WireGuard gateway inside a VLAN

Hi everyone!

I'm trying to build a WireGuard gateway inside a VLAN (no WireGuard on the OpenWrt router). The idea is that all clients in VLAN ID 125 (192.168.3.0/24) use my WireGuard node (192.168.3.2) to reach the internet.

Notes:

  • The WireGuard node is in the same VLAN (not sure it's a good idea?). The WireGuard node is not directly connected to the router, but through a switch (layer 3 capable). So in case it's not possible, or not good practice, I can set up another network/IP for the WireGuard node and deal with a new route on the router, I guess?
  • The WireGuard node has only one Ethernet port, eth0

Here are some samples from the configurations and CLI:

router - /etc/config/network:

...
# vpn
config bridge-vlan
        option device 'br-lan'
        option vlan '125'
        list ports 'eth2:t' # mesh network
        list ports 'eth3:t' # main switch

config interface 'vpn'
        option device 'br-lan.125'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.3.1'
        option gateway '192.168.3.2' # is this a good idea/practice?
        option delegate '0'
        option ipv6 '0'
...

router - /etc/config/dhcp:

# vpn
config host
        option ip '192.168.3.2'
        option mac 'xxxx'
        option name 'vpn-board'

config dhcp 'vpn'
        option interface 'vpn'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

router - ip route:

root@edgerouterx:/etc/config# ip route
default via 192.168.3.2 dev br-lan.125 proto static
default via 192.168.1.1 dev eth0 proto static src 192.168.1.36 metric 10
192.168.1.0/24 dev eth0 proto static scope link metric 10
192.168.2.0/24 dev br-lan.100 proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev br-lan.125 proto kernel scope link src 192.168.3.1
...

Some debug would be welcome :slight_smile:

EDIT: in case someone has been through a similar set-up: I struggle with WireGuard keeping SSH access accessible from my 'management' VLAN (ID 100 under 192.168.2.1/24). I did something like this:

wg0.conf

[Interface]
PrivateKey = xxx
Address = yyy.yyy.yyy.yyy/32
DNS = zzz.zzz.zzz.zzz

# enable forwarding, then add a policy rule: anything not from the management VLAN uses the main table
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
PostUp = ip rule add not from 192.168.2.0/24 table main
# accept forwarded traffic arriving on wg0 and NAT everything leaving on eth0
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# undo the above when the tunnel goes down
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip rule del not from 192.168.2.0/24 table main
PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward

[Peer]
PublicKey = ppp
AllowedIPs = 192.168.3.0/24
Endpoint = ii.ii.ii.ii:ll

Note: VLAN 100 (192.168.2.0/24) can forward to 192.168.3.0/24 (this lets my "management" VLAN keep SSH access to the VPN gateway).

@trendy, could you guide me? I've seen a lot of your posts helping people with routing.
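Added example (not part of the original post, and not the poster's configuration): a wg-quick configuration for the single-NIC gateway described above, written for the case "everything from VLAN 125 goes through the tunnel, the management VLAN 192.168.2.0/24 stays reachable over SSH". It assumes the node runs wg-quick with iptables, that the tunnel address 10.8.0.2/32, the keys and the endpoint are placeholders, and that the router keeps its normal WAN default route while the VLAN 125 DHCP pool hands out 192.168.3.2 as the clients' gateway.

```ini
# /etc/wireguard/wg0.conf on the gateway node (192.168.3.2, single NIC eth0).
# Added example: addresses, keys and endpoint below are placeholders.
[Interface]
PrivateKey = <gateway-private-key>
# Assumed tunnel address; the VPN server routes only this /32 back to us.
Address = 10.8.0.2/32

# Forward for the VLAN clients, and fail closed: nothing is forwarded
# unless one of the FORWARD rules below allows it (also while wg0 is down).
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -P FORWARD DROP

# wg-quick installs "lookup main suppress_prefixlength 0" (prio 32764) ahead of
# its tunnel table 51820, so any non-default route in the main table wins.
# A specific route for the management VLAN therefore keeps SSH replies to
# 192.168.2.0/24 on eth0 (via the router) instead of sending them into wg0.
PostUp = ip route add 192.168.2.0/24 via 192.168.3.1 dev eth0
PostDown = ip route del 192.168.2.0/24 via 192.168.3.1 dev eth0

# Only VLAN 125 clients may enter the tunnel; only replies to them come back out.
PostUp = iptables -A FORWARD -i eth0 -o wg0 -s 192.168.3.0/24 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -d 192.168.3.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Source-NAT client traffic to the tunnel address: the server knows 10.8.0.2/32,
# not 192.168.3.0/24, so un-NATed client packets would never get replies.
PostUp = iptables -t nat -A POSTROUTING -o wg0 -s 192.168.3.0/24 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -o wg0 -s 192.168.3.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -d 192.168.3.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o wg0 -s 192.168.3.0/24 -j MASQUERADE

[Peer]
PublicKey = <server-public-key>
# 0.0.0.0/0 (rather than the local LAN) is what makes wg-quick set up the
# fwmark + table 51820 policy routing that sends every non-local destination
# into the tunnel. The handshake packets themselves carry the fwmark and so
# still leave via eth0 and the router's normal WAN route.
AllowedIPs = 0.0.0.0/0
Endpoint = <server-ip>:<port>
# Assumed: the node sits behind the router's NAT, so keep the mapping alive.
PersistentKeepalive = 25
```

Checks on the gateway after `wg-quick up wg0`: `ip rule` should list the `lookup main suppress_prefixlength 0` rule before the `not from all fwmark 0xca6c lookup 51820` rule; `ip route get 192.168.2.10` should answer `via 192.168.3.1 dev eth0`, while `ip route get 1.1.1.1` should answer `dev wg0 table 51820`. On the router side, the clients are pointed at the gateway by the DHCP pool rather than by the router's own routing table: add `list dhcp_option '3,192.168.3.2'` to the `config dhcp 'vpn'` section (a default route without metric on the `vpn` interface, as in the `ip route` output above, sends the router's own traffic to 192.168.3.2 ahead of the WAN). DNS is a separate leak: clients that keep 192.168.3.1 as resolver have their lookups answered over the WAN, so hand out a resolver reachable through the tunnel as well, e.g. `list dhcp_option '6,<dns-reachable-via-tunnel>'`.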