I want to access my home network from the outside, but we only have DS-Lite, so I got myself a free VM from Oracle and installed WireGuard on it. I did not install WireGuard on the server because there are other devices in my home that I want to access as well (IP cameras etc.) that do not support WireGuard.
- Phone (Android)
- Router (OpenWrt 19.07)
- VM (Ubuntu 20.04), which should serve as a "proxy" that the router and phone connect to and talk over
- Server (Voidlinux)
- Devices (IP cameras, etc.)
- Traffic Router -> VM
- Traffic VM -> Router
- Traffic VM -> Homeserver (10.100.0.2/16)
First, my configuration for the router:

```
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'
```

```
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.100.0.1'

config interface 'vpn'
	option proto 'wireguard'
	option private_key '...'
	list addresses '10.52.0.1'

config wireguard_vpn
	option public_key '<PUBLIC KEY VM>'
	option description 'proxy'
	option persistent_keepalive '25'
	# most likely never blocked
	option endpoint_port '80'
	option route_allowed_ips '1'
	option endpoint_host '<DOMAIN>'
	list allowed_ips '10.52.0.2/32'
```
Config on the proxy VM:

```
[Interface]
Address = 10.52.0.2/24
DNS = 10.52.0.1 # resolve host names in home network
ListenPort = 80
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PrivateKey = ...

[Peer]
# Phone
AllowedIPs = 10.52.0.3/32
PublicKey = <PUBLIC KEY PHONE>

[Peer]
# Router
AllowedIPs = 10.52.0.1/32, 10.100.0.0/16
PublicKey = <PUBLIC KEY ROUTER>
```

Config on the phone (fields of the Android app):

```
address = 10.52.0.3/32
dns server = 10.52.0.1
peer public key = <PUBLIC KEY VM>
keepalive = 25
endpoint = <DOMAIN>:80
allowed ips = 10.52.0.2/24, 10.100.0.0/16
```
I think I need some iptables magic but I must confess that I never used it before and tutorials online are quite confusing.
Also I think I might have some weird thing going on with my bitmasks for the clients. Do I need a /24 for Allowed IPs? I am a bit confused as there are articles showing both ways out there.
Any help would be very much appreciated, many thanks!
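The part that is easy to get wrong here is that WireGuard's AllowedIPs works in both directions: on the way out it decides which peer a destination is sent to (longest prefix match), and on the way in a decrypted packet is dropped unless its source address lies inside the AllowedIPs of the peer it came from. The script below is an added example, not part of the original post, that models that rule with the addresses from the configs above and walks a packet phone -> VM -> router -> camera and back. The router's allowed_ips of `10.52.0.0/24` in the "fixed" topology is an assumption introduced here to show the contrast with the posted `10.52.0.2/32`.

```python
"""Model of WireGuard cryptokey routing for the phone -> VM -> router path.

Added example, not the poster's code. Addresses and peer names come from the
post; the "fixed" router AllowedIPs (10.52.0.0/24) is an assumption made here.
"""
import ipaddress
from dataclasses import dataclass


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class Peer:
    name: str
    allowed_ips: list  # AllowedIPs configured for this peer


@dataclass
class Node:
    name: str
    peers: dict  # peer name -> Peer


def select_peer(node, dst):
    """Outbound: the packet goes to the peer whose AllowedIPs contain dst,
    longest prefix wins; no match means no peer and the packet is not tunnelled."""
    best = None
    addr = ipaddress.ip_address(dst)
    for peer in node.peers.values():
        for n in peer.allowed_ips:
            if addr in n and (best is None or n.prefixlen > best[1].prefixlen):
                best = (peer, n)
    return best[0].name if best else None


def accepts(node, peer_name, src):
    """Inbound: after decryption the packet is dropped unless its source
    address is inside the AllowedIPs of the peer it arrived from."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in node.peers[peer_name].allowed_ips)


def deliver(nodes, path, src, dst):
    """Walk a packet along path (node names). The last node is assumed to own
    dst locally (the router hands it into the LAN). Returns (ok, reason)."""
    for i, name in enumerate(path):
        node = nodes[name]
        if i > 0 and not accepts(node, path[i - 1], src):
            return False, f"{name} drops it: src {src} not in AllowedIPs of peer {path[i - 1]}"
        if i < len(path) - 1:
            chosen = select_peer(node, dst)
            if chosen != path[i + 1]:
                return False, f"{name} has no peer whose AllowedIPs cover {dst} (got {chosen})"
    return True, "delivered"


def build(router_allowed_ips):
    """Topology from the post; only the router's AllowedIPs for the VM vary."""
    vm = Node("vm", {
        "phone": Peer("phone", [net("10.52.0.3/32")]),
        "router": Peer("router", [net("10.52.0.1/32"), net("10.100.0.0/16")]),
    })
    # Phone: a /24 means "reach the whole tunnel subnet via the VM";
    # 10.52.0.2/32 would only let it reach the VM itself.
    phone = Node("phone", {"vm": Peer("vm", [net("10.52.0.0/24"), net("10.100.0.0/16")])})
    router = Node("router", {"vm": Peer("vm", [net(c) for c in router_allowed_ips])})
    return {"vm": vm, "phone": phone, "router": router}


AS_POSTED = build(["10.52.0.2/32"])  # router only trusts the VM's own address
FIXED = build(["10.52.0.0/24"])      # assumption: router also trusts 10.52.0.3 (the phone)


def phone_to_camera(nodes):
    return deliver(nodes, ["phone", "vm", "router"], "10.52.0.3", "10.100.0.2")


def camera_to_phone(nodes):
    return deliver(nodes, ["router", "vm", "phone"], "10.100.0.2", "10.52.0.3")


if __name__ == "__main__":
    for label, topo in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label, "phone->camera:", phone_to_camera(topo))
        print(label, "camera->phone:", camera_to_phone(topo))
```

With the posted configs the packet from the phone is forwarded by the VM (the `FORWARD -i %i`/`-o %i` rules both match wg0-to-wg0 traffic) but is discarded by the router, because `MASQUERADE -o ens3` only rewrites packets leaving towards the internet, so the inner source stays 10.52.0.3 and that address is not in the router's `allowed_ips` for the VM peer. Widening that entry (a /24 here, or adding `10.52.0.3/32`) fixes both directions, and with `route_allowed_ips '1'` OpenWrt also installs the matching return route. On the VM, forwarding between peers additionally needs `net.ipv4.ip_forward=1` in sysctl; wg-quick does not turn it on for you.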