For the longest time I've used ssh and ad hoc wg tunnels. But I think I would like to spend some time to make all those 10/24 nets become a single one.
Anyone have a similar setup? Any routing problems I will get myself into?
I'm not going to think about the mobile phones at first and it is already confusing... I know how to create the wg interfaces and set them up, but the routing after that point is confusing. Should I still use subnets to know to which peer to send things? Should I send everything to a central peer and then route from there?
My dream setup is to have one of the openwrt modems being the "main" DHCP/DNS server. All LANs being 10.1.1.0/24 and it all looking, for the wifi devices, like one big local network.
...But my main doubt on routing is, if everything is 10.1.1.0/24, and let's say the old isolated LAN routers are now 10.1.1.[1,2,3] (instead of 10.1.[1,2,3].1 from before)... how will they know to route locally if 10.1.1.101 wants to connect to 10.1.1.102, and both happen to be in the old 10.1.3.1 subnet (i.e. it will have to go through the internet to reach the new 10.1.1.1 (old 10.1.1.1, different location))?
Keep the same LAN IPs. Destination-based routing requires each LAN to have a unique IP subnet range.
If the three sites can accept incoming connections, you can set up direct tunnels between them all:
1<->2
1<->3
2<->3
Each site will route to one of the two others through the proper tunnel based on destination IP. This is inherently set up by using the route_allowed_ips option. The allowed IPs are the IPs expected to come from / go to the other end of the tunnel. For example, at site 1 the allowed IP on the 1<->2 tunnel is 10.1.2.0/24.
Road warrior laptops and phones can connect to any one of the sites (on a separate WireGuard interface set up for road warriors only) and reach all three. Once a packet has entered the system, it will be routed again into an inter-site tunnel if needed. Road warriors need a tunnel IP which will be the source IP for packets sent to a tunnel. The tunnel IPs typically are all within a single /24, which is also in allowed_ips at each site, but only on the tunnel that goes directly to the site that the road warriors connect through.
Note that a phone OS will not route from a client of the hotspot into a VPN tunnel. For that you will need a travel router, or terminate the tunnel on the client and use the phone for Internet access only.
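Worked example, added here and not from the thread: a small Python model of the full-mesh AllowedIPs layout described above, with three constructed sites and an assumed road-warrior /24 that terminates at site 1 only. It shows which tunnel each site picks for a given destination and emits the matching OpenWrt UCI peer section; public keys and endpoints are placeholders.

```python
import ipaddress

# Constructed topology (an assumption, not from the thread): three sites in a
# full mesh, one LAN each, road warriors terminating at site 1 only.
SITES = {1: "10.1.1.0/24", 2: "10.1.2.0/24", 3: "10.1.3.0/24"}
ROAD_WARRIOR_NET = "10.1.9.0/24"  # tunnel IPs handed to laptops/phones
RW_HUB = 1                        # site the road warriors connect through


def allowed_ips(site):
    """AllowedIPs per peer on the inter-site interface at `site`: the LAN
    behind each peer, plus the road-warrior /24 only on the tunnel towards
    the hub, so replies to a road warrior return via the site it entered."""
    table = {}
    for peer, lan in SITES.items():
        if peer == site:
            continue
        nets = [ipaddress.ip_network(lan)]
        if site != RW_HUB and peer == RW_HUB:
            nets.append(ipaddress.ip_network(ROAD_WARRIOR_NET))
        table[peer] = nets
    return table


def next_hop(site, dst):
    """Where `site` sends a packet for `dst`: 'local', 'rw-interface', the
    peer whose AllowedIPs match (longest prefix wins) or None (no route)."""
    ip = ipaddress.ip_address(dst)
    if ip in ipaddress.ip_network(SITES[site]):
        return "local"
    if site == RW_HUB and ip in ipaddress.ip_network(ROAD_WARRIOR_NET):
        return "rw-interface"
    best = None
    for peer, nets in allowed_ips(site).items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (peer, net.prefixlen)
    return best[0] if best else None


def uci_peer(site, peer):
    """OpenWrt UCI peer section for the `site` -> `peer` tunnel; key and endpoint
    are placeholders. route_allowed_ips '1' installs the matching kernel routes."""
    lines = ["config wireguard_wg0",
             "\toption public_key '<SITE%d_PUBLIC_KEY>'" % peer,
             "\toption endpoint_host '<SITE%d_WAN_ADDRESS>'" % peer,
             "\toption endpoint_port '51820'",
             "\toption route_allowed_ips '1'"]
    lines += ["\tlist allowed_ips '%s'" % n for n in allowed_ips(site)[peer]]
    return "\n".join(lines)
```

Running `print(uci_peer(3, 1))` gives the section for site 3's tunnel to site 1, which carries both 10.1.1.0/24 and the road-warrior 10.1.9.0/24, while `uci_peer(3, 2)` carries only 10.1.2.0/24.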
I did not see the route_allowed_ips option in the docs! Nice.
So, I just assign the wg interface an IP 10.1.1.100 on the 10.1.1.0 network, mark on the peers that it is route_allowed=10.1.1.0/24 and everything will just work?
No, the tunnel IPs (if assigned) have to be outside of any LAN. Technically the inter-site WireGuard interfaces don't need IPs; the one that links to a road warrior does. But it is very useful to have tunnel IPs for testing, to ping the other end of the tunnel directly.