| Age | Commit message (Collapse) | Author |
|---|
|
Removed the detailed CARP failover testing section including
failover/failback test commands and results. The section was too
detailed for the blog post scope.
|
|
Updated client-side setup section to include DNS configuration.
Added instructions for adding /etc/hosts entries pointing LAN
service domains to the CARP VIP (192.168.1.138).
Renamed section from 'Client-side CA trust' to 'Client-side DNS
and CA setup' to reflect both DNS and certificate configuration.
|
|
Keep only Linux/FreeBSD setup instructions that match the actual
infrastructure. Removed unnecessary platform-specific instructions
for macOS and Windows from the Client-side CA trust section.
|
|
Gemini gemtext only supports headers up to ###. Changed all ####
headers to the *Header*: format for proper Gemini compatibility.
|
|
Added update notice at the beginning of the blog post to inform
readers about the LAN ingress feature addition in February 2026.
The notice references the new section and summarizes key features.
|
|
- Document CARP + relayd architecture for LAN access
- Explain cert-manager setup with self-signed CA
- Provide example LAN ingress configuration for Grafana
- Include CARP failover testing results
- Document three TLS offloaders (OpenBSD, Traefik, stunnel)
- Show step-by-step setup for FreeBSD relayd
- Add client-side CA trust instructions for Linux/macOS/Windows
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Amp-Thread-ID: https://ampcode.com/threads/T-019c086d-c760-779d-b740-0f748094b62a
Co-authored-by: Amp <amp@ampcode.com>
|
|
Amp-Thread-ID: https://ampcode.com/threads/T-019c086d-c760-779d-b740-0f748094b62a
Co-authored-by: Amp <amp@ampcode.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Updated all `wg show` output examples to include IPv6 addresses
in the "allowed ips" field for mesh peers.
Changes:
- All mesh peers now show dual-stack: 192.168.2.X/32, fd42:beef:cafe:2::X/128
- Roaming client output updated to show single gateway peer
- Reflects actual dual-stack WireGuard configuration
This makes the example outputs consistent with the IPv6 implementation
documented earlier in the blog post.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
|
|
Removed invalid Gemtext formatting:
- Changed #### headers to plain text with colons (Gemtext only supports # ## ###)
- Removed ** bold formatting (Gemtext has no inline formatting)
Gemtext is a minimal format with no support for inline bold/italic
or 4-level headers. Changed to plain text formatting.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
Restructured "Managing Roaming Client Tunnels" section to follow
a more logical flow:
1. First: Manual gateway failover configuration (create the configs)
- Configuration files for pixel7pro (QR codes)
- Configuration files for earth (systemd services)
2. Then: Usage instructions
- Starting/stopping on earth (using the configured services)
- Starting/stopping on pixel7pro (using the imported profiles)
- Verifying connectivity
This "configure first, then use" approach is more intuitive than
the previous order where usage instructions came before explaining
the failover configuration.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
Moved "Manual gateway failover for roaming clients" section into
"Managing Roaming Client Tunnels" as a subsection. This provides
better flow:
1. First explains basic roaming client setup and management
2. Then explains start/stop operations
3. Finally discusses the failover limitation and manual solution
The manual failover discussion now comes after readers understand
the basic roaming client operations, making it easier to follow.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
|
|
Updated the configuration example to show the complete setup for all
10 hosts (f0-f2, r0-r2, blowfish, fishfinger, earth, pixel7pro) with
their IPv6 addresses, instead of abbreviated "..." sections.
This makes the IPv6 configuration clearer and provides a complete
reference for readers implementing dual-stack WireGuard mesh.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
Updated blog posts to include IPv6 (fd42:beef:cafe:2::/64) addresses
alongside IPv4 addresses for all WireGuard mesh hosts.
Changes:
- Part 5: Added IPv6 addresses to all three /etc/hosts examples
- Part 5: Updated wireguardmeshgenerator.yaml to show ipv6 field
- Part 6: Added IPv6 address for f3s-storage-ha VIP
All hosts now have dual-stack hostname resolution documented.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
Added section explaining how to use separate gateway configurations
for pixel7pro and earth roaming clients to enable manual failover
between blowfish and fishfinger gateways.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
|
|
|
|
Added new 'Managing Roaming Client Tunnels' section before the conclusion
covering how to start and stop WireGuard on both roaming clients:
earth (Fedora laptop):
- systemctl start/stop/status commands
- Example wg show output showing active peers
- Notes about disabled service preventing auto-start
pixel7pro (Android phone):
- Step-by-step toggle instructions in WireGuard app
- Quick toggle from notification shade
- Optional automatic activation based on network conditions
- Instructions for configuring auto-activation settings
Also includes:
- Verifying connectivity section with ping and curl examples
- How to check which gateway is actively routing traffic
- Transfer statistics monitoring
This provides practical guidance for day-to-day VPN usage on roaming clients.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
Updated rake generate output and keys listing to include:
- dist/earth/etc/wireguard/wg0.conf generation
- dist/pixel7pro/etc/wireguard/wg0.conf generation
- PSK keys for earth and pixel7pro with blowfish and fishfinger
- Private/public keys for earth and pixel7pro
This completes the integration of roaming clients into all output examples
throughout the blog post.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
Rewrote Part 5 blog post to seamlessly integrate roaming client (earth, pixel7pro)
content throughout instead of having it as a separate update section. The post now
reads as one cohesive article.
Changes:
- Simplified header note about roaming clients (removed large update section)
- Updated introduction to include roaming clients in topology description
- Added roaming traffic patterns to "Expected traffic flow" section
- Updated YAML config example to show earth and pixel7pro entries with exclude_peers
- Added roaming client wg0.conf example after infrastructure example
- Added OpenBSD NAT/PF configuration section with detailed firewall rules
- Added roaming client /etc/hosts entries for earth and pixel7pro
- Added "Setting up roaming clients" subsection covering Android QR code and Fedora setup
- Removed separate "Adding Roaming Clients (Update)" section at end
- Deleted old wireguard-full-mesh.svg (without roaming clients)
- Updated wireguard-full-mesh-with-roaming.svg with improved positioning
The blog post now flows naturally as if roaming clients were part of the original
design, making it easier to read and understand the complete mesh network setup.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
