Is there a difference if you run WireGuard on a router compared to a regular device? I am genuinely wondering since I am planning on setting up a homelab soon and was wondering if I should factor this in.
If you run it on your router, your routing will probably be simpler.
I like it so that I can give my WireGuard peers a routable IP for the other non-WireGuard clients.
You don’t have to install WireGuard on individual devices and maintain configuration everywhere. Plus, to run it on devices like a TV, a VPN router is the best choice.
You can shield your entire home using one license. Thermostats. Smart TVs. Roombas. They can’t run a VPN natively. They all feed data back to their own companies, but this makes it more anonymous.
I prefer having the VPN on the router as it makes all the rules / route etc easier for me to configure.
And also one less device to worry about.
In my previous company we weren’t running our VPNs on our routers.
Our VPN use case was the roadwarrior case exclusively, enabling coworkers to access the corporate LAN from outside.
We had 3 different VPN techs (IPsec, OpenVPN, WireGuard), which had their own gateways on the LAN. On the router side, we had to set up port redirection to these gateways, plus one route for traffic from LAN to VPN and asymmetric routing.
For example, if the LAN is 192.168.0.0/16 and the VPN is 10.0.0.0/16, and a user from outside using the VPN (let’s say 10.0.0.10) wants to reach a local resource at 192.168.0.100, the incoming traffic can go through without problem, but the traffic back to the user is problematic without further configuration. Indeed, 192.168.0.100, wanting to respond to 10.0.0.10, will then use its own default route (that is to say the router), which has to know where the traffic to 10.0.0.0/16 should go.
Also notice that the traffic journey here is a bit peculiar. Here is what it’s like for a simple TCP connection initiated by the external user:
- External user (VPN 10.0.0.10) sends a TCP packet to 192.168.0.100 using the VPN.
- Main router (LAN 192.168.0.1) receives the encrypted packet and sends it to the VPN gateway using the port forwarding rule.
- VPN gateway (VPN 10.0.0.1 / LAN 192.168.0.10) decrypts the packet and sends it to the local resource.
- Local resource (LAN 192.168.0.100) receives the packet and sends an ACK packet to the user (10.0.0.10). It doesn’t find this network in its routing table, so it addresses it to the default gateway (192.168.0.1).
- Main router receives the cleartext packet, sees the target address 10.0.0.10, and routes it to the VPN gateway (192.168.0.10).
- Finally the VPN gateway receives the packet, encrypts it and sends it to the user.
Notice that at step 2, the main router sees only encrypted data, so it has no way to match it with the packet it receives at step 5. This is asymmetric traffic: the outgoing traffic follows a different path than the incoming traffic. This isn’t bad in itself, but you have to understand what you’re doing.
To conclude on this way too long story, it would probably have been easier for everybody to configure the VPN on the main router.
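As an added illustration of the walk-through in the post above (my own toy model, not code from the thread): the script below gives each host a routing table with longest-prefix matching and traces where the cleartext request and the reply actually go, with and without the static route for 10.0.0.0/16 on the main router. It also goes one step beyond the post with a masquerade variant, where the gateway SNATs tunnel traffic to its own LAN address, which removes the asymmetry at the cost of hiding the user's VPN address from the server. The addresses are the post's; the host names and the upstream address 203.0.113.1 are assumptions.

```python
"""Toy model of the forwarding path described in the post above.

Added example, not code from the thread. Addresses follow the post (LAN
192.168.0.0/16, VPN 10.0.0.0/16, main router 192.168.0.1, VPN gateway
192.168.0.10 with tunnel address 10.0.0.1, local resource 192.168.0.100,
road warrior 10.0.0.10); the upstream hop 203.0.113.1 and the host names
are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (prefix, next_hop); next_hop None means "directly connected".
Route = Tuple[str, Optional[str]]
Tables = Dict[str, List[Route]]

# Which host owns which address; the tunnel address 10.0.0.1 lives on the gateway.
OWNERS: Dict[str, str] = {
    "10.0.0.10": "user",
    "192.168.0.1": "router",
    "192.168.0.10": "vpngw",
    "10.0.0.1": "vpngw",
    "192.168.0.100": "server",
    "203.0.113.1": "isp",  # constructed: the main router's upstream next hop
}


def build_tables(router_has_vpn_route: bool) -> Tables:
    """Routing tables of every host. The only knob is the static route
    10.0.0.0/16 via 192.168.0.10 on the main router that the post mentions."""
    router: List[Route] = [("192.168.0.0/16", None), ("0.0.0.0/0", "203.0.113.1")]
    if router_has_vpn_route:
        router.insert(0, ("10.0.0.0/16", "192.168.0.10"))
    return {
        # Road warrior: AllowedIPs covers the LAN, reached through the tunnel.
        "user": [("10.0.0.0/16", None), ("192.168.0.0/16", "10.0.0.1")],
        "router": router,
        "vpngw": [("10.0.0.0/16", None), ("192.168.0.0/16", None),
                  ("0.0.0.0/0", "192.168.0.1")],
        "server": [("192.168.0.0/16", None), ("0.0.0.0/0", "192.168.0.1")],
        "isp": [],  # a private destination that gets here is discarded upstream
    }


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way the kernel FIB selects a route."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, Route]] = None
    for route in table:
        net = ipaddress.ip_network(route[0])
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route)
    return best[1] if best else None


def trace(tables: Tables, src_host: str, dst: str, max_hops: int = 8) -> List[str]:
    """Hosts the cleartext packet passes through until it is delivered or lost.
    The encrypted outer packet (DNATed by the main router on the way in) is not
    modelled; that is exactly why the router does not appear on the forward path."""
    path, host = [src_host], src_host
    for _ in range(max_hops):
        if OWNERS.get(dst) == host:
            return path  # delivered
        route = lookup(tables[host], dst)
        if route is None:
            return path + ["(no route)"]
        next_hop = route[1] if route[1] is not None else dst
        host = OWNERS.get(next_hop, "(unknown)")
        path.append(host)
        if host in ("isp", "(unknown)"):
            return path  # left the LAN with a private destination: lost
    return path + ["(loop)"]


def is_symmetric(forward: List[str], back: List[str]) -> bool:
    """True when the reply retraces the request's path hop for hop."""
    return list(reversed(forward)) == back


def return_path_with_masquerade(tables: Tables) -> List[str]:
    """Alternative the post does not use: the gateway SNATs tunnel traffic to its
    own LAN address, so the server replies to 192.168.0.10 and the main router
    needs no route at all. Symmetric, at the cost of the server no longer seeing
    the user's real 10.0.0.x address."""
    to_gateway = trace(tables, "server", "192.168.0.10")
    back_to_user = trace(tables, "vpngw", "10.0.0.10")
    return to_gateway + back_to_user[1:]


if __name__ == "__main__":
    for has_route in (False, True):
        t = build_tables(has_route)
        fwd = trace(t, "user", "192.168.0.100")
        back = trace(t, "server", "10.0.0.10")
        print(f"route on main router: {has_route}")
        print(f"  request : {' -> '.join(fwd)}")
        print(f"  reply   : {' -> '.join(back)}  symmetric={is_symmetric(fwd, back)}")
    print(f"with masquerade on gateway: {' -> '.join(return_path_with_masquerade(t))}")
```

Without the static route the reply follows the main router's default route upstream and is lost; with it, the reply passes through router and gateway while the request only passed through the gateway, which is the asymmetry the post describes. The practical consequence is that a stateful firewall on the main router never sees the request, so it may treat the reply as an unsolicited new flow unless the rules allow it. The masquerade variant avoids that, but the local resource then logs the gateway's address instead of the user's, which matters if you audit who accessed what.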
A router is a network device which forwards packets between different networks. This means that a WireGuard gateway, i.e. a machine which forwards packets from other hosts in your LAN via the tunnel, becomes a router.
And having multiple routers in your network can cause problems if you use a home router as the main router. Home routers usually lack the more advanced features needed to connect a second router, at least if you want to avoid double NAT. To connect a second router without NAT you need to add (static) routes on the main router, and the main router needs to apply NAT to traffic from the second router destined for the Internet. And it’s an advantage if the main router supports multiple (V)LANs, since then you can have a separate (V)LAN for routers. If you connect multiple routers to your regular LAN, it can cause asymmetric routing when devices in the LAN only know about one router but may also receive traffic from other networks via another router.
I run WireGuard on a portable router that connects to my home network. Allows myself and family in other cities to watch live local television anywhere. Another reason is certain apps have the ability to detect the VPN connection on a smartphone.
That would be the main advantage as far as I am concerned.
Can anyone recommend a wireguard enabled router? Bonus points if it has an integrated DECT base station
So basically you don’t have to set up every device on your network as long as your router is set up for all traffic to go through WG?