Hi everyone!
I'm trying to build a WireGuard gateway inside a VLAN (no WireGuard on the OpenWrt), the idea is that all clients in VLAN id 125 (192.168.3.0/24) use my WireGuard node (192.168.3.2) to reach the internet.
- The WireGuard node is in the same VLAN (not sure it's a good idea?). The WireGuard node is not directly connected to the router, but through a switch (layer 3 capable). So in case it's not possible, or not a good practice, I can set up another network/IP for the WireGuard node and deal with a new route on the router I guess?
- The WireGuard node has only one Ethernet port
Here are some samples from the configurations and cli:
router - /etc/config/network:
```
...
# vpn
config bridge-vlan
	option device 'br-lan'
	option vlan '125'
	list ports 'eth2:t' # mesh network
	list ports 'eth3:t' # main switch

config interface 'vpn'
	option device 'br-lan.125'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.1'
	option gateway '192.168.3.2' # is this a good idea/practice ?
	option delegate '0'
	option ipv6 '0'
...
```
router - /etc/config/dhcp:
```
# vpn
config host
	option ip '192.168.3.2'
	option mac 'xxxx'
	option name 'vpn-board'

config dhcp 'vpn'
	option interface 'vpn'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'
```
router - routing table:
```
root@edgerouterx:/etc/config# ip route
default via 192.168.3.2 dev br-lan.125 proto static
default via 192.168.1.1 dev eth0 proto static src 192.168.1.36 metric 10
192.168.1.0/24 dev eth0 proto static scope link metric 10
192.168.2.0/24 dev br-lan.100 proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev br-lan.125 proto kernel scope link src 192.168.3.1
...
```
Some debug would be welcome
EDIT: in case someone has been through a similar set-up, I struggle with WireGuard keeping SSH access accessible from my 'management' VLAN (id 100 under 192.168.2.1/24). I did something like this:
```
[Interface]
PrivateKey = xxx
Address = yyy.yyy.yyy.yyy/32
DNS = zzz.zzz.zzz.zzz
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
PostUp = ip rule add not from 192.168.2.0/24 table main
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
PostDown = ip rule del not from 192.168.2.0/24 table main
PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward

[Peer]
PublicKey = ppp
AllowedIPs = 192.168.3.0/24
Endpoint = ii.ii.ii.ii:ll
```
Note: VLAN 100 (192.168.2.0/24) can forward to 192.168.3.0/24 (permits my "management" VLAN to keep SSH access to the VPN gateway)
@trendy could you guide me? I've seen a lot of your posts helping people with routing.