Wireguard setup for multiple networks - eviltoast

I have used Tailscale in the past, and really like it, but I had problems at the time where there wasn’t an Ubuntu 23 image, so I ended up setting up Wireguard on my OPNSense firewall. I have four hosts I use to remote in, and everything has been great.

I am now contemplating how to set up some changes I am making.

I have a lot of remote servers, all of which I manage via SSH, and have no issues. But I am looking at moving a few services from my LAN to WAN. Specifically Uptime-Kuma and CheckMK, as well as a few other things that I don’t want to go offline if I lose power during winter storms.

I don’t feel comfortable exposing these services to the Internet, so I was thinking I would use Wireguard to allow direct access while I am on my LAN. Obviously, Tailscale would be a super easy solution. I really don’t want these remote servers (rented dedicated servers and VPS) having direct access to my LAN.

I was thinking I’d create a new Wireguard interface, and only allow outbound traffic on it. This way I can access these machines but they can’t get on my LAN. I currently use SSH port forwarding when I need to access a web interface remotely, and this works great, but I’ve got to open up an SSH connection before accessing the website. I like being able to just click on stuff through my Homepage dashboard.

Now that I am adding some new remote servers, I want to set this up right. I feel like setting up Wireguard in OPNSense is the most optimal solution for performance and security; it is just not as easy.

I am considering Netmaker, Tailscale, and my personal favorite option OPNSense.

tl;dr: I want to set up a Wireguard DMZ for remote servers so they can’t access my LAN, while keeping my road-warrior trusted Wireguard interface that does have full access. I am using OPNSense.
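An added example of what the two-tunnel layout described in the post could look like; this is not from the original post or from OPNsense's documentation. It is written in wg-quick style with assumed subnets (10.10.0.0/24 for the trusted tunnel, 10.20.0.0/24 for the DMZ tunnel, 192.168.1.0/24 for the LAN) and placeholder keys; on OPNsense the same values go into the WireGuard instance and peer settings.

```ini
# --- On OPNsense: existing trusted road-warrior tunnel (wg0) ---
# Assumed values: 10.10.0.0/24 tunnel subnet, keys are placeholders.
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <opnsense-wg0-private-key>

[Peer]
# Laptop/phone: full LAN access is granted by firewall rules on wg0,
# the peer itself only owns its single tunnel address.
PublicKey = <laptop-public-key>
AllowedIPs = 10.10.0.2/32

# --- On OPNsense: new "DMZ" tunnel (wg1) for rented servers / VPS ---
# Separate interface, separate subnet, separate listen port, so firewall
# rules for the two tunnels never overlap.
[Interface]
Address = 10.20.0.1/24
ListenPort = 51821
PrivateKey = <opnsense-wg1-private-key>

[Peer]
PublicKey = <vps1-public-key>
# Only this peer's tunnel address is accepted from it; nothing here
# routes the LAN prefix toward the rented server.
AllowedIPs = 10.20.0.2/32

# --- On the rented server (vps1): its side of wg1 ---
[Interface]
Address = 10.20.0.2/24
PrivateKey = <vps1-private-key>

[Peer]
PublicKey = <opnsense-wg1-public-key>
Endpoint = <opnsense-public-ip>:51821
# AllowedIPs covers only the tunnel subnet. 192.168.1.0/24 is absent from
# this server's cryptokey routing table, so even if the box is compromised
# packets for the LAN are never sent into the tunnel. The firewall on the
# OPNsense side is still the real control; this is defence in depth.
AllowedIPs = 10.20.0.0/24
PersistentKeepalive = 25
```

Leave the wg1 interface on OPNsense with no pass rules: the default deny then blocks anything a rented server initiates, while sessions opened from the LAN (LAN net to 10.20.0.0/24, which the stock LAN allow rule already covers) return through the stateful firewall, so Uptime-Kuma and CheckMK are reachable at their 10.20.0.x addresses from the dashboard.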