I want to access my home network from the outside but we only have DS-Lite so I got myself a free VM from Oracle and installed wireguard on it. I did not install wireguard on the server because there are other devices in my home that I want to access as well (IP cameras etc.) that do not support wireguard.
My devices:
- Phone (Android)
- Router (OpenWrt 19.07)
- VM (Ubuntu 20.04) which should serve as a "proxy" that the router and phone connect to and talk over
- Server (Voidlinux)
- Devices (IP cameras, etc.)
What works:
- Traffic Router -> VM
- Traffic VM -> Router
- Traffic VM -> Homeserver (10.100.0.2/16)
First my configuration for Router:
/etc/config/firewall
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'vpn'
/etc/config/network
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '10.100.0.1'
config interface 'vpn'
option proto 'wireguard'
option private_key '...'
list addresses '10.52.0.1'
config wireguard_vpn
option public_key '<PUBLIC KEY VM>'
option description 'proxy'
option persistent_keepalive '25'
option endpoint_port '80' # most likely never blocked
option route_allowed_ips '1'
option endpoint_host '<DOMAIN>'
list allowed_ips '10.52.0.2/32'
Config on proxy VM
/etc/sysctl.conf
net.ipv4.ip_forward=1
/etc/wireguard/wg0.conf
[Interface]
Address = 10.52.0.2/24
DNS = 10.52.0.1 # resolve host names in home network
ListenPort = 80
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PrivateKey = ...
[Peer] # Phone
AllowedIPs = 10.52.0.3/32
PublicKey = <PUBLIC KEY PHONE>
[Peer] # Router
AllowedIPs = 10.52.0.1/32, 10.100.0.0/16
PublicKey = <PUBLIC KEY ROUTER>
Config phone
address = 10.52.0.3/32
dns server = 10.52.0.1
peer
public key = <PUBLIC KEY VM>
keepalive = 25
endpoint = <DOMAIN>:80
allowed ips = 10.52.0.2/24, 10.100.0.0/16
I think I need some iptables magic, but I must confess that I have never used it before and the tutorials online are quite confusing.
Also I think I might have some weird thing going on with my bitmasks for the clients. Do I need a /24 for Allowed IPs? I am a bit confused as there are articles showing both ways out there.
Any help would be very much appreciated, many thanks!
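An added example, not part of the post above: a small model of WireGuard's cryptokey routing (outbound, the destination picks the peer by longest AllowedIPs match; inbound, a decrypted packet is dropped unless its source lies in that peer's AllowedIPs) applied to the three configs in the post, so you can see at which hop a phone-to-home packet dies. The node names "phone", "vm" and "router" are labels I chose, and the model assumes the firewall and forwarding rules on the VM and router already pass the traffic; it checks AllowedIPs consistency only.

```python
# Added example, not from the original post: simulate WireGuard cryptokey routing across
# the phone -> VM -> router topology to find the hop at which a packet is dropped.
import ipaddress

# AllowedIPs each node configured for each peer, transcribed from the post's configs. The
# phone's "10.52.0.2/24" is read with strict=False, giving 10.52.0.0/24, which is how
# WireGuard treats it too: AllowedIPs entries are prefixes, not host addresses.
TOPOLOGY = {
    "phone":  {"vm": ["10.52.0.2/24", "10.100.0.0/16"]},
    "vm":     {"phone": ["10.52.0.3/32"], "router": ["10.52.0.1/32", "10.100.0.0/16"]},
    "router": {"vm": ["10.52.0.2/32"]},
}
# Addresses each node answers for itself (its wg address; the router also owns the LAN).
LOCAL = {"phone": ["10.52.0.3/32"], "vm": ["10.52.0.2/32"],
         "router": ["10.52.0.1/32", "10.100.0.0/16"]}

def nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def next_hop(topo, node, dst):
    """Outbound: longest-prefix match of dst over every peer's AllowedIPs, or None."""
    best = None
    for peer, cidrs in topo[node].items():
        for n in nets(cidrs):
            if dst in n and (best is None or n.prefixlen > best[1].prefixlen):
                best = (peer, n)
    return best[0] if best else None

def accepts(topo, node, from_peer, src):
    """Inbound: after decryption the packet is dropped unless src is in that peer's AllowedIPs."""
    return any(src in n for n in nets(topo[node][from_peer]))

def trace(topo, src_node, src, dst, max_hops=4):
    """Walk a packet hop by hop; return (delivered, path, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    node, path = src_node, [src_node]
    for _ in range(max_hops):
        if any(dst in n for n in nets(LOCAL[node])):
            return True, path, "delivered"
        peer = next_hop(topo, node, dst)
        if peer is None:
            return False, path, f"{node}: no peer has AllowedIPs covering {dst}"
        if not accepts(topo, peer, node, src):
            return False, path, f"{peer}: drops src {src}, not in AllowedIPs for peer '{node}'"
        node, path = peer, path + [peer]
    return False, path, "hop limit exceeded"

def fixed_topology():
    """Router also accepts the phone's address via the VM peer (one /24 covers VM and phone)."""
    return {**TOPOLOGY, "router": {"vm": ["10.52.0.0/24"]}}
```

With the posted configs, `trace(TOPOLOGY, "phone", "10.52.0.3", "10.100.0.2")` reaches the VM and is then dropped by the router, because the router's peer entry for the VM only allows 10.52.0.2/32; the reply direction fails on the router too, since no peer there covers 10.52.0.3. The phone's `10.52.0.2/24` is harmless only because it is silently widened to 10.52.0.0/24; writing the network address you mean (or a /32 per host) keeps the configs honest.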