As title, my main sticking point is about firewall rules/port forwarding/traffic rules to allow the two interfaces to co-exist without clashing. And, moreover, to allow the server to allow connections via a port - usually done via port-forwarding but I've gotten mixed messages about whether that's the case when this is the sole router and you're running directly on it.
Although I'm not certain whether I need to alter the Wireguard client's binding interfaces to allow this to occur. Currently, such as it is, I've got my set up fixed according to what's laid out in Mullvad's "WireGuard on a router" guide. Now, presumably that works just fine if you're trying to only connect to the internet via VPN without any leaks, but how does the VPN server fit into the mix? How do they co-exist in relation to one another and to WAN and LAN? Thanks!
You can just create a WG server interface and allocate a private subnet for the clients that will connect on that one. You don't need to change anything in the Mulvad interface. The WG server interface could be assigned to the lan firewall zone for simplicity so that you can be able to access your lan devices too, or create a new firewall zone to restrict access.
Brilliant, thanks. So should my port-forward for this interface connect WAN to LAN or Mullvad to LAN? WAN to LAN makes sense, but only if I allow forwarding from LAN to WAN interfaces in the firewall. Mullvad to LAN makes sense because it's the predominant internet gateway, as such, but it doesn't allow 'normal' port-forwarding - should I pre-allocate a port in Mullvad and use that for the server if this is the case? Thanks again!
I believe you mean zone forwarding.
It depends on your implementation. If the WG server is meant for local lan access only, then it needs a separate zone and only lan zone forwarding. If you also want to access the internet though Mulvad, then you can assign it to lan zone, without any other changes. If you only want to provide internet via Mulvad without lan access, then you need to create a new zone and allow forwarding to Mulvad.
Alright, I'm having a bit of difficulty in terms of parsing what you're getting at. The WG Server is meant to provide me access to LAN, but also serve for DNS (connected to router port 53). So I guess it might go WG Server-LAN-Mullvad? Moreover, I'm unfamiliar with zone forwarding - is that just a difference in terminology? How does that pertain to the port on the Wireguard client endpoint? Thanks again.
OK, so I needn't worry about port-forwarding in any capacity so long as the interfaces are configured appropriately then? Disregarding DNS access, if I only wanted to connect to the LAN I should just connect this new WG Server interface to the LAN and otherwise configure it as I would on any other instance of Linux and not have to worry about forwarding a port? So in my client the endpoint would just be DDNSDOMAIN or WANIP without a port?
You usually do port forwarding when you want to access a service behind NAT. In the case of WG Server and LAN is not needed since you shouldn't be NATing traffic there.
Each zone has a policy for INPUT, OUTPUT and FORWARD. Input is for traffic incoming to the router, Output for traffic originating from the router, and Forward for traffic traversing from one interface to another in the same zone.
So if you assign the WG server interface in the LAN zone, you don't need to do much more, as LAN zone ACCEPTs all above mentioned traffic.
OK, so that all should work, and does when not connected to VPN (after having enabled the LAN-WAN connection in firewall again).The problem seems to lie in Wireguard's default routing method, it just seems to suppress everything else. I'm certain that's also why the VPN-Policy-Routing service refuses to start when Wireguard is enabled. Is there any way to resolve this? Thanks.
Alright, update on this, managed to get VPN-Policy-Routing working by following the tutorial in the readme here. While it's nice to be able to do that, still hasn't quite yielded what I want. That having been said, there do seem to be packets traveling between the client and the wireguard server itself. I'm unsure as to what's blocking the free flow, though.
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option network 'wgclient'
option name 'wgclient'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'ACCEPT'
option output 'ACCEPT'
config forwarding
option dest 'wgclient'
option src 'lan'
config forwarding
option dest 'lan'
option src 'wgserver'
config forwarding
option dest 'wan'
option src 'wgserver'
config forwarding
option dest 'wgclient'
option src 'wgserver'
config rule
option dest_port '61820'
option src '*'
option name 'Allow-WG-Inbound'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
config redirect
option dest_port '51825'
option src 'wan'
option name 'DietPi Server'
option src_dport '51825'
option target 'DNAT'
option dest 'lan'
option dest_ip ''
config redirect
option dest_port '30659'
option src 'wgclient'
option name 'Torrent'
option src_dport '30659'
option target 'DNAT'
option dest_ip ''
option dest 'lan'
config zone
option network 'wgserver'
option input 'ACCEPT'
option forward 'REJECT'
option name 'wgserver'
option output 'ACCEPT'
option masq '1'
package vpn-policy-routing
config vpn-policy-routing 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option ipv6_enabled '0'
list supported_interface ''
option boot_timeout '30'
option iptables_rule_option 'append'
option iprule_enabled '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option dest_ipset 'ipset'
option webui_enable_column '1'
option webui_protocol_column '1'
option webui_chain_column '1'
list ignored_interface 'wgserver'
option enabled '1'
config include
option path '/etc/'
option enabled '0'
config include
option path '/etc/'
option enabled '0'
config policy
option interface 'wan'
option name 'Wireguard Server'
option src_port '61820'
option chain 'OUTPUT'
option proto 'tcp udp'
Honestly, if possible, I'd be tempted to just find a way to route an entire Virtual-Machine client to WAN and then use that client exclusively for a Wireguard server. I mean, as a secondary solution to running directly on the router. Definitely made progress, though. Thanks for your help.
You'll need to be a bit more specific as to what is not working.
From your config I don't see the reason for masquerade in wgserver zone. Actually the whole wgserver zone is kinda unnecessary, you could add the wgserver interface under lan zone.
One thing that might be wrong is having 2 default gateways (you can verify that with ip -4 ro)
The Wireguard Server, in its entirety doesn't work while behind the VPN. The interface shows that the server is sending and receiving packets, the client only appears to be able to send packets. Either way, there doesn't seem to be a legitimate connection. I bound the WGserver interface to the LAN, but that yields the same outcome. I can't tell whether I've more than one default route through that command, but according to VPN-Routing-Policy the WGClient is the default route. VPN Policy Routing does work now, though. I'm able to route IPs through the WAN, rather than their default route of going through the wgclient.
Edit: Actually it doesn't even send those few packets if I bind the wgserver to the LAN interface - Rx and Tx stay at zero.
default dev wgclient proto static scope link dev wgserver proto kernel scope link src dev wgserver proto static scope link dev pppoe-wan proto kernel scope link src dev br-lan proto kernel scope link src via dev pppoe-wan proto static
0: from all lookup local
32764: from all fwmark 0x20000 lookup 202
32765: from all fwmark 0x10000 lookup 201
32766: from all lookup main
32767: from all lookup default
default via dev pppoe-wan table 201 dev wgserver table 201 proto kernel scope link src dev wgserver table 201 proto static scope link
default via dev wgclient table 202 dev wgserver table 202 proto kernel scope link src dev wgserver table 202 proto static scope link
default dev wgclient proto static scope link dev wgserver proto kernel scope link src dev wgserver proto static scope link dev pppoe-wan proto kernel scope link src dev br-lan proto kernel scope link src via dev pppoe-wan proto static
local dev wgclient table local proto kernel scope host src 10.65.58 .106
broadcast dev wgserver table local proto kernel scope link src 10.2 00.200.1
local dev wgserver table local proto kernel scope host src 10.200.2 00.1
broadcast dev wgserver table local proto kernel scope link src 10 .200.200.1
local dev pppoe-wan table local proto kernel scope host src 124. 171.109.177
broadcast dev lo table local proto kernel scope link src
local dev lo table local proto kernel scope host src
local dev lo table local proto kernel scope host src
broadcast dev lo table local proto kernel scope link src 127.0.0 .1
broadcast dev br-lan table local proto kernel scope link src 192.168 .1.1
local dev br-lan table local proto kernel scope host src
broadcast dev br-lan table local proto kernel scope link src 192.1 68.1.1
I mean, they were all adequately committed as they survived through multiple reboots. Regardless, I appreciate your time and energy expenditure on this but I managed to get VPN-Routing-Policy to force an entire VM client to direct to WAN, then did the standard fare of port-forwarding and it works. Obviously not ideal as configuring on-router, but it's better than nothing. Thanks again for your help.