles or documentation I could read to gain a better understanding of this technology, I would appreciate those links as well. A couple attempts at Googling haven’t given me the clarity I was hoping for. Thanks everyone.

I don’t really understand how you set up your tunnel. Let me see if I understand:

  • At work, you have a Debian server running a CMS and it will potentially run GitLab / Gitea / *git* server
  • At work, you have a RPi that you have Wireguard (Pi-VPN) running on
  • At home, you have a laptop running Fedora 35 that you use to connect to the Pi at work

Am I correct?

In any case, to answer your other question: traffic will be redirected to your work only depending on how you set your “client” conf (the configuration on your home computer running Fedora). That can be easily changed by just switching:

AllowedIPs = 0.0.0.0/0
## this is the full traffic redirect through the tunnel ##

to

AllowedIPs = 10.192.122.3/32, 10.192.124.1/24
## this is called a "split-tunnel," where only traffic going to ##
## the specified IPs or subnets above will be redirected ##
## through the tunnel, the rest of the traffic, to say, hulu, ##
## will go through your normal (default) gateway ##

To test what IP address hulu and Internet entities see from you, you can run in a terminal on both the RPi and on your home PC this command:

curl https://ifconfig.me/ip

If the IP address is the same on both computers, that means your tunnel on your Fedora client is set to encapsulate all traffic and send it through your work’s RPi internet connection. If you see 2 different IPs, that means the tunnel is split and the only traffic going through the Wireguard tunnel will be aimed at the CMS or whatever other IP or subnet you set in your wg tunnel conf.

@Biky, you are awesome! You got me most of the way there.

Before I sat down to work on your suggestion, I went for a walk and listened to the recent Homelab show where Jay and Tom talked about OpenVPN and Wireguard. That podcast helped me understand the idea behind a “full tunnel” and a “split-tunnel”. As you correctly surmised, I wanted to create a split tunnel connection where I could access at work just the computers on that network that I’m interested in, namely, the RPi and the Debian Server.

In my wireguard profile conf file, I changed the line:

[Peer]
...
AllowedIPs = 0.0.0.0/0, ::0/0

to
AllowedIPs = 10.0.1.0/24

I saved the file and started the new wireguard connection using the command:

nmcli connection import type wireguard file $NAMEOF.confFILE

I then used ssh to connect to the RPi at work from my home network, and I connected. Yes! But then I ran the curl command you suggested on my home PC, and it couldn’t resolve the command which meant I didn’t have a connection to the Internet any more. I could access the computers at work, but I couldn’t go anywhere on the Internet. I found a Reddit article that said that when you limit the IP addresses under [Peer] you need to eliminate the DNS configuration under [Interface]. So I deleted the following line under [Interface].

DNS = 9.9.9.9, 149.112.112.112

This did the trick. Honestly, I don’t know why this worked, but it does. Now I can surf the internet using my home connection verified by a different public IP than my work public IP, and I can still ssh into my boxes at work.

Thanks @Biky for putting me on the right track. I’m super excited to have this working now, and not being concerned that I have opened my work network up to the wilds of the Public Internet. I only have the port open that allows the Wireguard connection, and nothing else is open on the NAT firewall at work. Now I can enjoy my “homelab” stuff that I have on the work network when I’m at home.


If it said it couldn’t resolve, yeah, it was a DNS issue. Usually the DNS conf in wireguard is to overwrite the local DNS on your computer with the DNS from the remote private network. That is used mostly when you have private IPs that you need resolved there. You most likely know the IPs on the Pi and the Debian server, so you can just place an entry in /etc/hosts and be done. Yeah, DNS setting in wg conf is not needed in this case.
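As an added example (not code from anyone in this thread), a small Python checker that reads a WireGuard client conf like the ones quoted above, reports whether AllowedIPs makes it a full or a split tunnel, tells you whether a given destination would be steered into the tunnel, and lists the DNS= servers that a split-tunnel conf still carries, the combination that broke name resolution for the original poster. The sample conf, its placeholder keys and the endpoint name are constructed.

```python
# Added example: classify a wg client conf as full/split tunnel via AllowedIPs and flag DNS=.
import ipaddress
# Constructed sample (placeholder keys/endpoint): the OP's split-tunnel conf, DNS= still present.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.0.1.10/24
DNS = 9.9.9.9, 149.112.112.112

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.0.1.0/24
"""

def parse_conf(text):
    """Return {section: {key: value}} for an INI-style wg conf (single [Peer] assumed)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def allowed_networks(conf):
    """AllowedIPs as network objects; strict=False tolerates host bits like 10.192.124.1/24."""
    raw = conf.get("Peer", {}).get("AllowedIPs", "")
    return [ipaddress.ip_network(p.strip(), strict=False) for p in raw.split(",") if p.strip()]

def is_full_tunnel(conf):
    """Full tunnel = a 0.0.0.0/0 or ::/0 entry, i.e. the default route goes via the tunnel."""
    return any(net.prefixlen == 0 for net in allowed_networks(conf))

def goes_through_tunnel(conf, dest):
    """True if a packet to dest is steered into the tunnel by AllowedIPs."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in allowed_networks(conf))

def dns_pitfall(conf):
    """In a split tunnel, return the DNS= servers; the thread's fix was to remove that line."""
    if is_full_tunnel(conf):
        return []
    raw = conf.get("Interface", {}).get("DNS", "")
    return [s.strip() for s in raw.split(",") if s.strip()]
```

Run it against your own conf by reading the file into `parse_conf` instead of `SAMPLE_CONF`; an empty `dns_pitfall` result and the expected `goes_through_tunnel` answers for your work IPs and a public IP are what a working split tunnel should show.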