Wireguard - can't get handshake

I have currently set my VPN in a new firewall zone.

Since I can't access devices in another subnet, I'm sure that's not the way to do it.
I would want the machine over VPN to be able to connect to all machines from 10.0.0.100 to 10.0.0.150.

Thanks again for the fast help here, was breaking my head over it for longer than I dare admit.

Then number the LAN or tunnel so they are different subnets, as already suggested by @trendy. Simple.

e.g.

  • LAN 10.0.0.0/24
  • Tunnel 10.0.1.0/24

(Why do people use the large 10/8 network - confusing themselves...)

The easy way: you assign the WG interface to the LAN zone. But this means that it will be able to reach all the hosts in the LAN. You can narrow it down with a firewall rule to deny traffic from WG to 10.0.0.1-99 and .151-254.

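As an added example that is not part of the thread (the posters did not share configs), here is how the two suggestions above fit together: the tunnel renumbered to 10.0.1.0/24 while the LAN stays 10.0.0.0/24, the WG interface placed in the lan zone, and two rules that keep the tunnel away from everything except 10.0.0.100-150. The interface name wg0, the endpoint name, the keys and the existing default lan zone are placeholders/assumptions:

```text
# --- /etc/config/network on the OpenWrt router
#     (tunnel numbered 10.0.1.0/24, LAN stays 10.0.0.0/24)
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<router private key>'
	option listen_port '51820'
	list addresses '10.0.1.1/24'

config wireguard_wg0
	option description 'laptop'
	option public_key '<laptop public key>'
	# only this /32 may be sourced by, or routed to, the laptop (cryptokey routing)
	list allowed_ips '10.0.1.2/32'
	option route_allowed_ips '1'

# --- /etc/config/firewall: wg0 joins the existing lan zone (the "easy way"),
#     then two REJECT rules carve out the .1-.99 and .151-.254 ranges
config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config rule
	option name 'wg-deny-lan-low'
	option src 'lan'
	option src_ip '10.0.1.0/24'
	option dest 'lan'
	option dest_ip '10.0.0.1-10.0.0.99'
	option target 'REJECT'

config rule
	option name 'wg-deny-lan-high'
	option src 'lan'
	option src_ip '10.0.1.0/24'
	option dest 'lan'
	option dest_ip '10.0.0.151-10.0.0.254'
	option target 'REJECT'

# --- /etc/wireguard/wg0.conf on the laptop (wg-quick format)
[Interface]
PrivateKey = <laptop private key>
Address = 10.0.1.2/24

[Peer]
PublicKey = <router public key>
Endpoint = vpn.example.net:51820
# tunnel subnet plus the LAN behind the router; wg-quick installs routes for both
AllowedIPs = 10.0.1.0/24, 10.0.0.0/24
PersistentKeepalive = 25
```

Two things worth checking: the REJECT rules match forwarded traffic only, so the laptop can still talk to the router itself (input is ACCEPT for the zone); and the LAN hosts answer 10.0.1.2 via their default gateway, which only works because the tunnel is not inside 10.0.0.0/24. The AllowedIPs on the router side cannot express "only .100-.150" (it describes what the peer may send and what is routed to it, not which destinations it may reach), which is why the restriction lives in the firewall.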


Don't forget:

This is still within the range of 10.0.0.0/24; it needs to be fixed, or the LAN hosts won't forward packets back to the router/tunnel.


Just a quick question here: is it possible to set up WireGuard with a VPN provider like NordVPN?
They use WireGuard for iOS and Linux, but on their website they don't provide private keys, peers, etc.

Thanks

Please don't hijack others' threads, better open your own.
It seems that you have to use their application to connect with WG.


Everything is working now as desired, thanks again!

Reason for using 10/8 is that this network is going to be used over several locations with many devices per location and I want room to grow.

At this point I don't understand why the VPN should be on a different subnet than the devices the VPN is intended to reach. I'm doing a CCNA course later this year so I hope that becomes clear then. Is there a great non-cisco network certification course I could follow instead?


WireGuard is a Layer 3 tunnel, so it only carries IP packets. In addition, IP ranges are used to secure the "Cryptokey Routing", based on the allowed IPs associated with any given peer key.

If your setup used a Layer 2 VPN protocol instead, this would not be an issue, as you can send frames with IPv4 packets containing any SRC IPs you desire. This also means you could bridge the tunnel to a LAN so they use the same IP range, which seems to be what you truly wish.

You could use any private IP (RFC 1918) range, as the router will send to a subnet/interface it possesses a route to. The issue remains that on a Layer 3 tunnel, IP ranges still cannot overlap CIDR/mask ranges. This is a basic routing concept. If any router or host thinks the IP is in the same range, it believes the packet to be local and does not forward it to its gateway/router for (your assumed) [im]proper transmission.

Network+

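To make the two points in the answer above concrete, here is an added example (not from the thread and not WireGuard's own code): a small model of cryptokey routing, where a packet is matched to a peer by longest-prefix match over AllowedIPs and an inbound packet is dropped unless its source falls inside the AllowedIPs of the key that decrypted it, next to the plain host routing decision that silently breaks when the tunnel shares the LAN's 10.0.0.0/24. Peer names stand in for public keys; the addresses and the second "site-b" peer are constructed for illustration.

```python
# Added example: a model of WireGuard cryptokey routing plus the on-link vs.
# gateway decision a LAN host makes. Peer names stand in for public keys;
# all addresses and the site layout are constructed, not taken from the thread.
import ipaddress


class Peer:
    """One [Peer] section: a key (here just a name) plus its AllowedIPs."""

    def __init__(self, name, allowed_ips):
        self.name = name
        self.allowed_ips = [ipaddress.ip_network(n) for n in allowed_ips]


class CryptokeyRouter:
    """Longest-prefix match over every peer's AllowedIPs, as wg does."""

    def __init__(self, peers):
        self.peers = peers

    def peer_for(self, ip):
        ip = ipaddress.ip_address(ip)
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if ip in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def outbound(self, dst):
        """Name of the peer an outgoing packet to dst is encrypted for;
        None means no peer claims that address and wg drops the packet."""
        peer = self.peer_for(dst)
        return peer.name if peer else None

    def inbound(self, decrypted_by, src):
        """A decrypted packet is delivered only if its source address lies in
        the AllowedIPs of the peer whose key decrypted it; anything else is
        silently dropped. This is what makes AllowedIPs an ACL, not just a route."""
        peer = self.peer_for(src)
        return peer is not None and peer.name == decrypted_by


def next_hop(host_ip, prefixlen, gateway, dst):
    """Plain host routing decision: a destination inside the host's own
    subnet is treated as on-link (the host ARPs for it directly); anything
    else is handed to the default gateway."""
    local = ipaddress.ip_interface(f"{host_ip}/{prefixlen}").network
    return "on-link" if ipaddress.ip_address(dst) in local else gateway


# Constructed router-side table: LAN is 10.0.0.0/24, tunnel is 10.0.1.0/24,
# "site-b" is a hypothetical remote router carrying its own 10.0.2.0/24.
ROUTER = CryptokeyRouter([
    Peer("laptop", ["10.0.1.2/32"]),
    Peer("site-b", ["10.0.1.3/32", "10.0.2.0/24"]),
])


if __name__ == "__main__":
    print(ROUTER.outbound("10.0.1.2"))             # laptop
    print(ROUTER.outbound("10.0.2.40"))            # site-b, via its /24
    print(ROUTER.outbound("10.0.1.9"))             # None: no peer claims it
    print(ROUTER.inbound("laptop", "10.0.0.50"))   # False: spoofed LAN source
    print(ROUTER.inbound("laptop", "10.0.1.3"))    # False: that /32 belongs to site-b
    # Overlapping numbering: a LAN host at 10.0.0.120/24 sees a tunnel client
    # numbered 10.0.0.200 as on-link, ARPs for it and never hands the reply to
    # the router, so the tunnel gets no answer. With 10.0.1.2 it uses the gateway.
    print(next_hop("10.0.0.120", 24, "10.0.0.1", "10.0.0.200"))  # on-link
    print(next_hop("10.0.0.120", 24, "10.0.0.1", "10.0.1.2"))    # 10.0.0.1
```

The `inbound` check is the security-relevant half: even a peer that has completed a handshake cannot source packets as a LAN address or as another peer's tunnel address, because the router's AllowedIPs for it is a single /32. The `next_hop` calls show why the fix in the thread was to renumber rather than to add firewall rules: no rule on the router helps if the LAN host never sends the reply to the router in the first place.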

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.