It is more easier and also better resource wise to have a site to site connection. Wireguard is pretty lightweight compared to ipsec or openvpn.
You can also add remote clients easily.
All you need to do is routing. And that's mainly the only benefit all these "easy to use" solutions offer.
Individual firewall can also be easier maintained by the local operator. But I'm a old fart maybe that's why I don't understand the need for third party tools when using wireguard. Again it's by far the most simple solution in regards to concepts and implementation.
3 Likes
Besides the site-to-site traffic, I also use wg to connect from my mobile phones to one of the sites, and have access to the resources on both sites. So, @jbrodriguez does not need to use any third party tools.
2 Likes
starting to work on this, setting things up
i already created different domains / network segments on each site
a - 192.168.1.0/24 | sitea.lan
b - 192.168.2.0/24 | siteb.lan
questions
-
are '172.16.0.1/24' and '172.16.0.2/24' the wg interface ip addresses on each site ? if that's the case any reason for using 172.16.x (maybe readibility) or i can use some other segment from 192.168.x.x (i dont plan to have that many sites, segments)
-
can i import these config snippets into wg luci gui
-
i want to access the sites in a "road warrior" scenario :), just need to add a peer as normal right ?
-
finally, to create the keys, i should follow this guide right ? https://openwrt.org/docs/guide-user/services/vpn/wireguard/server#key_management
I have several 192.168 networks on each site, so I decided to reserve 192.168.0 to 192.168.128 for one site, and 192.168.129 to 192.168.255 for the other site. Obviously, you can make it simpler, and have just one network on each site.
I used 172.16.0 as the range for the wg link, you can use 192.168.3, if that is easier for you.
I have never used the GUI to config wg, sorry but I cannot help with that.
Yes, you can add a road warrior to any end of the wg tunnel, just use a different IP address and different keys.
And, yes, the keys can be created following that guide.
I have some notes how to setup a WireGuard interface as a server maybe that can be helpful, see: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/notes
Tailscale is not a "third party tool", it is a Zero Configuration Mesh VPN which uses Wireguard. It is a new generation of VPN.
What people are showing @jbrodriguez to configure is the traditional manually configured Hub-Spoke VPN which also uses Wireguard.
Sorry mate but this is marketing bullshit.
3 Likes
Tailscale Option:
- Install Tailscale on each Router and enable Tailscale Exit Node.
- Install Tailscale on each client you want on your Tailscale Tailnet.
There are no IP address ranges to worry about, no keys to manage, no configuration changes to make when you move from site to site, this is very useful for mobile devices like phones, tablets, Laptops. You are not having to specifically configure for Road Warrior access because Tailscale devices will just find each other even behind Double NAT and CGNAT.
Tailscale Tailnet is like a virtual LAN spanning multiple geographical locations.
Again, everybody here knows the offering tail scale provides and it is just sugar and candy on top of wireguard.
Nobody "needs" it. Sure if you are a 15 to 35 person startup and don't have time to roll out your infra then sure these services can provide a time benefit but it is not necessary. (And of course if you hired 10 over paid developers and then be cheap and skip the sysadmin who knows networking.)
A site to site connection has 2 peers, so you need 2 keys, 2 configs and 2 firewall rules. Yeah indeed this is really heavy and complicated and you need someone to hold your hand while you ride with training wheels.
1 Like
Please, explain to me how can I have a site-to-site VPN, with the same IP ranges on both sites, and not have conflicts; or how can I resolve names on the remote network, without configuring different domain names and DNS delegation.
Also, you refuse to call Tailscale a "third party tool", but it requires a subscription to Tailscale's services, and it requires Tailscale's servers to be operative. I have nothing against Tailscale, but it is what it is.
1 Like
Tailscale Subnet Router is used to create Site-to-Site VPNs
Tailscale uses Magic DNS
Tailscale is not a "third party tool" to configure a Hub-Spoke VPN.
Tailscale is one of a few Zero Configuration Mesh VPN
Tailscale has a free Subscription tier
I really do hope you get royalty for your advertisment. But can you please do so on tiktok and not here.
@eduperez
If you are really keen you could self host Headscale which is an open source, self-hosted implementation of the Tailscale control server.
Or you could just use wireguard without any third party tools on top...
1 Like
Yes, but that would not have the features of a Mesh VPN.
Unless you set it up that way...
1 Like
That is why Tailscale is a Zero Configuration Mesh VPN, because you don't manually setup tunnels between each device in the Mesh
Yes, I get what tailscale is. You've mentioned it umpteen times. However, repeating what it is doesn't make it anymore necessary or beneficial to the topic. Nor does it make it any less of a third party tool on top of wireguard
1 Like
Ok, maybe you still don't get it, but just in case you are not totally brainwashed by advertisement: You can EASILY! build a "mesh vpn" (yeah nice marketing bs lingo) by yourself. You don't need any extra shizzle!
Each router either connects fully meshed, or partially with a hub-and-spoke, to each other. Each routers speaks i.e. OSPF to announce connected networks. You could even use static routes if you like.
That's it.
That's the same (as a net result) as with using a third-party-tool.
I still don't get it why you do all the advertisement.
1 Like