FreeBSD Home NAS, part 3: WireGuard VPN, routing, and Linux peers

https://news.ycombinator.com/rss Hits: 18
Summary

I am continuing to set up my home server on FreeBSD 14.3, which is intended to serve as a NAS. In the previous post, FreeBSD: introduction to Packet Filter (PF) firewall, we got acquainted with firewalls; the next step is to configure a VPN for access.

The main idea is to (finally!) connect my “office” and my apartment, and later, perhaps, also connect the server where rtfm.co.ua is currently running so that blog files and database backups can be stored directly on the ZFS mirror pool of the home server.

All posts in this blog series:

- FreeBSD: Home NAS, part 1 – configuring ZFS mirror (RAID1)
- FreeBSD: Home NAS, part 2 – introduction to Packet Filter (PF) firewall
- (current) FreeBSD: Home NAS, part 3 – WireGuard VPN, Linux peer, and routing
- FreeBSD: Home NAS, part 4 – Local DNS with Unbound
- FreeBSD: Home NAS, part 5 – ZFS pool, datasets, snapshots, and ZFS monitoring
- FreeBSD: Home NAS, part 6 – Samba server and client connections
- … to be continued

WireGuard vs OpenVPN

When it came to choosing which specific VPN server to use, I initially thought about OpenVPN – since I’ve worked with it for years, and there are even some blog posts about it on RTFM. However, after giving it some thought, I decided that for a home VPN, solutions like OpenVPN or Pritunl would be a bit of overkill, and I could give WireGuard a try.
The systems are very different, but in short:

- WireGuard has a much smaller codebase – for example, the Linux implementation is about 4,000 lines in the kernel, while OpenVPN is about 100,000 lines in user space
- WireGuard works as a kernel module – packet processing and cryptography are performed directly in kernel space, whereas OpenVPN is a user space service that operates through a TCP or UDP socket and interacts with the kernel via the standard kernel network stack
- The same applies to encryption, as WireGuard has built-in cryptography that is part of the protocol itself and runs in kernel space, while OpenVPN uses the standard SSL/TLS stack (OpenSSL, LibreS...

First seen: 2026-01-04 13:20

Last seen: 2026-01-05 06:22