

Tips for getting end-to-end encryption to home LAN


let_rocks Member
edited June 2023 in Help

Currently I run the following setup to connect to web apps in my home LAN:

  1. VPS is connected to the LAN VM using a WireGuard tunnel
  2. VPS runs nginx, with proxy_pass to the LAN VM
  3. Client connects to VPS using WireGuard (other tunnel than the one mentioned earlier)
  4. I can visit web apps hosted in the LAN VM from outside my LAN, using two WG tunnels*

I can also skip the second WireGuard (client <-> VPS) tunnel if I want to, and just visit the VPS address itself, but this is just for testing purposes.

But now I want to have end-to-end encryption, so the VPS only sees encrypted traffic.

I thought of adding HTTPS to client <-> VPS and VPS <-> LAN VM, but that is not the solution because decryption will take place on the VPS.

With both WG tunnels active, traffic will be decrypted and encrypted on the VPS, so no E2EE.

I can disable the IPv6 firewall on my ISP router, but I'd rather leave that on and access my LAN stuff through a VPS using WG.

Any ideas/thoughts? All feedback is appreciated.

Comments

  • I think this is what you might be interested in: https://www.procustodibus.com/blog/2021/12/wireguard-e2ee-hub-and-spoke/

    But it would require you to abandon running nginx on the VPS and instead everything is handled on your LAN VM.

    Thanked by 1 (let_rocks)
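    One way to get the end-to-end property this comment is after, as an added example that is not from the thread or the linked article: keep the existing hub-and-spoke tunnel (wg0) exactly as it is, and run a second WireGuard interface (wg1) on the client and on the LAN VM inside it, so the VPS only forwards UDP datagrams it holds no key for. nginx on the VPS drops out of the path. All addresses, hostnames, ports and key placeholders below are assumptions.

```ini
# --- VPS (hub): outer tunnel only, forwards between spokes, never terminates TLS
# /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# Let spoke-to-spoke traffic pass; no DNAT and no proxy on the hub
PostUp   = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT

[Peer]  # LAN VM (outer key)
PublicKey = <LANVM_OUTER_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32

[Peer]  # client (outer key)
PublicKey = <CLIENT_OUTER_PUBLIC_KEY>
AllowedIPs = 10.0.0.3/32

# --- LAN VM: outer spoke (wg0) plus inner tunnel (wg1) listening on its outer address
# wg0.conf
[Interface]
Address = 10.0.0.2/24
PrivateKey = <LANVM_OUTER_PRIVATE_KEY>
[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
AllowedIPs = 10.0.0.0/24        # includes the client's outer address 10.0.0.3
PersistentKeepalive = 25

# wg1.conf (inner): this key pair never touches the VPS
[Interface]
Address = 10.1.0.2/24
ListenPort = 51821
PrivateKey = <LANVM_INNER_PRIVATE_KEY>
[Peer]
PublicKey = <CLIENT_INNER_PUBLIC_KEY>
AllowedIPs = 10.1.0.3/32

# --- Client: wg0 mirrors the LAN VM's outer spoke (Address = 10.0.0.3/24, own key);
# wg1's Endpoint is the LAN VM's *outer* address, so the handshake rides through wg0.
# wg1.conf (inner)
[Interface]
Address = 10.1.0.3/24
PrivateKey = <CLIENT_INNER_PRIVATE_KEY>
# MTU is derived by wg-quick from the route to the endpoint (wg0, 1420) minus 80
[Peer]
PublicKey = <LANVM_INNER_PUBLIC_KEY>
Endpoint = 10.0.0.2:51821       # forwarded by the VPS, undecryptable there
AllowedIPs = 10.1.0.0/24        # web apps are now reached at 10.1.0.2, not via nginx
PersistentKeepalive = 25
```

    Bring up wg0 before wg1 on both spokes; a capture on the VPS then shows only WireGuard UDP between 10.0.0.2:51821 and 10.0.0.3, with the HTTP inside it visible to neither the hub nor anyone who compromises it.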
  • Why can't the client connect directly to the LAN VM via WireGuard? Use an IPv6 address or port forwarding to allow access to it externally.

    Thanked by 1 (let_rocks)
  • I believe ZeroTier is the easiest solution.

    Thanked by 1 (let_rocks)
  • @Daniel15 said:
    Why can't the client connect directly to the LAN VM via WireGuard? Use an IPv6 address or port forwarding to allow access to it externally.

    I can’t seem to find the port forwarding option in my ISP's router.
    Don’t know if it’s available.

    Using IPv6 to connect directly isn’t really an option for me since I don’t want to turn off the firewall for my whole network, and that seems to be the only option.

  • @let_rocks said: Using IPv6 to connect directly isn’t really an option for me since I don’t want to turn off the firewall for my whole network, and that seems to be the only option.

    The firewall doesn't let you open just a single port??

    @let_rocks said:

    I can’t seem to find the port forwarding option in my ISP's router.
    Don’t know if it’s available.

    What's the model number of the router?

  • I managed to open up a port on my router over IPv6 to set up a tunnel to my LAN, as @Daniel15 suggested, thanks :)

    I added IPv4 port forwarding as well in case IPv6 is not available.

    Now I don't use the VPS.

    It seems to fit my needs, will test it the coming days/weeks.

    Thanks all for your replies.

    Thanked by 1 (Daniel15)