Hi All,
In order to raise my WAF points I'd like to configure a VPN from my home network that egresses into the UK public internet. I've installed WireGuard on my OpenWRT router and have a DigitalOcean droplet for the other end. Both ends can connect and ping each other over the VPN, but I can't get any LAN traffic to exit the droplet onto the internet. I guess I'm missing some vital firewall or routing configuration. Any help much appreciated.
LAN: 192.168.1.0/24
VPN: 10.0.0.0/24
Here's the OpenWRT config:

config interface 'DO'
    option proto 'wireguard'
    option listen_port '5555'
    option private_key '<snip>'
    list addresses '10.0.0.2/24'
    list addresses '192.168.1.0/24'

config wireguard_DO
    option public_key '<snip>'
    list allowed_ips '10.0.0.1/32'
    option endpoint_host '209.97.179.43'
    option endpoint_port '5555'

config zone
    option name 'VPN'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'DO'
    option masq '1'
    option mtu_fix '1'
    option input 'REJECT'
root@gate:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
10.0.0.0        *               255.255.255.0   U     0      0        0 DO
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
209.97.179.43   192.168.0.1     255.255.255.255 UGH   0      0        0 eth1

Since I'm using masq I'm pretty sure I don't need the LAN subnet in AllowedIPs.

Here's the droplet config:
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 5555
PrivateKey = <snip>

[Peer]
PublicKey = <snip>
AllowedIPs = 10.0.0.2/32

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         209.97.176.1    0.0.0.0         UG    0      0        0 eth0
10.0.0.0        *               255.255.255.0   U     0      0        0 wg0
10.16.0.0       *               255.255.0.0     U     0      0        0 eth0
209.97.176.0    *               255.255.240.0   U     0      0        0 eth0
I'm testing by using VPN Policy Routing to send one client down the VPN. I also tested by sending everything down the VPN, which resulted in a lowering of the Wife Acceptance Factor for a short while.
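As an added example that is not part of the original post and not OpenWrt's or WireGuard's own documentation, the script below collects the two pieces the posted configuration does not contain for LAN traffic to leave the droplet: the droplet needs IP forwarding switched on and a MASQUERADE rule on its public interface, and the router's peer needs allowed_ips that cover the internet, since WireGuard's cryptokey routing drops outbound packets whose destination matches no peer. The interface names eth0 and wg0, the 10.0.0.0/24 tunnel network and the 5555 port are taken from the posted configs; the key values are placeholders, the sysctl drop-in path and the function names (render_droplet_wg0_conf, apply_droplet, render_openwrt_uci_batch, apply_openwrt) are this example's own, and the persistent_keepalive setting is an optional addition for a router that sits behind another NAT. Nothing runs at top level; the apply functions must be invoked as root on the respective box.

```shell
#!/bin/sh
# Added example, not from the original post: what the posted configuration is
# missing for LAN traffic to exit the droplet. Both ends already handshake,
# so keys and endpoints are fine.
#
#   droplet: net.ipv4.ip_forward defaults to 0, and nothing NATs tunnel
#            traffic out of eth0, so forwarded packets are dropped or leave
#            with a 10.0.0.x source that the internet cannot route back to.
#   router:  the peer's allowed_ips is 10.0.0.1/32, so WireGuard's cryptokey
#            routing silently drops any packet whose destination is not
#            10.0.0.1 before it ever enters the tunnel.
#
# Assumptions: eth0/wg0, 10.0.0.0/24 and port 5555 come from the posted
# configs; keys are placeholders; the function names are this example's own.

WAN_IF=eth0            # droplet's public interface (posted route table)
WG_IF=wg0
VPN_NET=10.0.0.0/24

# Droplet side: wg0.conf with NAT and forwarding hooks. SaveConfig is left
# off so that edits to this file are not overwritten on 'wg-quick down'.
render_droplet_wg0_conf() {
    cat <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 5555
PrivateKey = <droplet private key>
# SNAT tunnel traffic to the droplet's public address; allow forwarding
# out of the tunnel and only reply traffic back into it.
PostUp = iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
PostUp = iptables -A FORWARD -i $WG_IF -o $WAN_IF -j ACCEPT
PostUp = iptables -A FORWARD -i $WAN_IF -o $WG_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
PostDown = iptables -D FORWARD -i $WG_IF -o $WAN_IF -j ACCEPT
PostDown = iptables -D FORWARD -i $WAN_IF -o $WG_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

[Peer]
PublicKey = <router public key>
# The router masquerades its LAN behind 10.0.0.2 (option masq '1' on the
# VPN zone), so the droplet only ever sees this one source address.
AllowedIPs = 10.0.0.2/32
EOF
}

# Run as root on the droplet.
apply_droplet() {
    umask 077
    render_droplet_wg0_conf > /etc/wireguard/wg0.conf
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-wireguard.conf
    wg-quick down "$WG_IF" 2>/dev/null || true
    wg-quick up "$WG_IF"
}

# Router side: UCI changes for the posted 'DO' interface and 'VPN' zone.
# The stray 192.168.1.0/24 address comes off the tunnel interface (it is the
# LAN's network address and already lives on br-lan). allowed_ips 0.0.0.0/0
# lets any destination into the tunnel; route_allowed_ips '0' stops OpenWrt
# installing a default route over it, so VPN Policy Routing keeps deciding
# which clients use the tunnel. The lan->VPN forwarding is what the zone's
# forward 'REJECT' otherwise blocks.
render_openwrt_uci_batch() {
    cat <<'EOF'
delete network.DO.addresses
add_list network.DO.addresses='10.0.0.2/24'
delete network.@wireguard_DO[0].allowed_ips
add_list network.@wireguard_DO[0].allowed_ips='0.0.0.0/0'
set network.@wireguard_DO[0].route_allowed_ips='0'
set network.@wireguard_DO[0].persistent_keepalive='25'
add firewall forwarding
set firewall.@forwarding[-1].src='lan'
set firewall.@forwarding[-1].dest='VPN'
commit network
commit firewall
EOF
}

# Run as root on the router.
apply_openwrt() {
    render_openwrt_uci_batch | uci batch
    /etc/init.d/network restart
    /etc/init.d/firewall restart
}
```

After both sides are applied, `wg show` on the droplet should show the rx/tx counters for the router peer climbing while a policy-routed client browses, `tcpdump -ni eth0` on the droplet should show that client's traffic leaving with the droplet's own source address, and a what-is-my-IP check from that client should return the droplet's address rather than the home connection's.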