I would like to configure the following for when I'm travelling abroad.
VPN provider = Private Internet Access (they only allow OpenVPN to run on routers).
VPN connection from my laptop to my home OpenWrt router.
Traffic from my laptop is routed to my OpenWrt router via VPN.
Traffic breaks out to internet, from my home router, without using VPN.
Would this allow me to access UK streaming services as if I were in the UK? For example, I would like to access NowTV, which no longer supports EU roaming, the Netflix UK service, iPlayer, etc.
The VPN connection would be from the laptop (anywhere) to home router. Is there another way to obtain a secure connection to the home router and break out to the internet?
I have configured adblock and DNS redirection on my home wan, so it would be nice to route my phone's mobile data via my home router to maintain adblocking, etc.
If you make a VPN connection, e.g. via Wireguard, to your router and then have "Allowed IPs: 0.0.0.0/0, ::/0" on the client, then all traffic from the client goes to the router. If you put the wireguard interface in a firewall zone that allows it to be forwarded to wan, then all the traffic from the client can go to the internet. I can make some screenshots from my config if needed.
You can run your own. I am doing pretty much the exact same thing.
I have wireguard on my openwrt at home. With my phone I connect to the openwrt router and from there I access the internet. I mainly do this for privacy and security reasons, e.g. if I use a public WiFi then everything I send is secure, and people also cannot detect what sites/IPs I'm using. Of course my ISP at home can detect. There is always somebody you need to trust.
On the client (= phone):
Main config:
Address: 192.168.16.100/32
DNS server is 192.168.8.1 (= router main IP address on "lan" interface)
Define a peer:
Public Key: Fill in the router's public key.
Allowed IPs: 0.0.0.0/0, ::/0
Endpoint: Router public IP:43648
Preshared key: xxxxxxxxxxxxxxx
The preshared key is not really needed btw, but you can use it for extra security. Guest interface is also not needed. Do make sure that the wireguard port is accessible from the internet. My main lan is 192.168.8.1/21
I put both of them in the "lan" firewall zone and set "forward" to accept (= allow forwarding between different interfaces in the zone).
If you want broadcast to also get through, then you may want to install avahi-dbus-daemon.
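To make the two things the post above relies on checkable, here is an added example (not the poster's config, and not OpenWrt's own tooling) that parses a wg-quick style client file in the shape described, and verifies that it tunnels everything (AllowedIPs covers both 0.0.0.0/0 and ::/0, DNS points at the router's LAN address, endpoint has a port, preshared key present) and that the OpenWrt firewall rule admitting WireGuard on wan is an input rule rather than a forward to a zone. The sample config, the hostname, the key placeholders and the rule dictionaries are constructed for the example; the LAN 192.168.8.1/21 and port 43648 are the values from the thread.

```python
import ipaddress

SAMPLE_CLIENT = """\
# constructed sample client config for the example; keys are placeholders
[Interface]
Address = 192.168.16.100/32
DNS = 192.168.8.1
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
[Peer]
PublicKey = ROUTER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = router.example.invalid:43648
"""

def parse_wg_conf(text):
    """Parse a wg-quick style config into {'Interface': {...}, 'Peer': {...}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, val = (p.strip() for p in line.split("=", 1))  # keys may contain '='
            current[key] = val
    return sections

def check_full_tunnel(conf, lan_cidr):
    """Findings for a client that should send all traffic and DNS via the home router."""
    iface, peer, findings = conf.get("Interface", {}), conf.get("Peer", {}), []
    allowed = {a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()}
    if not {"0.0.0.0/0", "::/0"} <= allowed:
        findings.append("AllowedIPs must contain 0.0.0.0/0 and ::/0 to tunnel everything")
    dns = iface.get("DNS")
    if not dns or ipaddress.ip_address(dns) not in ipaddress.ip_network(lan_cidr, strict=False):
        findings.append("DNS should be the router LAN address so adblock/redirection apply")
    if not peer.get("PresharedKey"):
        findings.append("PresharedKey missing: optional, but must match if the router has one")
    if ":" not in peer.get("Endpoint", ""):
        findings.append("Endpoint needs host:port")
    return findings

def check_wan_listen_rule(rule):
    """Findings for the OpenWrt firewall rule that admits WireGuard from wan.
    It is router input: src=wan with dest unset; dest=wan turns it into a forward rule."""
    findings = []
    if rule.get("src") != "wan":
        findings.append("src must be wan")
    if rule.get("dest"):
        findings.append("dest must be unset (Device/input), not a forwarding zone like wan")
    if rule.get("proto", "").lower() != "udp":
        findings.append("WireGuard listens on UDP only")
    return findings
```

`check_full_tunnel(parse_wg_conf(SAMPLE_CLIENT), "192.168.8.1/21")` returns an empty list for the sample, and a rule dict with `"dest": "wan"` is flagged by `check_wan_listen_rule`.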
I think it might have been the pre-shared key. Because it was 'optional', I hadn't added it to my wireguard client. Once I added that, it started working - but only for LAN.
When I attempted to use my mobile phone as a hotspot, the connection didn't establish.
The firewall rules had been added via the CLI, but I'd fiddled with the settings in an attempt to get it working - I had changed the 'destination zone' to 'WAN'. I've now changed that back to 'Device (input)' and everything appears to be working correctly.
I've now added my laptop as a client. For future reference, the router needed a reboot to get that working - I think restarting the VPN interface would also have worked.
I'll try and get my phone working next.
** Edit **
My phone is now using my home connection when mobile data is enabled and I have full adblocking, etc.
With regards to security, just how secure is Wireguard and this configuration? Do I need to be worried about opening up my network?
I agree, wireguard is relatively easy to set up, has a small attack surface, and is fast. Especially if you add the preshared key, it is secure. Of course the weak point here is not the protocol, it is the endpoint. If that gets compromised then you are out of luck. If you do not care about accessing your home network, but still want your traffic to go via your router, you can consider adding it to the "guest" network; then you can keep it separated.
Would you recommend changing the default IP addresses and subnets to provide additional security? I've used the IPs in the guide which, I presume, would be the ones targeted if Wireguard were to become compromised?
In general, if a certain device does not need access to a certain resource, it is better to not give it access. E.g. if you have visitors, don't give them access to your secure WiFi, make a guestnet. Or if you have IoT devices that do not need access to your file server, then separate them. Or your new fridge needs internet, so why allow it to talk to anything else? Ideally separate the traffic with VLANs if you have multiple switches/routers.
What I did was make a guest network, with a separate SSID, and use vlan tagging to keep it separated (I have an r7800 which is AP & router, an r7800 which is just an AP, and also an e4200V2 which I use as a switch). Things like an internet radio also only get access to the guestnet. I did set it up so that I can operate the internet radio via my RPi, which is on my secure net.