From my understanding, here are the ips I allowed on the other peer (my wg server), so if I add another ip here, from the new peer let's say, it fails. If I delete that new ip (that my server of course doesn't know about) it works.
Yes, I did assign a different port and I did add a new rule to firewall to allow it.
No that didn't ever work. It works when I put it on a different interface and I assign it to firewall zone lan. Any other zone - no chance to get it to work. And it doesn't work when I add the peer to the existing interface.
On the other end of my existing connection there is no endpoint.
wg0 has one peer - it connects to my server on a public ip.
My server on the other end has no endpoint set, cause it is the endpoint.
You've got a remote server with a public IP. You've installed WireGuard on it.
Your router is configured as a WG peer of your remote server.
You would like to configure another WG interface on your router - to which your phone would connect. The purpose of this is to use some services outside your country.
Is the above correct?
config wireguard_wg0
option route_allowed_ips '1'
....
list allowed_ips '0.0.0.0/0'
^ This part of your config means the router will forward everything to the remote server. No surprise your router's WAN is not reachable. There are a couple of ways to make this work - some are easier than others. It all depends on what you are using the remote server VPN for.
Option 1 - if you use the remote server to host something like nextcloud, pihole, or some other services that you'd want to be not-accessible to the internet and only to your WG peers - then this will make things pretty simple.
Option 2 - you still want your router at home to forward all of your traffic to the remote WG server, except for when your phone is connected to the 2nd WG interface on your router. You want your phone's internet access to be via your router's WAN interface. This one is a trickier option.
Let me know which one and if it's the 1st option - I will be able to help right away. 2nd option would need some more work, and like someone above mentioned - policy based routing would be a good choice.
First, thank you for your reply @SirToffski.
Yes, all of your three assumptions are indeed true.
Oh man, I should have thought about that. This might also be the reason why my public facing wan IP is not pingable.
To the options: Yes I have some other services installed on that server. I have a dockerized setup of pihole, unbound and Wireguard - which makes browsing the web much more pleasant I think.
What changes are required to get option one working?
I also got VPN Policy/Bypass installed because there are some services that need to connect directly through my wan ip.
I think this all comes down to network numbering and routing. Part of the issue is that this is a policy thing, we don't know what you want to have happen...
Btw I strongly recommend you abandon ipv4 for your private network stuff and just use ipv6 ULA only, it will make your life easier!
@dlakelan Yeah, I'd love to ditch ipv4 in favor for ipv6. The thing is, my ISP doesn't provide native ipv6. So I use my VPN to get a /64 routed to my home network. I might abuse the ULA field, I pasted the /64 I route via wg there. So all my devices will get a /128 handed out via DHCP.
And also one question about having ipv6 only in my network. How can devices then reach out to an ipv4 website? Ipv4 and ipv6 are incompatible on the wire, aren't they? So, will I lose ipv4 connectivity if I only hand out ipv6s?
Use a squid proxy on the vps. Then it's the only thing doing ipv4.
Don't do that, get a ULA generated again and route that around your network. You can subnet it for different parts of your internal network. In ipv6 it's totally normal to have multiple networks.
All your home devices set your VPS as their proxy using a name that resolves to the ULA of your VPS. like http://myproxy.lan:3128 The VPS runs squid listening on port 3128. Whenever a device wants an http or https resource it connects to the VPS, which fetches the resource. If the VPS has both ipv6 and v4 then it can reach all the things.
Depending on your usage you might still need an ipv4 network and have the VPS masquerade it, but you can at least use the ipv6 portion of your network for all the infrastructure.
Just put that ip range on your LAN as static address. You don't need any addresses on the wireguard tunnel itself. Just use some routing rules on the VPS to route that prefix over the wg tunnel
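To make the squid-on-the-VPS arrangement described above concrete, here is an added example squid.conf; it is a constructed illustration, not dlakelan's config or the squid project's default file. It assumes the home network uses a ULA prefix inside fd00::/8 (narrow that to your own generated /48) and that clients reach the proxy at a name such as myproxy.lan that resolves to the VPS's ULA address, as suggested above.

```conf
# /etc/squid/squid.conf on the VPS (constructed example)
# Listen on port 3128 on every address, v4 and v6; the home devices reach it
# over the wg tunnel at the VPS's ULA address.
http_port 3128

# Only the home network's ULA range may use the proxy. Replace fd00::/8 with
# the specific /48 you generated so nothing else that can reach the VPS's
# v6 addresses gets a free proxy.
acl localnet src fd00::/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

# Default-deny: reject odd ports, allow the home network, deny everyone else.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all

# The VPS has both address families, so it fetches v4-only sites on behalf of
# the v6-only clients. Leaving dns_v4_first off keeps IPv6 origins preferred.
dns_v4_first off

# Do not leak the clients' internal ULA addresses to origin servers.
forwarded_for delete
via off
```

The `http_access` lines are evaluated top to bottom and the first match wins, so the final `deny all` is what keeps this from being an open proxy if an earlier rule is ever loosened. Point the `localnet` ACL at the /48 you actually route, not the whole fd00::/8.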
UPD:
here's the running config on the router and VPS.
should give you a good idea how to do this
https://gist.github.com/SirToffski/5502cd558d855cc36e9dfb00628b708d
Yes I've got a similar setup! Here's a diagram.
Your solution is:
Let's say wg0 subnet (for remote server) is 10.100.200.0/28. Put this range for the allowed IPs on your router wg0 interface and check "Create routes for allowed IPs". Create a separate FW zone for wg0 interface - and make it similar to the WAN zone, including MASQUERADING. This way all our outbound traffic to the server will have the source IP of the router's wg0 interface.
Then another network/interface wg1 10.200.200.0/28 is where your phone will connect to. Also make a separate FW zone for it and configure that zone similar to your LAN zone.
Also - if you use remote server for outbound and pihole - I found it's actually easier to make that remote server a peer of the WG server hosted on the router. In that case the wg config on your remote server would be like this:
My setup: [EDIT... this was my setup about 4 days ago. Now the VPS is a part of wg0 (yellow) zone. I find it’s easier because you don’t have to open any ports to the internet on the VPS that way. And the setup is simpler too]
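As an added example (not from this thread or from the gist linked above), here is one way to write the layout just described in OpenWrt UCI syntax, followed by the matching wg-quick file for the VPS in the "VPS is a peer of the router's WG server" arrangement. The two subnets are the ones given in the post; every key, the router's public IP, and the listen ports 51820/51821 are placeholders, and the firewall zone settings are assumptions modelled on OpenWrt's default wan and lan zones.

```conf
# --- /etc/config/network on the OpenWrt router (constructed fragment) ---
# wg0: tunnel to the VPS. The router listens, the VPS dials in, so no port
# has to be opened on the VPS.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'ROUTER_WG0_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51820'
	list addresses '10.100.200.1/28'

# Only the tunnel subnet is an allowed IP. 0.0.0.0/0 here is what pulled the
# router's whole default route into the tunnel earlier in the thread.
config wireguard_wg0
	option description 'vps'
	option public_key 'VPS_PUBLIC_KEY_PLACEHOLDER'
	option route_allowed_ips '1'
	list allowed_ips '10.100.200.0/28'

# wg1: the phone's tunnel, terminated on the router. Different port from wg0.
config interface 'wg1'
	option proto 'wireguard'
	option private_key 'ROUTER_WG1_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51821'
	list addresses '10.200.200.1/28'

# One /32 per phone peer.
config wireguard_wg1
	option description 'phone'
	option public_key 'PHONE_PUBLIC_KEY_PLACEHOLDER'
	option route_allowed_ips '1'
	list allowed_ips '10.200.200.2/32'

# --- /etc/config/firewall on the router (constructed fragment) ---
# wg0 zone modelled on the wan zone: masquerading makes traffic towards the
# VPS carry the router's 10.100.200.1 source address.
config zone
	option name 'wg0'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# wg1 zone modelled on the lan zone.
config zone
	option name 'wg1'
	list network 'wg1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# LAN clients may reach pihole and the other VPS services.
config forwarding
	option src 'lan'
	option dest 'wg0'

# The phone leaves through the router's own WAN ...
config forwarding
	option src 'wg1'
	option dest 'wan'

# ... and may also reach the VPS services.
config forwarding
	option src 'wg1'
	option dest 'wg0'

# Let the VPS and the phone dial in from the internet.
config rule
	option name 'Allow-WireGuard-In'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820 51821'
	option target 'ACCEPT'

# --- /etc/wireguard/wg0.conf on the VPS (constructed, wg-quick syntax) ---
[Interface]
Address = 10.100.200.2/28
PrivateKey = VPS_PRIVATE_KEY_PLACEHOLDER

# The router is the endpoint; the keepalive keeps the router-side NAT/state
# entry alive so the router can reach the VPS at any time.
[Peer]
PublicKey = ROUTER_WG0_PUBLIC_KEY_PLACEHOLDER
Endpoint = ROUTER_PUBLIC_IP_PLACEHOLDER:51820
AllowedIPs = 10.100.200.0/28
PersistentKeepalive = 25
```

On the router, apply with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, then confirm with `wg show` that the VPS handshake completes and with `ip route` that only 10.100.200.0/28 (not a default route) points at wg0. Services that must use the home WAN directly keep working because nothing here diverts the router's default route.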