Is system-level wireguard still coming?

qwerty00

Cadet
Joined
Sep 15, 2022
Messages
4
I saw mentions about wireguard on a system level and not just an app sidecar earlier this year but haven't seen any appropriate ticket in the latest beta. Is it still planned?
 

Mixel

Explorer
Joined
Jan 11, 2014
Messages
50
Would be interesting indeed! But, for me, some graphical presentation of iptables rule setting is also high on the wishlist. If you have a VPN, is internet traffic pushed over the standard gateway? Can VPN clients ping LAN clients? And can they ping the clients on the ix-systems (=apps) subnet?

At this point, it's very unclear and difficult to set up this networking part.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
We already offer a TailScale App that adds a TailScale interface to the host and are working on evaluating our wg-easy and wireguard apps for the same usecase :)
 

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
I guess my first question is, why would you want your NAS also acting as a VPN server? Your NAS should be nowhere near internet accessible, let alone being an endpoint for a VPN server with NAT rules going into it. (I may be biased because I already run a pfSense box.)
 

systract

Dabbler
Joined
Oct 7, 2022
Messages
32
I mean, if you have a VPN server setup in the LAN, your NAS is already internet accessible.

I think system-level wireguard is a good idea because normally the NAS is the last piece of equipment that goes offline (except the router, of course).
 

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
systract said:
I mean, if you have a VPN server setup in the LAN, your NAS is already internet accessible.

I think system-level wireguard is a good idea because normally the NAS is the last piece of equipment that goes offline (except the router, of course).

Not necessarily. It is not "directly" internet accessible, as in your NAS itself isn't publishing itself as available on the public internet on a public IP via NAT rules for the world to scan every day and discover (and potentially reveal info of what it is, TrueNAS OS or something else).

pfSense is designed around security as a perimeter device; TrueNAS, not likely as much, it is a NAS OS at its core.

If you run a VPN server within your network on another VM or system, sure, it could be compromised and someone now can get access to your internal LAN, but that does not mean they can get into your NAS, if it is set up properly and secured.

Security is all about layers and segmentation to make it harder to be compromised. For me, putting your NAS out there, even if open to only 1 port, allows someone to find a potential exploit within the implementation of OpenVPN and get into the OS layer, which can cause far more damage, and say goodbye to your entire NAS possibly.

Sounds extreme, but it is not a matter of if, but when for all of this lovely tech we rely on.
 

Glowtape

Dabbler
Joined
Apr 8, 2017
Messages
45
In SOHO scenarios, it's more about already having a server platform and consolidating services.

In that case, it'll likely sit behind a NAT router, with a single UDP port forward to the NAS WireGuard port, which by nature silently drops all packets it can't decrypt or authenticate.
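To make the questions in this thread concrete (does VPN traffic go out the normal gateway, can peers reach the LAN, can they reach the apps subnet), here is an added example of the setup just described: a WireGuard server config on the NAS behind a single UDP port forward, with firewall rules that let peers reach the LAN only, plus a split-tunnel client config. This is not TrueNAS or TrueCharts configuration; subnets, interface names, hostnames and keys are placeholders.

```ini
# Server side, e.g. /etc/wireguard/wg0.conf on the NAS (path and values assumed)
# Requires net.ipv4.ip_forward=1 on the host. The router forwards UDP 51820 only;
# WireGuard answers nothing on that port unless the handshake authenticates.
[Interface]
Address    = 10.8.0.1/24              # tunnel subnet (placeholder)
ListenPort = 51820                    # the one forwarded UDP port
PrivateKey = <SERVER_PRIVATE_KEY>     # placeholder, generate with: wg genkey
# Forwarded traffic arriving from the tunnel may reach the LAN only.
# Anything else (internet, the apps subnet, other tunnel peers) is dropped,
# so the explicit DROP matters even if the FORWARD policy is ACCEPT.
PostUp   = iptables -A FORWARD -i %i -d 192.168.1.0/24 -j ACCEPT
PostUp   = iptables -A FORWARD -i %i -j DROP
PostUp   = iptables -A FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts reply to the NAS address, so no route for 10.8.0.0/24 is needed on them.
PostUp   = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -d 192.168.1.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j DROP
PostDown = iptables -D FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# One laptop. AllowedIPs here is also the source filter: packets from this
# peer with any other source address are discarded by WireGuard itself.
PublicKey  = <LAPTOP_PUBLIC_KEY>      # placeholder
AllowedIPs = 10.8.0.2/32

# ---------------------------------------------------------------------------
# Client side (the laptop). AllowedIPs decides what goes into the tunnel:
# listing only the tunnel and LAN ranges keeps internet traffic on the
# client's own gateway. 0.0.0.0/0 instead would push everything via the NAS,
# which the server rules above would then drop.
[Interface]
Address    = 10.8.0.2/32
PrivateKey = <LAPTOP_PRIVATE_KEY>     # placeholder

[Peer]
PublicKey           = <SERVER_PUBLIC_KEY>     # placeholder
Endpoint            = vpn.example.net:51820   # placeholder public name/IP
AllowedIPs          = 10.8.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25                      # keeps the NAT mapping open
```

With these rules a peer can ping LAN hosts but not the apps subnet, because nothing outside 192.168.1.0/24 is accepted in FORWARD; adding a second ACCEPT line for the apps CIDR is the deliberate change that would open it.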
 

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
Def, so will throw in some advice: if you can afford to build a TrueNAS box, build out a small pfSense box as well, use some VLANs, get some pfBlocker going and feel that much safer!
 