Wireguard issues / confusion

Hello, I'm running an x86 install of OpenWrt 21.02.1 r16325-88151b8303.

About a year ago I created a wireguard vpn for when I travel, to help remote desktop in to machines at home as well as access my Samba fileshare. Most of my internal network is a smattering of linux machines as well as a SAN Qnap box running linux headless with many docker containers (jellyfin, npm, minecraft server, deluge, dovecot/postfix mailserver).

I have a two part problem I'd like some insight into not only fixing but also understanding better.

  1. Yesterday I noticed that, while I was still able to VPN in fine, I could not access any LAN resources: pinging internal IPs didn't work. Editing the interface settings for WG0 (the WireGuard interface) to LAN fixed this, but I vaguely remember it being set to WAN previously and there being a good reason for it being set that way. Could someone help me to understand what I'm altering here? Should I change it back to the WAN zone?

  2. I'd like to be able to access systems using their internal LAN hostnames instead of IPs, i.e. instead of ssh USER@192.168.1.130 be able to do ssh USER@potato-tower, etc. What's the best way to implement this dynamically, without hard configuration files?

In the case of a road-warrior type VPN, the typical approach is to associate WG with either the lan zone or to put it in its own zone. Very rarely/never would it be desirable to put it in the wan zone because it is assumed that a) the remote peers are trusted, and b) inbound access to local resources is not possible on the wan (at least not by default, and changing that behavior would compromise the security of your network).

The only time that using the wan zone for a WG network makes sense is when you are using the WG network as an outbound VPN -- i.e. to a commercial VPN or similar where you do not want them to have inbound access to your network.

This is a DNS thing. On your remote peer, set the DNS to that of your main router. You may need to use a full domain name like potato-tower.lan or the like, but the DNS of the main router should be able to resolve that, assuming that it is possible to do this when you are locally on your lan (if not, we can discuss why and what needs to be done).

Does that help?
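As an added illustration of the zone choices described above (not from the original thread), here are the two sensible layouts in OpenWrt /etc/config/firewall syntax. The interface name wg0 comes from the question; the zone name 'vpn' and the listen port 51820 are assumptions.

```uci
# Layout A: wg0 is simply a member of the lan zone.
# Remote peers are treated exactly like a wired LAN host.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

# Layout B: wg0 in its own zone, with explicit forwarding to lan only.
# 'input ACCEPT' lets peers reach the router itself (needed for DNS);
# 'forward REJECT' means peers reach nothing unless a forwarding
# entry below allows it.
config zone
	option name 'vpn'      # assumed zone name
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

config forwarding
	option src 'vpn'
	option dest 'lan'

# Either layout still needs the WireGuard handshake port opened on wan,
# because the wan zone drops unsolicited inbound traffic by default.
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'   # assumed listen port
	option target 'ACCEPT'

# Not shown (the broken case): 'list network wg0' under the wan zone.
# There, input is REJECT and there is no wan->lan forwarding, which is
# why the tunnel came up but no LAN host could be pinged.
```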

I made a whole write-up on this forum describing one way to do this:

My post uses IPv6 ULA addresses but it works the same way with IPv4. You basically create a subnet plan and second-level domains so DNS forwarding works.

Your situation is slightly different, however; it appears you want a site-to-point tunnel instead of site-to-site. In that case the client needs to support "conditional forwarding" or "split DNS". In these systems, the client runs a DNS resolver locally and forwards DNS queries through your Wireguard tunnel as needed on a domain-by-domain basis.

How to set this up depends on the OS and/or the network management software being used. On Linux, you are either using NetworkManager or systemd, which in turn relies on either dnsmasq or systemd-resolved for DNS resolution.

Helps a lot actually!

You're the same user who helped me initially set up the wireguard options, so thanks again!

Looks like I've got some reading to do. I'd been vaguely circling around split-horizon DNS as a term I needed to learn more about. Guess I'll need to begin.

Ideally what I'm after is the same sort of "it-just-works" that my linux local boxes seem to be able to use, I just don't know exactly what is enabling that to happen, perhaps avahi or some sort of ms-dns system that does auto-discovery of hostnames.
