Hi everyone !
I'm trying to build a wireguard gateway inside a vlan (no wireguard on the openwrt), the idea is that all clients in vlan id 125 (192.168.3.0/24) use my wireguard node (192.168.3.2) to reach internet.
Notes:
- The wireguard is in the same vlan (not sure it's a good idea ?). The wireguard node is not directly connected to the router, but through a switch (layer 3 capable). So in case its not possible, or not a good practice, I can set-up another network/ip for the wireguard node and deal with a new route on the router I guess ?
- The wireguard has only one ethernet port
eth0
Here are some samples from the configurations and cli:
router - /etc/config/network
...
# vpn
config bridge-vlan
option device 'br-lan'
option vlan '125'
list ports 'eth2:t' # mesh network
list ports 'eth3:t' # main switch
config interface 'vpn'
option device 'br-lan.125'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.3.1'
option gateway '192.168.3.2' # is this a good idea/practice ?
option delegate '0'
option ipv6 '0'
...
router - /etc/config/dhcp:
# vpn
config host
option ip '192.168.3.2'
option mac 'xxxx'
option name 'vpn-board'
config dhcp 'vpn'
option interface 'vpn'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
root@edgerouterx:/etc/config# ip route
default via 192.168.3.2 dev br-lan.125 proto static
default via 192.168.1.1 dev eth0 proto static src 192.168.1.36 metric 10
192.168.1.0/24 dev eth0 proto static scope link metric 10
192.168.2.0/24 dev br-lan.100 proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev br-lan.125 proto kernel scope link src 192.168.3.1
...
Some debug would be welcome
EDIT: in case someone have been through a simlilar set-up, I struggle with wireguard keeping ssh access accessible from my 'management' vlan (id 100 under 192.168.2.1/24). I did something like this:
wg0.conf
[Interface]
PrivateKey = xxx
Address = yyy.yyy.yyy.yyy/32
DNS = zzz.zzz.zzz.zzz
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
PostUp = ip rule add not from 192.168.2.0/24 table main
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
PostDown = ip rule del not from 192.168.2.0/24 table main
PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward
[Peer]
PublicKey = ppp
AllowedIPs = 192.168.3.0/24
Endpoint = ii.ii.ii.ii:ll
Note: vlan 100 (192.168.2.0/24) can forward on 192.168.3.0/24 (permits my "management" vlan to keep an ssh access to the vpn gateway)
@trendy could you guide me ? I've seen a lot of your post helping people with routing.