https://homelab.nbkelley.com/tags/wireguard/ Recent content in Wireguard on homelab Hugo en Fri, 01 May 2026 00:00:00 +0000 https://homelab.nbkelley.com/docs/services/gluetun-vpn/ Fri, 01 May 2026 00:00:00 +0000 https://homelab.nbkelley.com/docs/services/gluetun-vpn/ <h1 id="gluetun-vpn-service">Gluetun VPN Service<a class="anchor" href="#gluetun-vpn-service">#</a></h1> <h2 id="what-was-established">What Was Established<a class="anchor" href="#what-was-established">#</a></h2> <ul> <li><strong>Gluetun</strong> is a lightweight Docker container acting as a dedicated VPN gateway for other containers.</li> <li>Implements the <strong>sidecar pattern</strong>: dependent containers (e.g., qBittorrent, nzbget, prowlarr) share Gluetun&rsquo;s network namespace via <code>network_mode: &quot;service:gluetun&quot;</code>.</li> <li>AirVPN selected as the provider over ProtonVPN/Mullvad due to superior port forwarding support required for P2P services.</li> <li>Container-level VPN on the servarr VM is architecturally separate from the network-level UniFi VPN on Helms Deep (VLAN 2).</li> </ul> <h2 id="deployment-context">Deployment Context<a class="anchor" href="#deployment-context">#</a></h2> <p>Gluetun runs on the <strong>servarr VM</strong> (<code>192.168.1.112</code>) as part of the Servarr Docker Compose stack at <code>/docker/servarr/</code>. It is configured via <code>.env</code> file in that directory.</p> https://homelab.nbkelley.com/docs/networking/unifi-express-vpn/ Thu, 30 Apr 2026 00:00:00 +0000 https://homelab.nbkelley.com/docs/networking/unifi-express-vpn/ <h1 id="unifi-express-vpn--network-management">UniFi Express VPN &amp; Network Management<a class="anchor" href="#unifi-express-vpn--network-management">#</a></h1> <h2 id="what-was-established">What Was Established<a class="anchor" href="#what-was-established">#</a></h2> <ul> <li>Methodology for configuring ProtonVPN WireGuard on UniFi Express.</li> <li>Kill switch implementation to prevent IP/DNS leaks when the VPN drops.</li> <li>Best practices for managing Netgear managed switches via dedicated subnets and secure ports.</li> </ul> <h2 id="key-decisions">Key Decisions<a class="anchor" href="#key-decisions">#</a></h2> <ul> <li><strong>WireGuard Protocol</strong>: Selected over OpenVPN for superior speed and efficiency on UniFi Express.</li> <li><strong>Kill Switch Pattern</strong>: Default-deny WAN traffic; only allow forwarding through the <code>wg0</code> interface.</li> <li><strong>Netgear Management</strong>: Restrict switch web GUI access to a dedicated management VLAN/subnet using HTTPS.</li> </ul> <h2 id="current-configuration">Current Configuration<a class="anchor" href="#current-configuration">#</a></h2> <ul> <li><strong>VPN Client</strong>: ProtonVPN (WireGuard)</li> <li><strong>Endpoint</strong>: <code>us-123.protonvpn.net:51820</code> (example high-speed server)</li> <li><strong>ProtonVPN DNS</strong>: <code>10.2.0.1</code></li> <li><strong>Allowed IPs</strong>: <code>0.0.0.0/0</code> (full tunnel)</li> <li><strong>Netgear Switch Management Ports</strong>: <ul> <li>HTTP: <code>80</code> (insecure, avoid)</li> <li>HTTPS: <code>443</code> (secure web GUI)</li> <li>SSH: <code>22</code> (CLI access)</li> <li>SNMP: <code>161</code> (monitoring)</li> </ul> </li> </ul> <h2 id="historical-notes">Historical Notes<a class="anchor" href="#historical-notes">#</a></h2> <ul> <li>Conversation dated 2025-04-14.</li> <li>Gateway device referred to as UniFi Express (infrastructure list notes &ldquo;UCG Express &lsquo;Olorín&rsquo; at 192.168.1.1&rdquo;).</li> <li>Netgear MS308E is the managed switch in the homelab.</li> <li>Kill switch and DNS leak prevention rely on <code>iptables</code>/<code>nftables</code> or UniFi OS firewall rules.</li> </ul> <h2 id="open-questions">Open Questions<a class="anchor" href="#open-questions">#</a></h2> <ul> <li>Does UniFi Express support native WireGuard kill switch in the GUI, or is manual CLI firewall configuration required?</li> <li>Specific UniFi OS version and exact GUI paths for VPN/kill switch implementation.</li> <li>Whether split tunneling is needed for specific homelab services.</li> </ul> <h2 id="related-pages">Related Pages<a class="anchor" href="#related-pages">#</a></h2> <ul> <li><a href="https://homelab.nbkelley.com/docs/infrastructure/network/">Network Infrastructure &amp; VLANs</a></li> <li><a href="https://homelab.nbkelley.com/docs/networking/vlan_setup/">VLAN Configuration: OPNsense &amp; Netgear MS308E</a></li> <li><a href="https://homelab.nbkelley.com/docs/security/cloudflare_integration/">Cloudflare Integration: SSL &amp; DNS</a></li> </ul> <p><a href="https://homelab.nbkelley.com/docs/services/uptime-kuma/">Uptime Kuma - Configuration &amp; Integrations</a></p>