Wireguard VPN to my home network

I recently upgraded (or downgraded?) my home wifi router to an eero device.

Form factor on the router is great, very small, but for wired ethernet devices, it requires seperate switches to connect ethernet devices.

Previous routers had openvpn built in which allowed me to get into my home network if I were on the road for work or just away from home in general. Helpful to keep my plex library going if I’m away from home. Happy Wife, Happy Life and all that ūüėČ

Anyway, the eero does not have a VPN option.¬† There is a paid feature in the iphone app for VPN, however it does not allow you to create a VPN connection to your home network, just a VPN on your mobile device for accessing the internet. I already have a PIA VPN account that’s paid for several years, so I don’t need the eero one (or the extra $99 a year).

My home network is all running Fedora Linux. Instead of Docker, Fedora uses podman.

Asking around for recommendations, Wireguard was typically the answer to ‘what home vpn do i need’, so I started with Wireguard.

Running inside a container, the syntax I went with is here . Replacing ‘docker’ with ‘podman’, first time around, the container logs threw an error on iptables

iptables v1.8.10 (legacy): can’t initialize iptables table `filter’: Permission denied (you must be root)

This lead me to github and to this tweak.¬†¬† I’ve got firewalld disabled and the ip_tables module wireguard uses was not loaded. ¬† I created the file /etc/modprobes-load.d/iptable_raw.conf, rebooted, and confirmed¬† lsmod shows it was loaded

$ sudo lsmod |grep iptable
iptable_nat 12288 1
iptable_filter 12288 1
nf_nat 65536 4 xt_nat,nft_chain_nat,iptable_nat,xt_MASQUERADE
iptable_raw 12288 0
ip_tables 28672 3 iptable_filter,iptable_raw,iptable_nat

Still getting ‘Permission denied’ error after restarting the container – the final answer here was to add ‘–privileged’ to my podman command and binjo, VPN.

My final ‘docker run’ command :

$ cat run
sudo podman rm -f wireguard
sudo podman run -d \
–name=wireguard –privileged \
–cap-add=NET_ADMIN \
–cap-add=SYS_MODULE \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Etc/UTC \
-e PEERS=1 `#optional` \
-e PEERDNS=auto `#optional` \
-e INTERNAL_SUBNET=10.13.13.0 \
-e ALLOWEDIPS=0.0.0.0/0 \
-e LOG_CONFS=true \
-p 51820:51820/udp \
-v /local/docker_data/wireguard/config:/config \
-v /lib/modules:/lib/modules \
–sysctl=”net.ipv4.conf.all.src_valid_mark=1″ \
–restart unless-stopped \
lscr.io/linuxserver/wireguard:latest

I loaded the wireguard app onto my iphone, used it to scan in the QR code generated by the container (accessible via ‘podman logs -f wireguard’).¬† I am behind an ATT router which blocks many incoming ports but I was able to find an open port.¬† From the ATT router, i port forwarded that port to the eero¬† and then in the eero app, I could create a port forward to my fedora container machine and the default wireguard port ‘51280’.

Finally, I modified the entry in the wireguard app with the open att port and saved it.  I dropped my iphone all wifi and hit connect in the wireguard app and   bingo, via terminus (a ssh app on iphone), I could connect to my internal machines.  I checked with Lunasea   that I use to access my other home entertainment containers and that also let me connect via wireguard without wifi

 

 

 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.