Currently, I have two WireGuard interfaces. One (WGINTERFACE) acts as a client and creates a tunnel to a commercial VPN server. I use vpn-policy-routing to route my home server's IP (192.168.1.164) through this interface.
The second interface (RemoteLanWG) acts as a server and allows me to connect remotely to my home network.
Currently, I am able to connect remotely and access all devices on my home network except for my home server. If I stop vpn-policy-routing, I can then access my home server (but at that point it has no WAN connection, because the firewall kill-switch rule prevents its traffic from going out through the WAN).
I can access my server while connected locally; it's only when I am remote that I can no longer access or ping its IP. I thought this was interesting, since my lan and RemoteLanWG interfaces share the same firewall zone. I'm a noob, so this may not matter at all.
Is it possible for me to access my server remotely while it's using the second WireGuard interface?
/etc/config/network
# Loopback: stock OpenWrt default, unchanged.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '< removed >'
# LAN bridge, 192.168.1.0/24. The home server (192.168.1.164) and the Plex host
# (192.168.1.165, see the redirect in /etc/config/firewall) live here.
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option bridge_empty '1'
option _turris_mode 'managed'
option delegate '0'
option ifname 'lan0 lan1 lan2 lan3 lan4'
# WAN: DHCP from the ISP with IPv6 disabled. peerdns '0' ignores the resolvers
# offered by the ISP in favour of the two listed below.
config interface 'wan'
option ifname 'eth2'
option proto 'dhcp'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
option ipv6 '0'
# WGINTERFACE: WireGuard *client* tunnel to the commercial VPN provider.
# Which hosts use it is decided by vpn-policy-routing, not by the routing table.
config interface 'WGINTERFACE'
option proto 'wireguard'
option delegate '0'
option private_key '< removed >'
# A fixed listen_port is not needed for a client-only tunnel; it is harmless,
# but it does bind UDP 51820 on the router (presumably unreachable from the
# internet because the wan zone rejects unsolicited input - confirm).
option listen_port '51820'
# Tunnel address on the provider side (presumably assigned by the provider).
list addresses '10.64.4.205/32'
# Provider peer. allowed_ips 0.0.0.0/0 means any IPv4 destination may be sent
# to / accepted from this peer. No 'route_allowed_ips' option is set, so (by
# OpenWrt default) no 0.0.0.0/0 route is installed in the main table - which
# is exactly what lets vpn-policy-routing choose what enters the tunnel.
config wireguard_WGINTERFACE
option public_key '< removed >'
option description '< VPNProvider '
option endpoint_host '< VPNProviderEndpoint '
list allowed_ips '0.0.0.0/0'
option persistent_keepalive '25'
# RemoteLanWG: WireGuard *server* for remote access. The tunnel subnet
# 192.168.2.0/24 is separate from the LAN; remote clients reach the LAN because
# this interface is placed in the 'lan' firewall zone (see /etc/config/firewall).
# Note the exact spelling/case of the name - it is referenced by other configs.
config interface 'RemoteLanWG'
option proto 'wireguard'
option private_key '< removed >'
option listen_port '51821'
option delegate '0'
list addresses '192.168.2.1/24'
# Remote peer (the phone). allowed_ips limits it to one tunnel address: the
# router accepts packets from this peer only if sourced from 192.168.2.2 and
# only routes 192.168.2.2 back to it. (The phone's own config uses Allowed IPs
# 0.0.0.0/0, i.e. the phone sends all of its traffic through the tunnel.)
config wireguard_RemoteLanWG
option public_key '< removed >'
option description 'Iphone'
list allowed_ips '192.168.2.2'
/etc/config/firewall
# Global policy: INPUT/OUTPUT accept, FORWARD reject. Each zone below overrides
# this for its own interfaces; note that 'wan' tightens input to REJECT.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# lan zone. It also contains RemoteLanWG, so a connected remote client gets the
# same privileges as a wired LAN host: router input ACCEPT, intra-zone forward
# ACCEPT, and every lan->* forwarding below (lan->WGZONE and lan->wan). If the
# remote client were ever meant to be more restricted, it would need its own zone.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan RemoteLanWG'
# wan zone: masquerade, reject unsolicited input and forward. Only the explicit
# 'config rule' / 'config redirect' entries below open anything from the internet.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan'
# WGZONE: the commercial-VPN tunnel. masq '1' NATs LAN sources to the tunnel
# address; input/forward REJECT means nothing initiated from the provider side
# can reach the router or the LAN.
config zone
option name 'WGZONE'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
option output 'ACCEPT'
option family 'ipv4'
option network 'WGINTERFACE'
# lan -> VPN tunnel. Because RemoteLanWG sits in the lan zone, remote clients
# may also be forwarded into the tunnel by this entry.
config forwarding
option dest 'WGZONE'
option src 'lan'
# Inbound UDP 51821 from the internet to the router for the WireGuard server.
# This is the one listener deliberately exposed on wan; WireGuard stays silent
# to packets that do not authenticate, so the exposure is the handshake only.
config rule
option src 'wan'
option name 'WGRemoteLAN'
option target 'ACCEPT'
list proto 'udp'
option dest_port '51821'
# The Allow-* rules below are the stock OpenWrt defaults (DHCP renew, ping,
# IGMP, and the IPv6 housekeeping set).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Stock IPsec pass-through rules (ESP and IKE/UDP 500 from wan into lan).
# Only relevant if a LAN host actually runs an IPsec responder; otherwise
# these can stay disabled.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Turris remote-management rules (SSH/HTTP/HTTPS from wan); all disabled.
config rule 'wan_ssh_turris_rule'
option name 'wan_ssh_turris_rule'
option enabled '0'
option target 'ACCEPT'
option dest_port '22'
option proto 'tcp'
option src 'wan'
config rule 'wan_http_turris_rule'
option name 'wan_http_turris_rule'
option enabled '0'
option target 'ACCEPT'
option dest_port '80'
option proto 'tcp'
option src 'wan'
config rule 'wan_https_turris_rule'
option name 'wan_https_turris_rule'
option enabled '0'
option target 'ACCEPT'
option dest_port '443'
option proto 'tcp'
option src 'wan'
config rule 'turris_wan_6in4_rule'
option enabled '0'
# Ordinary LAN internet access.
config forwarding
option dest 'wan'
option src 'lan'
# VPN kill switch: the home server is never forwarded to wan directly, so if
# the tunnel or the policy routing is down it loses internet instead of
# leaking its traffic. It matches only src_ip in zone lan toward zone wan;
# the server's traffic to WGZONE and to other lan-zone hosts (including
# RemoteLanWG clients) is not affected. fw3 renders 'config rule' entries
# before zone forwardings, so this rule is effective even though it is
# listed after the lan->wan forwarding above - NOTE(review): confirm in the
# generated iptables output.
config rule
option src 'lan'
option target 'REJECT'
option name 'VPN Killswitch'
option src_ip '192.168.1.164'
option proto 'all'
option dest 'wan'
# UPnP: lets LAN devices open wan port forwards on their own. Presumably
# intentional, but it means the set of ports exposed on wan is not fully
# described by this file - keep it in mind when auditing exposure.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
# Static port forward exposing Plex (192.168.1.165, TCP 32400) to the internet.
# This is a different host than the home server (.164) and is not involved in
# the remote-access question.
config redirect
option dest_port '32400'
option src 'wan'
option name 'Plex'
option src_dport '32400'
option target 'DNAT'
option dest_ip '192.168.1.165'
option dest 'lan'
list proto 'tcp'
/etc/config/vpn-policy-routing
# vpn-policy-routing global settings.
config vpn-policy-routing 'config'
option verbosity '2'
# strict_enforcement: presumably blocks policy-matched traffic while its
# target interface is down instead of letting it fall back to the default
# route; together with the firewall kill switch this is defence in depth.
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset 'dnsmasq.ipset'
option ipv6_enabled '0'
list supported_interface ''
option boot_timeout '30'
# 'append': policy rules are added in the order they are listed, so the first
# matching policy presumably wins - confirm against the package docs.
option iptables_rule_option 'append'
option iprule_enabled '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option webui_enable_column '1'
option enabled '1'
option webui_protocol_column '0'
option webui_chain_column '0'
# NOTE(review): neither 'vpnserver' nor 'wgserver' exists in /etc/config/network;
# the server interface there is named 'RemoteLanWG' (names are case-sensitive).
# Looks like a leftover from an earlier setup - if RemoteLanWG is meant to be
# excluded from policy routing it has to be listed under its real name; confirm.
list ignored_interface 'vpnserver wgserver'
# Policy: every packet sourced from 192.168.1.164 leaves via WGINTERFACE.
# NOTE(review): this also matches the server's replies to the remote WireGuard
# client (192.168.2.2), which would then be pushed into the provider tunnel
# instead of back out through RemoteLanWG. That fits the symptom that the
# server is reachable locally and becomes reachable remotely as soon as this
# service is stopped. The usual remedy is a policy (or exclusion) listed before
# this one that keeps traffic destined to 192.168.2.0/24 on the normal routing
# table - verify with a packet capture on both interfaces before relying on it.
config policy
option name 'Server'
option src_addr '192.168.1.164'
option interface 'WGINTERFACE'
Remote device (WireGuard client) config
Addresses 192.168.2.2/32
DNS servers 192.168.1.1
Public key < removed >
Peer
Endpoint < removed >
Public key < removed >
Allowed IPs 0.0.0.0/0
Persistent keepalive 25
`wg show` output
interface: WGINTERFACE
public key: < removed >
private key: (hidden)
listening port: 51820
peer:
endpoint: < removed >
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 40 seconds ago
transfer: 93.76 MiB received, 1.16 GiB sent
persistent keepalive: every 25 seconds
interface: RemoteLanWG
public key: < removed >
private key: (hidden)
listening port: 51821
peer:
endpoint: < removed >
allowed ips: 192.168.2.2/32
latest handshake: 48 seconds ago
transfer: 2.77 MiB received, 9.76 MiB sent