Discussion
I needed a way to securely access my home cloud. I saw online a lot of people using Cloudflare Tunnels, but it looked to me like your information is residing on their servers temporarily. Not something I was interested in. Then I saw others talking about Tailscale. Another quick Google search and it looked like Wireguard was probably easier for me to implement on my pfSense firewall and various clients.
I use the Wireguard client on my laptop and the wg-tunnel app on my phone to connect to my Home Cloud services. I don't have a static public IP, but I am using Cloudflare DDNS for my domain so that I can link to the hostname.
- Note that most of the steps I used to install Wireguard for Mint came from this video: https://www.youtube.com/watch?v=knIV9TzcRjo
- If you prefer to read instead of watching, he has a step-by-step guide
- This site was also very helpful.
Installation
pfSense firewall
- First create a tunnel on your pfSense firewall if you haven't already done so (assuming that pfSense is your firewall/wireguard gateway)
- Add the Mint laptop as a new peer.
- Note: it won't let you save the peer without the public key. What I did here was copy the pfSense public key into the Mint public key as a temporary place-holder.
Linux Mint laptop
- Open a terminal window
sudo apt update
sudo apt install wireguard wireguard-tools
umask 077 && wg genkey > privatekey
umask 077 && wg pubkey < privatekey > publickey
- sudo nano /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <redacted>
Address = <redacted>
[Peer]
PublicKey = <redacted>
PresharedKey = <redacted>
Endpoint = <redacted>
AllowedIPs = <redacted>
pfSense Firewall
Now you have to go back into the pfSense firewall and edit the peer you created for the laptop. Specifically you need to replace the placeholder public key for the laptop peer with the one you generated on the laptop. Save, and you're ready to start the Wireguard VPN on the laptop.
Linux Mint laptop
Then I wanted a GUI "applet" that would allow me to control the tunnel and to see its state. I went to "Preferences" then "Applets", then clicked on the "Download" tab at the top. I then typed "Wireguard" in the search bar and clicked the download button to the right of the applet.
Before I could enable the applet, I had to type the following in a command prompt:
sudo setfacl -m u:$USER:rx /etc/wireguard
Now go back into the "Applets" control panel, find the "Wireguard" applet in the "Manage" tab and click the plus-sign button below it. You'll now have a gray icon at the bottom of your task bar that kind of looks like a figure 8. You can start and stop the VPN with this applet, but you have to type in your password each time.
Don't forget!
You have created sensitive keys in your home directory, and that's a bad place to keep them. I moved them to a sub-folder of the wireguard directory for safekeeping:
sudo mkdir /etc/wireguard/keys
sudo mv privatekey /etc/wireguard/keys/
sudo mv publickey /etc/wireguard/keys/
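As an added example (not part of the original write-up), this shell check lists files under /etc/wireguard, or any directory passed in, that contain key material and are accessible by group or other users. The function names, the placeholder key and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Matches a PrivateKey/PresharedKey config line, or a bare 44-character
# base64 key as written by `wg genkey`. Public keys share that bare format,
# so a loose publickey file is reported too and can be ignored on review.
WG_KEY_RE='^(PrivateKey|PresharedKey)[[:space:]]*=|^[A-Za-z0-9+/]{43}=$'

# Print key-bearing files under $1 whose mode grants any group/other bit.
# Returns 0 when there are none, 1 when at least one is found.
wg_audit() {
    dir=${1:-/etc/wireguard}
    hits=$(find "$dir" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec grep -lE "$WG_KEY_RE" {} + 2>/dev/null | sort)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Build a constructed sample tree (placeholder key, not a real one) and
# print its path.
wg_sample_tree() {
    d=$(mktemp -d) || return 1
    key=$(printf '%043d=' 0 | tr 0 A)
    mkdir "$d/keys"
    printf '[Interface]\nPrivateKey = %s\n' "$key" > "$d/wg0.conf"
    printf '%s\n' "$key" > "$d/keys/privatekey"
    printf 'tunnel notes, no key here\n' > "$d/notes.txt"
    chmod 644 "$d/wg0.conf" "$d/notes.txt"   # too open / harmless
    chmod 600 "$d/keys/privatekey"           # owner-only, as umask 077 gives
    printf '%s\n' "$d"
}

# Demo on the constructed tree: only wg0.conf is reported.
sample=$(wg_sample_tree)
wg_audit "$sample" || echo "tighten the files listed above with chmod 600"
rm -rf "$sample"
```

To check the real directory, call `wg_audit /etc/wireguard` from a root shell, since the key files are not readable by a normal user.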