Please help me keep my sanity. All I want is remote access to my home network with WireGuard for secure and easy access when I am not home. I have set up pfSense and have some understanding of it as well as WireGuard.
For example, I run my own WireGuard VPN and have configured some WireGuard Privacy VPN gateways with failover, kill switch, etc. Unfortunately, my ISP did not support a bridge mode option, so I switched providers and got a box that has multiple bridge mode options with no clear documentation (but hey, at least this time the device is in a language I speak fluently!). I know I could use Tailscale to avoid all these headaches, but I’d like to have my pfSense router at the edge of my network so I can use DynDNS (I don’t even ask for a static address - I honestly don’t ask for much) and the native WireGuard package. However, this stupid ISP box comes with no documentation and no clear descriptive settings. So my best approach is to brute-force my way through the settings.
Therefore, I want to know: what is the best way to reliably test if my pfSense box is publicly accessible?
I got a fiber optic cable connection and the ISP box is configured with PPPoE. I am not an expert on that but would it be guaranteed that my pfSense box is on the edge of the network if I use the PPP settings (username and password) on the WAN pfSense box interface instead of the ISP box?
Why do all ISPs suck? Honestly, everyone on this forum should start their own ISP.
Does your WAN interface have a public IP address?
If you are using PPPoE you will have to enter your credentials into pfSense if you have put your ISP box into bridge mode.
To test if your WireGuard is accessible from the Internet you have to simulate being outside your home network and try to connect back to it.
Option #1: You could install WireGuard on your phone, turn off the Wi-Fi so it’s now connected to the data plan, and try to connect back home.
Option #2: Make a hotspot with your cell phone, connect your computer / laptop to the hotspot and try to connect back to the WireGuard at home.
Option #3: You could rent a small cloud Linux box, SSH into it and try to connect back to the WireGuard at home.
I know. But would that guarantee that my WAN interface is publicly accessible?
I am aware of these options, but is there an easier option to cut other potential problems?
Is that a reliable method to verify it?
My idea: block private and bogon networks on the WAN interface and check if I can connect to the Internet. Does this make sense? Is there a more fail-safe way?
By default pfSense blocks all inbound traffic. But I haven’t set up WireGuard before and I’m not sure if it creates an inbound rule during the setup process. If you have a NAT rule set up, you can test this by going to a port checker site and supplying your public IP and the port of your WireGuard to see if the port is open. If it’s open, then your firewall is accessible over the Internet.
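The two checks discussed above (does the WAN interface carry a public address, and did a peer from outside actually reach the WireGuard port) can be scripted. The script below is an added example written for this thread; it is not code from any poster and not part of pfSense or the WireGuard package. The first function classifies an IPv4 address against the ranges that mean the ISP box is still routing in front of pfSense: RFC 1918 private space, the RFC 6598 carrier-grade NAT range 100.64.0.0/10 that many fiber ISPs hand out, loopback and link-local (pfSense's "Block bogon networks" option uses a much longer list; only the ranges that matter for this question are checked here). The second function compares the WAN address with the address an outside vantage point (Option #3 above) sees for you, since a public WAN address that differs from the outside view means another NAT layer is in the path. The third function reads the output of `wg show <ifname> latest-handshakes`, because a WireGuard listener never answers an unauthenticated packet, so a generic port-checker site will usually report the UDP port as closed even when the tunnel is fine; a recent handshake timestamp is the reliable signal. The interface name, the sample addresses (documentation ranges) and the sample handshake lines are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: checks for "is pfSense really at the
# Internet edge" and "did a WireGuard peer really get through".
# Usage: sh wan_check.sh <wan-address> [<address-seen-from-outside>]

# Return 0 if the IPv4 address is outside the private/CGNAT/special ranges
# that mean the ISP box is still routing, 1 if it is inside one of them,
# 2 if it is not a syntactically valid dotted quad.
ip_is_public() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|*..*|.*|*.) return 2 ;;     # non-digit, empty octet
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 2
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 2
    done
    a=$1; b=$2
    [ "$a" -eq 10 ] && return 1                                  # RFC 1918 10/8
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 1   # RFC 1918 172.16/12
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 1             # RFC 1918 192.168/16
    [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 1  # RFC 6598 CGNAT 100.64/10
    [ "$a" -eq 127 ] && return 1                                 # loopback
    [ "$a" -eq 169 ] && [ "$b" -eq 254 ] && return 1             # link-local
    [ "$a" -eq 0 ] && return 1                                   # "this" network
    return 0
}

# Combine the WAN address pfSense shows with the address seen from outside
# (second argument optional). Returns 0 only when the WAN address is public
# and, if given, matches the outside view.
wan_edge_status() {
    wan=$1; seen=$2
    if ! ip_is_public "$wan"; then
        echo "WAN $wan is private/CGNAT: the ISP box is still routing (not bridged)"
        return 1
    fi
    if [ -n "$seen" ] && [ "$seen" != "$wan" ]; then
        echo "WAN $wan is public but the Internet sees $seen: another NAT layer in front"
        return 1
    fi
    echo "WAN $wan looks like the Internet edge"
    return 0
}

# Parse the output of `wg show <ifname> latest-handshakes`, which prints one
# "<peer-public-key><TAB><unix-epoch>" line per peer (0 = never handshaked).
# Returns 0 if any peer completed a handshake within $window seconds of $now.
recent_handshake() {
    now=$1; output=$2; window=${3:-180}
    found=1
    while read -r _peer ts; do
        [ -n "$ts" ] || continue
        if [ "$ts" -gt 0 ] && [ $((now - ts)) -le "$window" ]; then
            found=0
        fi
    done <<EOF
$output
EOF
    return $found
}

# Stand-alone use: sh wan_check.sh <wan-address> [<outside-view>]
# Then, after a connection attempt from outside (assumed interface name):
#   recent_handshake "$(date +%s)" "$(wg show tun_wg0 latest-handshakes)"
if [ $# -ge 1 ]; then
    wan_edge_status "$@"
fi
```

On pfSense the WAN address is on the dashboard or in `ifconfig` output for the WAN interface; the "seen from outside" address is whatever your cloud box or phone reports as the source of your connection. If `ip_is_public` says CGNAT, no firewall rule or port check will help until the ISP box is actually bridged or the provider assigns a real public address.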
Since my ISP was not capable and I had already lost a ridiculous amount of time on something as basic as a public IP on my pfSense box, I deployed my own Tailnet with Headscale. It is a great project to avoid NAT problems.