Dumb VPN AP / Switch on University Campus

Hi all,

I have set up a RPi 4 B+ as a dumb AP at home, and it works fine. I connect it to my router via LAN and assign the Pi a static IP, and I expose a WiFi network that attaches to a separate VPN-users interface, with firewall rules that send its traffic into a WireGuard VPN tunnel.

I'm going to use this on a university campus that has ethernet ports in the walls. The first thing I notice is that the gateway IP is on a completely different range (10.5.4.1 instead of 192.168.1.254 at home). Does this mean that, along with this gateway IP, I also need to change the IP I assign to my static interface? What if that static IP is already taken somewhere else on that network? Does the netmask need to change, and how do I know?

Is there anything else I need to know before I get to try it out?

A DHCP client will usually get the proper configuration from the network. But often you can only get one IP from the wall port, so you can't bridge multiple devices in; instead you have to NAT/route behind it.

Also, the only reason a dumb AP needs an IP address at all is so you can log in and administer it. The wifi users are converted to wired at layer 2; they don't need the AP's layer 3 features.


Thanks. Would you be kind enough to give me a quick run-through of what would need to change in this config? I haven't had a chance to try it out yet, but any up-front help would be great.

I also use an Ethernet adapter, so I use the wired bridge into vpnusers as well.

Network:

cat /etc/config/network

# Loopback interface; standard OpenWrt default.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix used by interfaces that carry an ip6assign option (only 'lan' below).
config globals 'globals'
        option ula_prefix 'fd75:fddf:4d3d::/48'

# Upstream side as used at home: a bridge over eth0 with a static 192.168.1.1/24
# address, using the home router (192.168.1.254) as both gateway and DNS.
# These values are specific to the home network. On the campus wall port the
# gateway is on a different range (10.5.4.1 per the question above), so the
# static address, netmask and gateway here would not match that network.
# The last reply in the thread suggests creating a separate 'wan' interface
# with proto 'dhcp' and moving eth0 into it rather than hand-editing these.
# NOTE(review): in the firewall config, the 'lan' zone (input ACCEPT) covers
# this network, so whatever is plugged into eth0 is treated as trusted.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.254'
        list dns '192.168.1.254'

# Client-facing side: a bridge over the eth1 (USB Ethernet) adapter with
# 192.168.99.1/24. The VPN-users Wi-Fi is presumably attached to this bridge
# by the wireless config, which is not shown in this post — verify there.
config interface 'vpniface'
        option proto 'static'
        option type 'bridge'
        list ipaddr '192.168.99.1/24'
        option ifname 'eth1'

# WireGuard tunnel interface. The private key is redacted in the post; the
# tunnel address is the single /32 assigned by the provider.
# force_link '1' presumably keeps the address/routes assigned regardless of
# link state — confirm against the OpenWrt wireguard proto documentation.
config interface 'WGINTERFACE'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxx'
        list addresses '10.71.240.227/32'
        option force_link '1'

# Peer definition for the Mullvad gb27 server. allowed_ips '0.0.0.0/0'
# together with route_allowed_ips '1' installs a default IPv4 route through
# the tunnel, so anything routed via WGINTERFACE goes to this peer. The
# public_key is the provider's server key, not a secret.
# NOTE(review): no endpoint_port and no persistent_keepalive appear in this
# post — confirm the peer has the port configured on the device.
config wireguard_WGINTERFACE
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option description 'mullvad pgb27'
        option public_key 'MFY3o3SFgAsTRL0EVAfvFU0qxQ2GWLdtE1xTsk87w1U='
        option endpoint_host 'gb27-wireguard.mullvad.net'

Firewalls:

cat /etc/config/firewall

# Global policies. input 'ACCEPT' here is the fallback for traffic to the
# router itself; every zone below sets its own input policy explicitly, so this
# presumably only matters for interfaces that are not members of any zone.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# 'lan' zone covers the 'lan' network, which in the network config above is a
# bridge over eth0. input ACCEPT exposes the router's own services
# (administration) to everything on that port. At home that is the trusted
# home LAN; on campus eth0 will face the shared wall port, so until eth0 is
# moved into a 'wan' network (as the last reply suggests) other hosts on the
# campus segment would be able to reach those services too.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# Upstream zone: traffic to the router is rejected, outbound traffic is
# masqueraded and MSS-clamped (mtu_fix). It refers to networks 'wan' and
# 'wan6', but no interface with either name exists in the network config
# above, so this zone currently has no member interface. A new 'wan'
# interface (proto dhcp on eth0) would automatically fall under it.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

# Rate-limited ICMPv6 forwarding from wan to any zone; the listed types are
# the ones needed for IPv6 to function (PMTU discovery, unreachables, echo).
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Allow inbound IPsec (ESP, and IKE/ISAKMP on UDP 500) to be forwarded from
# wan into lan. Not used by the WireGuard setup in this thread, which leaves
# through 'vpntunnel'; presumably left over from a default config — review
# whether these two rules are still needed.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom rules file; its contents are not shown in this post, so any extra
# rules it adds are not reviewed here.
config include
        option path '/etc/firewall.user'

# Zone for the VPN clients' bridge (vpniface). input ACCEPT lets clients reach
# the router itself (presumably needed for DHCP/DNS on that bridge); forward
# ACCEPT allows traffic between members of this same zone.
config zone
        option name 'vpnusers'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vpniface'

# Tunnel zone: nothing arriving from the tunnel may reach the router or be
# forwarded in unsolicited; outbound traffic is masqueraded behind the tunnel
# address and MSS-clamped.
config zone
        option name 'vpntunnel'
        option output 'ACCEPT'
        option masq '1'
        option network 'WGINTERFACE'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'

# The only inter-zone path out of vpnusers is into the tunnel. There is no
# vpnusers -> wan forwarding in this file, so if the tunnel is down the clients
# cannot fall back to the raw wan path at the firewall level.
config forwarding
        option src 'vpnusers'
        option dest 'vpntunnel'

# The router's own 'lan' side leaves directly via wan (untunnelled).
config forwarding
        option src 'lan'
        option dest 'wan'

Create a DHCP alias for the LAN interface:
https://openwrt.org/docs/guide-user/network/network_interface_alias


Create a new network named 'wan' (exactly that, in lower case, since that name is already referenced in the firewall config). It would use proto dhcp. Move the eth0 port from lan to wan and plug the cable from eth0 into the wall. Presumably you have a wifi AP on lan to log in from.

It looks like the VPN should work without changing anything, it will find wan as the "raw" path to the Internet.
