Site-to-site VPN


How it works:

../../../attachments/Pasted image 20240512104440.png|1920

The Hetzner VM runs the NetBird management UI and manages both WireGuard configs on the OpenWrt VMs.
Without any port forwards it establishes a peer-to-peer connection between everyone (both sites and the Hetzner VM).
When this fails it falls back to a relay server, meaning all traffic flows through the Hetzner VM.
In our case this relayed connection type is too slow and too delayed.
To find out whether a connection is P2P or relayed we ran:

netbird status -d

Or we could immediately notice it from the ping: 0.9 ms --> 23 ms
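The check above can be scripted so a router can flag a fallback to relay without someone reading the whole status dump. The helper below is an added example and not part of the original notes; it reads the text of `netbird status -d` on stdin and lists every peer whose "Connection type" is "Relayed". The layout it assumes (an indented peer header line ending in ":" followed by indented "Key: value" lines) is an assumption that matches NetBird's detailed status output at the time of writing, and the sample status text is constructed, so check it against your own version before relying on it.

```shell
#!/bin/sh
# Added example, not from the original notes. BusyBox-compatible helpers that
# parse `netbird status -d` and report peers that are relayed instead of P2P.
# Assumed layout (labelled assumption): each peer is a line " <name>:" followed
# by indented "Key: value" lines, one of them "Connection type: P2P|Relayed".

# Print "<peer> <type>" for every peer found in the status text on stdin.
peer_connection_types() {
    awk '
        # a peer header is an indented line ending in ":" with no value
        /^ [^ ].*:$/ { peer = $0; sub(/^ +/, "", peer); sub(/:$/, "", peer); next }
        /Connection type:/ { type = $NF; print peer, type }
    '
}

# Print only the peers that are relayed; return 1 when there are none,
# so the function can be used directly in a cron job or an if-statement.
relayed_peers() {
    peer_connection_types | awk '$2 == "Relayed" { print $1; found = 1 }
                                 END { exit found ? 0 : 1 }'
}

# Constructed sample status output: two peers, the second one relayed.
SAMPLE_STATUS='Peers detail:
 openwrt-site-a.netbird.cloud:
  NetBird IP: 100.64.0.2
  Status: Connected
  -- detail --
  Connection type: P2P
  Direct: true
  Latency: 0.9 ms

 openwrt-site-b.netbird.cloud:
  NetBird IP: 100.64.0.3
  Status: Connected
  -- detail --
  Connection type: Relayed
  Direct: false
  Latency: 23 ms

Peers count: 2/2 Connected'

# On the router you would run:  netbird status -d | relayed_peers
printf "%s\n" "$SAMPLE_STATUS" | relayed_peers
```

Because `relayed_peers` returns non-zero when every peer is P2P, `netbird status -d | relayed_peers && logger "netbird peer relayed"` is enough to get a syslog line the moment the fast path is lost.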

Requirements:

Set up NetBird (peer) on OpenWrt

Set up NetBird (on OpenWrt)

opkg update
opkg install wireguard-tools
curl -fsSL https://pkgs.netbird.io/install.sh | sh
The NetBird build from the OpenWrt repos is broken: P2P will not work and it falls back to the slower relay server.

Connect to OpenWrt

Autostart:

../../../attachments/Pasted image 20240511170149.png

Now you can proceed with the commands from the NetBird UI to add OpenWrt as a peer.

Fix connection being relayed

Info

Relay in our case is very slow. Our NetBird instance is on a small VM which can't handle all the traffic.
Our Kubernetes goals can only be achieved with a fast peer-to-peer connection with little delay.

../../../attachments/Pasted image 20240511172321.png (on both ends of course)

../../../attachments/Pasted image 20240511173716.png

Hardening

I want no VPN peers to be able to access my home networks or any other networks besides the 192.168.80.0/24 net:

This cannot be done via zones (e.g. trying to block the syx 8 zone from accessing other interfaces), or it only works after rebooting OpenWrt.

Traffic Rule

../../../attachments/Pasted image 20240511202210.png
I found this method to be the easiest, although I don't know how efficient it is.
The source range is the entire CGNAT block.
WireGuard interfaces get their IPs from this block, so by blocking it WireGuard traffic can't reach another interface.

  • 100.64.0.0/10
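The traffic rule in the screenshot can also be expressed in OpenWrt's UCI config, which is easier to review and to copy to the second router. The block below is an added example and not the author's rule: it reconstructs the idea of matching on the source address 100.64.0.0/10 rather than on a zone (which is what the text describes), with one ACCEPT for the allowed 192.168.80.0/24 net placed before a catch-all REJECT, because OpenWrt evaluates rules top to bottom. The zone wildcard `*`, the rule names and the assumption that the allowed net is exactly 192.168.80.0/24 are mine; the `in_cgnat` helper is there to confirm the boundaries of the /10, since 100.64.0.0/10 covers 100.64.0.0 to 100.127.255.255 and not the whole of 100.0.0.0/8.

```shell
#!/bin/sh
# Added example, not from the original notes. Two parts:
#  1) in_cgnat: pure POSIX-sh test for "is this IPv4 address inside
#     100.64.0.0/10" (the shared-address/CGNAT block NetBird hands out to
#     WireGuard peers), so you can sanity-check what the rule will match.
#  2) apply_vpn_firewall_rules: UCI commands (assumed reconstruction, not the
#     author's exact rule) that allow VPN peers into 192.168.80.0/24 only.

# Return 0 when $1 (dotted quad) lies in 100.64.0.0/10, i.e. first octet 100
# and second octet 64..127 (a /10 leaves the top two bits of octet 2 fixed).
in_cgnat() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    if [ "$1" = 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
        return 0
    fi
    return 1
}

# Firewall rules via UCI. Rules are evaluated in order, so the ACCEPT for the
# one allowed subnet must come before the REJECT that covers everything else.
# src='*' / dest='*' mean "any zone": the match is on the source address, not
# the zone, which is what the traffic-rule approach above relies on.
apply_vpn_firewall_rules() {
    uci batch <<'EOF'
add firewall rule
set firewall.@rule[-1].name='vpn-allow-k8s-net'
set firewall.@rule[-1].src='*'
set firewall.@rule[-1].src_ip='100.64.0.0/10'
set firewall.@rule[-1].dest='*'
set firewall.@rule[-1].dest_ip='192.168.80.0/24'
set firewall.@rule[-1].proto='all'
set firewall.@rule[-1].target='ACCEPT'
add firewall rule
set firewall.@rule[-1].name='vpn-block-other-nets'
set firewall.@rule[-1].src='*'
set firewall.@rule[-1].src_ip='100.64.0.0/10'
set firewall.@rule[-1].dest='*'
set firewall.@rule[-1].proto='all'
set firewall.@rule[-1].target='REJECT'
commit firewall
EOF
    # apply without a reboot
    /etc/init.d/firewall reload
}

# Quick self-check of the range the rule will match (constructed addresses).
for ip in 100.64.0.1 100.127.255.254 100.128.0.1 100.63.255.254 192.168.80.1; do
    if in_cgnat "$ip"; then echo "$ip: matched by 100.64.0.0/10"; else echo "$ip: not matched"; fi
done
```

Run `apply_vpn_firewall_rules` once on each OpenWrt (the page notes the rule has to exist on both ends) and verify with `uci show firewall | grep vpn-` that the two rules are listed in that order; a forwarded packet from a peer to, say, a home LAN address is then rejected by the second rule while traffic to 192.168.80.0/24 still passes.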

Wildcard Dns Record

Just like with any dnsmasq, you can create wildcard records by editing /etc/dnsmasq.conf:

address=/.docker.phonkd.net/10.0.0.130

and running:

service dnsmasq restart

Setup static routes

For the peers to be able to reach each other we have to configure static routes:
../../../attachments/Pasted image 20240511212333.png
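The static route from the screenshot, written out as UCI so it can be reproduced on the other site, plus a check that the route really leaves through the tunnel device. This is an added example, not the author's configuration: it assumes NetBird's tunnel device is named wt0 (its default), that wt0 is wrapped in an unmanaged UCI interface called `netbird` so routes can refer to it, that the remote site's LAN is 192.168.81.0/24 and that the remote OpenWrt's NetBird address is 100.64.0.3. All four are hypothetical values, and the `ip route` sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Assumptions (labelled): tunnel device wt0, UCI interface 'netbird',
# remote LAN 192.168.81.0/24, remote router NetBird IP 100.64.0.3.

# Expose the tunnel device to UCI (proto none = netifd does not configure it,
# it only tracks it), then route the remote LAN via the remote router's
# NetBird address. Run on site A; mirror the values on site B.
add_site_route() {
    target=$1   # remote LAN, e.g. 192.168.81.0/24
    gateway=$2  # remote router's NetBird IP, e.g. 100.64.0.3
    uci batch <<EOF
set network.netbird=interface
set network.netbird.device='wt0'
set network.netbird.proto='none'
add network route
set network.@route[-1].interface='netbird'
set network.@route[-1].target='$target'
set network.@route[-1].gateway='$gateway'
commit network
EOF
    /etc/init.d/network reload
}

# Read `ip route` output on stdin and print the device used for prefix $1.
# Prints nothing and returns 1 when no route for that exact prefix exists,
# which is the usual cause of a one-way ping between the sites.
route_dev() {
    awk -v want="$1" '
        $1 == want { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); found = 1 } }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `ip route` on site A after the route was added.
SAMPLE_ROUTES='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2
100.64.0.0/16 dev wt0 proto kernel scope link src 100.64.0.2
192.168.80.0/24 dev br-lan proto kernel scope link src 192.168.80.1
192.168.81.0/24 via 100.64.0.3 dev wt0'

# On the router:  ip route | route_dev 192.168.81.0/24    (expect: wt0)
printf "%s\n" "$SAMPLE_ROUTES" | route_dev 192.168.81.0/24
```

If `route_dev` prints a device other than wt0, or nothing at all, the ping and iperf tests below will fail or take the default route instead of the tunnel; check `ip route` on both routers, since each side needs its own route to the other side's LAN.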

Ping:
../../../attachments/Pasted image 20240511212417.png
../../../attachments/Pasted image 20240511212433.png

Iperf:

../../../attachments/Pasted image 20240511213023.png
Note: even though we have 10 Gbit/s, I have a one-gig card.