For the guy asking about firewalld

https://www.redhat.com/sysadmin/how-to-configure-firewalld

( disclaimer: i dont use it. I dont even have a firewall enabled on my servers. Only 2 ports are open on my external facing router and I have a upstream ngnix proxy that does all the incoming for me.

Still reading the details but seems cloud-flare will stop hosting an IPFS gateway and now its going to be 'transferred' to something called " interplanetary shipyard " Something fairly new it seems, and somehow tied to the IPFS project.

While it was nice that cloud-flare was offering bandwidth 'to the cause', they were also blocking addresses on demand, both for IPFS and Etherium..  Scumbag *ers. So it might be a good change. ( or worse, donno yet )

Ok so going to start back up playing with wireguard. last time it didn't go well ( for my original use case.. so i modified it somewhat ). Losing a drive this week, and the bad weather ( with tornadoes again ) has made me want to tackle it again.

I know its not hard, and was trivial to get the basics running last time too, but im lazy so going to use the config generator at https://www.wireguardconfig.com/  as a starting point  ( for phones, it creates a nice QR code for you... which was neat  )

But  related to troubles i had before, trying to do fancy stuff , so using just 'basic' configs couple of questions :( and i forget how much i tried and didn't try and screwed around with at this point, it was several days before i threw in the towel and punted )

• The wireguard subnet config: should it be the same as my home subnet or unique.   ?  ( i was trying to get the remote devices to be ON my network last time. i gave up on that part as it was a mess )
• assuming its not my home net, and I cant predict the remote subnet, so not sure what a good one to use that no other home router might use by default so it wont conflict at their place. 
• Can the remote devices attach to devices on my network or is it just an internet pipe only. ( i remember getting that to work, forget how)
• if its on my subnet, could i ssh/sftp into one of the remote devices, or do i need to change the routing rules on the remote device?
• If its not on my subnet, could i still ssh(SFTP really) from the local server back into one of the devices, or is that yet more 'special config'

New use case:

• Setup server at home. ( easy )
• Drop remote device at a friend for family house. ( a bit of a drive, but that is the point )
• May have to move it on a regular basis
• i have no control over remote network. just drop and go.
• Remote device connects back here automatically ( easy )
• Using rsync ( either via ssh or direct network, like via NFS ) to backup local files out to the remote device.  ( rsync so its always deltas..)

Optionally

• restore files from remote site instead of driving out ( but may be moot, if im restoring from there, my house is most likely gone anyway.. )

Really dont care if i have to run it all from the server, or directly from my network ( the original plan that blew up on me ). Dont care if its automated or i type commands. 

Worst case

• i have no control over the device, so a cron job to rsync on remote device to reach down grab from local folders on its own.   Drive out to restore in disaster situation 

Oh and for worst case,  i could always use openvpn i know, as it would let me access local devices out of the box.   but was hoping to not have to go with 'automated reach down' if i could pull it off. 

That is part of the problem i don't have any access to mess with the remote network. it has to be 100% transparent.  if i could screw with their network it would be a lot easier, id just open a port and 'dial in' directly.

( and no, im not secretly stealing network access... its a 'hey, can you plug this in for me and just walk away' situation. )

Fri Aug 02 2024 21:13:58 EDT from darknetuser

You need routing rules on both routers to allow LAN1 to see LAN2 and the other way around.

I think this is what i did, and it sort of worked then fell apart.  But ill try it that way again. ( hard part is testing.. last time i was screwing with VPN + VMs to get it off my network to test with, with intent to replicate it on the 'box'..  cell signal is too low here to tether )

Fri Aug 02 2024 21:18:38 EDT from darknetuser

New use case:
* Setup server at home. ( easy )
*snip*

Easy. Your home needs a static IP. Configure your home wireguard enpoint to accept a peer with a given key from address 0.0.0.0 (all addresses).

Then you configure the drop-in in your friend's house to peer with your home with address $YOURHOME. You may need to play with the keepalive settings in order to pass through botched NAT systems at your riend's house, though.

Still waiting for my file restore... so took a few minutes to set stuff up again.

i'm back where i was before i started mucking around with the confg files more.

Server running.  Client connects, cant access my network OR the outside...  But i can ssh from server to it. So it will do the job.    

Ill snapshot both and mess with the configs later see if can at least get the client to hit the internet.  ( might want to do OS updates someday and not drive out to do it )

client is at friends.  no way i can open ports. 

Sat Aug 03 2024 14:55:29 EDT from darknetuser

Home system in LAN 1 <> big badass router <> WAN <>lame router fromfriend's house < server at friend's LAN

.

Did have to add keepalive this time.  Client kept dropping after a while. Might have last time too, but i didn't leave it for long, kept beating on it.

Not like im trying to hiding the client, so not a big deal in the bigger picture.

Guess its time to load the actual hardware, figure out the best way to test it without having to drive anywhere.  ( if i had cell signal here, be easy, just go wireless off that for testing but no, have to drive to the local park and if i do that, might as well drive 2x to somewhere that has actual wifi. ).   I guess i could setup a PC with external VPN, hang it off a 2nd router bla bla bla.   

to  me i think 'server' = the one i have to open endpoints on. When you said 'server at friends', that was what i was thinking.

Not real sure what a good value is for keep alive, figured that its a good idea no matter what unless i was trying to hide it.  Their example showed 25, and it worked here. So unless that is a 'bad' number ill just leave it at that.

Sun Aug 04 2024 13:38:05 EDT from darknetuser

2024-08-03 15:29 from Nurb432
client is at friends.  no way i can open ports. 

It makes no difference. ONly one of the endpoints needs a wireguard port to be reachable. In this case it has to be your big badass router at your home.

You may need to set a sane keepalive for the connection to survive through NAT if your friend's NAT is just sucky.

Up to the point of taking it somewhere to test.   While what i did is pretty close to being 'remote' ... i still want to test.

Might be in the office Monday for managers meeting,if so ill drag it along with me and do tethering off my phone since i actually get signal there and don't need to make a special trip. Can set it to auto connect so i wont need console access to the thing if i try some random wifi... ( of course might be in the office staring next month on a regular basis :( )

Sun Aug 11 2024 12:57:07 EDT from IGnatius T Foobar

So did you get it to work? Wireguard's ability to punch through firewalls using the traditional UDP semantics is excellent.

It is interesting that UDP has become quite popular in recent years. HTTP 3.0 uses it, Wireguard uses it, mosh uses it ... seems like everyone's got a TCP replacement these days.

Well, that was fun.

Didn't make it to the office Monday like i thought so plans to test there fell thru.

Went ahead and set it auto connect to my phone then took the phone out to the back yard in the shade to get just enough signal to work. Grabbed a battery for the device and stuck it out there in the shade too..Ran back in the house, nope its not connecting.  Brought it back in, hit the console and it wasn't resolving the host name for my server. Really odd. The hotspot must be blocking normal DNS servers or something, i donno. So just stuck it in the hosts file, reboot and it was fine. yay.   

Then i noticed the storage drive was not being seen.. ( 1TB mini size m.2, 2242 i think? i forget the numbers ). Puled it apart, and the case was literally melted slightly.. Its toast.  Seems others have had the same problem, this stupid ass board eats m.2  SSDs for lunch.

Sun Aug 11 2024 12:57:07 EDT from IGnatius T Foobar

So did you get it to work? Wireguard's ability to punch through firewalls using the traditional UDP semantics is excellent.

It is interesting that UDP has become quite popular in recent years. HTTP 3.0 uses it, Wireguard uses it, mosh uses it ... seems like everyone's got a TCP replacement these days.