I'm running openwrt and wireguard on a NanoPi R2S as my router (location A / lan=192.168.200.0/24).
I use VLAN-3 (jail=192.168.203.0/24) to separate my IoT devices, so that they do not have access to the internet.
The same config is running at my parents' home (location B). The only difference is the IP ranges (lan=192.168.100.0/24 jail=192.168.103.0/24).
From any device within lan (192.168.200.0/24) it is possible to access a device in jail (192.168.203.0/24). Works as expected.
Both locations are connected via wireguard, and I'm able to access every device in the remote "lan" and vice versa.
But when I connect to location A as a roadwarrior, I'm not able to access any device in jail or in location B.
Of course I can ping the NanoPi itself via 192.168.200.1 or 192.168.203.1.
So I assume that the "allowed IPs" at the roadwarrior are correct. -> "192.168.203.0/24, 192.168.200.0/24, 192.168.100.0/24"
I do not understand what the difference is between a device connected directly to lan and a device connected via wireguard, as "wg0" and "lan" are 2 devices in "lan".
When looking in luci -> interfaces -> wg0 -> peer I found this:
"Required. IP addresses and prefixes that this peer is allowed to use inside the tunnel. Usually the peer's tunnel IP addresses and the networks the peer routes through the tunnel."
But when adding "192.168.203.0/24" to allowed IPs, the route entry changes from "192.168.203.0/24 dev br-jail scope link src 192.168.203.1" to "192.168.203.0/24 dev wg0 scope link"
As a result nobody can connect to a device in "jail" anymore. So this information is very confusing.
I guess that I need a magic route entry to get access to my VLAN-3 and the 192.168.100.0/24 net as a roadwarrior connected via wireguard.
Please help ...
You have two choices. You can either separate the VPN interface into its own firewall zone, turn on masquerading, allow forwarding to LAN and vice versa. Or you can add the IP of your roadwarrior device to the allowed_ips on the device at location B.
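The following is an added illustration of WireGuard's cryptokey routing, not code from OpenWrt, WireGuard or anyone in this thread. It models the two rules behind the confusion above: on egress, a destination is matched against every peer's allowed_ips (longest prefix wins) and the matching prefixes are also installed as routes on wg0, which is why adding 192.168.203.0/24 to the roadwarrior peer replaced the br-jail route; on ingress, a decrypted packet is dropped unless its source lies inside that peer's allowed_ips, which is why location B drops replies for a roadwarrior it has never heard of. The LAN/jail prefixes are the ones from the thread; the tunnel addresses 10.0.0.1 (A), 10.0.0.2 (B) and 10.0.0.10 (roadwarrior) are assumptions, as are the peer names. The two fixes from the answer are modelled as `fix="masquerade"` (own zone plus masquerading, so B sees A's tunnel address) and `fix="allowed_ips"` (the roadwarrior /32 added to B's peer entry for A).

```python
"""Toy model of WireGuard cryptokey routing for a site-to-site plus roadwarrior setup.
Added example; not OpenWrt or WireGuard code. Tunnel addresses are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Peer:
    name: str
    allowed_ips: List  # list of ip_network objects


@dataclass
class WgHost:
    name: str
    peers: List[Peer]
    local_routes: Dict[str, str]          # prefix -> interface, e.g. "192.168.203.0/24": "br-jail"
    masquerade_src: Optional[str] = None  # tunnel address used to SNAT forwarded traffic, if any

    def route_table(self) -> Dict[str, str]:
        """Kernel view: interface routes, then one wg0 route per allowed_ips prefix.
        A wg0 route for an existing prefix replaces the interface route (what the
        question observed for 192.168.203.0/24 after editing the roadwarrior peer)."""
        table = dict(self.local_routes)
        for peer in self.peers:
            for net in peer.allowed_ips:
                table[str(net)] = "wg0"
        return table

    def egress_peer(self, dst: str) -> Optional[str]:
        """Egress rule: the peer whose allowed_ips contains dst (longest prefix wins),
        or None when no peer matches and the packet leaves via a local interface."""
        best = None
        for peer in self.peers:
            for net in peer.allowed_ips:
                if ip_address(dst) in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (peer, net)
        return best[0].name if best else None

    def accept_ingress(self, peer_name: str, src: str) -> bool:
        """Ingress rule: after decryption the packet is dropped unless its source
        address is inside the sending peer's allowed_ips."""
        peer = next(p for p in self.peers if p.name == peer_name)
        return any(ip_address(src) in net for net in peer.allowed_ips)


def build(fix: Optional[str] = None) -> Tuple[WgHost, WgHost]:
    """Site A and site B from the thread. fix=None is the broken setup,
    'allowed_ips' is the answer's second option, 'masquerade' the first."""
    site_a = WgHost(
        "site_a",
        peers=[
            Peer("site_b", [ip_network("10.0.0.2/32"), ip_network("192.168.100.0/24"),
                            ip_network("192.168.103.0/24")]),
            Peer("roadwarrior", [ip_network("10.0.0.10/32")]),  # assumed roadwarrior tunnel /32
        ],
        local_routes={"192.168.200.0/24": "br-lan", "192.168.203.0/24": "br-jail"},
        masquerade_src="10.0.0.1" if fix == "masquerade" else None,
    )
    b_allowed_from_a = [ip_network("10.0.0.1/32"), ip_network("192.168.200.0/24"),
                        ip_network("192.168.203.0/24")]
    if fix == "allowed_ips":
        b_allowed_from_a.append(ip_network("10.0.0.10/32"))  # roadwarrior added at B
    site_b = WgHost(
        "site_b",
        peers=[Peer("site_a", b_allowed_from_a)],
        local_routes={"192.168.100.0/24": "br-lan", "192.168.103.0/24": "br-jail"},
    )
    return site_a, site_b


def roadwarrior_to_b(site_a: WgHost, site_b: WgHost, rw_src: str = "10.0.0.10",
                     dst: str = "192.168.100.20") -> Tuple[Optional[str], str, bool]:
    """Packet from the roadwarrior, forwarded by A into the A<->B tunnel, arriving at B.
    Returns (peer chosen by A, source address as seen by B, accepted by B)."""
    peer = site_a.egress_peer(dst)
    if peer != "site_b":
        return peer, rw_src, False
    src_on_wire = site_a.masquerade_src or rw_src
    return peer, src_on_wire, site_b.accept_ingress("site_a", src_on_wire)


def jail_prefix_on_roadwarrior() -> Tuple[str, str, Optional[str]]:
    """What happens at A when 192.168.203.0/24 is added to the roadwarrior peer:
    returns (route device before, route device after, peer now chosen for a jail host)."""
    site_a, _ = build()
    before = site_a.route_table()["192.168.203.0/24"]
    site_a.peers[1].allowed_ips.append(ip_network("192.168.203.0/24"))
    after = site_a.route_table()["192.168.203.0/24"]
    return before, after, site_a.egress_peer("192.168.203.50")


if __name__ == "__main__":
    print("jail prefix moved to roadwarrior:", jail_prefix_on_roadwarrior())
    for fix in (None, "allowed_ips", "masquerade"):
        print(f"fix={fix}:", roadwarrior_to_b(*build(fix)))
```

Running it shows the broken case (`fix=None`) reaching B but being dropped there, both fixes being accepted, and the jail prefix moving from br-jail to wg0 with jail-bound traffic now steered at the roadwarrior peer; the model covers only the WireGuard layer and not OpenWrt zone forwarding rules, which the first option also requires.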