My Home OpenWrt > Wireguard > NordVPN = working. How do I now connect to LAN remotely with phone?

Merry Christmas everyone and Happy New Year!
I have finally managed to get my OpenWRT WireGuard VPN setup on a RPi4b to give every device on my local network my VPN provider's public IPv4 address. Now I cannot figure out for the life of me how to properly tunnel into my home network remotely from my phone or some other network to access my Windows Domain and other network resources. I am not sure if another WireGuard interface is needed or what exactly to do. Here is how my setup is currently:

ISP Modem
  |
Pi USB Eth1 (WAN) - ISP ip
  |
Pi4b w/OpenWRT (WG1 interface to NordVPN)
  |
Pi on-board eth0  --->  TP-Link WAN (DHCP 192.168.11.170)
                              |
                        TP-Link Router LAN ip, .10.0/24 DHCP Server
                              |  <-- LAN Port (.10.0/24)
                        ASRock Access point
                        AD Domain Controller (DNS for .10.0/24)

Everything connected to the .10.0/24 network is leaving through the network with the VPN IP from Nord. But do I need to create another WireGuard interface and then set up another peer from that new interface if I want to be able to connect with my phone remotely to access my files AND also get the benefit of having an encrypted connection and a changed IP with Nord, or do I simply need to create another peer with my current wg interface and then import the config to my phone?

I am not sure what commands I can type to give you guys more info, but just let me know and I'll happily post it.

Does your account with NordVPN give you your own personal public IP address for reverse connections? The typical NordVPN (and other) account provides you with a measure of privacy from the local connection (i.e. your ISP or a public network) or can be used for geo-IP reasons, but most of those accounts don't provide you with a specific personal IP address for reverse tunneling. So, please check your account type to verify that you do indeed have this feature. That's critical for this to work.

Thank you for telling me that, as I am paying I believe $8 a month for a static IP, but have forgotten to look into it. I do recall the email saying that the IP is not usable with WireGuard, only OpenVPN.

We are contacting you regarding your dedicated IP request.
The dedicated IP address has been assigned to your account. You will always get the IP address 1XX.2XX.3XX.4XX when connected to the dedicated IP server "United Kingdom #1613" through the OpenVPN protocol.
You will be able to use the assigned dedicated IP on 2 devices simultaneously. You would only need to use different connection protocols - TCP and UDP, which you can find in the NordVPN application settings.

Please note that you will not be able to locate and use your dedicated IP when using the NordLynx protocol.
Besides, you will be the only one who will get this IP address.

There are two possible ways of reading into the feature you have paid for (and I don't honestly know which one is correct):

  1. You have a dedicated IP in that your traffic will always be tunneled through a specific IP on their side, but that equates to the idea that your apparent IP will always be consistent but it still could be shared with other subscribers.

  2. You have a dedicated IP that is truly and uniquely yours. In this case, you should also be able to forward inbound connections through the tunnel to your network.

If it is the first one, that will not help you with your stated goal. Hopefully it is the latter one, but I honestly don't know, and I find the email slightly vague in that respect.

You and me both. I probably should get clarification on that. So there is no way as is, without having a reverse tunnel via a dedicated IP, to tunnel back into my network, access resources on my LAN and also hop onto the NordVPN tunnel on its way out to the internet? What about a DDNS setup on my TP-Link Router? That won't work I suppose because its WAN IP is a .11.0/24 IP given to it by DHCP from my OpenWRT router, so DDNS could not work like that, correct?

If you do not have a public IP on your main router's WAN, your only option to be able to gain remote access to your home network will be to use a VPN that supports reverse connections/tunnels. It is worth asking NordVPN if that dedicated IP is uniquely yours (nobody else using it) and if you can therefore use it to port-forward and/or set up another inbound VPN connection that will allow your remote device to tunnel through NordVPN and back to your home network.

In general, people tend to set up a VPS (virtual private server) which can be configured with a VPN specifically for the purpose desired. I don't know if NordVPN supports this mode of operation.

This is all moot if the main router doesn't have a public IP. If there is a public IP on the main router, though, you can actually set up DDNS to handle the 'double-NAT' situation of your OpenWrt router. And if that is the case, you can also skip the issue around NordVPN in the first place.

Would it be best to convert the TP-Link into another Access Point for the LAN that is on the RPi/OpenWRT? This way I have a public IP on my home router and can do as you said above. I'm not married to how I have this network set up, I just would like all devices on my LAN to route through NordVPN and, when on unsecured networks, to have the ability to access files, all management features etc.

For sure I am going to contact Nord about the static IP, but if it is not necessary with a different topology, I'd rather take that route and save the money. Thanks a lot for your help. I have seen you all over these forums helping folks out and that is extremely kind of you.

This really depends on your goals and your network topology. We can go into that if you want... I think I only have a partial understanding of what you are trying to achieve.

Is that the case? Do you have a public IP on your main router's WAN?
Do you need to use the existing main router or could you replace it with an OpenWrt based router instead?

Modem gives public IP to the USB ethernet port on OpenWRT. The LAN port on the OpenWRT goes to the WAN port of my TP-Link Router that hosts my AD Domain network. I am not certain why I did it like this as it was not easy finding info. Most seemed to be just setting up WireGuard to access your home network only and not setting it up with a VPN provider. My WAN IP on the TP-Link is given to it by DHCP ("upstream") from the Raspberry Pi (OpenWRT) network. It would be easier to change the OpenWRT router's network to the and make the TP-Link another access point. If you could point me in the direction I need, I would appreciate it very much.

So this is good. You can certainly set up a normal inbound VPN... but that will require some additional work.

This will likely need to be removed. Does that TP-Link router need to be there? If you're using it as an AP, you could run it as a dumb AP (no routing on the device). Check out the OpenWrt recipe for a dumb AP... if your TP-Link router is running (or can run) OpenWrt, you can apply this directly. If not, just take the concepts and apply them to that device.

Ultimately, you want to remove the TP-Link router from any routing duties... unless it is necessary, that is. If you want it as a dumb AP and you want to use the network for your lan, then change the Pi's lan address to use that same network and set the TP-Link device as a dumb AP only (be sure to avoid any IP address conflicts -- it should be on the same subnet, but a unique IP that is not used by any other devices on the network and also outside the DHCP pool).

With your topology as it is now, you almost certainly will not be able to reach your local lan resources over any VPN connection -- the TP-Link router is likely performing NAT masquerading and blocking inbound connections with its firewall. At a minimum, those features need to be disabled, but better yet is to make that a dumb AP only.
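As an added illustration of the dumb-AP arrangement described above (not the OpenWrt wiki recipe verbatim and not the poster's own config), this is what the TP-Link's UCI config would look like if it runs OpenWrt and the Pi's lan is moved to 192.168.10.0/24. The addresses, SSID and key are placeholders; the DC's IP and the Pi's DHCP pool values are assumptions.

```uci
# /etc/config/network on the TP-Link (assumed to run OpenWrt), dumb-AP role.
# The AP keeps a static address on the Pi's lan subnet; with the Pi's dhcp
# section assumed as start=100/limit=150 the pool is .100-.249, so .2 is
# outside it and must not be used by any other host.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.10.2'      # placeholder, unique, outside the DHCP pool
        option netmask '255.255.255.0'
        option gateway '192.168.10.1'     # the OpenWrt Pi (assumed lan address)
        list dns '192.168.10.5'           # placeholder: the AD DC, DNS for .10.0/24

# No 'wan' interface on a dumb AP: nothing is routed or NATed here, so the
# firewall cannot block inbound VPN traffic to lan hosts any more.

# /etc/config/dhcp on the TP-Link: never hand out leases from the AP.
config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

# /etc/config/wireless on the TP-Link: bridge the radio into br-lan so
# wireless clients land directly on the Pi's lan (and thus on the WG1 tunnel).
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'PLACEHOLDER_SSID'
        option encryption 'sae-mixed'
        option key 'PLACEHOLDER_PASSPHRASE'

# /etc/config/dhcp on the Pi (assumption): since the Pi now serves DHCP for
# .10.0/24, point domain clients at the DC for DNS or AD lookups will break.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        list dhcp_option '6,192.168.10.5'
```

On the TP-Link the unneeded services are then stopped for good with `/etc/init.d/firewall disable`, `/etc/init.d/dnsmasq disable` and `/etc/init.d/odhcpd disable`, followed by a reboot.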