How to configure WireGuard site-to-site so I can see/route individual clients?

hey

I want to deploy a site-to-site WireGuard config but have no idea how to achieve routing to see and route individual devices instead of a NATed connection

I want to send traffic from site B to site A, handle it like a local VLAN and route individual clients to servers on another VLAN

I know that VLANs are layer 2 and the WG interfaces act as layer 3

does this mean that a packet from site B travels over the tunnel to site A and can be attributed to a VLAN/local IP based on the MAC address?

so a packet originating from site B 192.168.2.2 travels to site A and could be assigned the IP 192.168.9.2 and be in the corresponding VLAN?

what would I have to specify in the WireGuard config, or simply leave out the masquerade?

have a look at this guide from 2020 - wireguard-site-to-site-config

As others have already suggested, you do not need VLANs for this. It is a simple site-to-site configuration, so you just need to specify the other site’s IP subnet in the AllowedIPs list. Since you only seem to want to limit your parents’ access to your own network over the WireGuard tunnel, you can simply put some rules in place on your own firewall. No need to touch iptables or anything else.

The remaining questions are topology and how to take care of the routing. What devices are the endpoints for the WireGuard tunnel at each site? Here is an example with dedicated hardware for WG (for example a Raspberry Pi at each site). If your setup looks like this, you also need to take care of routing. I’m not going to give you suggestions on how to deal with that until I know what your topology looks like, as there are too many possibilities based on the amount of information you have shared so far. For example, where is your firewall? Are you using it as the WG server, or is it other dedicated hardware (or a virtual instance, or whatever may apply)?

wow, that’s a fantastic writeup, thank you
still working through the different guides, but none of them “translate” remote devices into local IPs, right?
I’m looking to “integrate” the remote devices into the local LAN to use a centralized firewall (that’s where the VLAN comes in)

I know that it’s best practice to use the WG interfaces as firewall, but a) I’m not good with iptables and b) I want centralized FW management (in my case the Unifi firewall)
that’s where the VLAN comes in… it isolates the traffic, and specific firewall rules are meant to allow packets through. This should definitely work with a NATed connection (so the remote devices all use the local interface’s IP), but I want them to be individually identifiable and thus routable

thanks for sharing your experience

my topology looks similar

site A:

FW/WAN GW: Unifi Router

WG Gateway: Raspberry Pi

Site B:

FW/WAN GW: Asus Router

WG Gateway: Raspberry Pi

so the networks are similarly built, with the big difference that site A utilizes VLANs to isolate clients

when saying I don’t need VLANs for this… you mean if I want site B to have full access to my “main” LAN, right? I don’t; I want site A to be able to access site B (which only has one LAN), whilst site B should only be able to access specific devices on site A’s VLAN x and VLAN y

that’s how I came up with the idea of using a VLAN

the WG S2S “terminates” in VLAN 123 and traffic can’t get any further, so even if site B is compromised, bad packets can’t reach my whole network unfiltered

I want to give site B access to reach my RustDesk instance and my NAS, nothing else

No-ish… let’s keep it simple: your home net will be 192.168.x.x and your WireGuard interface at 10.x.x.x on the endpoint server. So a client (phone/laptop/other side) will connect through a 10.x.x.x IP.

The server (home net) needs to be able to translate requests from 10.x.x.x to 192.168.x.x to allow connections to different hosts (like the 192.168.0.20 game server). This would make it a gateway or NAT (Network Address Translator).

The client must know where to find those hosts (like in a hosts file or DNS request) and should answer with: “oh, 192.168.0.20, I will go via WG 10.x.x.x”.

The other way would be: you give WG a 192.168.x.x address itself, but you will run into IP conflicts, especially if you are using DHCP. Since you CANNOT use DHCP over WG, this option is very difficult, and a NAT with separate networks and DNS for where to find a host is the better alternative.
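The routed site-to-site setup that the replies above describe (the far LAN in AllowedIPs, firewall rules on your own router) next to the NATed variant it replaces, written out as an added example. This is not code from the thread or from the linked guide; every address, hostname, interface name and key is a placeholder assumption for the two-Pi topology in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from any guide it links.
# A routed (non-masqueraded) WireGuard site-to-site between the two Raspberry Pi
# gateways. Every concrete value is an assumption chosen for illustration:
#   Site A (yours):    VLAN 123 = 192.168.123.0/24, Unifi router .1, Pi .10
#                      server VLAN = 192.168.9.0/24 (RustDesk .20, NAS .21)
#                      main LAN   = 192.168.1.0/24 (where your own devices live)
#   Site B (parents'): LAN 192.168.2.0/24, Asus router .1, Pi .10
#   Tunnel:            10.200.0.1/30 (A) and 10.200.0.2/30 (B)
#   Keys:              placeholders; make real ones with `wg genkey | tee priv | wg pubkey`

# The road-warrior guides add these lines to [Interface]. They rewrite every
# packet leaving the tunnel to the Pi's own address, so the central firewall
# sees one source for all of site B. These are the lines to leave out.
nat_postup_to_leave_out() {
  cat <<'EOF'
PostUp   = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF
}

# Site A Pi: /etc/wireguard/wg0.conf. No MASQUERADE, so packets from site B
# reach VLAN 123 with their real 192.168.2.x source address intact.
site_a_conf() {
  cat <<'EOF'
[Interface]
Address = 10.200.0.1/30
ListenPort = 51820
PrivateKey = <SITE_A_PRIVATE_KEY>

[Peer]
# site B gateway
PublicKey = <SITE_B_PUBLIC_KEY>
Endpoint = site-b.dyndns.invalid:51820
# Cryptokey routing works both ways: packets TO these prefixes are sent to this
# peer, and packets FROM this peer are dropped unless their source lies inside
# them. List the peer's tunnel address and its whole LAN.
AllowedIPs = 10.200.0.2/32, 192.168.2.0/24
PersistentKeepalive = 25
EOF
}

# Site B Pi: /etc/wireguard/wg0.conf. AllowedIPs names the site A networks that
# may be reached through (and may send through) the tunnel. Do not try to limit
# site B to the two servers here: because the check is symmetric, listing only
# 192.168.9.20/32 and .21/32 would also drop your own packets from 192.168.1.x.
# Per-device policy belongs in a firewall, not in AllowedIPs.
site_b_conf() {
  cat <<'EOF'
[Interface]
Address = 10.200.0.2/30
ListenPort = 51820
PrivateKey = <SITE_B_PRIVATE_KEY>

[Peer]
# site A gateway
PublicKey = <SITE_A_PUBLIC_KEY>
Endpoint = site-a.dyndns.invalid:51820
AllowedIPs = 10.200.0.1/32, 192.168.1.0/24, 192.168.9.0/24
PersistentKeepalive = 25
EOF
}

# Routing glue: the tunnel ends on a Pi, not on the router, so each router needs
# a static route for the far site pointing at its local Pi, and each Pi must
# forward. DRY_RUN=1 prints the commands instead of executing them.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

site_a_routing() {
  run sysctl -w net.ipv4.ip_forward=1           # on the site A Pi
  # On the Unifi router, entered as a static route (equivalent to this command):
  run ip route add 192.168.2.0/24 via 192.168.123.10
}

site_b_routing() {
  run sysctl -w net.ipv4.ip_forward=1           # on the site B Pi
  # On the Asus router, entered as static routes (equivalent to these commands):
  run ip route add 192.168.1.0/24 via 192.168.2.10
  run ip route add 192.168.9.0/24 via 192.168.2.10
}

# `wg-quick up wg0` installs the AllowedIPs prefixes into each Pi's own routing
# table, so nothing further is needed on the Pis themselves.
```

With this in place, a packet from the parents’ PC 192.168.2.20 to the NAS 192.168.9.21 leaves the site A Pi into VLAN 123 with source 192.168.2.20, crosses the Unifi router into the server VLAN, and a normal inter-VLAN rule (source 192.168.2.20, destination 192.168.9.21) applies to it. The NAS replies to its default gateway, the Unifi router, which follows the static route back to the Pi, so both directions pass the central firewall and the Pi itself needs no iptables at all.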

So basically, your problem is that the wireguard is terminated on the pi and not on your firewall and you don’t know how to deal with that, right?
What other purposes are you using this Raspberry Pi for, and which VLAN does it belong to? Is it running any services for your existing LAN?

thanks for taking the time for your answer!
so a “splitting up” of WG routed traffic is not possible… damn :confused: so I have to stick with putting the WG gateway in a VLAN, masquerading the traffic (NAT) and setting VLAN rules accordingly, with the downside that those rules affect all the traffic coming through the gateway, instead of being able to route explicit devices, right?

why I’m hesitant to use the fw on the gateways: I’m not good with Linux firewalls and the risk of making a grave mistake is higher than going the detour via the vlan and central firewall management… at least I think

how does a bridge work? can wireguard mimic a bridge?

what would be your advice in regards to your experience? I trust the inside network yes and no. I do trust my devices and my parents’ for the most part… yet they are not nearly as threat aware as I try to be… so I’m looking for a solution that offers security while being manageable by a rookie like me

the pi on Site A is positioned in a separate vlan for this purpose only

the pi itself will be replaced with a vm, once i get my proxmox machine running - the vm will end up in the same vlan of course

I don’t know how I could terminate WireGuard at my firewall, as the Unifi router neither supports FQDNs for its WireGuard server (dynamic IP) nor does it support multiple WireGuard instances

why multiple? because i don’t trust using one wg instance to handle all connections

there will be one that handles the “main devices” into the main lan, one for the mentioned s2s connection, another for a tunnel to my travel router etc

the downside of my setup is a) the packets end up IN my network (though initially contained within the vlan) and b) i can’t route traffic based per remote/accessing device

the ideal setup would be gatekeeping packets before they enter the tunnel (so on the peer side of the tunnel) and having them identifiable in my LAN

my hope was that WireGuard could transport layer 2 information (MAC addresses), which makes packets/devices identifiable and subject to FW policies

but this would need another form of NAT i guess

question: why can’t my router “see” wireguard-connected devices, but my pihole can (eg device1.pivpn)?

you can “route” traffic but it is a client config.

Yes, masquerade is the keyword you will need (NAT).

You can route explicit devices when you know their addresses (difficult/iptables).

A FW on the WG interface is kinda useless b/c you know your clients and (hopefully) trust them.

Shoot me down if I’m wrong, but a bridge is nothing other than a NAT???

  1. WireGuard cannot transport layer 2 information on its own, but you can still identify devices based on IP. If you really need layer 2, you should run a layer 2 tunneling protocol (for example VXLAN) over the WireGuard tunnel.
  2. You can create a new VLAN on the Raspberry Pi and assign it to a VRF (virtual routing and forwarding; it’s like a VLAN, just for layer 3 instead of layer 2) together with the WireGuard interface. Here is an example of roughly how that would look. You can add WireGuard interfaces and VLANs and add them to yet another VRF.

Either of these options works, and each has its own advantages and disadvantages, but both can hand off control of the VPN-connected network from the Pi to the firewall.

Unfortunately, due to the lack of details, I cannot answer your question about the problem of your router not seeing the vpn connected clients.
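The two options from the reply above, VXLAN over the tunnel and a VRF for the tunnel, as iproute2 commands for the site A Pi. This is an added example, not the reply’s own configuration or a link from the thread; the interface names, VNI, table number, addresses and the extra VLAN 124 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: wg0 is the tunnel with local
# address 10.200.0.1 and the site B Pi at 10.200.0.2; eth0.123 is the Pi's
# existing VLAN 123 sub-interface and stays as it is, because the encrypted UDP
# to site B must keep leaving through it; VLAN 124 (192.168.124.0/24, Unifi .1,
# Pi .10) is a new VLAN created only for decrypted tunnel traffic; VNI 42, table
# 100 and the names br-vpn/vrf-vpn are arbitrary. DRY_RUN=1 prints the commands
# instead of executing them (executing needs root).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Both options hand the decrypted traffic to the Unifi router through a VLAN of
# its own, so the central firewall is the only thing it can reach directly.
add_inside_vlan() {
  run ip link add link eth0 name eth0.124 type vlan id 124
  run ip link set eth0.124 up
}

# Option 1: layer 2 over the tunnel. VXLAN wraps Ethernet frames in UDP; sent
# through wg0 they are encrypted like any other tunnel traffic. Bridging the
# VXLAN device to VLAN 124 makes site B hosts layer 2 neighbours in VLAN 124,
# MAC addresses and all. Run the mirror image on the site B Pi with local and
# remote swapped and its LAN interface in place of eth0.124.
# Caveat: both LANs then form one broadcast domain, so only one subnet and one
# DHCP server may exist across the two sites.
vxlan_over_wg() {
  add_inside_vlan
  run ip link add vxlan0 type vxlan id 42 local 10.200.0.1 remote 10.200.0.2 dstport 4789 dev wg0
  # wg0 normally has MTU 1420 and VXLAN adds 50 bytes of headers, so frames
  # larger than 1370 bytes will not fit through the tunnel. Set it explicitly.
  run ip link set vxlan0 mtu 1370
  run ip link add br-vpn type bridge
  run ip link set vxlan0 master br-vpn
  run ip link set eth0.124 master br-vpn
  run ip link set vxlan0 up
  run ip link set br-vpn up
}

# Option 2: stay at layer 3 but give wg0 and VLAN 124 their own routing table.
# Everything that comes out of the tunnel can only be routed inside table 100,
# whose default route points at the Unifi router on VLAN 124, never at any other
# interface the Pi may have. Put `Table = 100` in wg0.conf's [Interface] so
# wg-quick installs the AllowedIPs routes into that table.
vrf_for_wg() {
  add_inside_vlan
  run ip addr add 192.168.124.10/24 dev eth0.124
  run ip link add vrf-vpn type vrf table 100
  run ip link set vrf-vpn up
  run ip link set eth0.124 master vrf-vpn
  run ip link set wg0 master vrf-vpn
  run ip route add default via 192.168.124.1 dev eth0.124 table 100
}
```

With the VRF option the Unifi static route for site B points at 192.168.124.10, and site B traffic can only ever appear on VLAN 124, where the firewall rules for it live. With the VXLAN option there is nothing to route on the Pi at all; the Unifi router sees site B hosts as ordinary VLAN 124 clients and its firewall rules match them by their own IP and MAC addresses.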

I thought a bridge was transmitting layer 3 information and thus “bridging” lans over “wan”… I could be wrong though

an idea I have…
the whole thing is because I want to make a site to site connection to my parents… I want (and they want me) to be able to enter their network for support but I only want them to be able to access my locally hosted rustdesk and my nas… ideally only specific devices from their network

site a (mine), site b (theirs).
would it be possible to make a central firewall rule on their router to only allow specific IPs to take the route via the gateway?

is there any proven and fool (me) proof way to manage network access for specific remote devices?

please help me, as this is new to me: how can I put them in different LANs with only one physical router? isn’t that what VLANs are for? how is the routing of a VLAN different from routing and rules for a physical LAN?
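A firewall policy that does what the question above asks for, gatekeeping specific site B devices before they enter the tunnel, with the mirror policy on the site A side as a second line of defence. This is an added example in nftables syntax, not anything posted in the thread; the interface names, the two parents’ PCs and the two site A servers are assumptions, and the same two rules can be entered on the Unifi router instead of running nft on the Pi.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the tunnel is wg0 and the LAN
# interface is eth0 on both Pis; site B's LAN is 192.168.2.0/24 and the parents'
# two PCs are 192.168.2.20 and .21; on site A the RustDesk host is 192.168.9.20
# and the NAS 192.168.9.21. Per-device rules like these only work on a routed
# tunnel: with MASQUERADE every site B packet would carry the Pi's address and
# the two PCs could not be told apart from anything else on that LAN.

# Site B Pi: /etc/nftables.conf. Packets are judged before they are encrypted.
site_b_nft_ruleset() {
  cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

define parents_pcs = { 192.168.2.20, 192.168.2.21 }
define site_a_services = { 192.168.9.20, 192.168.9.21 }

table inet s2s {
  chain forward {
    # Default-deny for everything the Pi forwards between eth0 and wg0.
    type filter hook forward priority 0; policy drop;

    # Replies belonging to connections that were already allowed.
    ct state established,related accept

    # Site A (you) may reach everything at site B for support.
    iifname "wg0" oifname "eth0" accept

    # Only the two PCs may enter the tunnel, and only toward RustDesk and the NAS.
    iifname "eth0" oifname "wg0" ip saddr $parents_pcs ip daddr $site_a_services accept

    # Anything else trying to enter the tunnel is logged and dropped.
    iifname "eth0" oifname "wg0" log prefix "s2s-denied " drop
  }
}
EOF
}

# Site A Pi: the same policy seen from the other end. Even if the site B Pi were
# tampered with, the only traffic accepted out of the tunnel is from the two PCs
# to the two servers; everything else is dropped before it reaches the LAN.
site_a_nft_ruleset() {
  cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

define parents_pcs = { 192.168.2.20, 192.168.2.21 }
define site_a_services = { 192.168.9.20, 192.168.9.21 }

table inet s2s {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "eth0" oifname "wg0" accept
    iifname "wg0" oifname "eth0" ip saddr $parents_pcs ip daddr $site_a_services accept
    iifname "wg0" oifname "eth0" log prefix "s2s-denied " drop
  }
}
EOF
}

# Parse the ruleset first (`nft -c` checks without loading), then install it.
# Usage on the Pi, as root:  site_b_nft_ruleset | install_ruleset
install_ruleset() {
  tmp=$(mktemp) && cat > "$tmp" && nft -c -f "$tmp" && nft -f "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}
```

On the Unifi router the site A half is two rules on the VLAN the Pi sits in: allow source 192.168.2.20 and 192.168.2.21 to destination 192.168.9.20 and 192.168.9.21, then drop everything else from 192.168.2.0/24. Because the source addresses survive the routed tunnel, the log line from the deny rule names the exact site B device that tried, which is what makes a compromised site B visible rather than just blocked.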

I am no expert; in my point of view you need “one site visible”: either a public server as NAT (controlling both sides’ requests) or one router (LAN) port open…

since you have specific IPs, either you install WG on each device and enter it with “IP via WG iface” with Endpoint on the “open IP:Port” router (home net A), still NAT (most do it automatically), or you go the full line and manually implement full DNS for those IPs/servers/names

this time you need to understand the traffic,

A → INET → B → H1

B → H2

B → H3

I am unable to draw a picture here sorry.