I have used Tailscale in the past, and really like it, but I had problems at the time where there wasn't an Ubuntu 23 image, so I ended up setting up WireGuard on my OPNsense firewall. I have four hosts I use to remote in, and everything has been great.
I am now contemplating how to setup some changes I am making.
I have a lot of remote servers which I manage via SSH and have no issues. But I am looking at moving a few services from my LAN to WAN. Specifically Uptime-Kuma and CheckMK, as well as a few other things that I don't want to go offline if I lose power during winter storms.
I don't feel comfortable exposing these services to the Internet, so I was thinking I would use WireGuard to allow direct access while I am on my LAN. Obviously, Tailscale would be a super easy solution. I really don't want these remote servers (rented dedicated servers and VPS) having direct access to my LAN.
I was thinking I'd create a new WireGuard interface, and only allow outbound traffic on it. This way I can access these machines but they can't get on my LAN. I currently use SSH port forwarding when I need to access a web interface remotely and this works great, but I have to open up an SSH connection before accessing the website. I like being able to just click on stuff through my Homepage dashboard.
Now that I am adding some new remote servers, I want to set this up right. I feel like setting up WireGuard in OPNsense is the most optimal solution for performance and security; it is just not as easy.
I am considering Netmaker, Tailscale, and my personal favorite option, OPNsense.
TL;DR: I want to set up a WireGuard DMZ for remote servers so they can't access my LAN, while keeping my trusted road warrior WireGuard interface that does have full access. I am using OPNsense.
I have this setup using MikroTik devices and have about 10 sites that I remotely connect to that are accessible via a /24 overlay network using WireGuard. I also have another /24 that I use for my daily road warrior connections.
I'm not much help for OPNsense/pfSense, but I can give you a few pointers.
For your management network, choose something unique (as in, avoid 192.168.1.0/24). I have the MikroTiks set up to do NAT from my mgmt subnet to the local subnet that they get DHCP from (sometimes these devices aren't the actual router of the remote side I'm trying to access).
This way, when a request from my mgmt subnet is sent, it gets NATed to the MikroTik's local IP and then the remote resource can respond without having to go through its gateway directly. This does require a little work, as I need to know exactly which device I'm trying to reach and which ports. This isn't a big deal though and works seamlessly for my use case.
As far as securing access, I simply have a firewall rule in place that drops any traffic originating from the management network that isn't established or related to existing traffic that originated from my other subnets.
As far as road warriors go, I have another subnet that is treated like my local subnet, and I just configure the peer to use the other subnet. Since my road warrior subnet is in a "LAN" network/interface list, it's not subject to the firewall rules above, which allows my phone to seamlessly reach my file server, etc.
It gets even more fun if you have an iPhone and configure VPN on demand profiles. If I'm out and about and try to reach any of my subnets, it triggers the connection automatically and then disconnects as soon as I'm back on my home wifi.
Good luck!
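The policy both posts describe, a trusted road-warrior tunnel with full LAN access next to a "DMZ" tunnel whose peers may only answer sessions the LAN opened, comes down to two controls: WireGuard's AllowedIPs (cryptokey routing) pins each peer to the addresses it may source and route, and a stateful firewall rule blocks new connections from the DMZ interface while passing established/related replies. The block below is an added example, written for this thread and not code from either poster or from OPNsense; it models those two controls in Python so the rules can be checked against sample flows. The address plan (10.10.0.0/24 LAN, 10.200.0.0/24 trusted tunnel, 10.201.0.0/24 DMZ tunnel) and the interface names are constructed assumptions; the service port 3001 is likewise just a sample value for the Uptime-Kuma style service being reached.

```python
"""Model of the split-WireGuard policy: a trusted road-warrior interface with
full LAN access and a 'DMZ' interface for rented servers that may only answer
connections the LAN opened. All addresses below are constructed sample values,
not taken from the thread."""
import ipaddress
from dataclasses import dataclass

# Constructed sample address plan (assumption)
LAN = ipaddress.ip_network("10.10.0.0/24")          # home LAN behind the firewall
WG_TRUSTED = ipaddress.ip_network("10.200.0.0/24")  # road-warrior tunnel
WG_DMZ = ipaddress.ip_network("10.201.0.0/24")      # remote-server tunnel

IFACES = {"lan": LAN, "wg_trusted": WG_TRUSTED, "wg_dmz": WG_DMZ}


def iface_for(addr: str) -> str:
    """Map a source address to the interface it must arrive on (anti-spoof)."""
    ip = ipaddress.ip_address(addr)
    for name, net in IFACES.items():
        if ip in net:
            return name
    return "wan"


def allowed_ips(role: str, peer_addr: str) -> dict:
    """Cryptokey-routing lists for one peer. On the firewall side each peer is
    pinned to its own /32, so a DMZ server cannot source LAN addresses. On the
    client side a trusted road warrior routes the LAN through the tunnel; a DMZ
    server only routes the DMZ tunnel subnet itself and never learns a LAN route."""
    if role == "trusted":
        client_side = [str(LAN), str(WG_TRUSTED), str(WG_DMZ)]
    elif role == "dmz":
        client_side = [str(WG_DMZ)]
    else:
        raise ValueError(f"unknown peer role: {role}")
    return {"firewall_AllowedIPs": f"{peer_addr}/32", "client_AllowedIPs": client_side}


@dataclass(frozen=True)
class Flow:
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int


# Policy for NEW connections, first match wins: (ingress iface, destination, action)
NEW_CONN_RULES = [
    ("wg_trusted", "any", "pass"),    # road warriors reach everything
    ("wg_dmz", LAN, "block"),         # DMZ servers never initiate into the LAN
    ("wg_dmz", WG_TRUSTED, "block"),  # ...nor towards road warriors
    ("lan", "any", "pass"),           # LAN may open sessions to DMZ services
]


class StatefulFirewall:
    """Tiny stateful packet filter: replies to passed flows are 'established'."""

    def __init__(self):
        self.states = set()  # (src, sport, dst, dport) of flows that were passed

    def _is_reply(self, f: Flow) -> bool:
        return (f.dst, f.dport, f.src, f.sport) in self.states

    def evaluate(self, f: Flow) -> str:
        if iface_for(f.src) != f.in_iface:
            return "block"  # source address does not belong on this interface
        if self._is_reply(f):
            return "pass"   # established/related: answer to an allowed session
        dst = ipaddress.ip_address(f.dst)
        for iface, target, action in NEW_CONN_RULES:
            if iface == f.in_iface and (target == "any" or dst in target):
                if action == "pass":
                    self.states.add((f.src, f.sport, f.dst, f.dport))
                return action
        return "block"  # default deny, e.g. DMZ server to DMZ server


if __name__ == "__main__":
    fw = StatefulFirewall()
    print("LAN -> DMZ service:", fw.evaluate(Flow("lan", "10.10.0.5", 50000, "10.201.0.10", 3001)))
    print("DMZ reply      :", fw.evaluate(Flow("wg_dmz", "10.201.0.10", 3001, "10.10.0.5", 50000)))
    print("DMZ -> LAN ssh :", fw.evaluate(Flow("wg_dmz", "10.201.0.10", 40000, "10.10.0.20", 22)))
    print(allowed_ips("dmz", "10.201.0.10"))
```

The two checks reinforce each other: even if a DMZ peer configured a LAN route locally, the firewall-side AllowedIPs of its own /32 means WireGuard drops any packet it sends with a LAN source, and the stateful rule drops the legitimately sourced ones that try to open a new session into the LAN. On OPNsense this corresponds to giving the DMZ tunnel its own interface and, on that interface, a block rule for new traffic to the LAN net ahead of a pass rule for the rest, with the road-warrior tunnel's interface allowed through.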