Wireguard VPN Home Via VPS

Hello,

Looking for some general direction and possibly some specific config help.

I am currently using OpenWRT on a Raspberry Pi for my home router, and have a VPS set up with a WireGuard tunnel to bypass CGNAT. I've been using a second RPi connected to the VPS through the VPN tunnel as an access point into my home network.

This works but what I would like to be able to do is connect a device/devices to the VPN tunnel and be able to seamlessly access home resources on my 192.168.9.0/24 subnet rather than the current VPN subnet (192.168.7.0/24). I currently don't want to use it as an overall VPN for internet traffic but it might be nice to know what I would need to change to also use the VPS as the exit point for internet traffic.

I assume this will be best achieved by connecting my OpenWRT router to the tunnel directly and passing traffic through it. What I'm looking for is some general advice on what I need to set up to do that, I can make the router a peer on the VPN easy enough (I think!) but do I need to make a new interface on the VPN subnet or can I include the VPN in the home subnet somehow and do away with the 192.168.7.0/24 subnet entirely?

How do I handle assigning IP addresses to peers to talk on the home network, as normally on my WireGuard setups I'm using static IPs? Can I hand them out from the router via DHCP? Once they are connected I assume I only need forwarding set up on the router as they are all peers on the same subnet in the tunnel (i.e. I don't need anything fancy on the VPS)? On the client side I assume I just need to tell it to pass anything for the home network into the tunnel, i.e. add that subnet to the AllowedIPs?

Thanks,
David McC

Assuming you are using WireGuard, then set up the "server" side on the VPS.
That server side has multiple peers, e.g. for your phone/laptop to connect to, and also a peer for your Home/RPi.
This Home/RPi setup needs special attention as it has to be set up as a site-to-site setup.
Basically you set up the RPi also as a "server", meaning allow traffic, but with an endpoint to your VPS. Besides the regular Allowed IPs you allow the whole subnet of the VPN and the subnet of the VPS.

On the VPS you allow for the peer of the RPi the whole home subnet (besides the usual VPN address).

This way you should be able to connect e.g. with your phone to the VPS and connect to your home subnet, as that is set in the Allowed IPs of the peer of the RPi and the RPi is allowing VPN traffic.

Awesome, thanks. I'll give that a go later on.

Is there any sort of routing/forwarding needed anywhere, or will a request from a VPN subnet endpoint to a home subnet address make its way through automagically?

Yes that is how it should work indeed.
By adding the home subnet as Allowed IPs on the VPS peer of your Home/RPi there will be a route created.

Note that all subnets need to be different, so your home, your VPS and the VPN need to be different and non overlapping!


It is a little simpler if the VPN tunnel terminates in the house's main router. If it is in a LAN device, the main router needs to have a route back to the remote network(s) (which may just be the road warrior subnet) via the VPN device's IP on the LAN.

Realize that the VPS will decrypt each packet, examine the inner source and destination IP, and process it through its kernel routing and firewall to send it back out (even if via the same Wireguard interface it came in on). So the VPS must be aware of the home network even though it is only forwarding packets from one tunnel to another.

I've had partial success so far. I can ping the home router from another device on the VPN going via the VPS however I can't manage to ping any other hosts on the home network (from either another host on the VPN or from the VPS), I just get "Destination Port Unreachable".

I've got both the home (192.168.9.0/24) and VPN subnets (192.168.7.0/24) in the allowed IPs on the VPS and on the VPN connected device. I've only added the VPN subnet to the allowed IPs on the router as when I added the home subnet as well it basically killed my network as all traffic was trying to route through the VPN and I had to connect to the RPi with a screen and keyboard to manually fix the routing table :joy:

Any thoughts on what I might need to do? If needed I can start posting redacted config files.

Cheers!

Scratch that, I've worked out it was my firewall zone settings, I needed to allow forwarding between the LAN and VPN. The settings in the screenshot seem to have sorted it, but I'd like to understand what's happening and make sure I'm not being overly permissive?

Hi @DavoedM,
I am trying to do something similar to what you have done:

Remote Laptop/Mobile -------> VPS ----------> Router at my home (Openwrt) -----> All devices on my home LAN.

I have been successful in only pinging the router from VPS but not any other device on my home LAN.

Any chance you can share your redacted config files so that I can see where I am going wrong?

Hi, no problem. Had meant to post the final config here in case someone else needed it but was too lazy! The router config I've assembled based on the LuCI interface for WireGuard, but IIRC it is essentially just the same as a client. I'm pretty sure the issue I had was with the firewall setup, i.e. the WG tunnel needs its own firewall zone assigned to the interface, and I've attached a screenshot of my settings for it. In this case 192.168.9.0/24 is my home IP range and 192.168.7.0/24 is my tunnel IP range.

Hope this helps.

***** VPS CONFIG *****
[Interface]
PrivateKey = <priv key>
ListenPort = <VPS PORT>
Address = 192.168.7.1/24
# Peer-to-peer traffic is decrypted and forwarded by the VPS kernel, so the
# VPS needs net.ipv4.ip_forward=1 and a FORWARD policy that allows wg0 -> wg0.

# Home Router
[Peer]
PublicKey = <pub key>
# The /24 entry is what makes the VPS send home-LAN traffic down this tunnel
AllowedIPs = 192.168.7.2/32, 192.168.9.0/24

# Client
[Peer]
PublicKey = <pub key>
AllowedIPs = 192.168.7.3/32

***** HOME ROUTER CONFIG *****
[Interface]
PrivateKey = <Priv Key>
Address = 192.168.7.2/32
# On OpenWrt this interface gets its own firewall zone, with forwarding to lan

[Peer]
PublicKey = <Pub Key>
# Only the tunnel subnet here: adding 192.168.9.0/24 would route the LAN into the tunnel
AllowedIPs = 192.168.7.0/24
Endpoint = <VPS IP>:<PORT>
PersistentKeepalive = 21

***** CLIENT CONFIG *****
[Interface]
PrivateKey = <Priv Key>
Address = 192.168.7.3/32

[Peer]
PublicKey = <Pub Key>
# Tunnel subnet plus the home LAN, so both are sent to the VPS
AllowedIPs = 192.168.7.0/24, 192.168.9.0/24
Endpoint = <VPS IP>:<PORT>
PersistentKeepalive = 21
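Added example, not part of any post in this thread: a small Python model of the two decisions that decided the outcomes reported above, WireGuard's cryptokey routing (which peer an AllowedIPs match sends a packet to) and the firewall forwarding at each hop (the zone forwarding fix from the earlier post, and kernel forwarding on the VPS). The addresses are taken from the posted configs; the zone names `wg`/`lan`, the forwarding sets and the test host 192.168.9.50 are assumptions of the model. It also checks the two configuration rules the thread states: that the subnets must not overlap, and that a node's own LAN must never appear in its peer's AllowedIPs.

```python
from ipaddress import ip_address, ip_network

# Addresses come from the posted configs; zone names and the host
# 192.168.9.50 used below are assumptions for this model.
NODES = {
    "client": {"addr": "192.168.7.3", "local": [],
               "peers": {"vps": ["192.168.7.0/24", "192.168.9.0/24"]}},
    "vps": {"addr": "192.168.7.1", "local": [],
            "peers": {"router": ["192.168.7.2/32", "192.168.9.0/24"],
                      "client": ["192.168.7.3/32"]}},
    "router": {"addr": "192.168.7.2", "local": ["192.168.9.0/24"],  # br-lan
               "peers": {"vps": ["192.168.7.0/24"]}},
}


def cryptokey_route(peers, dst):
    """Return the peer WireGuard would send `dst` to: the peer whose AllowedIPs
    contains it with the longest prefix, or None (packet is dropped)."""
    dst = ip_address(dst)
    best, best_len = None, -1
    for peer, nets in peers.items():
        for n in nets:
            net = ip_network(n)
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def disjoint(*subnets):
    """The rule from the thread: home, VPS and tunnel subnets must not overlap."""
    nets = [ip_network(s) for s in subnets]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def lan_routed_into_tunnel(node):
    """True when a peer's AllowedIPs on this node covers one of the node's own
    local subnets.  wg-quick/netifd install a route for every AllowedIPs
    prefix, so the node would push its own LAN into the tunnel (the
    'killed my network' case from the thread)."""
    return any(ip_network(n).overlaps(ip_network(local))
               for local in node["local"]
               for nets in node["peers"].values() for n in nets)


def trace(dst, forwardings, max_hops=8):
    """Walk a packet from the client toward `dst`.  `forwardings` maps a node to
    the (in_zone, out_zone) pairs its firewall forwards: OpenWrt zone
    forwardings on the router, ip_forward plus the FORWARD chain on the VPS.
    Returns (path, verdict)."""
    dst = ip_address(dst)
    node, in_zone, path = "client", None, ["client"]
    for _ in range(max_hops):
        cfg = NODES[node]
        allowed = forwardings.get(node, set())
        if dst == ip_address(cfg["addr"]):
            # Traffic to the node itself hits INPUT, so it works without any forwarding
            return path, "delivered: %s's own address (INPUT chain, no forwarding needed)" % node
        if any(dst in ip_network(n) for n in cfg["local"]):
            if (in_zone, "lan") in allowed:
                return path + ["lan"], "delivered: forwarded %s->lan on %s" % (in_zone, node)
            return path, "dropped: %s has no %s->lan forwarding" % (node, in_zone)
        peer = cryptokey_route(cfg["peers"], dst)
        if peer is None:
            return path, "dropped: no AllowedIPs on %s covers %s" % (node, dst)
        if in_zone is not None and (in_zone, "wg") not in allowed:
            return path, "dropped: %s has no %s->wg forwarding" % (node, in_zone)
        path.append(peer)
        node, in_zone = peer, "wg"
    return path, "dropped: hop limit reached (routing loop?)"


if __name__ == "__main__":
    vps_only = {"vps": {("wg", "wg")}}                       # before the zone fix
    fixed = {"vps": {("wg", "wg")}, "router": {("wg", "lan")}}  # after it
    print(trace("192.168.7.2", vps_only))    # router itself: worked all along
    print(trace("192.168.9.50", vps_only))   # LAN host: dropped at the router
    print(trace("192.168.9.50", fixed))      # LAN host: works with wg->lan forwarding
    print(disjoint("192.168.9.0/24", "192.168.7.0/24"))
    bad_router = {"addr": "192.168.7.2", "local": ["192.168.9.0/24"],
                  "peers": {"vps": ["192.168.7.0/24", "192.168.9.0/24"]}}
    print(lan_routed_into_tunnel(NODES["router"]), lan_routed_into_tunnel(bad_router))
```

The three `trace` calls reproduce the "partial success" from the thread: the router's own tunnel address answers because that traffic hits the router's INPUT chain, while a LAN host behind it needs the wg-to-lan zone forwarding. Note that on the VPS the lookup for 192.168.7.9 returns no peer at all, since the VPS only lists /32s for its road-warrior clients; that is the least-permissive shape, and the only broad AllowedIPs entry on the VPS should be the home LAN on the router's peer.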