Securing a server with WireGuard

I have a Linux server at home and I would like to configure WireGuard to protect my local server from the outside world. I have searched on Google, but there are only tutorials for using it as a classic VPN.

From what I understand, I have to configure WireGuard and then, with iptables, authorise only traffic that comes through the subnet of my VPN.

But if my server needs to contact a Google API, then Google won’t be able to respond?

WireGuard is for VPN, not for protecting a server… I’m not even sure what you’re trying to do.

WireGuard is a peer-to-peer VPN protocol. What you need is a firewall, and you most likely already have one if you have an internet uplink, because the router you use to dial up to the internet has an integrated firewall. As long as you don’t open any ports to your server, it is protected from the outside world.

Time to read more about network security in general when you can’t even tell the difference between a VPN and a firewall.

There are several aspects to your idea.

  1. A VPN (WireGuard) is a tool to enable secure communication between peers, or between a server and peers. As such you might securely tunnel all the requests from your peers (e.g. your phone) directly to the WireGuard server. You would not really need to open other ports to the internet in a firewall for this.

  2. A firewall accepts/rejects traffic to IPs/ports … whatsoever. You would, for example, manage which servers/ports your WireGuard peer may talk to. You could spin up a firewall on several servers: a router, your WireGuard server and also your Linux server.

You’ll definitely need both to achieve what you seem to be looking for.

It now depends on your specific setup. Is your Linux server also the WG server? Are you using containers (Docker) to separate these services, etc.?

Securing a server has absolutely nothing to do with WireGuard.

Thanks for all your answers. I managed to figure out how to set this thing up, but there’s something I’m not sure about with IP masks: if on the server I put clientip/24, then all the clients can communicate with each other via the server, is that right? On the other hand, in the client interface, does it matter whether I set /24 or /32?

I made a rule in iptables to block all traffic on the eth0 network card except the connection on the WireGuard port. With that rule it’s as if you raised a firewall that blocks all traffic except WireGuard. To allow the APIs… I set another rule in iptables that permits the connections to the hosts and ports that my server initiated. That lets you have API services and an internet connection, but of course… it exposes you somewhat on the network if you have malware on your network that initiates an outbound connection… for the iptables rules… either Google… or ChatGPT.

Instead of wasting people’s time, you could have asked an AI and got an instant answer. You don’t understand what WG and a firewall are.

From what I understood, I could make sure that only users who are connected to the tunnel can access the server (it won’t respond otherwise), couldn’t I?

I know, but that’s precisely the point of opening a port on my box to make my server accessible; WireGuard seemed to allow me to secure this “gate” (I’m sorry if I’m wrong, but that’s what I understand).

The services are managed by Docker (except WireGuard, which I don’t think can or should be installed via Docker), and yes, I was planning to have WireGuard directly on the machine.

I thought I was going to be able to use WireGuard in such a way as to only allow people to connect to my server who pass through the WireGuard tunnel (and who are therefore authenticated the first time).

I joined the party a little late; however, I suggest you take a look at WG-Easy. It really made using WireGuard a breeze.

As an example: you could make sshd only listen on your server’s WireGuard IP, so it will only be accessible to a client via WireGuard.

No, that is not what a VPN is for.

You use a VPN to access a network that is otherwise inaccessible to you.

So, you have to have a network that is inaccessible from the internet. This is achieved by securing that network and not exposing it to the internet. You only allow access to local devices directly connected to this network.
Remote access is only allowed via VPN.

Then use ufw; it’s more readable than iptables… configure it to deny incoming requests by default, and allow the VPN subnet.
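The policy described in the two posts above (block everything arriving on the WAN interface except the WireGuard port, let replies to the server’s own outbound connections back in, and allow the VPN subnet) written out as an iptables-restore ruleset. This is an added example, not the posters’ own rules or anything from WireGuard or ufw; the interface names eth0/wg0, the port 51820 and the subnet 10.8.0.0/24 are assumed placeholders. The script only prints the ruleset unless it is run with `--apply`, so it can be reviewed first.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for a host that should be
# reachable only through its WireGuard tunnel.  All names below are assumed
# placeholders; override them in the environment to match your setup.

WAN_IF="${WAN_IF:-eth0}"                  # assumed: interface towards the router
WG_IF="${WG_IF:-wg0}"                     # assumed: WireGuard interface
WG_PORT="${WG_PORT:-51820}"               # assumed: WireGuard UDP listen port
WG_SUBNET="${WG_SUBNET:-10.8.0.0/24}"     # assumed: tunnel subnet
PEER_TO_PEER="${PEER_TO_PEER:-no}"        # yes = clients may reach each other via the server

# Print the ruleset in iptables-restore format.  Nothing is applied here,
# so the output can be read (or diffed) before it touches the host.
wg_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
# replies to connections the server opened itself (API calls, updates);
# this is what keeps outbound HTTPS working while INPUT defaults to DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only thing the WAN side may initiate: WireGuard packets
-A INPUT -i $WAN_IF -p udp --dport $WG_PORT -j ACCEPT
# ICMP helps path-MTU discovery; drop it if you prefer a quieter host
-A INPUT -p icmp -j ACCEPT
# every other service (ssh, web, ...) only from inside the tunnel
-A INPUT -i $WG_IF -s $WG_SUBNET -j ACCEPT
EOF
    if [ "$PEER_TO_PEER" = "yes" ]; then
        echo "# clients may talk to each other through the server"
        echo "-A FORWARD -i $WG_IF -o $WG_IF -s $WG_SUBNET -d $WG_SUBNET -j ACCEPT"
    else
        echo "# client-to-client traffic is dropped by the FORWARD policy"
    fi
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "COMMIT"
}

# Apply atomically: iptables-restore swaps the filter table in one step,
# so there is no window with a half-built policy.  Needs root.
wg_firewall_apply() {
    wg_firewall_rules | iptables-restore
}

# Audit helper: count ACCEPT rules bound to the WAN interface.  Exactly one
# (the WireGuard port) is expected; anything more is an exposed service.
wg_firewall_wan_accepts() {
    wg_firewall_rules | grep -c -- "-A INPUT -i $WAN_IF .* -j ACCEPT"
}

case "${1:-}" in
    --apply) wg_firewall_apply ;;
    *)       wg_firewall_rules ;;
esac
```

With this INPUT policy, sshd is reachable only through the tunnel even if it still listens on all addresses; binding it to the WireGuard address, as suggested above, is an independent second layer. Two caveats for the setup described in the thread: ports published by Docker (`-p 8080:80`) are DNATed in PREROUTING and traverse FORWARD, not INPUT, so they are not covered by these rules; publish them on the tunnel address instead (`-p 10.8.0.1:8080:80`) or filter them in Docker’s DOCKER-USER chain. And loading a `*filter` table with iptables-restore replaces the whole table, including the chains Docker builds, so on a Docker host apply this before Docker starts or merge it into Docker’s chains. Outbound traffic is left open here; restricting it is a separate OUTPUT policy, as the later reply about outbound connections notes. Keep a console or a second session open when applying any such ruleset.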

What WireGuard does is allow you to access your home network via an encrypted tunnel which needs authentication by using a pre-shared key method. In a way, yes, it isn’t allowing access to your server unless someone has access to the VPN.

WireGuard is a VPN and it works fine with Docker, there’s no issue running it that way. It provides a secure tunnel to your server, making it safer than exposing it directly to the internet, but it doesn’t inherently “secure” the server. That depends on your configuration and overall network security practices.

Also, if you want to block specific outbound connections, that’s a firewall (iptables/nftables) issue, not WireGuard’s job.

Use a firewall and SSH.

I’ve heard of it and it seems to be exactly what I need. I just have one question: with WG-Easy, in the configuration files, does the server network interface have a /32 or /24 mask? (Can the clients interact with each other via the server, or is it “blocked”?)
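The /24-versus-/32 question asked twice above comes down to what AllowedIPs means. Below is an added example, not WG-Easy’s code or any poster’s configuration, that renders a minimal server and client wg0.conf and lints the server’s per-peer AllowedIPs. It assumes the tunnel subnet 10.8.0.0/24, port 51820 and placeholder keys and endpoint; generate real keys with `wg genkey | tee server.key | wg pubkey > server.pub`.

```shell
#!/bin/sh
# Added example: WireGuard config rendering plus an AllowedIPs lint.
# Subnet, port, keys and endpoint below are assumed placeholders.

WG_SUBNET_PREFIX="10.8.0"                       # assumed tunnel subnet 10.8.0.0/24
SERVER_PUB="<server-public-key>"                # placeholder
SERVER_ENDPOINT="vpn.example.com:51820"         # placeholder

# Server side.  The interface Address carries the whole /24 so the kernel
# routes the subnet via wg0.  Each [Peer] gets exactly its own /32, because
# AllowedIPs is WireGuard's cryptokey routing table: outbound, a packet to
# 10.8.0.3 is encrypted to the one peer whose AllowedIPs contain it; inbound,
# a decrypted packet is dropped unless its source lies in the sender's
# AllowedIPs.  A /24 on one peer would let that peer send packets with any
# client's address, i.e. impersonate the other clients.
wg_server_conf() {
    # args: one public key per client; they are assigned .2, .3, ...
    echo "[Interface]"
    echo "Address = $WG_SUBNET_PREFIX.1/24"
    echo "ListenPort = 51820"
    echo "PrivateKey = <server-private-key>"
    n=2
    for pub in "$@"; do
        echo ""
        echo "[Peer]"
        echo "PublicKey = $pub"
        echo "AllowedIPs = $WG_SUBNET_PREFIX.$n/32"
        n=$((n + 1))
    done
}

# Client side.  The Address mask only affects the local route wg-quick
# installs; AllowedIPs decides which destinations enter the tunnel.
# /32 of the server = reach only the server.  The whole /24 = also reach
# other clients, which still works only if the server forwards wg0->wg0
# (IP forwarding on plus a FORWARD rule); the mask alone does not do it.
wg_client_conf() {
    # args: client index (2, 3, ...), scope: "server-only" or "subnet"
    idx=$1; scope=$2
    echo "[Interface]"
    echo "Address = $WG_SUBNET_PREFIX.$idx/24"
    echo "PrivateKey = <client-private-key>"
    echo ""
    echo "[Peer]"
    echo "PublicKey = $SERVER_PUB"
    echo "Endpoint = $SERVER_ENDPOINT"
    if [ "$scope" = "subnet" ]; then
        echo "AllowedIPs = $WG_SUBNET_PREFIX.0/24"
    else
        echo "AllowedIPs = $WG_SUBNET_PREFIX.1/32"
    fi
    echo "PersistentKeepalive = 25"
}

# Lint a server config read from stdin: print the number of peer
# AllowedIPs entries wider than a single host (/32 or /128).  0 = clean.
wg_lint_server_allowedips() {
    grep -E '^AllowedIPs' | grep -E -v '/32$|/128$' | wc -l | tr -d ' '
}

# Stand-alone usage: ./wg-conf.sh server PUB1 PUB2 ...
#                    ./wg-conf.sh client 2 subnet
case "${1:-}" in
    server) shift; wg_server_conf "$@" ;;
    client) wg_client_conf "$2" "$3" ;;
esac
```

So on the server the interface is /24 and every peer is /32, whichever tool writes the file; whether clients can see each other is decided by the server’s forwarding and FORWARD rules, not by the mask, which is the knob to leave closed unless client-to-client access is actually wanted.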