Hi there,
In short, I'd like to set up Wireguard so I can access a couple of servers from my laptop or phone when away from home. I could get Wireguard up and running between one client and my server, but can't access my servers (actual servers doing some work, no Windows systems here) which sit in a VLAN firewall zone (that's where my setup may differ from the documentation).
Thanks to anyone who's willing to help here
In more details:
I've been using OpenWRT for a few years now, it's running on a RPi4 at the heart of my home network. It's a router sitting between my FTTH router and my VLAN networks - one for our devices (named LAN, on 192.168.7.0/24 VLAN 7), one for IOT (192.168.3.0/24 VLAN 3), one for guests (192.168.9.0/24 VLAN 9) and a management network to access my WAP, etc (192.168.111.0/24 VLAN 111).
Behind the ISP router, we find 192.168.1.0 (no VLAN), so TV boxes can get fed (ISP uses specific routing here and you wouldn't want to touch this).
On the RPi, I run two physical interfaces. One is dedicated to WAN, the other is running the VLAN'd interfaces. To spice up all that, there is AdGuard Home up and running.
I've set up the VPN interface (10.20.10.1/32) with its own firewall zone (VPN). From the client on my cellphone I get the connection but can't get access to my local systems. I guess the issue is all about routing from that zone to my target zone (say LAN) and allowing for a way back.
If I enable "route_allowed_ips", I get my static routing table with an entry for 192.168.7.0/24 to VPN interface which basically kills that subnetwork...
Please note my ISP router is under-featured and can't be replaced (unless I switch to another ISP): no static routes can be implemented, nor can one get it acting as a bridge.
Sorry, info will come in the wrong order but I'm limited to one media per post.
Interfaces:
Static routes:
# ip route list
default via 192.168.1.1 dev eth1
192.168.1.0/24 dev eth1 scope link src 192.168.1.2
192.168.3.0/24 dev eth0.3 scope link src 192.168.3.1
192.168.7.0/24 dev eth0.7 scope link src 192.168.7.1
192.168.9.0/24 dev eth0.9 scope link src 192.168.9.1
192.168.111.0/24 dev eth0.111 scope link src 192.168.111.1
WG client (from /etc/config/network):
config wireguard_VPN
option description 'ONECLIENT'
option public_key 'ONEPUBKEY'
option private_key 'ONEPRIVATEKEY'
option preshared_key 'ONEPSK'
option persistent_keepalive '25'
option route_allowed_ips '0'
list allowed_ips '10.20.10.0/32'
list allowed_ips '192.168.7.0/24'
WG interface:
config interface 'VPN'
option proto 'wireguard'
option private_key 'THISPRIVATEKEY'
list addresses '10.20.10.1'
option listen_port '51555'
list dns '192.168.7.1'
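Added example (not from the original post and not OpenWrt's own code): a small lint that reads a UCI network config and flags the two settings in the quoted stanzas worth checking. The sample reproduces the peer and interface stanzas above plus a constructed 'lan' stanza built from the 192.168.7.1/24 address given in the post; a peer's allowed_ips that covers a subnet the router already owns is exactly what made route_allowed_ips replace the LAN route, and a tunnel address without a prefix length is treated as /32 by OpenWrt's wireguard proto.

```python
import ipaddress
import re

# Constructed sample: the peer and interface stanzas quoted in the post, plus a
# 'lan' stanza built from the 192.168.7.1/24 address the post gives.
SAMPLE_CONFIG = """
config interface 'lan'
    option ipaddr '192.168.7.1'
    option netmask '255.255.255.0'
config interface 'VPN'
    option proto 'wireguard'
    list addresses '10.20.10.1'
config wireguard_VPN
    option description 'ONECLIENT'
    list allowed_ips '10.20.10.0/32'
    list allowed_ips '192.168.7.0/24'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, section_name, {key: [values]})."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        head = re.match(r"config\s+(\S+)(?:\s+'?([^']+)'?)?$", line)
        kv = re.match(r"(?:option|list)\s+(\S+)\s+'?([^']*)'?$", line)
        if head:
            sections.append((head.group(1), head.group(2), {}))
        elif kv and sections:
            sections[-1][2].setdefault(kv.group(1), []).append(kv.group(2))
    return sections

def lint_wireguard(text):
    """Return finding strings for the two mistakes discussed; empty means none found."""
    sections = parse_uci(text)
    findings = []
    wg = [(n, o) for t, n, o in sections if t == "interface" and o.get("proto") == ["wireguard"]]
    lan = [(n, ipaddress.ip_network(f"{o['ipaddr'][0]}/{o['netmask'][0]}", strict=False))
           for t, n, o in sections if t == "interface" and "ipaddr" in o and "netmask" in o]
    for name, opts in wg:  # OpenWrt's wireguard proto treats a bare address as /32
        findings += [f"interface {name}: address {a} has no prefix length (becomes /32)"
                     for a in opts.get("addresses", []) if "/" not in a]
    # allowed_ips is cryptokey routing: on the server it names the client's tunnel
    # address. A subnet the router already owns must never appear in a peer entry.
    for typ, _name, opts in sections:
        if typ.startswith("wireguard_"):
            peer = opts.get("description", ["<unnamed>"])[0]
            for cidr in opts.get("allowed_ips", []):
                net = ipaddress.ip_network(cidr, strict=False)
                findings += [f"peer {peer}: allowed_ips {cidr} covers the {n} subnet {s}"
                             for n, s in lan if s.subnet_of(net)]
    return findings
```

Running it against the real /etc/config/network (read the file instead of SAMPLE_CONFIG) should return an empty list once the peer entry names only the client's tunnel address and the VPN address carries its prefix length.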