Adding Wireguard Tunnel #524
Conversation
…sensitive server data
…sensitive server data
|
Why did you choose Wireguard to achieve what you described? |
|
It is probably quite a personal opinion, but I do not like to open ports at my VPS. My VPS is a remote entry point into my mixed local/remote network, where everyone can communicate with each other. So I really need a "closed environment". EDIT: I can also access from anywhere and all my devices the regular opendtu local website. Which comes at handy from time to time. Of course, one can make this happen having a tunnel into your home local network as well. But with wireguard everything is nicely organized and orchestrated and imho very secure. |
|
I would not choose wireguard on a small microcontroller like the esp32/8266 etc. |
| @@ -28,6 +28,7 @@ lib_deps = | |||
| nrf24/RF24 @ ^1.4.5 | |||
| olikraus/U8g2 @ ^2.34.13 | |||
| buelowp/sunset @ ^1.1.7 | |||
| https://github.com/janchri/WireGuard-ESP32-Arduino | |||
There was a problem hiding this comment.
You might want to pin the exact version so this stays reproducible
Wireguard is an easy way to connect peers together even behind NATs and all kinds of firewall constructs. A possible use case might be, that one already has a VPS configured somewhere (AWS, Ionos, Netcup, Strato....) and wants to use the server to capture all the data from OpenDTU. This is possible with the fork! One has to simply configure the regular Wireguard VPN network (maybe already done!) and set the MQTT broker of the OpenDTU to the "local Wireguard IP address" of the endpoint/server.
The implementation of the Wireguard function is basically a copy/fork of https://github.com/ciniml/WireGuard-ESP32-Arduino . However, due to strict compile rules within the OpenDTU project, I had to fork the WireGuard-ESP32-Arduino and remove some minor "errors/flaws".
In platformio.ini, one can see I used a forked version of the above Wireguard Arduino library. Additionally to that, I implemented the backend following more or less the general "work flow of OpenDTU". Finally, the frontend is updated, too.
Unfortunatley, if one wants to reconfigure the Wireguard parameters online, the OpenDTU has to reboot. I have really tried to fix this problem, however, "live" changes can occasionally create kernel panics/runtime errors and forced reboots. But, I assume that changing the parameters quite frequently is not needed at all and, therefore, I think the current status is a viable solution.
Happy to discuss the approach and the general idea of using Wireguard + OpenDTU. For me, it does make great sense, as I do not have to buy, configure, and support an additional device such as an Raspi, etc. pp.