zlacker

[return to "A story on home server security"]
1. acidbu+s3[view] [source] 2025-01-05 13:25:14
>>todsac+(OP)
I really like the "VPN into home first" philosophy of remote access to my home IT. I was doing openvpn into my ddwrt router fortunately years, and now it's wireguard into openwrt. It's quite easy for me to vpn in first and then do whatever: check security cams, control house via home assistant, print stuff, access my zfs shared drive, run big scientific simulations or whatever on big computer, etc. The router VPN endpoint is open to attack but I think it's a relatively small attack surface.
◧◩
2. Mister+wq[view] [source] 2025-01-05 16:50:57
>>acidbu+s3
I've taken this approach as well. The WireGuard clients can be configured to make this basically transparent based on what SSID I'm connected to. I used to do similar with IPSec/IKEv2, but WireGuard is so much easier to manage.

The only thing missing on the client is Split DNS. With my IPSec/IKEv2 setup, I used a configuration profile created with Apple Configurator plus some manual modifications to make DNS requests for my internal stuff go through the tunnel and DNS requests for everything else go to the normal DNS server.

My compromise for WireGuard is that all DNS does to my home network but only packets destined for my home subnets go through the tunnel.

[go to top]