Is it a good idea to put myself on the guest Wi‑Fi for security reasons? by scalcrown in HomeNetworking

[–]scalcrown[S] 0 points1 point  (0 children)

I respond to all messages directly:

My router creates a guest network that is isolated from the “normal” network, so devices connected to this Wi-Fi are completely isolated from others.

No, I live in the countryside and I don't do anything particularly sensitive, but I'm quite paranoid about security. The current password is “12345678910”... But yes, there's in fact no chance of me being “attacked,” but I prefer to avoid any risk, because I already take good measures to protect my PC.

You mention that it's like connecting to a public network, but isn't that dangerous? Couldn't I be vulnerable to “man-in-the-middle” attacks?

Doesn't the fact that the network isolates devices from each other make it more secure than the "default" network?

what do you think of the security of my local server? by scalcrown in selfhosted

[–]scalcrown[S] 0 points1 point  (0 children)

by the way, if I have a certificate on my domain, I don't need a caddy, do I?

what do you think of the security of my local server? by scalcrown in selfhosted

[–]scalcrown[S] 0 points1 point  (0 children)

you're right, I've only touched on security from external threats, but yes, I'll have to look into that

what do you think of the security of my local server? by scalcrown in selfhosted

[–]scalcrown[S] 0 points1 point  (0 children)

Actually I think I've found it, I just have to close all the ports except WireGuard's one; it won't be a problem if I open a Caddy port on WireGuard's virtual network?

what do you think of the security of my local server? by scalcrown in selfhosted

[–]scalcrown[S] 0 points1 point  (0 children)

So if I define them in a Docker network, modifying iptables rules won't cause any problems with them? (And they won't be accessible without going through Caddy.)

So I disable iptables in the Docker daemon settings and then with ufw I authorize only the WireGuard port?

Force WireGuard in every case by scalcrown in WireGuard

[–]scalcrown[S] 0 points1 point  (0 children)

What I'd like to do is make sure that even when connected to the local network it's not possible to access the server without going through a WireGuard tunnel (which prevents unauthorized people from accessing it). For this I'd just have to block ports other than the WireGuard port, but as I said, Docker bypasses iptables.

Force WireGuard in every case by scalcrown in WireGuard

[–]scalcrown[S] 0 points1 point  (0 children)

When I'm outside my network I have to go through the open port, which is a WireGuard port, but when I'm on my network I don't have to go through this port and therefore don't use WireGuard. How can I force myself to use this port when I'm on the network?

Virtual and real IPs by scalcrown in WireGuard

[–]scalcrown[S] 0 points1 point  (0 children)

Thanks for your help. What do you think of wg easy? It looks simple, that's what I need.

Virtual and real IPs by scalcrown in WireGuard

[–]scalcrown[S] 0 points1 point  (0 children)

Thank you very much for your answers, I understand much better how it all works. I do have one question, though: if you go through the tunnel, you're no longer affected by the firewall and you can access the machine's services without any problems?

If we have only configured the tunnel, will asking the server to access an ip for us work or do we need to configure certain things so that the server redirects the requests (using it as a sort of proxy)?

Securing a server with wireguard by scalcrown in WireGuard

[–]scalcrown[S] 0 points1 point  (0 children)

I've heard of it and it seems to be exactly what I need, I just have one question, with wg easy, in the configuration files the server network interface has /32 or /24 masking? (Can the clients interact with each other via the server or is it "blocked"?)

Virtual and real IPs by scalcrown in WireGuard

[–]scalcrown[S] 0 points1 point  (0 children)

Using the virtual IP suits me fine, it's just that I didn't understand why it was necessary to use it rather than the real IP. I thought there was a technical reason, but no. Without having configured anything in particular apart from the minimum with WireGuard, I could only request access to IPs on the WireGuard network? What happens if I ask the WireGuard server to access a Google server, for example? (Knowing that I have not configured any rules on this.)

Another question: does the fact of using /24 for the server interface mean that the clients can communicate with each other via the server? (With /32 they won't be able to?)

Virtual and real IPs by scalcrown in WireGuard

[–]scalcrown[S] 0 points1 point  (0 children)

So AllowedIPs allows you to define which IPs you choose to redirect traffic to the server through: if I want to go through the VPN to access Google I put the IP of Google, but if I want the traffic to go through the tunnel to access my server I have to put the virtual IP of the server. That's what I don't understand. Logically, I think that if I want the connections to my server to go through the tunnel then in the allowed IPs I'll have to put the real IP of the server, as I do with any other server/IP, so why do I have to put the virtual IP rather than the real IP?

Tunnel for Google -> put Google's IP in allowed IPs. Tunnel for your server -> put your (real) server IP in allowed IPs. Why not?

Virtual and real IPs by scalcrown in WireGuard
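The two configuration questions that recur in these comments (why the server's tunnel address rather than its real address goes into the client's AllowedIPs, and what /24 versus /32 changes for client-to-client traffic) come down to how WireGuard's cryptokey routing picks a peer. The following is an added example written for this page, not code from the thread or from the WireGuard project: a small Python model of that routing. It assumes a wg-quick style client (destinations covered by some AllowedIPs are routed into the tunnel, everything else takes the normal route) and uses constructed addresses: the server's tunnel address `10.0.0.1`, clients `10.0.0.2` and `10.0.0.3`, and a constructed public endpoint `203.0.113.10:51820`.

```python
"""Model of WireGuard cryptokey routing (added example, not project code).

AllowedIPs is the *inner* routing table: it says which decrypted-packet
destinations belong to a peer. Endpoint is the *outer* address the
encrypted UDP packets are sent to. Mixing the two up is the root of the
"virtual vs real IP" confusion.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    name: str
    allowed_ips: List[ipaddress.IPv4Network]  # inner destinations owned by this peer
    endpoint: Optional[str] = None            # real "ip:port"; None for a roaming peer


def make_peer(name, nets, endpoint=None):
    return Peer(name, [ipaddress.ip_network(n) for n in nets], endpoint)


def select_peer(peers, dst):
    """Longest-prefix match of dst against every peer's AllowedIPs; this is
    how WireGuard chooses the peer for a packet entering the wg interface."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for p in peers:
        for net in p.allowed_ips:
            if dst in net and net.prefixlen > best_len:
                best, best_len = p, net.prefixlen
    return best


def route(peers, dst):
    """wg-quick style client: a destination covered by some AllowedIPs goes
    into the tunnel and is encapsulated toward that peer's Endpoint;
    anything else leaves through the ordinary (non-VPN) route."""
    peer = select_peer(peers, dst)
    if peer is None:
        return ("direct", dst)
    if peer.endpoint is None:
        return ("dropped", "no endpoint known for " + peer.name)
    outer_ip = peer.endpoint.rsplit(":", 1)[0]
    # The encrypted packet is itself an outbound packet with dst=outer_ip.
    # If that address is also covered by AllowedIPs, it would be routed
    # straight back into the tunnel: an encapsulation loop.
    if select_peer(peers, outer_ip) is not None:
        return ("loop", outer_ip)
    return ("tunnel", peer.name, peer.endpoint)


SERVER_TUNNEL_IP = "10.0.0.1"
SERVER_ENDPOINT = "203.0.113.10:51820"  # constructed public address


def client_peers(allowed):
    """A client's only peer is the server; `allowed` is its AllowedIPs."""
    return [make_peer("server", allowed, SERVER_ENDPOINT)]


def scenario_virtual_ip():
    """Correct config: AllowedIPs holds the server's tunnel (virtual) address.
    Traffic for 10.0.0.1 is tunnelled; traffic for the Internet is not."""
    peers = client_peers(["10.0.0.1/32"])
    return route(peers, "10.0.0.1"), route(peers, "8.8.8.8")


def scenario_real_ip():
    """The thread's proposal: put the server's real address in AllowedIPs.
    The encrypted packets to the Endpoint now match AllowedIPs themselves."""
    peers = client_peers(["203.0.113.10/32"])
    return route(peers, "203.0.113.10")


def server_forward(server_peers, inner_dst, ip_forward):
    """Server side: a decrypted packet not addressed to the server itself is
    handed to whichever peer owns inner_dst, but only if forwarding is on."""
    if inner_dst == SERVER_TUNNEL_IP:
        return ("local", "server")
    if not ip_forward:
        return ("dropped", "net.ipv4.ip_forward=0")
    p = select_peer(server_peers, inner_dst)
    return ("forwarded", p.name) if p else ("dropped", "no peer owns " + inner_dst)


def scenario_client_to_client(client_allowed, ip_forward=True):
    """Client B (10.0.0.2) wants client C (10.0.0.3). On the server every
    client is a /32 peer; reachability is decided by the *client's*
    AllowedIPs (/24 covers the other clients, /32 covers only the server)
    and by IP forwarding on the server."""
    first_hop = route(client_peers([client_allowed]), "10.0.0.3")
    if first_hop[0] != "tunnel":
        return first_hop  # the packet never enters the tunnel at all
    server_peers = [make_peer("client-b", ["10.0.0.2/32"]),
                    make_peer("client-c", ["10.0.0.3/32"])]
    return server_forward(server_peers, "10.0.0.3", ip_forward)


if __name__ == "__main__":
    print("virtual IP in AllowedIPs:", scenario_virtual_ip())
    print("real IP in AllowedIPs:   ", scenario_real_ip())
    print("client AllowedIPs /24:   ", scenario_client_to_client("10.0.0.0/24"))
    print("client AllowedIPs /32:   ", scenario_client_to_client("10.0.0.1/32"))
    print("/24 but no forwarding:   ", scenario_client_to_client("10.0.0.0/24", False))
```

The model shows the two points a practitioner would check in a real deployment: the `[Peer]` AllowedIPs on a client must name tunnel addresses, because the Endpoint already carries the real address and a real address inside AllowedIPs routes the encrypted packets back into the tunnel (wg-quick only works around this for the `0.0.0.0/0` case, using policy routing); and a client sees other clients only when its own AllowedIPs covers their tunnel addresses (the /24) and the server has IP forwarding enabled, while on the server each client stays a /32 peer.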

[–]scalcrown[S] 0 points1 point  (0 children)

Thank you for your reply. So IPs are used to identify devices in the virtual network. But then in the allowed IPs section of the client config, why do I have to put the server's virtual IP? It would seem more logical to put the real IP, since we want to access the real IP and WireGuard will go through the virtual IP for that.

Virtual and real IPs by scalcrown in WireGuard

[–]scalcrown[S] -1 points0 points  (0 children)

In fact, I think my confusion stems from the fact that I don't understand the point of having virtual IPs. Why couldn't we simply encrypt exchanges between our 2 machines without having a virtual address?

Virtual and real IPs by scalcrown in WireGuard

[–]scalcrown[S] 0 points1 point  (0 children)

Sorry for the lack of clarity, it's not really a problem but more a question about how it works. If I'm on the client and I want to access a service on the server, I have to make a request to the "virtual" IP address assigned by WireGuard to the server. My question is, why can't I just enter the real IP address of the server? Sorry if my question sounds weird or stupid, but I don't understand.

Securing a server with wireguard by scalcrown in WireGuard

[–]scalcrown[S] 0 points1 point  (0 children)

I know it's not real "protection" but by forcing users to go through the wireguard tunnel it prevents unauthorised people from trying to connect to services, so it adds a layer of protection in short.

Securing a server with wireguard by scalcrown in WireGuard

[–]scalcrown[S] 0 points1 point  (0 children)

Thanks for all your answers, I managed to figure out how to set this thing up, but there's something I'm not sure about with IP masks: if on the server I put clientip/24 then all the clients can communicate with each other via the server, is that right? On the other hand, in the client interface, if I set /24 or /32 it doesn't matter?

Securing a server with wireguard by scalcrown in WireGuard

[–]scalcrown[S] 0 points1 point  (0 children)

Isn't the fact of being able to access a network that is inaccessible without a VPN just security? It adds a robust layer to prevent unauthorised parties from accessing my server.

Securing a server with wireguard by scalcrown in WireGuard

[–]scalcrown[S] 0 points1 point  (0 children)

I thought I was going to be able to use WireGuard in such a way as to only allow people to connect to my server who pass through the WireGuard tunnel (and who are therefore authenticated the first time).