Hi, how are you all doing?
I have this situation that I've been trying to fix, maybe someone more experienced can help me:
PLACE "A":
Internet ----> Main router ----> PC (running Wireguard)
PLACE "B":
Internet ----> Main router ----> OpenWRT router (running Wireguard) ----> various_devices
My question is: Is there a way for all the various_devices on PLACE "B" (connected through ethernet ports) to reach the PC on PLACE "A"? If there's a way, how can I make it work?
The thing is, I need the OpenWRT router to be portable, so I can take it somewhere else and connect a device through one of its ethernet ports for reaching the PC at PLACE "A" through a VPN tunnel (I don't want to open ports to specific services on the Main router at PLACE "A", and neither can I install Wireguard on it). The OpenWRT router will be connected to a Main router on PLACE "B" through WiFi.
So, in essence:
1- Everything that enters the OpenWRT router through ethernet, should go through a VPN tunnel and reach the PC (where it would be decrypted).
2- The response from the PC should go through a VPN tunnel and reach the OpenWRT router again (where it would be decrypted and sent to the correct ethernet port).
Let me know if I overcomplicated this explanation, English is not my main language!
Are you willing to open/forward a port for WG at place A (i.e. forward the WG port on Place A's WAN > the PC)? If so, yes, this is not hard to do. If not, this will be much more difficult.
Yes that is how it works. The PC will hold an IP inside the tunnel. You can connect to multiple services with different ports on that IP. The encrypted packets all come in through one connection on one port. When they are decrypted and de-encapsulated the internal port number is used.
A site to site Wireguard does require one of the sites to have one port open to the Internet for the incoming encrypted packets. It would make sense to do this at A since B is not always the same place.
So:
1- On the PC side, I should set the Wireguard Interface with its own IP (for example: 192.168.10.1/24), and add a Peer with an IP (for example 192.168.10.2/24), which would be the OpenWRT router.
2- On the OpenWRT side, I should set the Wireguard Interface with IP (192.168.10.2/24) and add the PC's public IP as Peer?
The firewall configuration depends on your goals... what is supposed to happen? Are you just accessing that one host at location A (from location B)? Or are you tunneling all of your internet access through that host? Or something else?
I personally like to put the VPN into its own zone. Create a new zone and allow forwarding from your lan > wg zones. Also allow output. You can safely allow input and forward if you want, too.
You'll probably need masquerading enabled unless your host at location A has a static route assigned for the return traffic.
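As an added example (not posted by anyone in this thread), here is what the two sides look like when put together the way the replies suggest: the PC at place A listens on one forwarded UDP port and only ever sees the router's tunnel address, while the OpenWrt router at place B dials in, keeps its own "wg" zone, forwards lan into it and masquerades. The tunnel addresses are the ones proposed above; the keys, the place A hostname, UDP port 51820 and the default OpenWrt zone name "lan" are assumptions/placeholders to be replaced.

```ini
# ---- Place A, PC: /etc/wireguard/wg0.conf (wg-quick) ----
[Interface]
Address = 192.168.10.1/24
# UDP 51820 is the one port forwarded on place A's main router to this PC
ListenPort = 51820
PrivateKey = <PC_PRIVATE_KEY>

[Peer]
# OpenWrt router at place B. No Endpoint: its address changes, so it dials in.
PublicKey = <OPENWRT_PUBLIC_KEY>
# With masquerading on the router, every LAN client arrives as 192.168.10.2,
# so this is the only source the PC needs to accept and route back into wg0.
AllowedIPs = 192.168.10.2/32

# ---- Place B, OpenWrt: /etc/config/network ----
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<OPENWRT_PRIVATE_KEY>'
	list addresses '192.168.10.2/24'

config wireguard_wg0
	option description 'PC at place A'
	option public_key '<PC_PUBLIC_KEY>'
	option endpoint_host 'PLACE_A_PUBLIC_IP_OR_DDNS_NAME'
	option endpoint_port '51820'
	# keepalive keeps place B's NAT mapping open so the PC's replies get through
	option persistent_keepalive '25'
	# only the PC's tunnel address is routed into the tunnel, not all traffic
	option route_allowed_ips '1'
	list allowed_ips '192.168.10.1/32'

# ---- Place B, OpenWrt: /etc/config/firewall (added sections) ----
# the tunnel gets its own zone; lan may forward into it, nothing comes back unsolicited
config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# masquerade so the PC needs no static route for the router's LAN
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wg'
```

If you later want all of the devices' internet traffic to go via the PC instead of just reaching it, allowed_ips on the OpenWrt side becomes 0.0.0.0/0 and the PC has to forward and NAT that traffic itself; with the settings above only the PC's tunnel address is reachable through the tunnel.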