Take a look at https://github.com/AndySchroder/StaticWire . With lightning, it rents a wireguard tunnel for you from my rental server and then makes renewal payments automatically. The remote side of the tunnel is automatically configured and the local side can be automatically configured as well. The rented tunnel provides an IPv4 /32 subnet and an IPv6 /64 subnet. You can use ufw to simplify a lot of the iptables stuff.
reply
Oh interesting! So this is to hide your IP address from websites? Like other VPNs?
Since originally, VPNs were meant for internal services, not to access the internet like through a proxy.
IPv4 /32 subnet and an IPv6 /64 subnet.
Do you mean a /24 subnet for IPv4? /32 is just a single address.
edit: Ah, just read Current Limitations. /32 is indeed correct.
reply
You can use StaticWire for whatever you want. However, what makes StaticWire unique:
  1. Dedicated public static IP assignments with no firewall.
  2. Ability to programmatically maintain the tunnel (rental server API actually provides all calls needed to do this and the python client also actually does it).
  3. Dual stack IPv4/IPv6 support.
I'd think of wireguard as a tunneling technology and not a Virtual Private Network. A tunnel is a tool that allows you to create a Virtual Private Network. If you want to use "VPN" to describe StaticWire, I'd call it a Virtual Public Network.
reply
To answer your question in a more application-specific way, StaticWire can be used to host your own services. That means you can host a website with StaticWire over a cellular internet connection, for example. Or, you can use it to allow inbound connections from other lightning nodes to your lightning node. Or, you can use it to connect to your lightning node with Zeus remotely and not deal with all the issues of trying to use Tor to do that. Or, maybe you want to use it with your home automation or security system and eliminate application-specific proxies that can backdoor into your house. Maybe you want to host your own Jitsi server.
reply
For IPv4, yes, a /32 is only a single address. If there is demand for larger subnets I will consider adding it, but it is challenging to cleanly allocate my address pool not knowing the subnet size that most people will want to rent.
reply
iptables is old. Current Linux uses nftables.
reply
That's right but when I tried migrating to nftables, docker broke.
And iptables still works fine afaict.
But good point, I wanted to mention it in my blog post but I forgot.
reply
Yes, it still works with a compatibility layer, just as ipchains did back in the day, but adding nftables would make the tutorial more future-proof.
reply
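Since the rented address arrives "with no firewall" on the remote side and the thread above suggests an nftables version of the tutorial, here is an added example (not from the blog post and not StaticWire's own configuration) of a host-side nftables ruleset for the local end of such a tunnel. It assumes the tunnel interface is named wg0 and that only SSH (22) and HTTPS (443) should be reachable on the rented public address; both are placeholders to adjust.

```nftables
#!/usr/sbin/nft -f
# Added example, not StaticWire's config. Assumptions: tunnel interface is
# "wg0"; only TCP 22 and 443 are meant to be public. Because the local side
# initiates the WireGuard handshake to the rental server, no inbound UDP rule
# is needed on the uplink; "established,related" covers the replies.
#
# Re-create only our own table so existing tables (e.g. docker's, via
# iptables-nft) are left alone. Load with: nft -f /etc/nftables.d/wg0.nft
table inet wg_public
delete table inet wg_public

table inet wg_public {
    # Everything that arrives over the rented public address goes through here.
    chain wg_in {
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are required for path-MTU discovery and IPv6 neighbour
        # discovery on the /64; rate-limited so they cannot be used to flood.
        meta l4proto { icmp, ipv6-icmp } limit rate 10/second accept

        # Services deliberately published on the rented address.
        tcp dport { 22, 443 } ct state new accept

        # Log a sample of whatever else reaches the public IP, then drop it.
        limit rate 5/minute log prefix "wg0-drop: "
        drop
    }

    chain input {
        type filter hook input priority filter; policy accept;
        iifname "wg0" jump wg_in
    }

    # Do not forward new flows from the tunnel into containers or the LAN
    # unless a rule is added here explicitly for that port.
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "wg0" ct state established,related accept
        iifname "wg0" drop
    }
}
```

Check what the ruleset actually installed with `nft list table inet wg_public`, and watch the kernel log for the `wg0-drop:` prefix to see what is reaching the public address.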
edit: oh, you were faster, haha
I'll probably make another tutorial for nftables :)
That would also be a good motivation for me to start learning about it.
reply
To be clear, the problem is not nftables but docker. They don't support it.
I'll probably drop my usage of docker in the future, though. There are also other problems with it.
reply
Really like the simple design of your website!
reply
I saw this back in the day and thought: Ain't nobody got time for that.
After fighting for 10 hours with a broken Wireguard topology, only to realise that the issue was a shit rule in iptables, I've finally seen the light. Now I want to learn the shit out of iptables.
Thanks for planting this seed in my brain.
reply
I saw this back in the day and thought: Ain't nobody got time for that.
Haha yes, it got quite lengthy, but I felt like everything is important to understand the fundamentals. I thought about updating this post and using collapsibles to have a quick (uncollapsed sections) and detailed (collapsed sections) guide in one post.
Wireguard topology, only to realise that the issue was a shit rule in iptables, I've finally seen the light. Now I want to learn the shit out of iptables.
lol, we've all been there. This is the target group of this post :)
Let me know if you have any questions!
Thanks for planting this seed in my brain.
Which seed though? iptables seed?
🤔
reply
🤔
reply
🤔
reply