WireGuard is the VPN of choice for this home lab for three reasons: it is modern, fast, and requires minimal configuration compared to alternatives like OpenVPN or IPsec. Its kernel-level implementation delivers lower latency and higher throughput, while the configuration is a single file on both server and client. In this network, a WireGuard server runs on a Linux machine placed in VLAN 99 (ADMIN) — the management segment. The Cisco 892FSP port-forwards UDP 51820 from the WAN interface to that server, making it reachable from any internet connection. Once connected, remote clients can reach all internal VLANs as if they were physically on the network.
Architecture
The tunnel uses its own subnet, 10.0.200.0/24, separate from all internal VLANs. Once a client is connected, the AllowedIPs = 10.0.0.0/16 route in the client config sends all internal home network traffic through the tunnel.
WireGuard Server Setup
The server runs on a Linux host (e.g., a small machine or VM in VLAN 99). Its configuration lives in /etc/wireguard/wg0.conf.
Each remote client gets a unique [Peer] block with its own public key and a dedicated /32 IP in the 10.0.200.0/24 tunnel range. Add an additional [Peer] block for each device you want to allow (e.g., laptop, phone, Kali container).
Client Configuration
On any remote device (laptop, phone, or Kali container), the client configuration is saved as /etc/wireguard/wg0.conf or imported into the WireGuard app.
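The server-side and client-side meanings of AllowedIPs differ, and mixing them up is an easy mistake when copying blocks between the two files: on the server, each [Peer] block's AllowedIPs is that peer's dedicated /32 and acts as the source-address filter for traffic arriving from that key (cryptokey routing); on the client, AllowedIPs = 10.0.0.0/16 is the route that sends home-network traffic into the tunnel. The following checker is an added example, not part of this page or the lab's own files; the sample wg0.conf, the placeholder keys and the function names are constructed for it.

```python
import ipaddress
TUNNEL_NET = ipaddress.ip_network("10.0.200.0/24")  # tunnel range from the architecture section

# Constructed sample server wg0.conf with placeholder keys (not real key material); the second
# peer shows a common mistake: the client-side /16 route pasted into a server [Peer] block.
SERVER_CONF = """\
[Interface]
Address = 10.0.200.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# laptop
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.200.2/32

[Peer]
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.0/16
"""

def parse_wg_conf(text):
    """Split wg-quick style text into an [Interface] dict and a list of [Peer] dicts."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            section = interface
        elif line == "[Peer]":
            section = {}
            peers.append(section)
        elif section is not None:
            key, _, value = line.partition("=")  # split on the first '=' only; keys may end in '='
            section[key.strip()] = value.strip()
    return interface, peers

def allowed_networks(peer):
    return [ipaddress.ip_network(n.strip()) for n in peer.get("AllowedIPs", "").split(",") if n.strip()]

def server_peer_findings(text):
    """Server side: AllowedIPs is that peer's source filter, so anything but its /32 in the tunnel range is flagged."""
    findings = []
    for peer in parse_wg_conf(text)[1]:
        for net in allowed_networks(peer):
            if net.prefixlen != 32 or not net.subnet_of(TUNNEL_NET):
                findings.append((peer.get("PublicKey"), str(net)))
    return findings
```

Run server_peer_findings over the real server file before adding a new device; an empty list means every peer is pinned to its own tunnel address.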
Cisco 892FSP Port Forwarding
The Cisco 892FSP must forward incoming UDP port 51820 on the WAN interface (GE8) to the WireGuard server's internal IP on VLAN 99. Replace 10.0.99.X with the actual static IP of the WireGuard Linux server on VLAN 99. This creates a static NAT entry that maps any UDP traffic arriving on the WAN IP at port 51820 directly to the server.
Assign the WireGuard server a static IP within the VLAN 99 subnet (e.g., 10.0.99.2) or use a DHCP reservation in the Cisco DHCP pool so its address never changes. A floating IP would break the NAT rule.