Build your own private WireGuard VPN with PiVPN

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • wg-easy

    Discontinued. The easiest way to run WireGuard VPN + Web-based Admin UI. [Moved to: https://github.com/wg-easy/wg-easy] (by WeeJeWel)

  • I run wg-easy https://github.com/WeeJeWel/wg-easy for this sort of thing. I use the docker container, and it's great. "Just works".

    Also, unrelated, I just decided I don't like the sentiment of "PiMyProjectName" branding. I know most projects don't just run on a Pi, and that the intent is to say "you can self-host thing", but at this point if you want to run a home server sort of thing, just buy some cheap 100-200 dollar minipc thing. That's how much you'd pay for a Pi now anyway, and it comes with such great features as:

    * just establishing an ssh connection doesn't take multiple seconds

    * the ethernet doesn't go over a usb hub

    * it doesn't run on an sd card that is going to fail within a year

    I'm pretty dismissive of ARM chips for homelab stuff at this point. There's super cheap minipcs with "real" processors that will just destroy even an expensive ARM board.

    Pi's shine with their ability to run both a real/full Linux and also do gpio type stuff that otherwise is usually an arduino board. I don't have anything against low-level programming but damn is it just a lot more fun to do in python. I love the Rpi zero w 2 products for this, just enough juice to run wifi and a python loop, plus the gpio pins. Too bad they've been sold out for literally years.

  • pivpn

    The Simplest VPN installer, designed for Raspberry Pi

  • yes the webui now has some convenience options for generating and importing configs, but there's still a gap (as in default package installed) in client profile management or network management on cli.

    What pivpn (and similar tooling wrapping lower level commands) bring along is this client management and even some network topology/routing management : https://docs.pivpn.io/wireguard/ and https://github.com/pivpn/pivpn/tree/master/scripts/wireguard

    I think it's an interesting spectrum between wg-cli and tailscale.

  • dumbproxy

    Dumbest HTTP proxy ever

  • Or just consider some HTTP over TLS proxy like this one: https://github.com/Snawoot/dumbproxy

    It may appear to be a slightly more flexible option, especially if forwarding all traffic to VPN entirely is undesirable.

  • outline-apps

    Outline Client and Manager, developed by Jigsaw. Outline Manager makes it easy to create your own VPN server. Outline Client lets you share access to your VPN with anyone in your network, giving them access to the free and open internet.

  • WireGuard/Tailscale are fine if you don't need to deal with state-wide censorship. They might be blocked quite easily.

    Outline/Shadowsocks has better chances to keep working (though it is not a true vpn, more like a private proxy) https://getoutline.org/

  • algo

    Set up a personal VPN in the cloud

  • Algo project still works well. Very quickly launch a WireGuard VPN to several popular cloud providers, or any Linux instance you already have access to, including your rPi.

    https://github.com/trailofbits/algo

  • VxWireguard-Generator

    Utility to generate VXLAN over Wireguard mesh SD-WAN configuration

  • Tinc was my go-to for years, but there is a non-trivial performance penalty for its userspace implementation.

    If you can enumerate all your endpoints into wireguard, and squint, it'll kinda-sorta act like a mesh.

    And if you want to go a little crazy with it, you can run https://github.com/m13253/VxWireguard-Generator + babeld, and get routing around failures in the mesh.

  • easy-wg-quick

    Creates Wireguard configuration for hub and peers with ease

  • I'm using https://github.com/burghardt/easy-wg-quick for this. It works beautifully. I simply port forward to my raspberry pi that handles all of this.

  • gpn

    'guard Private Network

  • Taking an opportunity here for a completely shameless plug for an enterprise-y wg based corporate VPN. Uses mTLS for device auth, wg (obvs), OIDC to authenticate users/set up firewall access (Azure AD and Keycloak tested). Runs as a redundant cluster and can be hooked in via BGP.

    Very early and no docs to speak of yet, but raise an issue if interested. Works with standard WireGuard app on computers/phones, but an integrated app using the API might be in the works …

    https://github.com/davidcoles/gpn

  • ropi

    Prepare read-only raspbian images for raspberry pi

  • https://github.com/nolanl/ropi

    There are commands to enable/disable read-write mode, so you can still make changes and do upgrades.

    I've had 0 problems with SDcard death after I started using it.

  • wg-setup

    Scripts to better manage a WireGuard server

  • I have a WireGuard VPN with about 250 devices, most of them POS machines in the wild. I adopted WireGuard for our first machines about half a year before the 1.0 release, so there weren't many tools yet.

    I piggybacked onto the original configuration file format and built myself https://github.com/WolleTD/wg-setup, which helps me validate the correctness and uniqueness of new entries, hacks names into the entries and even updates an internal DNS zone.

    I really don't have to care much for key rotation, though. As most of the devices are out of our control anyway, they aren't allowed to connect to anything inside the VPN. It's just for us to connect to them.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
