Accessing .local addresses from Internet via WireGuard (without TOR)

This guide provides a step-by-step process to access Start9 services from a mobile device without relying on TOR, using a WireGuard VPN and dnsmasq for resolving .local addresses. The solution ensures seamless access to Start9 services and other LAN devices whether on the local LAN or over the internet, without manually changing addresses.

Note:
The first setup covers the case where you cannot reach your home network directly from the internet, whatever the reason (Starlink with no public IP, an ISP box that restricts port forwarding, ...). To work around this, the VPN connection is initiated from inside your home LAN towards a VPS with a static public IP, and you can then reach your home LAN from any WireGuard client.

If you can connect directly from the internet to your home LAN, the setup should work as well, although it has not been tested in a port-forwarding context (see the last part of this documentation).

Overview

Objective

Enable a mobile device to access Start9 services (hosted on a local server) via a WireGuard VPN, resolving .local domains transparently, and accessing other LAN devices, whether connected locally or remotely.

Network Configuration

  • Machine A (Start9 Server 0.3.5.1):
    • LAN: 192.168.8.0/24, IP: 192.168.8.100
    • VPN IP: 10.10.10.2
  • Machine B (VPS):
    • OS: Debian Linux
    • Public IP: BB.BB.BB.BB (replace with your VPS’s public IP)
    • VPN IP: 10.10.10.1
  • Mobile Phone:
    • VPN IP: 10.10.10.3
  • VPN Network: WireGuard, 10.10.10.0/24
  • DNS Resolution: dnsmasq on Machine A resolves .local to 192.168.8.100

What is WireGuard?

WireGuard is a modern, lightweight, and secure VPN protocol. It is easy to configure, performs efficiently, and supports both peer-to-peer and client-server setups. In this guide, WireGuard creates a secure tunnel between the mobile phone, the Start9 server, and a VPS, allowing seamless access to Start9 services and other LAN devices.

This guide ensures .local domains resolve correctly within the VPN.

Prerequisites

Before starting, ensure:

  • Administrative access to Machine A (Start9) and Machine B (VPS).
  • A mobile device capable of running a WireGuard client (iOS/Android).
  • Basic familiarity with Linux commands (see Appendix A: Basic Linux Commands for beginners).
  • The public IP address of your VPS (replace BB.BB.BB.BB with your actual IP).

Generating WireGuard Keys

Each device (VPS, Start9, mobile phone) requires a unique private and public key pair for WireGuard. Below are example keys used in this guide, followed by instructions to generate your own.

Example Keys

  • VPS (Machine B):
    • Private Key: oL3Xz4Y5Qz8K2m9W7vP0Rt1J6hN8xG2F9kA3M5B4C=
    • Public Key: aB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV1wX2yZ3=
  • Start9 (Machine A):
    • Private Key: pM4N5xY6Qz9K3m0W8vR1Jt2H7nN9xG3F0kA4M6B5C=
    • Public Key: bC2dE3fG4hI5jK6lM7nO8pQ9rS0tU1vW2xY3zA4=
  • Mobile Phone:
    • Private Key: qN5P6yZ7Rz0K4m1W9vS2Kt3I8oO0yH4G1lB5N7C6D=
    • Public Key: cD3eF4gH5iJ6kL7mN8oP9qR0sT1uV2wX3yZ4a5=

How to Generate Keys

For each device, generate a key pair (see Appendix C: Generating WireGuard Keys for details):

umask 077
wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
  • On the mobile phone, use the WireGuard app to generate keys (consult the app’s documentation).
  • Replace the example keys in the configurations below with your generated keys.

Step-by-Step Setup

Each step includes instructions, intermediate testing, and references to appendices for detailed tasks.

Step 1: Install and Configure WireGuard on All Devices

WireGuard must be installed and configured on Machine A, Machine B, and the mobile phone.

1.1 Machine B (VPS)

  1. Install WireGuard:
    • Update the package list and install WireGuard (see Appendix B: Installing Packages on Debian).
      sudo apt update
      sudo apt install wireguard
      
  2. Generate Key Pair:
    • Use the commands in Appendix C or the example keys above.
  3. Configure WireGuard:
    • Create /etc/wireguard/wg0.conf with the following content, including comments explaining each line:
      # Interface configuration for the VPS (WireGuard server)
      [Interface]
      # Private key for the VPS
      PrivateKey = oL3Xz4Y5Qz8K2m9W7vP0Rt1J6hN8xG2F9kA3M5B4C=
      # IP address of the VPS in the VPN network
      Address = 10.10.10.1/32
      # Port on which the WireGuard server listens
      ListenPort = 55820
      # Enable IP forwarding to allow traffic routing between peers
      PreUp = sysctl -w net.ipv4.ip_forward=1
      
      # Peer configuration for the mobile phone
      [Peer]
      # Public key of the mobile phone
      PublicKey = cD3eF4gH5iJ6kL7mN8oP9qR0sT1uV2wX3yZ4a5=
      # Allowed IP for the mobile phone in the VPN network
      AllowedIPs = 10.10.10.3/32
      
      # Peer configuration for the Start9 server
      [Peer]
      # Public key of the Start9 server
      PublicKey = bC2dE3fG4hI5jK6lM7nO8pQ9rS0tU1vW2xY3zA4=
      # Allowed IPs for the Start9 server, including its VPN IP and LAN subnets
      AllowedIPs = 10.10.10.2/32, 192.168.8.0/24, 192.168.1.0/24
      
  4. Start WireGuard:
    • Launch the VPN (see Appendix D: Managing WireGuard).
      sudo wg-quick up wg0
      sudo systemctl enable wg-quick@wg0
      

Test:

  • Verify the VPN is running:
    sudo wg show wg0
    
  • Expected output includes the interface and listening port (55820).

1.2 Machine A (Start9 Server)

Start9’s constrained environment requires installations in a chroot environment and persistent configurations via a startup script. The postinit.sh script handles starting WireGuard and dnsmasq on boot.

  1. Prepare the Chroot Environment:
    • Run the chroot-and-upgrade script to enable package installation:
      sudo /usr/lib/startos/scripts/chroot-and-upgrade
      
  2. Install WireGuard and dnsmasq:
    • Install required packages:
      apt update
      apt install wireguard dnsmasq
      
  3. Generate Key Pair:
    • Use the commands in Appendix C or the example keys above.
  4. Configure WireGuard:
    • Create /etc/wireguard/wg0.conf with comments explaining each line:
      # Interface configuration for the Start9 server (WireGuard client)
      [Interface]
      # Private key for the Start9 server
      PrivateKey = pM4N5xY6Qz9K3m0W8vR1Jt2H7nN9xG3F0kA4M6B5C=
      # IP address of the Start9 server in the VPN network
      Address = 10.10.10.2/32
      # Port for the WireGuard client (optional, used if acting as a server)
      ListenPort = 51822
      
      # Enable IP forwarding to allow traffic routing
      PreUp = sysctl -w net.ipv4.ip_forward=1
      # Mark incoming VPN traffic for routing
      PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
      # Enable NAT for VPN traffic to access LAN
      PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
      # Allow DNS traffic (TCP) from VPN network to dnsmasq
      PreUp = iptables -I INPUT -p tcp -s 10.10.10.0/24 --dport 53 -j ACCEPT 
      # Allow DNS traffic (UDP) from VPN network to dnsmasq
      PreUp = iptables -I INPUT -p udp -s 10.10.10.0/24 --dport 53 -j ACCEPT
      # Allow DNS traffic (TCP) from LAN to dnsmasq
      PreUp = iptables -I INPUT -p tcp -s 192.168.8.0/24 --dport 53 -j ACCEPT
      # Allow DNS traffic (UDP) from LAN to dnsmasq
      PreUp = iptables -I INPUT -p udp -s 192.168.8.0/24 --dport 53 -j ACCEPT
      
      # Clean up iptables rules when VPN stops
      PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
      PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
      PostDown = iptables -D INPUT -p tcp -s 10.10.10.0/24 --dport 53 -j ACCEPT 
      PostDown = iptables -D INPUT -p udp -s 10.10.10.0/24 --dport 53 -j ACCEPT
      PostDown = iptables -D INPUT -p tcp -s 192.168.8.0/24 --dport 53 -j ACCEPT
      PostDown = iptables -D INPUT -p udp -s 192.168.8.0/24 --dport 53 -j ACCEPT
      
      # Peer configuration for the VPS (WireGuard server)
      [Peer]
      # Public key of the VPS
      PublicKey = aB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV1wX2yZ3=
      # Public IP and port of the VPS
      Endpoint = BB.BB.BB.BB:55820
      # Allowed IPs for the VPN network (routes all VPN traffic through the VPS)
      AllowedIPs = 10.10.10.0/24
      # Keep the connection alive by sending periodic pings
      PersistentKeepalive = 25
      
  5. Persist Configuration:
    • Edit /media/embassy/config/postinit.sh to ensure WireGuard and dnsmasq start on boot:
      #!/bin/bash
      # Log file for startup activities
      LOG_FILE="/var/log/postinit.log"
      echo "$(date) - Starting postinit.sh" >> "$LOG_FILE"
      
      # Start WireGuard
      WG_CONFIG="/etc/wireguard/wg0.conf"
      if [ -f "$WG_CONFIG" ]; then
          if ! wg show wg0 > /dev/null 2>&1; then
              wg-quick up wg0 >> "$LOG_FILE" 2>&1 || echo "$(date) - Failed to start WireGuard" >> "$LOG_FILE"
          else
              echo "$(date) - WireGuard already running" >> "$LOG_FILE"
          fi
      else
          echo "$(date) - WireGuard configuration ($WG_CONFIG) not found" >> "$LOG_FILE"
      fi
      
      # Start dnsmasq
      if systemctl is-enabled dnsmasq > /dev/null 2>&1; then
          if ! systemctl is-active dnsmasq > /dev/null 2>&1; then
              systemctl start dnsmasq >> "$LOG_FILE" 2>&1 || echo "$(date) - Failed to start dnsmasq" >> "$LOG_FILE"
          else
              echo "$(date) - dnsmasq already running" >> "$LOG_FILE"
          fi
      else
          echo "$(date) - dnsmasq is not installed or not configured" >> "$LOG_FILE"
      fi
      
      echo "$(date) - Finished postinit.sh" >> "$LOG_FILE"
      
    • Make the script executable (see Appendix E: Creating and Making Scripts Executable):
      sudo chmod +x /media/embassy/config/postinit.sh
      
  6. Exit and Reboot:
    • Exit the chroot environment:
      exit
      
    • The Start9 server will reboot, persisting the installations and configurations. The postinit.sh script will start WireGuard and dnsmasq on boot.

Test:

  • In the chroot environment, test WireGuard configuration:
    sudo wg-quick up wg0
    wg show wg0
    
    • Expected output includes the interface and peer details.
  • Validate the dnsmasq configuration (systemctl may not work inside the chroot, so the service itself cannot be started there; --test only checks the configuration file):
    sudo dnsmasq --test
    
    • Expected output: No errors in configuration.
  • After reboot, verify services are running (outside chroot):
    sudo wg show wg0
    sudo systemctl status dnsmasq
    
  • Check the log file for errors:
    cat /var/log/postinit.log
    

1.3 Mobile Phone

  1. Install WireGuard:
    • Download the WireGuard app from the App Store (iOS) or Google Play Store (Android).
  2. Configure WireGuard:
    • Create a new tunnel with the following configuration, including comments:
      # Interface configuration for the mobile phone (WireGuard client)
      [Interface]
      # Private key for the mobile phone
      PrivateKey = qN5P6yZ7Rz0K4m1W9vS2Kt3I8oO0yH4G1lB5N7C6D=
      # IP address of the mobile phone in the VPN network
      Address = 10.10.10.3/32
      # DNS server (Start9 server running dnsmasq)
      DNS = 10.10.10.2
      
      # Peer configuration for the VPS (WireGuard server)
      [Peer]
      # Public key of the VPS
      PublicKey = aB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV1wX2yZ3=
      # Public IP and port of the VPS
      Endpoint = BB.BB.BB.BB:55820
      # Allowed IPs for the VPN network and LAN subnets
      AllowedIPs = 10.10.10.0/24, 192.168.8.0/24, 192.168.1.0/24
      # Keep the connection alive by sending periodic pings
      PersistentKeepalive = 25
      
    • Add the configuration via the app (e.g., scan a QR code or import a file).

Test:

  • Activate the VPN in the WireGuard app.
  • Verify connectivity to the Start9 server and other LAN devices:
    ping 10.10.10.2
    ping 192.168.8.100
    
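As an added sanity check that is not part of this guide, the Python script below parses the VPS and phone configurations from Steps 1.1 and 1.3 (embedded here as constructed copies with the private keys left out) and flags the mistakes that break this setup silently, because WireGuard drops the affected packets without logging: AllowedIPs overlapping between peers on the server, a LAN subnet the phone sends into the tunnel that no peer on the VPS carries, and a client tunnel address that no server peer (or more than one) is allowed to use. The same checks apply to the Step 4 variant with Start9 as the server.

```python
import ipaddress

# Constructed copies of the guide's VPS (Machine B) and mobile phone configs; private keys omitted
VPS_CONF = """
[Interface]
Address = 10.10.10.1/32
[Peer]
PublicKey = cD3eF4gH5iJ6kL7mN8oP9qR0sT1uV2wX3yZ4a5=
AllowedIPs = 10.10.10.3/32
[Peer]
PublicKey = bC2dE3fG4hI5jK6lM7nO8pQ9rS0tU1vW2xY3zA4=
AllowedIPs = 10.10.10.2/32, 192.168.8.0/24, 192.168.1.0/24
"""
PHONE_CONF = """
[Interface]
Address = 10.10.10.3/32
[Peer]
PublicKey = aB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV1wX2yZ3=
AllowedIPs = 10.10.10.0/24, 192.168.8.0/24, 192.168.1.0/24
"""
LAN_SUBNETS = ["192.168.8.0/24", "192.168.1.0/24"]  # subnets the phone must reach via Start9

def parse_wg(text):
    """[(section, {key: [values]})]: keys like PreUp repeat and [Peer] appears once per peer."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            sections.append((line.strip("[]"), {}))
            continue
        key, _, value = line.partition("=")  # base64 keys end in '=', so split on the first '='
        sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections

def peers(conf):
    return [p for name, p in parse_wg(conf) if name == "Peer"]

def allowed_ips(peer):
    return [ipaddress.ip_network(n.strip()) for v in peer.get("AllowedIPs", []) for n in v.split(",")]

def check_server(conf):
    """Overlapping AllowedIPs between peers: wg hands the route to the last peer loaded."""
    ps = peers(conf)
    return [f"{a} overlaps {b}" for i, p in enumerate(ps) for q in ps[i + 1:]
            for a in allowed_ips(p) for b in allowed_ips(q) if a.overlaps(b)]

def check_client(client_conf, server_conf, lan_subnets=LAN_SUBNETS):
    """LAN subnets must be routed by the client and carried by a server peer; the client
    address must sit in exactly one server peer's AllowedIPs (cryptokey routing)."""
    client_routes = [n for p in peers(client_conf) for n in allowed_ips(p)]
    server_peers = peers(server_conf)
    problems = []
    for lan in map(ipaddress.ip_network, lan_subnets):
        if not any(lan.subnet_of(r) for r in client_routes):
            problems.append(f"client does not route {lan} into the tunnel")
        if not any(lan.subnet_of(r) for p in server_peers for r in allowed_ips(p)):
            problems.append(f"server has no peer carrying {lan}")
    iface = next(p for name, p in parse_wg(client_conf) if name == "Interface")
    addr = ipaddress.ip_interface(iface["Address"][0]).ip
    owners = [p for p in server_peers if any(addr in r for r in allowed_ips(p))]
    if len(owners) != 1:
        problems.append(f"{addr} is allowed for {len(owners)} server peers, expected exactly 1")
    return problems
```

Run it against your real /etc/wireguard/wg0.conf files after replacing the embedded strings; an empty list from both functions means the routes are consistent.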

Step 2: Configure dnsmasq on Machine A (Start9)

dnsmasq resolves .local domains to the Start9 server’s LAN IP (192.168.8.100) within the VPN.

  1. Identify the Primary Ethernet Interface:
    • Run the following command to list network interfaces:
      ip link
      
    • Look for the Ethernet interface (e.g., eth0, enp0s3). It’s typically the interface connected to the LAN (192.168.8.0/24), not lo (loopback) or wg0 (VPN).
    • Example output:
      1: lo: <LOOPBACK,UP,LOWER_UP> ...
      2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> ...
      3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> ...
      
    • In this example, eth0 is the primary Ethernet interface.
  2. Edit dnsmasq Configuration:
    • Modify /etc/dnsmasq.conf in the chroot environment (re-enter if needed via /usr/lib/startos/scripts/chroot-and-upgrade):
      # Resolve all .local domains to the Start9 server's LAN IP
      address=/.local/192.168.8.100
      # Listen on the primary Ethernet interface (replace eth0 with your interface)
      interface=eth0
      # Exclude the loopback interface
      except-interface=lo
      # Do not read /etc/resolv.conf; only the server= lines below are used upstream
      no-resolv
      # Listen for DNS queries on the VPN IP
      listen-address=10.10.10.2
      # Bind to specified interfaces only
      bind-interfaces
      # Upstream DNS servers for non-.local queries
      server=8.8.8.8
      server=1.1.1.1
      
  3. Test dnsmasq Configuration:
    • In the chroot environment, validate the configuration:
      sudo dnsmasq --test
      
    • After reboot, the postinit.sh script will start dnsmasq automatically.

Test:

  • From the mobile phone, with the VPN active, resolve a .local address:
    nslookup example.local 10.10.10.2
    
  • Expected output: Resolves to 192.168.8.100.
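Added example, not part of the guide: a minimal DNS A-record query sent straight to dnsmasq on 10.10.10.2, which confirms that a .local name answers with 192.168.8.100 regardless of the phone's own resolver settings. SAMPLE_REPLY is a constructed packet in the shape of that answer so the parser can be exercised offline; resolve_a needs the VPN to be active.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id for the constructed sample; use a random one in production

def build_query(name, txid=TXID):
    """Standard DNS query (RD set) for an A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(pkt, off):
    """Offset just past a possibly compressed name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_a_answers(pkt, txid=TXID):
    """IPv4 addresses in the answer section; raise on wrong id or non-zero rcode."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        off = _skip_name(pkt, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs

def resolve_a(name, server="10.10.10.2", timeout=3.0):
    """Query dnsmasq on the tunnel address directly (bypasses the phone/OS resolver)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_answers(data)

# Constructed reply shaped like dnsmasq's answer for example.local under address=/.local/192.168.8.100:
# same id, flags 0x8180 (response, RD, RA), question echoed, one A record via a pointer to the qname
_Q = build_query("example.local")
SAMPLE_REPLY = (_Q[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0) + _Q[12:]
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + socket.inet_aton("192.168.8.100"))

def check_local_resolution(reply=SAMPLE_REPLY, expected="192.168.8.100"):
    """True when the reply carries exactly the LAN IP dnsmasq is meant to return."""
    return parse_a_answers(reply) == [expected]
```

With the VPN up, `check_local_resolution(resolve_a("example.local"))` should return True from the phone side or from any host on the 10.10.10.0/24 network.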

Step 3: Access Start9 Services and LAN Devices

  1. Connect to VPN:
    • On the mobile phone, activate the WireGuard VPN.
  2. Access Services:
    • Open a browser and navigate to a Start9 service (e.g., http://service.local).
    • The .local domain should resolve to 192.168.8.100, and the service should load.
  3. Access Other LAN Devices:
    • Connect to other devices on 192.168.8.0/24 or 192.168.1.0/24 (e.g., a router at 192.168.8.1).

Test:

  • Verify access to multiple .local services.
  • Test connectivity to other LAN devices (e.g., ping 192.168.8.1).
  • Test both on the LAN and over the internet (e.g., via mobile data).

Step 4: Alternative Configuration: Running WireGuard Server on Start9

Note: This configuration has not been tested by the author but should theoretically work for users who can access their Start9 server directly from the internet (e.g., via a public IP or port forwarding on their internet router) and do not wish to use a VPS. If you try this setup and can confirm its functionality, your feedback is welcome!

Overview

Instead of running the WireGuard server on a VPS (Machine B), you can configure the Start9 server (Machine A) to act as the WireGuard server. The mobile phone connects directly to the Start9 server over the internet, assuming your home router supports port forwarding to allow external access to the Start9 server.

Requirements

  • A public IP address for your home network or a dynamic DNS service if your ISP provides a dynamic IP.
  • Port forwarding configured on your router to forward WireGuard’s listening port (e.g., 51822) to the Start9 server’s LAN IP (192.168.8.100).
  • The same Start9 constraints apply (chroot environment for installations, postinit.sh for persistence).

Configuration Steps

  1. Install WireGuard and dnsmasq on Start9:
    • Follow Step 1.2 to install wireguard and dnsmasq in the chroot environment.
  2. Configure WireGuard on Start9 as Server:
    • Modify /etc/wireguard/wg0.conf on the Start9 server to act as the server:
      # Interface configuration for the Start9 server (WireGuard server)
      [Interface]
      # Private key for the Start9 server
      PrivateKey = pM4N5xY6Qz9K3m0W8vR1Jt2H7nN9xG3F0kA4M6B5C=
      # IP address of the Start9 server in the VPN network
      Address = 10.10.10.2/32
      # Port on which the WireGuard server listens
      ListenPort = 51822
      # Enable IP forwarding to allow traffic routing
      PreUp = sysctl -w net.ipv4.ip_forward=1
      # Mark incoming VPN traffic for routing
      PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
      # Enable NAT for VPN traffic to access LAN
      PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
      # Allow DNS traffic (TCP) from VPN network to dnsmasq
      PreUp = iptables -I INPUT -p tcp -s 10.10.10.0/24 --dport 53 -j ACCEPT 
      # Allow DNS traffic (UDP) from VPN network to dnsmasq
      PreUp = iptables -I INPUT -p udp -s 10.10.10.0/24 --dport 53 -j ACCEPT
      # Allow DNS traffic (TCP) from LAN to dnsmasq
      PreUp = iptables -I INPUT -p tcp -s 192.168.8.0/24 --dport 53 -j ACCEPT
      # Allow DNS traffic (UDP) from LAN to dnsmasq
      PreUp = iptables -I INPUT -p udp -s 192.168.8.0/24 --dport 53 -j ACCEPT
      
      # Clean up iptables rules when VPN stops
      PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
      PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
      PostDown = iptables -D INPUT -p tcp -s 10.10.10.0/24 --dport 53 -j ACCEPT 
      PostDown = iptables -D INPUT -p udp -s 10.10.10.0/24 --dport 53 -j ACCEPT
      PostDown = iptables -D INPUT -p tcp -s 192.168.8.0/24 --dport 53 -j ACCEPT
      PostDown = iptables -D INPUT -p udp -s 192.168.8.0/24 --dport 53 -j ACCEPT
      
      # Peer configuration for the mobile phone
      [Peer]
      # Public key of the mobile phone
      PublicKey = cD3eF4gH5iJ6kL7mN8oP9qR0sT1uV2wX3yZ4a5=
      # Allowed IP for the mobile phone in the VPN network
      AllowedIPs = 10.10.10.3/32
      
  3. Configure Port Forwarding:
    • Access your router’s admin interface (e.g., via 192.168.8.1).
    • Set up port forwarding to forward external port 51822 (UDP) to 192.168.8.100:51822 on the Start9 server.
    • Consult your router’s documentation for specific instructions.
  4. Configure WireGuard on the Mobile Phone:
    • Use the following configuration:
      # Interface configuration for the mobile phone (WireGuard client)
      [Interface]
      # Private key for the mobile phone
      PrivateKey = qN5P6yZ7Rz0K4m1W9vS2Kt3I8oO0yH4G1lB5N7C6D=
      # IP address of the mobile phone in the VPN network
      Address = 10.10.10.3/32
      # DNS server (Start9 server running dnsmasq)
      DNS = 10.10.10.2
      
      # Peer configuration for the Start9 server
      [Peer]
      # Public key of the Start9 server
      PublicKey = bC2dE3fG4hI5jK6lM7nO8pQ9rS0tU1vW2xY3zA4=
      # Public IP or domain of your home network and Start9's listening port
      Endpoint = YOUR_PUBLIC_IP:51822
      # Allowed IPs for the VPN network and LAN subnets
      AllowedIPs = 10.10.10.0/24, 192.168.8.0/24, 192.168.1.0/24
      # Keep the connection alive by sending periodic pings
      PersistentKeepalive = 25
      
    • Replace YOUR_PUBLIC_IP with your home network’s public IP or dynamic DNS hostname.
  5. Configure dnsmasq:
    • Follow Step 2 to configure dnsmasq on the Start9 server.
  6. Persist Configuration:
    • Ensure the postinit.sh script starts WireGuard and dnsmasq on boot, as described in Step 1.2.

Testing

  • Test WireGuard and dnsmasq in the chroot environment as described in Step 1.2.
  • After reboot, verify the VPN is running on the Start9 server:
    sudo wg show wg0
    
  • On the mobile phone, activate the VPN and test connectivity:
    ping 10.10.10.2
    ping 192.168.8.100
    nslookup example.local 10.10.10.2
    
  • Access Start9 services (e.g., http://service.local) and other LAN devices.

Notes

  • Ensure your router’s firewall allows incoming UDP traffic on port 51822.
  • If your ISP assigns a dynamic IP, use a dynamic DNS service (e.g., No-IP, DuckDNS) to maintain a consistent endpoint for the mobile phone.
  • This setup requires your home network to be accessible from the internet, which may not be feasible for all users due to ISP restrictions (e.g., CGNAT).

Feedback

This configuration is theoretical and untested by the author. If you implement this setup, please confirm whether it works and share any adjustments needed. Your feedback will help improve this guide for the community!

Appendices

Appendix A: Basic Linux Commands

For beginners:

  • Navigate directories: cd /path/to/directory
  • Edit files: Use nano (e.g., sudo nano /etc/wireguard/wg0.conf).
  • Save and exit nano: Press Ctrl+O, Enter, then Ctrl+X.
  • Check service status: systemctl status <service> (e.g., systemctl status dnsmasq).

Appendix B: Installing Packages on Debian

sudo apt update
sudo apt install <package>

Replace <package> with wireguard, dnsmasq, etc. For Start9, run in the chroot environment.

Appendix C: Generating WireGuard Keys

umask 077
wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
  • For mobile phones, use the WireGuard app to generate keys.

Appendix D: Managing WireGuard

  • Start WireGuard:
    sudo wg-quick up wg0
    
  • Enable on boot:
    sudo systemctl enable wg-quick@wg0
    
  • Check status:
    sudo wg show wg0
    

Appendix E: Creating and Making Scripts Executable

  • Create a script:
    sudo nano /path/to/script.sh
    
  • Make it executable:
    sudo chmod +x /path/to/script.sh
    

Appendix F: Configuring dnsmasq

  • Edit configuration:
    sudo nano /etc/dnsmasq.conf
    
  • Test configuration:
    sudo dnsmasq --test
    
  • Restart service (outside chroot):
    sudo systemctl restart dnsmasq
    
  • Check status (outside chroot):
    sudo systemctl status dnsmasq