Media Server, Pt 3 - VPN

Entire books have been written about this. I'm not going to repeat them here, nor go into all the various arguments to be had. The fact of the matter is, though, sometimes, for whatever reason, you don't want people to be able to easily track online activity back to you. A VPN can help with that. I personally use Mullvad as a WireGuard VPN. This can be set up in a variety of places; I will demonstrate the setup for a single host on the network, specifically, the homelab server we are building out.

In this configuration, most connections from the media server will not transit the VPN; however, our downloaders will make use of it to ensure privacy.

First, we need to configure systemd's networkd for policy-based routing. We'll want a second routing table to be used for this purpose, so let's set that one up. Edit /etc/systemd/networkd.conf:

[Network]
RouteTable=download:1000

Next, we need to set up the network device. Edit /etc/systemd/network/99-wg0.netdev:

[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKey=<your private key>
ListenPort=51820

[WireGuardPeer]
PublicKey=t2x4A+F04hKfxIHMcY2RswaVyj3XHelTT8Q1FAwBIj4=
AllowedIPs=0.0.0.0/0
AllowedIPs=::/0
Endpoint=199.229.250.53:51820
RouteTable=download

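The example configuration shown here is for a Mullvad VPN server in Seattle. Adjust your PublicKey and Endpoint according to your VPN provider. Because this file contains your private key, make it owned by root:systemd-network with mode 0640 so that other local users cannot read it.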

Now that we have the network device set up, we need to set up the layer 3 link. Edit /etc/systemd/network/99-wg0.network:

[Match]
Name=wg0

[Network]
Address=<VPN IP address assigned to you>
DNS=<DNS server given by your VPN provider>

[Route]
Gateway=0.0.0.0
Destination=0.0.0.0/0
Table=download

[RoutingPolicyRule]
Table=download
User=10005-10006

This is a little more interesting. You obviously will need to configure your own IP address and DNS server as instructed by your VPN provider. We define an on-link default route for the routing table "download" we specified, and set up policy routing through that table for UIDs 10005 and 10006 - the ones we will use for our downloaders.
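
To confirm that the policy rule described above really sends the downloader UIDs through wg0, the following added example (not part of the original post or its repository) classifies the output of ip route get for each UID. The probe address, the sample outputs and the function names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): confirm the downloader UIDs
# really leave through wg0. Interface and UIDs are taken from the config above.
WG_IF="wg0"
VPN_UIDS="10005 10006"
PROBE_IP="1.1.1.1"   # assumption: any public address works; this is a route lookup only

# Constructed samples of `ip route get` output (addresses are made up).
SAMPLE_VPN='1.1.1.1 dev wg0 table 1000 src 10.64.0.2 uid 10005
    cache'
SAMPLE_LEAK='1.1.1.1 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 10005
    cache'

# Print the outgoing interface named after "dev" in `ip route get` output.
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed only if the lookup result leaves through the WireGuard interface.
uses_vpn() {
    [ "$(route_dev "$1")" = "$WG_IF" ]
}

# Live check. If table "download" has no matching route (for example wg0 is down),
# the lookup falls through to the main table and the UID shows the LAN interface.
audit_live() {
    rc=0
    for uid in $VPN_UIDS; do
        if uses_vpn "$(ip route get "$PROBE_IP" uid "$uid")"; then
            echo "uid $uid: via $WG_IF"
        else
            echo "uid $uid: NOT via $WG_IF"; rc=1
        fi
    done
    # Control: root (UID 0) is outside the policy rule and should use the main table.
    if uses_vpn "$(ip route get "$PROBE_IP" uid 0)"; then
        echo "uid 0: unexpectedly via $WG_IF"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    for s in "$SAMPLE_VPN" "$SAMPLE_LEAK"; do
        uses_vpn "$s" && echo "sample: via $WG_IF" || echo "sample: NOT via $WG_IF"
    done
fi
```

Run it with --live on the server to perform the real lookups; without arguments it only classifies the embedded samples.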

Configuration files up to this point are available at https://gitea.turriff.net/andreas/Homelab/releases/tag/Media_Server_Pt_3
