
Sandbox IOT Network

date: 2024-04-27


This is a scheme for connecting your smart devices to a sandboxed subnet so that they cannot reach, or be reached from, anywhere outside their subnet, with the single exception that each smart device can reach, and be reached from, an application server.

Using a wireguard tunnel between the application server and the (wifi) ap server not only enables the flow of traffic between the application server and the smart devices on the sandboxed subnet, but also encrypts the mqtt traffic.

[Diagram: iot sandbox network]


First install hostapd on your RaspberryPi. The relevant config file is /etc/hostapd/hostapd.conf. Then start and enable hostapd with systemctl.

Describe Wifi AP interface

Without explicitly routing traffic between eth0 and wlan0, no devices connecting to the wifi ap will be able to reach, or be reached from, the internet or your home network.

# /etc/network/interfaces.d/wlan0

auto wlan0
iface wlan0 inet static

Install and configure dnsmasq (for dhcp)

Each device connecting to the wifi ap will need to be given an ip address, so you can use dnsmasq as the dhcp server.

Assuming you can navigate the tasmota webui of each device well enough to set its hostname and find its mac address, install dnsmasq on the RaspberryPi wifi ap and edit its config file.

# /etc/dnsmasq.conf

Create Wireguard Tunnel Between Application Server and Wifi AP

The wireguard tunnel not only encrypts traffic between the application server and the wifi ap server, but also enables communication between the dashboard application server and the smart devices. The devil is in the configuration details.

I think you need to enable forwarding in sysctl on the wifi ap server so that traffic can pass between wlan0 and wg0 (but I'm not entirely positive).

# /etc/sysctl.conf

Configure wg-quick@wg0 on the wifi ap server as follows.

# /etc/wireguard/wg0.conf
[Interface]
Address =
PrivateKey = <private key>
ListenPort = 4449

[Peer]
PublicKey = <public key>
AllowedIPs =

Configure wg-quick@wg0 on the application server as follows. The magic is in the AllowedIPs value.

[Interface]
Address =
PrivateKey = <private key>

[Peer]
PublicKey = <public key>
AllowedIPs =,
Endpoint =
PersistentKeepalive = 25
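As an added example (not part of the original post), here is how the pieces above fit together with constructed sample addressing: 10.10.0.0/24 for the wlan0 sandbox and 10.20.0.0/24 for the tunnel, with placeholders for keys and the ap endpoint. It also adds an nftables forward policy for the ap, because once forwarding is enabled in sysctl the kernel will forward between wlan0 and eth0 as well unless that is filtered.

```shell
# Added example, not from the original post. Constructed sample addressing:
# wlan0 sandbox 10.10.0.0/24; wg0 tunnel 10.20.0.0/24 (AP .2, app server .1).
IOT_NET=10.10.0.0/24
AP_WG=10.20.0.2
APP_WG=10.20.0.1

# nftables ruleset for the AP. With net.ipv4.ip_forward=1 the kernel would also
# forward wlan0 <-> eth0, so drop everything except the wlan0 <-> wg0 pair.
nft_ruleset() {
  cat <<EOF
table inet iot_sandbox {
  chain forward {
    type filter hook forward priority 0; policy drop;
    iifname "wlan0" oifname "wg0" accept
    iifname "wg0" oifname "wlan0" accept
  }
}
EOF
}

# wg0.conf for the AP: its only peer is the app server's tunnel address.
# No Endpoint: the (double-NATed) app server initiates and keeps the tunnel up.
ap_wg_conf() {
  cat <<EOF
[Interface]
Address = ${AP_WG}/24
PrivateKey = <ap private key>
ListenPort = 4449

[Peer]
PublicKey = <app server public key>
AllowedIPs = ${APP_WG}/32
EOF
}

# wg0.conf for the app server: AllowedIPs lists the AP's tunnel address AND the
# whole IoT subnet, so wg-quick routes device traffic into wg0.
app_wg_conf() {
  cat <<EOF
[Interface]
Address = ${APP_WG}/24
PrivateKey = <app server private key>

[Peer]
PublicKey = <ap public key>
AllowedIPs = ${AP_WG}/32, ${IOT_NET}
Endpoint = <ap hostname or ip>:4449
PersistentKeepalive = 25
EOF
}
```

Write the ruleset to /etc/nftables.conf and the two configs to /etc/wireguard/wg0.conf on the respective hosts; on the ap, `nft -f /etc/nftables.conf` can be checked with `nft list ruleset`.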

Next Step

The next step, not represented in the diagram, is to attach your application server to a second wireguard tunnel such that it can be reached from your client devices.

Note that you can also double-nat the application server in this scheme, because why not? Everything happens inside wireguard tunnels. In my diagram the application server is a virtual machine that is double-natted on a libvirt subnet.