[Noob Question] Access home network through public Wifi w/ WireGuard safe?

I understand this is an absolute noob question, but bear with me as I’m fairly new to the world of VPN ‘self’ hosting.

I have set up WireGuard mainly to access my NextCloud without exposing the address outside my network, but it got me thinking: can this setup replace a ‘regular’ paid VPN? Am I safe using WireGuard to access my home network through any public wifi without risk?

Thanks!

WireGuard is just a protocol; some VPN providers use WireGuard behind the scenes in their apps.

The biggest misunderstanding with VPNs is who can see your traffic.

Only people AFTER your endpoint can see. So if you are at Starbucks, using WireGuard to connect home and then accessing your Nextcloud hosted at home, no one can see shit.

However, if you are at Starbucks, VPN'd home, everything between you and your home is locked and hidden, but as soon as you leave that tunnel (say, going to reddit.com), sure, Starbucks won't see that, but your home ISP can.

This is the same with a commercial VPN provider: between you and the VPN it is locked down and private, but anything PAST the tunnel (like the VPN's ISP) can see everything after that.

So basically, where your trust lies PAST your tunnel is where you want your tunnel. For me, I'm NOT in the USA, so I do not fall under their laws; my ISP is a premium provider, and part of that extra cost is that they DON'T want my data, and I trust that (they are a small provider). They also don't fuck with my traffic, so that's nice (no throttling of anything; I can get 500 Mbit on Steam, torrents or Reddit, they don't care). I trust my ISP more than I do a commercial VPN provider, so for me, I host my own WireGuard server at home and use it when I need a VPN. I also have a DNS-only WireGuard profile on my phone that only routes DNS traffic home, so my DNS requests go through Pi-hole and I have an ad blocker on my phone, but still get full-speed access through 4G/5G. I still have a commercial VPN provider; I purchased a 40-year licence with Hotspot Shield for like $150 6 years ago. So I have that and have it installed, but I rarely use it. Maybe a couple of times a year. If I didn't have that 40-year licence I wouldn't purchase a VPN.

Again, I only do this because I trust my ISP. You have to trust someone and that’s who I trust.

As for the risk factor: everything in between you and your VPN is safe, regardless of the VPN provider. Be it self-hosted WireGuard, self-hosted OpenVPN, some paid provider, whoever your employer's VPN is, it doesn't matter; anyone sharing Starbucks' network is seeing fuck all. Unless you publicly post your keys (don't do that; blank those out when asking for help).

Nothing connected to the internet is without risks, but in your case the risks would be low, provided it's only WireGuard's port you're giving open network access to from the internet.

“can this setup replace a ‘regular’ paid VPN?”

Sure can! NordLynx servers, for example, use WireGuard; pretty sure their "CyberSec" option was just Pi-hole modified to some extent. Most of their other servers are using the older but more feature-rich OpenVPN. So yes, you can use a VPS server or whatever meets your resource needs to make your own VPN tunnel.

And yeah, if you get familiar with a firewall like iptables, you can do stuff like lock it down as tight as you want, including even deep packet inspection on your own tunnel packets before they leave the machine.

Well, they don't need DPI for that, though.

Damn that was extremely informative! Thanks for taking the time to explain this in detail.

Hello there! I found the OP's post, and your answer was so helpful to me, so thank you!
I have 2 questions and I hope you can help me with them.

I have a Pi-hole set up at home and PiVPN access that I use on all public Wi-Fis, but I saw that you have a WireGuard profile that only routes DNS traffic. How did you do that? Can you provide me with a link to the process, or what can I search on Google to learn how to set up such a profile?

My second question: what would you do if you don't trust your ISP? I have a hard time trusting commercial VPNs, and of course I don't trust my ISP, so what is a possible way to have privacy from my ISP without giving it away to a commercial VPN provider?

What a brilliant post, thanks so much!

I'm thinking of setting up a WireGuard server on my QNAP NAS, and this explains things perfectly. What I'm doing between wherever I am and the NAS is untraceable; however, what I access from the NAS is traceable and can be seen, e.g. going to Reddit through the NAS.

Thanks, I’ll give iptables a look!

Routing just DNS is very easy.

Follow any WireGuard guide; once you have the profile loaded on your phone/laptop, change the allowed IPs to your Pi-hole. For me, I have 2 Pi-holes:

10.1.1.5

10.1.1.11

So in my allowed IPs I changed it to

10.1.1.5/32, 10.1.1.11/32

I also have a "Split DNS" profile, which is exactly the same thing, but the allowed IPs are

10.1.1.0/24

Either profile will run my DNS traffic through my Pi-holes, but my "Split DNS" profile allows me to access everything at home while my internet is still routed outside the VPN.

I just imported the same profile on my phone 3 times and changed the allowed IPs to make 3 profiles (Full, Split, DNS only).

As far as your endpoint is concerned, you need to pick the lesser of the evils. What you could do is spin up a VPS, a virtual server in, say, Google Cloud, Oracle, Linode or OVH; take your pick.

Install your OS of choice (personally I'm an Ubuntu Server guy), install WireGuard, and done.

VPS plans are typically based on resources (CPU, RAM, SSD/HDD capacity); WireGuard needs basically nothing. If you only have a handful of clients, say your phone and laptop, you can get away with the cheapest plan. Just make sure that if there are data limits you are aware of those.

But after spewing all this: what are you trying to hide? (I say that in a technical sense, vs. the "I have nothing to hide, so why hide it".)

It's worth noting that most websites and services are HTTPS, so no one except you and the content provider knows what that content is. Are you trying to hide from Google or Facebook? Because a VPN won't help with that. Just worth asking that question before jumping down the rabbit hole.

So maybe start simple? Get your feet wet. Grab a Raspberry Pi or old laptop and set up WireGuard and Pi-hole on it. Go one step further and run Unbound so your DNS doesn't leave your network. Your home ISP can see the IP addresses visited and, if they have this in place (but I doubt many do, due to cost), sniff the packets. But remember, most stuff is HTTPS.
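The three-profile trick above (Full, Split, DNS only) is entirely a matter of what goes on the AllowedIPs line of the client config. The script below is an added example, not code from the thread or from the WireGuard project: it takes one base wg-quick client profile and emits the three variants by rewriting AllowedIPs, using the commenter's Pi-hole addresses 10.1.1.5 and 10.1.1.11. It also adds the check a practitioner wants before loading the DNS-only profile: every resolver on the DNS= line must fall inside some AllowedIPs prefix, otherwise the phone's DNS queries are not routed into the tunnel at all (they fail, or go out over the untrusted Wi-Fi). The base profile, its tunnel address 10.8.0.2/32, the endpoint vpn.example.net:51820 and the key placeholders are constructed for the example.

```python
"""Generate Full / Split / DNS-only WireGuard client profiles from one base
profile by rewriting AllowedIPs, and verify the DNS servers stay in the tunnel.
Added example; not from the original thread. Addresses and endpoint are assumed."""
import ipaddress
from typing import Dict, List

# Constructed base profile. Keys are placeholders, never paste real keys anywhere.
BASE_PROFILE = """[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32
DNS = 10.1.1.5, 10.1.1.11

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

# The three variants described in the thread: only AllowedIPs differs.
PROFILES: Dict[str, List[str]] = {
    "full": ["0.0.0.0/0", "::/0"],          # everything through the tunnel
    "split": ["10.1.1.0/24"],                # whole home LAN, internet stays local
    "dns-only": ["10.1.1.5/32", "10.1.1.11/32"],  # just the two Pi-holes
}


def _values(text: str, key: str) -> List[str]:
    """Collect the comma-separated values of a wg-quick key (case-insensitive)."""
    out: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        k, v = (part.strip() for part in line.split("=", 1))
        if k.lower() == key.lower():
            out.extend(item.strip() for item in v.split(",") if item.strip())
    return out


def set_allowed_ips(text: str, cidrs: List[str]) -> str:
    """Return the profile with its AllowedIPs line replaced by the given prefixes."""
    for cidr in cidrs:
        # strict=True rejects host bits set in a prefix, e.g. "10.1.1.5/24"
        ipaddress.ip_network(cidr, strict=True)
    new_line = "AllowedIPs = " + ", ".join(cidrs)
    lines: List[str] = []
    replaced = False
    for line in text.splitlines():
        if line.split("=", 1)[0].strip().lower() == "allowedips":
            lines.append(new_line)
            replaced = True
        else:
            lines.append(line)
    if not replaced:
        raise ValueError("profile has no AllowedIPs line in its [Peer] section")
    return "\n".join(lines) + "\n"


def uncovered_dns(text: str) -> List[str]:
    """DNS servers from DNS= that no AllowedIPs prefix routes into the tunnel.

    A non-empty result means the resolver is set to a Pi-hole but queries to it
    would leave via the untrusted network instead of the WireGuard interface."""
    nets = [ipaddress.ip_network(c, strict=False) for c in _values(text, "AllowedIPs")]
    leaks: List[str] = []
    for server in _values(text, "DNS"):
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            continue  # wg-quick also allows search domains on the DNS= line
        # "in" is False across address families, so ::/0 does not cover an IPv4 resolver
        if not any(ip in net for net in nets):
            leaks.append(str(ip))
    return leaks


def build_profiles(base: str = BASE_PROFILE) -> Dict[str, str]:
    """Emit all variants, refusing any whose DNS servers would bypass the tunnel."""
    profiles = {name: set_allowed_ips(base, cidrs) for name, cidrs in PROFILES.items()}
    for name, text in profiles.items():
        bad = uncovered_dns(text)
        if bad:
            raise ValueError(f"{name}: DNS servers outside AllowedIPs: {bad}")
    return profiles


if __name__ == "__main__":
    for name, text in build_profiles().items():
        print(f"# --- {name} ---\n{text}")
```

Import each emitted profile as its own tunnel in the phone app, exactly as the commenter did; the DNS-only one adds a route only for the two /32s, so every other packet still uses the carrier's default route. The same check catches the common mistake of later moving a Pi-hole to a new address and forgetting to update AllowedIPs.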

Thank you for the detailed reply.
To answer your question, I'm not trying to hide from Facebook or Google, because it's impossible; I just try to not use them when possible. I'm simply trying to hide my traffic from my ISP; I don't like the idea that my ISP can simply see my traffic, know what I'm doing on the internet, and sell my data.
But I also worry about VPN data breaches.
I already have a Pi-hole set up at home with Unbound; I also VPN into my home network to block ads.
After doing a lot of research, it seems like the safest bet for my use case is Proton VPN. I trust their service more than other VPN providers, and in the end I don't think my life depends on my data being hidden. For now I will stick to using Proton VPN on my personal devices and keeping the Pi-hole running on my home network. I will look into VPS options when time allows!