Help with configuration of wireguard to make a connection with home network

I have a typical need: I'd like to make a connection to my home LAN from the office or from a mobile device. I'm not interested in surfing the Internet through the VPN, only in accessing home LAN hosts.

This is my scenario.

Home network: 192.168.10.0/24

  • Fiber router for Internet access (Vodafone Station): 192.168.10.1
  • TPLink reflashed with Openwrt and Wireguard server: 192.168.10.3
  • NAS: 192.168.10.2
  • Desktop PC: 192.168.10.100

Office network: 192.168.1.0/24

  • Fiber router for Internet access (Vodafone Station): 192.168.1.1
  • NAS: 192.168.1.3
  • Desktop Windows PC with Wireguard client: 192.168.1.100

After some tests I found a working configuration (see below). I'm wondering if it is correct. I'm in doubt about the firewall rules.

The wireguard interface (named vpn) was added to a new firewall zone (named vpn).

Is it correct to allow lan->vpn and vpn->lan traffic as in the picture?

If I disable Masquerading, the client is able to establish the VPN tunnel, is able to ping 192.168.2.1 (the WireGuard interface), is able to ping 192.168.10.3 (the local IP of OpenWrt), but it isn't able to ping 192.168.10.100. If I enable Masquerading, all is OK.

I read that masquerading is used with WAN connections, not LAN.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4f:db7e:11ac::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option ds_snr_offset '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.10.1'
        list dns '192.168.10.1'
        option ipaddr '192.168.10.3'

config device
        option name 'dsl0'
        option macaddr 'e8:de:27:bc:b3:eb'

config interface 'wan'
        option device 'dsl0'
        option proto 'pppoe'
        option username 'username'
        option password 'password'
        option ipv6 '1'

config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'

config interface 'vpn'
        option proto 'wireguard'
        option private_key <key>
        option listen_port <port>
        list addresses '192.168.2.1'
        option mtu '1412'

config wireguard_vpn
        option description 'office'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '192.168.2.2/32'
        option public_key <key>

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        list network 'vpn'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'
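The reason the ping to 192.168.10.100 only works with masquerading is visible from the addresses in the two configs above: the desktop's default gateway is the Vodafone Station (192.168.10.1), which has no route to 192.168.2.0/24, so a reply addressed to 192.168.2.2 never comes back. OpenWrt applies a zone's masq option to traffic leaving through that zone's interfaces, so for vpn->lan traffic it is the lan zone's masq setting that rewrites the source to 192.168.10.3, an address the desktop can reach directly. The script below is an added example, not code from the thread or from OpenWrt: it embeds a constructed copy of the zone and forwarding sections posted above, summarises them with awk, and works out which source address a host on each side sees for the posted config, for the config with masq removed from the vpn zone only, and for the config with masq removed everywhere. The router addresses in zone_addr are taken from the posted /etc/config/network; on a real box you would read both files from UCI instead of embedding them.

```shell
#!/bin/sh
# Added example, not from the thread: a small reader for the zone and
# forwarding sections of the firewall config posted above (embedded here as a
# constructed copy so it runs offline). OpenWrt applies a zone's 'masq' to
# traffic *leaving* through that zone's interfaces, so for vpn->lan traffic
# only the lan zone's setting matters.

posted_firewall() {
cat <<'EOF'
config zone
        option name 'lan'
        list network 'lan'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'

config zone
        option name 'vpn'
        list network 'vpn'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'
EOF
}

# Reduce a UCI firewall config (stdin) to one line per section:
#   zone <name> masq=<0|1>      forward <src>-><dest>
uci_summary() {
  awk '
    function unq(s) { return substr(s, 2, length(s) - 2) }   # drop the UCI quotes
    function flush() {
      if (type == "zone")       printf "zone %s masq=%s\n", name, masq
      if (type == "forwarding") printf "forward %s->%s\n", src, dest
      type = ""; name = ""; masq = "0"; src = ""; dest = ""
    }
    $1 == "config"                  { flush(); type = $2 }
    $1 == "option" && $2 == "name"  { name = unq($3) }
    $1 == "option" && $2 == "masq"  { masq = unq($3) }
    $1 == "option" && $2 == "src"   { src  = unq($3) }
    $1 == "option" && $2 == "dest"  { dest = unq($3) }
    END { flush() }'
}

# Zone defaults are forward=REJECT, so only an explicit forwarding section
# lets traffic cross from one zone to another. Prints yes or no.
forwarding_allowed() {  # forwarding_allowed <src> <dest>   (config on stdin)
  if uci_summary | grep -qx "forward $1->$2"; then echo yes; else echo no; fi
}

masq_of() {  # masq_of <zone>   (config on stdin) -> 0 or 1
  uci_summary | awk -v z="$1" '$1 == "zone" && $2 == z { sub("masq=", "", $3); print $3 }'
}

# Same config with 'option masq' removed from one zone, or from all of them.
without_masq() {  # without_masq <zone|all>   (config on stdin)
  awk -v z="$1" '
    $1 == "option" && $2 == "name" { zone = substr($3, 2, length($3) - 2) }
    $1 == "option" && $2 == "masq" && (z == "all" || zone == z) { next }
    { print }'
}

# Router address on each zone, taken from the posted /etc/config/network.
zone_addr() {
  case "$1" in
    lan) echo 192.168.10.3 ;;
    vpn) echo 192.168.2.1 ;;
    *)   echo unknown ;;
  esac
}

# Source address a host in DEST sees for a forwarded packet from ORIG. With
# masq=1 on DEST the packet is SNATed to the router's address on that zone;
# otherwise the host must have its own route back to ORIG.
seen_source() {  # seen_source <dest_zone> <orig_src>   (config on stdin)
  if [ "$(masq_of "$1")" = 1 ]; then zone_addr "$1"; else echo "$2"; fi
}

# 192.168.10.100 replies to whatever source it sees. Its default gateway is the
# Vodafone Station, which knows nothing about 192.168.2.0/24, so a reply to
# 192.168.2.2 is lost, while a reply to 192.168.10.3 reaches the tunnel.
echo "posted:            desktop sees $(posted_firewall | seen_source lan 192.168.2.2)"
echo "vpn masq removed:  desktop sees $(posted_firewall | without_masq vpn | seen_source lan 192.168.2.2)"
echo "vpn masq removed:  office client sees $(posted_firewall | without_masq vpn | seen_source vpn 192.168.10.100)"
echo "all masq removed:  desktop sees $(posted_firewall | without_masq all | seen_source lan 192.168.2.2)"
```

Two practical consequences follow from this. First, masquerading on the lan zone means every LAN host (the NAS included) sees tunnel traffic as coming from 192.168.10.3, so per-client logging or access rules on those hosts cannot tell VPN peers apart; the alternative is to drop masq from the lan zone and add a static route for 192.168.2.0/24 via 192.168.10.3 on the Vodafone Station, or on each LAN host you need to reach. Second, the goal of only reaching home LAN hosts is enforced on the client side: the server's allowed_ips of 192.168.2.2/32 is correct as posted, and the office peer's AllowedIPs should list 192.168.2.1/32 and 192.168.10.0/24 rather than 0.0.0.0/0, since WireGuard's cryptokey routing only sends traffic for those prefixes through the tunnel.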

All good except for one detail... remove masquerading and mtu_fix from the vpn network. In your situation, it is only needed on the lan.

Because of masquerading, this is unnecessary, but it doesn't cause any harm.