In order to raise my WAF points I'd like to configure a VPN from my home network that egresses into the UK public internet. I've installed Wireguard on my OpenWRT router and have a Digital Ocean droplet for the other end. Both ends can connect and ping each other over the VPN but I can't get any LAN traffic to exit the droplet onto the internet. I guess I'm missing some vital firewall or routing configuration. Any help much appreciated.
Here's the OpenWRT config
```
config interface 'DO'
	option proto 'wireguard'
	option listen_port '5555'
	option private_key '<snip>'
	list addresses '10.0.0.2/24'
	list addresses '192.168.1.0/24'

config wireguard_DO
	option public_key '<snip>'
	list allowed_ips '10.0.0.1/32'
	option endpoint_host '18.104.22.168'
	option endpoint_port '5555'

config zone
	option name 'VPN'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'DO'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
```

```
root@gate:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
10.0.0.0        *               255.255.255.0   U     0      0        0 DO
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
22.214.171.124  192.168.0.1     255.255.255.255 UGH   0      0        0 eth1
```
Since I'm using masq I'm pretty sure I don't need the LAN subnet in AllowedIPs.
Here's the droplet config
```
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 5555
PrivateKey = <snip>

[Peer]
PublicKey = <snip>
AllowedIPs = 10.0.0.2/32
```

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         126.96.36.199   0.0.0.0         UG    0      0        0 eth0
10.0.0.0        *               255.255.255.0   U     0      0        0 wg0
10.16.0.0       *               255.255.0.0     U     0      0        0 eth0
188.8.131.52    *               255.255.240.0   U     0      0        0 eth0
```
I'm testing by using VPN Policy Routing to send one client down the VPN. I also tested by sending everything down the VPN, which resulted in a lowering of the Wife Acceptance Factor for a short while.
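As an added example, not the poster's own config: a droplet-side `wg0.conf` that turns the droplet into an egress gateway for the tunnel, which is the part the posted droplet config lacks (no IP forwarding and no NAT, so forwarded LAN packets have nowhere to return to). It assumes `eth0` is the droplet's public interface, as in the routing table above, that `iptables` is installed, and the key values are placeholders.

```ini
# Added example (not the original poster's configuration).
# Assumes eth0 is the droplet's public interface and iptables is available.
[Interface]
Address = 10.0.0.1/24
ListenPort = 5555
PrivateKey = <droplet-private-key>   # placeholder

# Let the kernel forward packets that arrive on wg0 out through eth0 ...
PostUp = sysctl -w net.ipv4.ip_forward=1
# ... explicitly permit that forwarding (only matters if the FORWARD chain
# has a DROP policy, but it documents the intent) ...
PostUp = iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ... and rewrite the source address to the droplet's public IP so that
# replies from the internet come back to the droplet and into the tunnel.
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

# Remove the same rules when the tunnel goes down so nothing is left behind.
PostDown = iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# The OpenWrt router. Because masq is enabled on its VPN zone, LAN traffic
# arrives sourced from 10.0.0.2, so only the tunnel address is needed here.
PublicKey = <router-public-key>   # placeholder
AllowedIPs = 10.0.0.2/32
```

On the OpenWrt side, the posted firewall defines the VPN zone but no `config forwarding` section with `option src 'lan'` and `option dest 'VPN'`; without it, LAN-to-tunnel forwarding is rejected even with `masq` set on the zone.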