Goal
Build a small WireGuard hub that drops you into your lab, while keeping IoT and guest networks isolated behind VLANs and firewall policy. No WAN port forwards; you ride the tunnel for admin access.
Prereqs
- Router/firewall that supports VLANs and policy-based rules.
- Tagged switch uplink to your AP; SSIDs mapped to VLANs (e.g., IoT, Guest).
- WireGuard-capable host (thin client/VM) on the management VLAN.
Network Layout
- Mgmt/Lab VLAN 10: 192.168.10.0/24 (Proxmox, NAS, proxy, WireGuard).
- IoT VLAN 20: 192.168.20.0/24 (deny east-west; allow only specific flows).
- Guest VLAN 30: 192.168.30.0/24 (internet-only).
- AP trunks SSIDs to VLAN 20/30; wired trunks carry 10/20/30.
WireGuard Hub Setup
- Deploy a lightweight host (Alpine/Debian) on VLAN 10 with static IP.
- Install WireGuard (`apt install wireguard`); enable IP forwarding on the host (net.ipv4.ip_forward=1 via sysctl).
- Create a peer for each device; on the client side set AllowedIPs = 192.168.10.0/24 and DNS = 192.168.10.2 (your resolver).
- Firewall: allow UDP 51820 from WAN to the WireGuard host, OR use a tunnel provider that supports UDP passthrough; otherwise, as a last resort, run WG behind a TCP forward (WireGuard itself speaks only UDP, so that means wrapping it in a TCP tunnel).
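The hub and client configs for the layout above, as an added example that is not part of the guide. Assumed values (not on the page): tunnel subnet 10.66.0.0/24 with the hub at 10.66.0.1, hub LAN address 192.168.10.5, and the public endpoint vpn.example.invalid. Keys are passed in as arguments so the render functions run without the wg tool installed; gen_keypair produces real ones.

```shell
#!/bin/sh
# Added example (not from the guide): renders the hub-side and client-side
# WireGuard configs. Assumed values (not on the page): tunnel subnet
# 10.66.0.0/24 with the hub at 10.66.0.1, hub LAN address 192.168.10.5,
# public endpoint vpn.example.invalid.

TUNNEL_NET=10.66.0.0/24
HUB_TUNNEL_IP=10.66.0.1
LAB_NET=192.168.10.0/24
LAB_DNS=192.168.10.2
WG_PORT=51820
HUB_ENDPOINT="vpn.example.invalid:${WG_PORT}"

# gen_keypair NAME -> NAME.key, NAME.pub, NAME.psk (needs the wg tool; files are mode 0600)
gen_keypair() {
  command -v wg >/dev/null 2>&1 || { echo "wg not installed" >&2; return 1; }
  ( umask 077
    wg genkey | tee "$1.key" | wg pubkey > "$1.pub"
    wg genpsk > "$1.psk" )
}

# render_hub_conf HUB_PRIVKEY PEER_PUBKEY PEER_PSK PEER_TUNNEL_IP
# On the hub, AllowedIPs is the peer's own /32: cryptokey routing only accepts
# packets from that peer whose source address falls inside it.
render_hub_conf() {
  cat <<EOF
[Interface]
Address = ${HUB_TUNNEL_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = $1
# Forward tunnel traffic into VLAN 10; whether VLAN 20/30 are reachable is the router policy's job.
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey = $2
PresharedKey = $3
AllowedIPs = $4/32
EOF
}

# render_peer_conf PEER_PRIVKEY HUB_PUBKEY PEER_PSK PEER_TUNNEL_IP
# Split tunnel: only the lab VLAN and the tunnel subnet are routed through the VPN.
render_peer_conf() {
  cat <<EOF
[Interface]
Address = $4/24
PrivateKey = $1
DNS = ${LAB_DNS}

[Peer]
PublicKey = $2
PresharedKey = $3
Endpoint = ${HUB_ENDPOINT}
AllowedIPs = ${LAB_NET}, ${TUNNEL_NET}
PersistentKeepalive = 25
EOF
}

# is_split_tunnel CONFIG_TEXT -> 1 if the client config would send all traffic (0.0.0.0/0 or ::/0) via the hub
is_split_tunnel() {
  printf '%s\n' "$1" | grep -Eq '^AllowedIPs *=.*(0\.0\.0\.0/0|::/0)' && return 1
  return 0
}

# Demo with placeholder key strings (real keys are the base64 values written by gen_keypair).
if [ "${1:-}" = "demo" ]; then
  render_hub_conf HUB_PRIVATE_KEY LAPTOP_PUBLIC_KEY LAPTOP_PSK 10.66.0.2
  echo "-----"
  render_peer_conf LAPTOP_PRIVATE_KEY HUB_PUBLIC_KEY LAPTOP_PSK 10.66.0.2
fi
```

Run `sh wg-render.sh demo` to see both files; is_split_tunnel is the check to run over any client config you hand out, since a stray 0.0.0.0/0 turns the admin tunnel into a full-traffic VPN through your lab.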
Firewall Policy
- Allow WG clients to VLAN 10; deny to VLAN 20/30 except specific destinations.
- Block IoT/Guest to VLAN 10; allow internet only (and NTP/DNS to resolver).
- Log drops from IoT to lab; rate-limit DNS/DoH from IoT/Guest.
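One way to express the policy above on a Linux router with nftables, as an added example that is not part of the guide. Assumed names (not on the page): VLAN interfaces vlan10/vlan20/vlan30, WAN interface wan0, the WireGuard hub at 192.168.10.5, WG client tunnel subnet 10.66.0.0/24, and 192.168.20.10 as the single IoT device WG clients may reach.

```shell
#!/bin/sh
# Added example (not from the guide): nftables ruleset for the router.
# Assumed names (not on the page): vlan10/vlan20/vlan30, wan0, hub at
# 192.168.10.5, WG clients in 10.66.0.0/24, allowed IoT host 192.168.20.10.

render_policy() {
  cat <<'EOF'
table inet lab_policy {
  set wg_clients {
    type ipv4_addr
    flags interval
    elements = { 10.66.0.0/24 }
  }
  set iot_ok_from_wg {
    type ipv4_addr
    elements = { 192.168.20.10 }
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop

    # Inbound WireGuard after DNAT (see lab_nat below)
    iifname "wan0" ip daddr 192.168.10.5 udp dport 51820 accept

    # WG clients: VLAN 10 yes; IoT/Guest only the listed hosts; log the rest
    iifname "vlan10" ip saddr @wg_clients oifname "vlan10" accept
    iifname "vlan10" ip saddr @wg_clients oifname "vlan20" ip daddr @iot_ok_from_wg accept
    iifname "vlan10" ip saddr @wg_clients oifname { "vlan20", "vlan30" } log prefix "wg-to-iot-guest-drop " drop

    # Lab VLAN itself may reach anything
    iifname "vlan10" accept

    # IoT/Guest -> VLAN 10: only DNS and NTP to the resolver; log (rate-limited) and drop the rest
    iifname { "vlan20", "vlan30" } oifname "vlan10" ip daddr 192.168.10.2 udp dport { 53, 123 } accept
    iifname { "vlan20", "vlan30" } oifname "vlan10" ip daddr 192.168.10.2 tcp dport 53 accept
    iifname "vlan20" oifname "vlan10" limit rate 10/minute log prefix "iot-to-lab-drop "
    iifname { "vlan20", "vlan30" } oifname { "vlan10", "vlan20", "vlan30" } drop

    # IoT/Guest -> internet: allow, but rate-limit plain DNS and block DoT (853).
    # DoH shares 443 with ordinary HTTPS; block it by a set of resolver IPs if you need to.
    iifname { "vlan20", "vlan30" } oifname "wan0" udp dport 53 limit rate 20/second accept
    iifname { "vlan20", "vlan30" } oifname "wan0" tcp dport 53 limit rate 20/second accept
    iifname { "vlan20", "vlan30" } oifname "wan0" udp dport 53 drop
    iifname { "vlan20", "vlan30" } oifname "wan0" tcp dport { 53, 853 } drop
    iifname { "vlan20", "vlan30" } oifname "wan0" accept
  }
}
table ip lab_nat {
  chain prerouting {
    type nat hook prerouting priority -100; policy accept;
    # Add "ip saddr { a.b.c.d }" here to expose the port only to known WAN IPs.
    iifname "wan0" udp dport 51820 dnat to 192.168.10.5
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "wan0" masquerade
  }
}
EOF
}

# check_policy: syntax-check the ruleset with nft if it is installed (does not load it).
check_policy() {
  command -v nft >/dev/null 2>&1 || { echo "nft not installed; skipping syntax check" >&2; return 0; }
  render_policy | nft -c -f -
}

# Load for real with: render_policy | nft -f -
# (does not flush existing tables; review them first so rules are not appended twice)
```

Rule order matters: the WG-client rules sit before the blanket `iifname "vlan10" accept`, and the resolver accepts sit before the IoT-to-lab log/drop pair, so only genuine drops reach the log. The `limit rate` on the log rule keeps a chatty IoT device from filling the journal.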
DNS & Split Horizon
- Run Pi-hole/Unbound in VLAN 10; DHCP option per VLAN points to it.
- Internal records for lab services (*.lab.local) resolve to VLAN 10 IPs.
- Do not expose Pi-hole to WAN; permit only per-VLAN resolver traffic.
Validation
- From a WG client: reach hypervisor/NAS; confirm IoT/Guest subnets are blocked (ping or curl should fail).
- Confirm mDNS/SSDP is not leaking between VLANs (no random device discovery).
- Run traceroute from the WG client to ensure you stay inside the lab path.
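The validation steps above as a script run from a connected WG client, added here as an example that is not part of the guide. Assumed values (not on the page): hub tunnel subnet 10.66.0.0/24, NAS at 192.168.10.20, and 192.168.20.1 / 192.168.30.1 as the IoT and Guest hosts that must be unreachable. The traceroute parser is exercised on constructed output so it can be checked offline; the live checks run only with RUN_LIVE=1.

```shell
#!/bin/sh
# Added example (not from the guide): validation run from a WG client.
# Assumed values (not on the page): tunnel 10.66.0.0/24, NAS 192.168.10.20,
# IoT/Guest test hosts 192.168.20.1 and 192.168.30.1.

# hop_ips: read traceroute output on stdin, print one IP per answered hop.
# Handles "host (ip)" and bare "ip" (traceroute -n) forms, skips the header and "* * *" hops.
hop_ips() {
  awk 'NR == 1 && /^traceroute/ { next }
       {
         ip = ""
         if (match($0, /\([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\)/))
           ip = substr($0, RSTART + 1, RLENGTH - 2)
         else if ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
           ip = $2
         if (ip != "") print ip
       }'
}

# path_stays_in_lab TRACEROUTE_OUTPUT -> 0 if every hop is in the tunnel or VLAN 10.
# A hop such as the client's home router means the packets left the tunnel
# (wrong AllowedIPs on the client, or a route leak).
path_stays_in_lab() {
  rc=0
  for ip in $(printf '%s\n' "$1" | hop_ips); do
    case "$ip" in
      10.66.0.*|192.168.10.*) ;;
      *) echo "off-path hop: $ip" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# expect_blocked HOST -> 0 only if HOST does not answer ping (Linux iputils: -W is seconds).
expect_blocked() {
  if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then
    echo "FAIL: $1 is reachable from the WG client" >&2
    return 1
  fi
  echo "ok: $1 blocked"
}

# Constructed traceroute outputs (not real captures) for the offline check.
SAMPLE_GOOD='traceroute to nas.lab.local (192.168.10.20), 30 hops max, 60 byte packets
 1  10.66.0.1 (10.66.0.1)  21.4 ms  20.9 ms  21.1 ms
 2  192.168.10.20 (192.168.10.20)  22.0 ms  21.7 ms  21.9 ms'
SAMPLE_LEAK='traceroute to nas.lab.local (192.168.10.20), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.2 ms  1.1 ms  1.0 ms
 2  * * *
 3  192.168.10.20 (192.168.10.20)  22.0 ms  21.7 ms  21.9 ms'

if [ "${RUN_LIVE:-0}" = 1 ]; then
  expect_blocked 192.168.20.1
  expect_blocked 192.168.30.1
  path_stays_in_lab "$(traceroute -n -w 2 192.168.10.20)"
  # mDNS/SSDP leak check, run on the hub: any multicast discovery packet sourced
  # from VLAN 20/30 that shows up on the VLAN 10 interface is a leak.
  # timeout 15 tcpdump -ni eth0 '(dst 224.0.0.251 or dst 239.255.255.250) and (src net 192.168.20.0/24 or src net 192.168.30.0/24)'
fi
```

The path check is deliberately strict: a first hop that is your home gateway rather than 10.66.0.1 means the lab route never entered the tunnel, which is the failure mode a split-tunnel client produces when AllowedIPs is wrong.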
Hardening
- Use preshared keys on peers; rotate keys quarterly.
- Restrict WG port exposure to specific WAN IPs if possible.
- Back up WireGuard configs; test restore on a spare VM.