Share single service via WireGuard
-
I wanted to share a service I’m hosting, but didn’t feel comfortable just leaving publicly accessible, even behind a reverse proxy. In the meantime I did not want to give access to my whole lan with a VPN, or redirect all internet traffic from a client thru my network.
So the idea is to run a WireGuard instance on my OpenWRT router in a completely isolated zone (input, output and forward set to reject on firewall) and then forward a single port from the service host’s.
Client is android, so using WG Tunnel and split tunnel just for the relevant app should not impair client’s network access.
Initial tests seems to be ok, is there anything I may have overlooked?
Please feel free to comment. -
I wanted to share a service I’m hosting, but didn’t feel comfortable just leaving publicly accessible, even behind a reverse proxy. In the meantime I did not want to give access to my whole lan with a VPN, or redirect all internet traffic from a client thru my network.
So the idea is to run a WireGuard instance on my OpenWRT router in a completely isolated zone (input, output and forward set to reject on firewall) and then forward a single port from the service host’s.
Client is android, so using WG Tunnel and split tunnel just for the relevant app should not impair client’s network access.
Initial tests seems to be ok, is there anything I may have overlooked?
Please feel free to comment.I think this is exactly what Pangolin was designed for and does.
-
I think this is exactly what Pangolin was designed for and does.
Isn’t Pangolin just a reverse proxy?
-
Isn’t Pangolin just a reverse proxy?
The connection between your Pangolin service (hosted outside your network) and your LAN is through a VPN. Essentially you’re creating a proxy that you can point your domain address at which isn’t your house’s IP address. Plus then everything inside your network is still secure behind your VPN.
So you connect to Pangolin, and Pangolin routes the traffic to your network.
-
I wanted to share a service I’m hosting, but didn’t feel comfortable just leaving publicly accessible, even behind a reverse proxy. In the meantime I did not want to give access to my whole lan with a VPN, or redirect all internet traffic from a client thru my network.
So the idea is to run a WireGuard instance on my OpenWRT router in a completely isolated zone (input, output and forward set to reject on firewall) and then forward a single port from the service host’s.
Client is android, so using WG Tunnel and split tunnel just for the relevant app should not impair client’s network access.
Initial tests seems to be ok, is there anything I may have overlooked?
Please feel free to comment.You don’t really need forwarding as you don’t need NAT here.
A part of the filtering can be done by wireguard by setting the allowed IPs correctly. Just check if only one service is listening on the server port you’ll allow.
Now a question: all without tls right?
-
You don’t really need forwarding as you don’t need NAT here.
A part of the filtering can be done by wireguard by setting the allowed IPs correctly. Just check if only one service is listening on the server port you’ll allow.
Now a question: all without tls right?
Could you elaborate what you mean with setting the allowed IPs? Yes, without tls.
-
The connection between your Pangolin service (hosted outside your network) and your LAN is through a VPN. Essentially you’re creating a proxy that you can point your domain address at which isn’t your house’s IP address. Plus then everything inside your network is still secure behind your VPN.
So you connect to Pangolin, and Pangolin routes the traffic to your network.
If I understood correctly I should either get a VPS to host Pangolin or use their cloud. This would increase the costs right?
-
If I understood correctly I should either get a VPS to host Pangolin or use their cloud. This would increase the costs right?
Yes, correct. You can always locally host it as there are other benefits like unifying user credentials for all your hosted services. But its primary design is to be hosted externally.
currently I host everything locally, but I don’t like the fact that anyone visiting my domain can easily find my address.
I’m in the process of determining on if I set up Pangolin myself or not.
Another huge benefit is higher availability.
(ex. If my internet goes down at home, I won’t know until I try to connect, but if I have an external service and it’s monitoring that connection, it can inform me when it loses connection)Price is certainly something to consider when weighing its value for your setup
