
Set up your site-to-site VPN properly

I had a WireGuard site-to-site VPN between two sites. When I provisioned my second site, I was initially using the ISP's crappy modem/router/WAP combo unit, so I just ran WireGuard on a server in the DMZ and port forwarded to it on the combo unit. Over the weekend I was doing some iptables work with Docker and accidentally added a bad rule that broke the networking. Now I had lost the connection and had to go on site. This could all have been avoided if I had set up the VPN on the router.

I upgraded the edge firewall to OPNsense/pfSense. I also plugged the GPON module directly into a 10gig SFP+ network card that cost me around 70 bucks on eBay. That picked up a public IP, and I set up the VPN there. Of course I also set up a DDNS client on the edge firewall that monitors the WAN IP address and updates the DNS records properly. Generally your IP doesn't change at all: my ISP uses the MAC address of the WAN interface to assign the IPv4 address (from a /22) and a /56 IPv6 prefix. If I change the MAC address I get a totally different IP. If I leave my firewall unplugged for a long time AND the IP gets assigned to another customer, I get a different IP. Anyway, moral of the story:
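For reference, here is what the "VPN on the edge" setup looks like as a pair of WireGuard configs, one per edge firewall. This is an added example, not the config from the original post: the LAN prefixes (10.1.0.0/24 and 10.2.0.0/24), the tunnel prefix (10.255.0.0/30), the DDNS hostnames and the key strings are placeholders. The point is that the edge firewall terminates the tunnel itself (no port forward to a box behind it), each side routes the other side's whole LAN through AllowedIPs, and the Endpoint is the DDNS name so an ISP-assigned IP change only costs one DNS update rather than a site visit.

```ini
# Site A edge firewall: /etc/wireguard/wg0.conf (placeholder addresses and keys)
[Interface]
Address = 10.255.0.1/30          # tunnel address, site A end
ListenPort = 51820
PrivateKey = <site-A-private-key>
# No port forward needed: this interface sits on the host that holds the public IP.

[Peer]
# Site B edge firewall
PublicKey = <site-B-public-key>
PresharedKey = <shared-psk>      # optional extra symmetric secret
Endpoint = siteb.ddns.example.net:51820   # DDNS name, updated by the edge's DDNS client
AllowedIPs = 10.255.0.2/32, 10.2.0.0/24   # peer tunnel IP plus site B's LAN
PersistentKeepalive = 25          # keeps the mapping alive if either side is ever behind NAT
```

Site B is the mirror image: Address = 10.255.0.2/30, its own PrivateKey, and a [Peer] block for site A with Endpoint = sitea.ddns.example.net:51820 and AllowedIPs = 10.255.0.1/32, 10.1.0.0/24. On OPNsense/pfSense the same fields are filled in through the WireGuard GUI, and you still need a firewall rule on WAN allowing UDP 51820 inbound plus rules on the wg interface for whatever LAN-to-LAN traffic you want. One check worth doing once it is up: run a ping from site A's LAN to site B's LAN and confirm with `wg show` that the peer's "latest handshake" is recent and its endpoint is the address the DDNS name currently resolves to.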

PUT THE SITE-TO-SITE VPN CLIENTS/SERVER ON THE EDGE SO YOU DON'T GET LOCKED OUT!!!!

© 2025 Wayne Zeng   •  Theme  Moonwalk