by ghostpepper 897 days ago
Would love to hear more about how you provision wireguard. I have a simple VLAN setup where I can open a tunnel from my "guest/home" network to my "lab" network (i.e. docker hosts, desktop PCs that I use for development, etc.) and a second tunnel from the lab network to the network that can access mgmt interfaces, however it's all mostly manual (i.e. sudo wg-quick up in a terminal).

Somewhat related -- with the project I work on, https://github.com/spr-networks/super, we do support wireguard peers (and also support combining that wireguard identity with a wifi peer identity as well).

Devices are provisioned by assigning or generating a wireguard keypair in the API.

Next the peers are routed together by policy and by default can't access one another. There's support for bidirectional network groups or one-way firewall rules with NAT.

One area of improvement is multicast support with wireguard, it's doable, just not ready yet.

Tailscale. It's Wireguard under the hood but with a company doing good UX on top.

I'm familiar with Tailscale but could you provide more detail on how to use it as an authentication method?

The two ways I see:

On my home server, only allow incoming connections from the Tailnet. However, this seems lockout prone.

Or I could create a VLAN and put all hardwired devices in it. All running Tailscale. But this wouldn’t cover securing my laptop (has to be on WiFi in my situation). This still seems lockout prone?

Additionally, the router is still exposed “normally” and can be compromised without requiring VPN access

Sorry if this post is a bit of a mess. Thanks.

Maybe they expose the wireguard port through the firewall and VPN into a flat management network.

For most stuff I've been comfortable with having my OPNsense gateways be trusted points, which has struck a reasonable balance for me between convenience, security, and compatibility. So I Wireguard into that, and from there it's normal firewall and routing in one place, with the ability to lean on hardwired subnets or VLANs so that the universe of old sensitive appliance things (like UPS interfaces) can still be reached. I have site to site wg tunnels between gateways as well. For LAN usage going through a central point has generally not been a significant performance burden; the only thing I have personally that is both very demanding and secure is iSCSI, and there I've gone to the trouble of just physically isolating it. Going through a point also means there isn't much in the way of provisioning to do: each client just needs the single WG to the gateway for all (or most) traffic and that's it. Most stuff can be provisioned with ansible; for a few mobile clients, though, I just use QR codes manually. I should really try to figure out if Wireguard can be provisioned on iOS/Android with MDM but that's been a backburner so far.

I've started to play around with having some things go exclusively into a Nebula mesh with OPNsense only running a lighthouse, but it's more work and rougher. And unlike WG to the gateway and leaning on VLANs for some older kit, really putting everything behind a virtual network they don't natively support requires sticking a translator between them and the rest of the network. Fun to play with a little and the potential is cool, but I don't think there are any prebaked options as smooth and cheap as would be ideal for that, and I suspect the ROI there at my level is getting pretty dang low. IPMI access is the main place I think might be worth it since that's just so sensitive yet simultaneously so useful in resolving issues all while having extremely mediocre security on its own.

Whereas WG to the gateway does leave the gateway as a point of failure, but I'm depending on that to a significant degree for now anyway. And it is fast, simple, reliable, easy to manage/reason about, and eliminates layer 2 auth from the picture entirely. Don't have to worry about someone plugging into some open ethernet port either, for example, and any necessary effort to secure those, not just WiFi. Threats may evolve but hopefully the options we have to combat them evolve in concert to some degree. Lots of other HNers are vastly more experienced in this than me, and I'm not unaware of some of the potential failure points, but it's hard sometimes to figure out how to balance risk vs resources we have to spend on them (not just money but time).

Also there are other good gateway/firewall options like VyOS, or just working directly off your favorite flavor of Linux or OpenBSD or whatever, that might fit your needs/preferences/tooling better than OPNsense. I don't mean to suggest that it is the best choice, it's just what I've settled in on as a good balance of other values.
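The hub-and-spoke layout in the comment above (one WireGuard tunnel per client to the gateway, with the lab and mgmt subnets reached through it) and the policy-routed peers mentioned earlier in the thread, as an added example that is not code from any commenter or from the super project: a generator for the gateway's and each client's wg-quick config that pins every peer to a single /32 and hands a client routes only to the subnets its policy grants. All keys, subnets, addresses and the endpoint are constructed placeholders; real keys come from `wg genkey` / `wg pubkey`.

```python
"""Hub-and-spoke WireGuard config generator (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

SUBNETS = {"lab": "10.10.0.0/24", "mgmt": "10.20.0.0/24"}  # constructed

@dataclass
class Peer:
    name: str
    pubkey: str               # placeholder for the peer's public key
    tunnel_ip: str            # this peer's address inside the overlay
    reach: list = field(default_factory=list)  # subnet names it may route to

def gateway_config(gw_tunnel_net, port, peers):
    """Gateway side: each peer gets exactly its own /32 in AllowedIPs, so it
    cannot source traffic from another peer's overlay address. A reused address
    is an error: WireGuard would silently move it to the last [Peer] loaded."""
    net = ipaddress.ip_network(gw_tunnel_net)
    seen = {net[1]}  # gateway takes the first host address
    out = ["[Interface]", f"Address = {net[1]}/{net.prefixlen}",
           f"ListenPort = {port}", "PrivateKey = <gateway private key>"]
    for p in peers:
        ip = ipaddress.ip_address(p.tunnel_ip)
        if ip in seen or ip not in net:
            raise ValueError(f"{p.name}: tunnel address {ip} invalid or reused")
        seen.add(ip)
        out += ["", f"# {p.name}", "[Peer]", f"PublicKey = {p.pubkey}",
                f"AllowedIPs = {ip}/32"]
    return "\n".join(out)

def client_config(gw_pub, gw_endpoint, gw_tunnel_net, peer):
    """Client side: AllowedIPs = overlay net plus only the granted subnets, so a
    mgmt route never appears on a client that is not entitled to it."""
    unknown = set(peer.reach) - set(SUBNETS)
    if unknown:
        raise ValueError(f"{peer.name}: unknown subnet(s) {sorted(unknown)}")
    allowed = [gw_tunnel_net] + [SUBNETS[n] for n in peer.reach]
    return "\n".join([
        "[Interface]", f"Address = {peer.tunnel_ip}/32",
        "PrivateKey = <client private key>", "", "[Peer]",
        f"PublicKey = {gw_pub}", f"Endpoint = {gw_endpoint}",
        f"AllowedIPs = {', '.join(allowed)}", "PersistentKeepalive = 25"])

if __name__ == "__main__":  # constructed inventory: laptop gets lab only
    peers = [Peer("laptop", "LAPTOP_PUB=", "10.99.0.2", ["lab"]),
             Peer("admin", "ADMIN_PUB=", "10.99.0.3", ["lab", "mgmt"])]
    print(gateway_config("10.99.0.0/24", 51820, peers))
    print(client_config("GW_PUB=", "vpn.example.net:51820", "10.99.0.0/24", peers[0]))
```

The gateway still needs its own firewall rules between the overlay and the lab/mgmt subnets; client-side AllowedIPs only controls what the client routes into the tunnel, not what the gateway will forward.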