Does this VPN config look secure?

Started by HomeLabEnthusiast321, March 22, 2024, 12:08:51 AM

March 22, 2024, 12:08:51 AM Last Edit: March 22, 2024, 12:12:17 AM by HomeLabEnthusiast321
I'm going to get an Intel NUC and set up OPNsense on it.

My LAN is on the 192.168.1.0/24 subnet. My Synology NAS running OpenVPN server already occupies the 10.8.0.0/16 subnet.

In order not to overlap anything, I'm going to set up my WireGuard VPN on the 172.16.0.0/12 subnet.

1) Does this configuration look correct, or will I run into issues?

2) If I want my WireGuard VPN clients to only be able to talk to my NAS inside my LAN and no other LAN devices/resources, then I'll set up 2 rules:

    #1: All IPs will be able to talk to the WireGuard VPN Server port

    #2: The WireGuard VPN Server subnet will only be able to talk to the NAS IP; the LAN subnet (192.168.1.0/24) will be blocked for the VPN Server subnet

The specific order of rules will be as follows, from top to bottom:

1) All IPs will be able to talk to the WireGuard VPN Server port

2) The WireGuard VPN Server subnet will be allowed to talk to the NAS IP

3) The WireGuard VPN Server subnet will be blocked from accessing the LAN subnet


By doing this, the VPN clients will be able to access the NAS but not any of the other LAN devices, am I correct?
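The address plan and the three-rule order proposed above, modelled as an added example (this is not code from the thread or from OPNsense): it checks with Python's ipaddress module that the three subnets do not overlap, then evaluates sample flows against the rules in first-match order, including the mis-ordered variant where the LAN block sits above the NAS allow. The subnets are the ones listed in the post; the NAS address 192.168.1.10, the WireGuard listen port 51820/udp and the tuple representation of a rule are assumptions made only for this illustration.

```python
"""Added example, not from the original post: check the OP's subnet plan
for overlaps and simulate first-match evaluation of the proposed rules.

Assumptions (not stated in the post): NAS is 192.168.1.10, WireGuard
listens on udp/51820, and the implicit default policy is block.
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
OPENVPN = ip_network("10.8.0.0/16")      # existing Synology OpenVPN tunnel range
WIREGUARD = ip_network("172.16.0.0/12")  # proposed WireGuard tunnel range
ANY = ip_network("0.0.0.0/0")
NAS = ip_network("192.168.1.10/32")      # assumed NAS address
WG_PORT = 51820                          # assumed WireGuard listen port


def overlapping(nets):
    """Return every pair of networks in `nets` that overlap (empty means the plan is clean)."""
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


# A rule is (action, source net, destination net, protocol or None, dst port or None).
# None means "any". Order matters: the first matching rule wins.
RULES = [
    ("pass", ANY, ANY, "udp", WG_PORT),   # #1 anyone may reach the WireGuard port
    ("pass", WIREGUARD, NAS, None, None),  # #2 WireGuard clients may reach the NAS
    ("block", WIREGUARD, LAN, None, None), # #3 WireGuard clients may not reach the rest of the LAN
]

# Same rules with #2 and #3 swapped: the common mistake this example exposes.
MISORDERED_RULES = [RULES[0], RULES[2], RULES[1]]


def evaluate(src, dst, proto, dport, rules=RULES, default="block"):
    """First-match evaluation: return the action of the first rule whose
    fields all match the flow, or `default` (the implicit deny) if none do."""
    src, dst = ip_address(src), ip_address(dst)
    for action, rsrc, rdst, rproto, rport in rules:
        if src not in rsrc or dst not in rdst:
            continue
        if rproto is not None and proto != rproto:
            continue
        if rport is not None and dport != rport:
            continue
        return action
    return default


def flow_matrix(rules=RULES):
    """Evaluate a handful of representative flows; returns {label: action}."""
    # Constructed sample flows for the illustration.
    flows = {
        "internet -> firewall wg port": ("203.0.113.5", "198.51.100.1", "udp", WG_PORT),
        "wg client -> NAS smb":         ("172.16.0.2", "192.168.1.10", "tcp", 445),
        "wg client -> other LAN host":  ("172.16.0.2", "192.168.1.20", "tcp", 22),
        "wg client -> internet dns":    ("172.16.0.2", "8.8.8.8", "udp", 53),
    }
    return {label: evaluate(*f, rules=rules) for label, f in flows.items()}


if __name__ == "__main__":
    print("overlaps:", overlapping([LAN, OPENVPN, WIREGUARD]))
    for label, action in flow_matrix().items():
        print(f"{label:30s} {action}")
    print("mis-ordered, wg client -> NAS:", flow_matrix(MISORDERED_RULES)["wg client -> NAS smb"])
```

With the rules in the stated order the NAS flow passes and the other LAN host is blocked; with #2 and #3 swapped the NAS flow is blocked too, which is why the allow must sit above the block. Note that the model collapses everything into one list and assumes the implicit default deny; in OPNsense the rules live per interface (the listen-port rule on WAN, the client rules on the WireGuard interface), each list evaluated first-match, so the ordering point applies within the WireGuard interface's list. The last flow also shows that without an explicit rule the clients get no Internet access through the tunnel, which may or may not be what is wanted.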

No red flags - I would test WG and fix issues as they appear.

But why use WireGuard and needless VPN clients when you can have it all perfectly fine and safer with the onboard VPN clients in all operating systems, including mobile phones??  ;)
https://administrator.de/tutorial/ipsec-ikev2-vpn-fuer-mobile-benutzer-auf-der-pfsense-oder-opnsense-firewall-einrichten-337198.html

The decision to favor one over the other is more complex. Both VPN technologies/implementations have their strengths and weaknesses. For most people WireGuard is easier to configure than IPsec. Furthermore, it prevents mistakes in terms of secure encryption, and the WireGuard protocol is more state of the art. IPsec instead allows a more detailed configuration specific to use cases.

Especially with IPsec and road-warrior setups, you can run into problems if you do not own a public IPv4 address and have to switch to IPv6.
OPNsense 24.7.11_2-amd64